ssh-audit is a tool for ssh server & client configuration auditing.

Overview

ssh-audit

jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.

Features

  • SSH1 and SSH2 protocol server support;
  • analyze SSH client configuration;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • output security information (related issues, assigned CVE list, etc);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • policy scans to ensure adherence to a hardened/standard configuration;
  • runs on Linux and Windows;
  • supports Python 3.6 - 3.9;
  • no dependencies

Usage

usage: ssh-audit.py [options] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -d,  --debug            Enable debug output.
   -j,  --json             JSON output (use -jj to enable indents)
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
                                    connecting to a server
   -m,  --manual           print the man page (Windows only)
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                    (i.e.: the target server has the ideal
                                    configuration that other servers should
                                    adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=<port>      port to connect
   -P,  --policy=<"policy name" | policy.txt>  run a policy test using the
                                               specified policy
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
                                   per line, format HOST[:PORT])
        --threads=<threads>    number of threads to use when scanning multiple
                                   targets (-T/--targets) (default: 32)
   -v,  --verbose          verbose output

  • if both IPv4 and IPv6 are used, order of precedence can be set by using either -46 or -64.
  • batch flag -b will output sections without header and without empty lines (implies verbose flag).
  • verbose flag -v will prefix each line with section type and algorithm name.
  • an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).

Basic server auditing:

ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222

To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):

ssh-audit -T servers.txt

To audit a client configuration (listens on port 2222 by default; connect using ssh -p 2222 anything@localhost):

ssh-audit -c

To audit a client configuration, with a listener on port 4567:

ssh-audit -c -p 4567

To list all official built-in policies (hint: use resulting policy names with -P/--policy):

ssh-audit -L

To run a policy audit against a server:

ssh-audit -P ["policy name" | path/to/server_policy.txt] targetserver

To run a policy audit against a client:

ssh-audit -c -P ["policy name" | path/to/client_policy.txt]

To run a policy audit against many servers:

ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]

To create a policy based on a target server (which can be manually edited):

ssh-audit -M new_policy.txt targetserver
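The commands above cover interactive use. As an added example (this is not code from the ssh-audit project), the following Python script reads a saved ssh-audit -j report and turns it into a pass/fail gate for a pipeline: every advertised key exchange, host key, cipher and MAC is checked against an allow-list taken from the client hardening guide quoted further down this page, and RSA host keys shorter than 3072 bits are flagged as well. The JSON shape it assumes (a "target" string plus "kex"/"key"/"enc"/"mac" lists of {"algorithm": ...} objects, with "keysize" on host-key entries) and the two sample reports are constructed for the example; compare them with a real -jj dump before relying on the field names.

```python
"""Gate on a saved `ssh-audit -j HOST` report (added example, not ssh-audit code).

The advertised kex/key/enc/mac lists are compared against an allow-list taken
from the hardening guide quoted on this page; anything else, or an RSA host
key under 3072 bits, is a finding. Run as: ssh-audit -j host | python3 gate.py
"""
import json
import sys
from typing import Dict, List

MIN_RSA_BITS = 3072

# Allow-list: the Ciphers/KexAlgorithms/MACs/HostKeyAlgorithms lines from the
# Ubuntu 18.04 client hardening guide as quoted on this page.
ALLOWED: Dict[str, set] = {
    "kex": {"curve25519-sha256", "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"},
    "key": {"ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com",
            "rsa-sha2-256", "rsa-sha2-512"},
    "enc": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "mac": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "umac-128-etm@openssh.com"},
}

# Constructed sample reports. The shape ASSUMED here is what `-j` emits: a
# "target" string plus "kex"/"key"/"enc"/"mac" lists of {"algorithm": ...}
# objects, with "keysize" on host-key entries. All values are made up.
UNHARDENED_REPORT = json.dumps({
    "target": "10.1.1.1:22",
    "banner": {"raw": "SSH-2.0-OpenSSH_7.6p1", "protocol": [2, 0],
               "software": "OpenSSH_7.6p1", "comments": ""},
    "kex": [{"algorithm": "curve25519-sha256"},
            {"algorithm": "curve25519-sha256@libssh.org"},
            {"algorithm": "ecdh-sha2-nistp256"},
            {"algorithm": "diffie-hellman-group14-sha1"}],
    "key": [{"algorithm": "ssh-ed25519", "keysize": 256},
            {"algorithm": "rsa-sha2-512", "keysize": 2048},
            {"algorithm": "ssh-rsa", "keysize": 2048},
            {"algorithm": "ecdsa-sha2-nistp256", "keysize": 256}],
    "enc": [{"algorithm": "chacha20-poly1305@openssh.com"},
            {"algorithm": "aes128-ctr"}, {"algorithm": "aes128-cbc"}],
    "mac": [{"algorithm": "hmac-sha2-256-etm@openssh.com"},
            {"algorithm": "umac-64@openssh.com"}, {"algorithm": "hmac-sha1"}],
})
HARDENED_REPORT = json.dumps({
    "target": "10.1.1.2:22",
    "kex": [{"algorithm": "curve25519-sha256"},
            {"algorithm": "diffie-hellman-group16-sha512"}],
    "key": [{"algorithm": "ssh-ed25519", "keysize": 256},
            {"algorithm": "rsa-sha2-512", "keysize": 4096}],
    "enc": [{"algorithm": "chacha20-poly1305@openssh.com"},
            {"algorithm": "aes256-gcm@openssh.com"}],
    "mac": [{"algorithm": "hmac-sha2-512-etm@openssh.com"}],
})


def findings(report_json: str, allowed: Dict[str, set] = ALLOWED) -> Dict[str, List[str]]:
    """Per section, the advertised algorithms the allow-list rejects."""
    report = json.loads(report_json)
    result: Dict[str, List[str]] = {}
    for section, allow in allowed.items():
        bad: List[str] = []
        for entry in report.get(section, []):
            alg = entry["algorithm"]
            bits = entry.get("keysize")
            if alg not in allow:
                bad.append(alg)
            elif alg.startswith(("ssh-rsa", "rsa-sha2")) and bits is not None and bits < MIN_RSA_BITS:
                # Allowed signature scheme, but the RSA key behind it is short.
                bad.append(f"{alg} ({bits}-bit RSA key)")
        if bad:
            result[section] = bad
    return result


def passes(report_json: str) -> bool:
    return not findings(report_json)


def main() -> int:
    # Read a report from stdin; fall back to the constructed sample for a demo.
    report = sys.stdin.read() if not sys.stdin.isatty() else UNHARDENED_REPORT
    target = json.loads(report).get("target", "?")
    bad = findings(report)
    for section, algs in bad.items():
        for alg in algs:
            print(f"{target}: {section}: {alg}")
    print(f"{target}: {'FAIL' if bad else 'PASS'}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit code follows the convention ssh-audit itself uses: 0 only when nothing is flagged. Unlike a -P policy, this allow-list ignores the banner and the order of the algorithm lists, which suits a fleet of mixed OpenSSH versions that cannot all match one built-in policy.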

Screenshots

Server Standard Audit Example

Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service.

Server Policy Audit Example

Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine (hint: use -L/--list-policies to see names of built-in policies to use with -P/--policy).

After applying the steps in the hardening guide (see below), the output changes to the following.

Client Standard Audit Example

Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects.

Hardening Guides

Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html

Pre-Built Packages

Pre-built packages are available for Windows (see the releases page), PyPI, Snap, and Docker.

To install from PyPI:

$ pip3 install ssh-audit

To install the Snap package:

$ snap install ssh-audit

To install from Dockerhub:

$ docker pull positronsecurity/ssh-audit

(Then run with: docker run -it -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1)

Web Front-End

For convenience, a web front-end on top of the command-line tool is available at https://www.ssh-audit.com/.

ChangeLog

v2.6.0-dev

  • Snap packages now print more user-friendly error messages when permission errors are encountered.
  • JSON 'target' field now always includes port number; credit tomatohater1337.
  • Added 24 new key exchanges: ecdh-sha2-1.3.132.0.1, ecdh-sha2-1.2.840.10045.3.1.1, ecdh-sha2-1.3.132.0.33, ecdh-sha2-1.3.132.0.26, ecdh-sha2-1.3.132.0.27, ecdh-sha2-1.2.840.10045.3.1.7, ecdh-sha2-1.3.132.0.16, ecdh-sha2-1.3.132.0.34, ecdh-sha2-1.3.132.0.36, ecdh-sha2-1.3.132.0.37, ecdh-sha2-1.3.132.0.35, ecdh-sha2-1.3.132.0.38, ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==, ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==, ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==, ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==, ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==, ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==, ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==, ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==, ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==, ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==, ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==, ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==.

v2.5.0 (2021-08-26)

  • Fixed crash when running host key tests.
  • Handles server connection failures more gracefully.
  • Now prints JSON with indents when -jj is used (useful for debugging).
  • Added MD5 fingerprints to verbose output.
  • Added -d/--debug option for getting debugging output; credit Adam Russell.
  • Updated JSON output to include MD5 fingerprints. Note that this results in a breaking change in the 'fingerprints' dictionary format.
  • Updated OpenSSH 8.1 (and earlier) policies to include rsa-sha2-512 and rsa-sha2-256.
  • Added OpenSSH v8.6 & v8.7 policies.
  • Added 3 new key exchanges: gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==, gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==, and gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==.
  • Added 3 new MACs: hmac-ripemd160-96, AEAD_AES_128_GCM, and AEAD_AES_256_GCM.

v2.4.0 (2021-02-23)

  • Added multi-threaded scanning support.
  • Added built-in Windows manual page (see -m/--manual); credit Adam Russell.
  • Added version check for OpenSSH user enumeration (CVE-2018-15473).
  • Added deprecation note to host key types based on SHA-1.
  • Added extra warnings for SSHv1.
  • Added built-in hardened OpenSSH v8.5 policy.
  • Upgraded warnings to failures for host key types based on SHA-1.
  • Fixed crash when receiving unexpected response during host key test.
  • Fixed hang against older Cisco devices during host key test & gex test.
  • Fixed improper termination while scanning multiple targets when one target returns an error.
  • Dropped support for Python 3.5 (which reached EOL in Sept. 2020).
  • Added 1 new key exchange: sntrup761x25519-sha512@openssh.com.

v2.3.1 (2020-10-28)

  • Now parses public key sizes for rsa-sha2-256-cert-v01@openssh.com and rsa-sha2-512-cert-v01@openssh.com host key types.
  • Flag ssh-rsa-cert-v01@openssh.com as a failure due to SHA-1 hash.
  • Fixed bug in recommendation output which suppressed some algorithms inappropriately.
  • Built-in policies now include CA key requirements (if certificates are in use).
  • Lookup function (--lookup) now performs case-insensitive lookups of similar algorithms; credit Adam Russell.
  • Migrated pre-made policies from external files to internal database.
  • Split single 3,500 line script into many files (by class).
  • Added setup.py support; credit Ganden Schaffner.
  • Added 1 new cipher: aes128-ocb@libassh.org.

v2.3.0 (2020-09-27)

  • Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see -L/--list-policies, -M/--make-policy and -P/--policy). For an in-depth tutorial, see https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/.
  • Created new man page (see ssh-audit.1 file).
  • 1024-bit moduli upgraded from warnings to failures.
  • Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit Jürgen Gmach.
  • Added feature to look up algorithms in internal database (see --lookup); credit Adam Russell.
  • Suppress recommendation of token host key types.
  • Added check for use-after-free vulnerability in PuTTY v0.73.
  • Added 11 new host key types: ssh-rsa1, ssh-rsa-sha224@ssh.com, ssh-gost2001, ssh-gost2012-256, ssh-gost2012-512, spki-sign-rsa, ssh-ed448, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256.
  • Added 8 new key exchanges: diffie-hellman-group1-sha256, kexAlgoCurve25519SHA256, Curve25519SHA256, gss-group14-sha256-, gss-group15-sha512-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-.
  • Added 5 new ciphers: blowfish, AEAD_AES_128_GCM, AEAD_AES_256_GCM, crypticore128@ssh.com, seed-cbc@ssh.com.
  • Added 3 new MACs: chacha20-poly1305@openssh.com, hmac-sha3-224, crypticore-mac@ssh.com.

v2.2.0 (2020-03-11)

v2.1.1 (2019-11-26)

  • Added 2 new host key types: rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com.
  • Added 2 new ciphers: des, 3des.
  • Added 3 new PuTTY vulnerabilities.
  • During client testing, client IP address is now listed in output.

v2.1.0 (2019-11-14)

  • Added client software auditing functionality (see -c / --client-audit option).
  • Added JSON output option (see -j / --json option; credit Andreas Jaggi).
  • Fixed crash while scanning Solaris Sun_SSH.
  • Added 9 new key exchanges: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha1-, gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==, gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==, diffie-hellman-group15-sha256, ecdh-sha2-1.3.132.0.10, curve448-sha512.
  • Added 1 new host key type: ecdsa-sha2-1.3.132.0.10.
  • Added 4 new ciphers: idea-cbc, serpent128-cbc, serpent192-cbc, serpent256-cbc.
  • Added 6 new MACs: [email protected], [email protected], hmac-ripemd, [email protected], [email protected], [email protected].

v2.0.0 (2019-08-29)

  • Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
  • Added RSA host key length test.
  • Added RSA certificate key length test.
  • Added Diffie-Hellman modulus size test.
  • Now outputs host key fingerprints for RSA and ED25519.
  • Added 5 new key exchanges: [email protected], [email protected], [email protected], diffie-hellman-group16-sha256, diffie-hellman-group17-sha512.
  • Added 3 new encryption algorithms: des-cbc-ssh1, blowfish-ctr, twofish-ctr.
  • Added 10 new MACs: hmac-sha2-56, hmac-sha2-224, hmac-sha2-384, hmac-sha3-256, hmac-sha3-384, hmac-sha3-512, hmac-sha256, hmac-sha256@ssh.com, hmac-sha512, hmac-sha512@ssh.com.
  • Added command line argument (-t / --timeout) for connection & reading timeouts.
  • Updated CVEs for libssh & Dropbear.

v1.7.0 (2016-10-26)

  • implement options to allow specify IPv4/IPv6 usage and order of precedence
  • implement option to specify remote port (old behavior kept for compatibility)
  • add colors support for Microsoft Windows via optional colorama dependency
  • fix encoding and decoding issues, add tests, do not crash on encoding errors
  • use mypy-lang for static type checking and verify all code

v1.6.0 (2016-10-14)

  • implement algorithm recommendations section (based on recognized software)
  • implement full libssh support (version history, algorithms, security, etc)
  • fix SSH-1.99 banner recognition and version comparison functionality
  • do not output empty algorithms (happens for misconfigured servers)
  • make consistent output for Python 3.x versions
  • add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
  • use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)

v1.5.0 (2016-09-20)

  • create security section for related security information
  • match and output assigned CVE list and security issues for Dropbear SSH
  • implement full SSH1 support with fingerprint information
  • automatically fallback to SSH1 on protocol mismatch
  • add new options to force SSH1 or SSH2 (both allowed by default)
  • parse banner information and convert it to specific software and OS version
  • do not use padding in batch mode
  • several fixes (Cisco sshd, rare hangs, error handling, etc)

v1.0.20160902

  • implement batch output option
  • implement minimum output level option
  • fix compatibility with Python 2.6

v1.0.20160812

  • implement SSH version compatibility feature
  • fix wrong mac algorithm warning
  • fix Dropbear SSH version typo
  • parse pre-banner header
  • better errors handling

v1.0.20160803

  • use OpenSSH 7.3 banner
  • add new key-exchange algorithms

v1.0.20160207

  • use OpenSSH 7.2 banner
  • additional warnings for OpenSSH 7.2
  • fix OpenSSH 7.0 failure messages
  • add rijndael-cbc failure message from OpenSSH 6.7

v1.0.20160105

  • multiple additional warnings
  • support for none algorithm
  • better compression handling
  • ensure reading enough data (fixes few Linux SSH)

v1.0.20151230

  • Dropbear SSH support

v1.0.20151223

  • initial version
Comments
  • Man Page on Windows

    Man Page on Windows

    I'm contemplating whether it would be possible to make the man page available in Windows.

    This is not a complete solution, these are just my initial thoughts exploring what would be required and how we might go about doing it... Any thoughts, feedback or suggestions would be welcome...

    Converting the man page to a readable format for the Windows console

    Since Windows doesn't have a manual reader, the man page would need to be converted to a format that can be rendered in the Windows console. This would have to be performed as part of the build process when there's a new release.

    One option would be to simply convert it to plain text output. This conversion can be achieved as follows:

    MANWIDTH=80 man ./ssh-audit.1 > ssh_audit_windows_man.txt
    

    In Windows 10, the console is capable of interpreting ANSI escape sequences (also known as VT escape sequences). So another option would be to convert the man page to ANSI escape sequence formatted output, this would preserve any typographical emphasis that's present in the original man page, such as bold and underlined text. This conversion can be achieved as follows:

    # * man outputs a backspace-overwrite sequence rather than an ANSI escape 
    #   sequence.
    # * 'MAN_KEEP_FORMATTING' preserves the backspace-overwrite sequence when 
    #   redirected to a file or a pipe.
    # * The 'ul' command converts the backspace-overwrite sequence to an ANSI escape 
    #   sequence.
    
    MANWIDTH=80 MAN_KEEP_FORMATTING=1 man ./ssh-audit.1 | ul > ssh_audit_windows_man.txt
    

    Example of an ANSI escape sequence formatted man page on Windows 10

    import os
    os.system("color")  # enables ANSI escape sequence processing in the Windows console

    with open('c:\\bitbucket\\ssh_audit_windows_man.txt', encoding="utf-8") as f:
        print(f.read())
    

    Displaying the man page

    Displaying the man page could perhaps be invoked using a command line parameter such as:

    ssh-audit.exe --manual
    

    Packaging the converted man page

    Currently the Windows package is a standalone executable with no external dependencies. Ideally any solution that's adopted would preserve this.

    Does anyone know of a way that the man page (in its converted format) could be embedded into the ssh-audit executable without having to ship an external text file?

    opened by thecliguy 35
  • Group Size Enumeration of diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256

    Group Size Enumeration of diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256

    I've encountered an SSH server where the Diffie-Hellman group size used by the key exchange algorithm diffie-hellman-group-exchange-sha256 is hardcoded and cannot be seen or configured by an administrator.

    My plan was to use ssh-audit to scan the server and find out more information about the supported group size(s) but then I realised that ssh-audit only returns the minimum value.

    I studied RFC 4419 which explains how the client requests a modulus from the server by specifying a minimum, a preferred and a maximum value (expressed in bits). The send_init_gex function in ssh-audit has been implemented as per the explanation in RFC 4419, it accepts minbits, prefbits and maxbits.

    I was able to modify gextest.py to invoke send_init_gex with minbits, prefbits and maxbits of the same value from 0 to 8192. This gave me the answer I was looking for, it showed that the server was configured with group sizes of 1024, 2048, 3072, 4096 and 6144. Using this information I can now contact the manufacturer of the SSH server software and ask if they will consider removing 1024.

    @jtesta What do you think about adding group size enumeration as a feature to ssh-audit? I could submit my patch as a draft for you to review?

    Enumerating every value from 0 to 8192 is a slow process because it has to make a new connection to the target server each time. In my case this was not a problem because I ran the patched version of ssh-audit on the SSH server itself. However, if someone were to attempt this over a network it may cause a firewall's rate control to be triggered resulting in requests being blocked. So we'd probably need to mention this as a potential caveat in the documentation.

    opened by thecliguy 26
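The enumeration described in the issue above, as an added example that is not part of ssh-audit: it builds the SSH_MSG_KEX_DH_GEX_REQUEST packet from RFC 4419 with min, n and max set to the same value, parses the SSH_MSG_KEX_DH_GEX_GROUP reply and records which modulus sizes actually come back. The server side is a constructed stand-in (FakeGexServer, loaded with the five group sizes reported in the issue and placeholder moduli rather than real primes) so the code runs offline; against a real host every probe is a fresh connection through the version and KEXINIT exchange, which is what makes a full 0..8192 sweep slow and likely to trip a firewall's rate control.

```python
"""RFC 4419 group-size enumeration (added example, not ssh-audit code).

Builds SSH_MSG_KEX_DH_GEX_REQUEST with min = n = max, parses the
SSH_MSG_KEX_DH_GEX_GROUP reply and records which modulus sizes a server
hands out. The network side is replaced by a constructed fake server so the
code runs offline; the packet layouts are RFC 4419 / RFC 4251.
"""
import struct
from typing import Iterable, List, Optional, Tuple

SSH_MSG_KEX_DH_GEX_REQUEST = 34
SSH_MSG_KEX_DH_GEX_GROUP = 31


def build_gex_request(minbits: int, prefbits: int, maxbits: int) -> bytes:
    """byte 34 followed by three uint32 values (min, n, max), RFC 4419 section 3."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, minbits, prefbits, maxbits)


def encode_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): uint32 length + big-endian two's complement."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps a positive value positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def decode_mpint(buf: bytes, off: int) -> Tuple[int, int]:
    """Return (value, offset after the mpint)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return int.from_bytes(buf[off:off + length], "big", signed=True), off + length


def parse_gex_group(payload: bytes) -> Tuple[int, int]:
    """Return (p, g) from an SSH_MSG_KEX_DH_GEX_GROUP payload."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a KEX_DH_GEX_GROUP message")
    p, off = decode_mpint(payload, 1)
    g, _ = decode_mpint(payload, off)
    return p, g


class FakeGexServer:
    """Constructed stand-in for the target. Answers a GEX_REQUEST the way RFC
    4419 describes (a group whose size lies in [min, max], nearest to n) or
    returns None where a real server would simply drop the connection. The
    moduli are placeholders of the right bit length, not real safe primes."""

    def __init__(self, sizes: Iterable[int]):
        self.groups = {bits: (1 << (bits - 1)) | 1 for bits in sizes}

    def handle(self, request: bytes) -> Optional[bytes]:
        msg, minbits, n, maxbits = struct.unpack(">BIII", request)
        if msg != SSH_MSG_KEX_DH_GEX_REQUEST:
            raise ValueError("unexpected message type")
        fits = [b for b in self.groups if minbits <= b <= maxbits]
        if not fits:
            return None
        best = min(fits, key=lambda b: abs(b - n))
        return (bytes([SSH_MSG_KEX_DH_GEX_GROUP])
                + encode_mpint(self.groups[best]) + encode_mpint(2))


def enumerate_group_sizes(server: FakeGexServer, candidates: Iterable[int]) -> List[int]:
    """One request per candidate size with min = n = max, as the patched
    gextest.py in the issue does. A reply whose modulus has exactly that bit
    length confirms the size is configured on the server."""
    found: List[int] = []
    for bits in candidates:
        reply = server.handle(build_gex_request(bits, bits, bits))
        if reply is None:
            continue
        p, _ = parse_gex_group(reply)
        if p.bit_length() == bits:
            found.append(bits)
    return found


if __name__ == "__main__":
    server = FakeGexServer([1024, 2048, 3072, 4096, 6144])
    print("supported DH GEX group sizes:", enumerate_group_sizes(server, range(0, 8193, 8)))
```

Against a live server the FakeGexServer.handle call becomes a full connection per probe (banner, KEXINIT, then this request), so step the candidate range or restrict it to the sizes you care about rather than sweeping every value by default.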
  • Show MD5 Hash of Fingerprint in Verbose Output

    Show MD5 Hash of Fingerprint in Verbose Output

    When verifying host keys, PuTTY, plink and psftp use an md5 hash rather than a sha256 hash.

    plink 0.74 - Example Output:

    C:\sandbox>plink.exe -v scanme.nmap.org
    Looking up host "scanme.nmap.org" for SSH connection
    Connecting to 45.33.32.156 port 22
    We claim version: SSH-2.0-PuTTY_Release_0.74
    Remote version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
    We believe remote version has SSH-2 channel request bug
    Using SSH protocol version 2
    No GSSAPI security context available
    Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
    Server also has ecdsa-sha2-nistp256/ssh-dss/ssh-rsa host keys, but we don't know any of them
    Host key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    The server's host key is not cached in the registry. You
    have no guarantee that the server is the computer you
    think it is.
    The server's ssh-ed25519 key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    If you trust this host, enter "y" to add the key to
    PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without
    adding the key to the cache, enter "n".
    If you do not trust this host, press Return to abandon the
    connection.
    Store key in cache? (y/n) 
    

    Currently ssh-audit only shows fingerprints in the form of a sha256 hash. Do you have any objection to also showing the md5 hash if the verbose (-v/--verbose) parameter has been provided?

    I've built a proof-of-concept that I can share.

    By the way, the Fingerprint class is already capable of producing an md5 hash, it's just not currently used: https://github.com/jtesta/ssh-audit/blob/2f1a2a60b153509612a450173041fb698177dc45/src/ssh_audit/fingerprint.py#L33-L37

    opened by thecliguy 14
  • client audit vs client hardening guide

    client audit vs client hardening guide

    Hi @jtesta

    I just discovered the client hardening mode.

    I run Ubuntu 18.04 on my laptop.

    I applied the changes from your hardening guide

    https://www.ssh-audit.com/hardening_guides.html#ubuntu_18_04_linux_mint_19

    and then I started the client audit via python3.8 ssh-audit.py -c and then on a second terminal, I sshed into localhost port 2222.

    Expected: I expected all output to be green.

    What I got:

    # general
    (gen) client IP: 127.0.0.1
    (gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
    (gen) software: OpenSSH 7.6p1
    (gen) compression: enabled ([email protected], zlib)
    
    # key exchange algorithms
    (kex) curve25519-sha256                         -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    (kex) curve25519-sha256@libssh.org              -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp256                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp384                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp521                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) diffie-hellman-group-exchange-sha256      -- [info] available since OpenSSH 4.4
    (kex) diffie-hellman-group16-sha512             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group18-sha512             -- [info] available since OpenSSH 7.3
    (kex) diffie-hellman-group-exchange-sha1        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.3.0
    (kex) diffie-hellman-group14-sha256             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group14-sha1               -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
    (kex) ext-info-c
    
    # host-key algorithms
    (key) ecdsa-sha2-nistp256-cert-v01@openssh.com  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) ecdsa-sha2-nistp384-cert-v01@openssh.com  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) ecdsa-sha2-nistp521-cert-v01@openssh.com  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) ssh-ed25519-cert-v01@openssh.com          -- [info] available since OpenSSH 6.5
    (key) ssh-rsa-cert-v01@openssh.com              -- [info] available since OpenSSH 5.6
    (key) ecdsa-sha2-nistp256                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp384                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp521                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ssh-ed25519                               -- [info] available since OpenSSH 6.5
    (key) rsa-sha2-512                              -- [info] available since OpenSSH 7.2
    (key) rsa-sha2-256                              -- [info] available since OpenSSH 7.2
    (key) ssh-rsa                                   -- [fail] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
    
    # encryption algorithms (ciphers)
    (enc) chacha20-poly1305@openssh.com             -- [info] available since OpenSSH 6.5
                                                    `- [info] default cipher since OpenSSH 6.9.
    (enc) aes128-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) aes192-ctr                                -- [info] available since OpenSSH 3.7
    (enc) aes256-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) aes128-gcm@openssh.com                    -- [info] available since OpenSSH 6.2
    (enc) aes256-gcm@openssh.com                    -- [info] available since OpenSSH 6.2
    
    # message authentication code algorithms
    (mac) umac-64-etm@openssh.com                   -- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 6.2
    (mac) umac-128-etm@openssh.com                  -- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-256-etm@openssh.com             -- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-512-etm@openssh.com             -- [info] available since OpenSSH 6.2
    (mac) hmac-sha1-etm@openssh.com                 -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 6.2
    (mac) umac-64@openssh.com                       -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 4.7
    (mac) umac-128@openssh.com                      -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-256                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha2-512                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha1                                 -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
    
    # algorithm recommendations (for OpenSSH 7.6)
    (rec) -diffie-hellman-group-exchange-sha1       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp256                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp384                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp521                       -- kex algorithm to remove 
    (rec) -ecdsa-sha2-nistp256                      -- key algorithm to remove 
    (rec) -ecdsa-sha2-nistp256-cert-v01@openssh.com -- key algorithm to remove
    (rec) -ecdsa-sha2-nistp384                      -- key algorithm to remove
    (rec) -ecdsa-sha2-nistp384-cert-v01@openssh.com -- key algorithm to remove
    (rec) -ecdsa-sha2-nistp521                      -- key algorithm to remove
    (rec) -ecdsa-sha2-nistp521-cert-v01@openssh.com -- key algorithm to remove
    (rec) -ssh-rsa                                  -- key algorithm to remove 
    (rec) -diffie-hellman-group14-sha1              -- kex algorithm to remove 
    (rec) -hmac-sha1                                -- mac algorithm to remove 
    (rec) -hmac-sha1-etm@openssh.com                -- mac algorithm to remove
    (rec) -hmac-sha2-256                            -- mac algorithm to remove 
    (rec) -hmac-sha2-512                            -- mac algorithm to remove 
    (rec) -umac-128@openssh.com                     -- mac algorithm to remove
    (rec) -umac-64-etm@openssh.com                  -- mac algorithm to remove
    (rec) -umac-64@openssh.com                      -- mac algorithm to remove
    
    # additional info
    (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    

    My ssh config contains some jumphost configurations, and then at the bottom your suggested changes which I echoed into the file.

    # lots of hosts...
    
    Host xxx
        Hostname 192.168.1.220
        ProxyJump yyy
    
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa-cert-v01@openssh.com
    
    

    I tried to google about client hardening, but almost all information out there is about server hardening.

    Any hint for me what to do?

    Thanks!

    opened by jugmac00 11
  • Add OpenSSH 8 recommendations

    Add OpenSSH 8 recommendations

    Hi Joe,

    The tool currently suggests recommended settings for OpenSSH 7.6, but I currently have OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019, so it would be great to have up-to-date kex/mac/etc. recommendations on what to enable, disable, and so on. There might be such in the official docs, but the tool should make it easy to find them via its output.

    # algorithm recommendations (for OpenSSH 7.6)
    ...
    
    opened by immanuelfodor 11
  • Feature request: Consider host entries in .ssh/config

    Feature request: Consider host entries in .ssh/config

    It would be convenient if host entries in .ssh/config (hostname, port) could be recognised and automatically be used, so an entry like

    Host staging
    	PubkeyAuthentication yes
    	IdentitiesOnly yes
    	IdentityFile ~/.ssh/id_ed25519
    	Hostname mystagingserver.domain.com
    	User dummy
    	Port 54321
    

    would allow a simple

    ssh-audit.py staging

    instead of a

    ssh-audit.py -p 54321 mystagingserver.domain.com

    opened by shoopdawoop 10
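Two things in these threads come down to how ssh(1) reads ssh_config: the hardened Ciphers/KexAlgorithms/MACs lines that the client-hardening post above appended after a `Host xxx` block, and the request here to let `ssh-audit staging` pick up Hostname and Port from a Host entry. Per ssh_config(5), a Host line restricts every directive that follows it up to the next Host or Match line, and the first obtained value for a keyword is the one used, so algorithm lines appended at the end of the file after a Host block apply only to that host. The resolver below is an added example written for this page; it is not ssh-audit or OpenSSH code. The config text and the `legacy` host are constructed, the WEAK_ALGORITHMS set is taken from the "mac algorithm to remove" lines shown above, and Match blocks are parsed but never applied.

```python
"""Resolve ssh_config settings the way ssh(1) does.

Added example for this page, not ssh-audit or OpenSSH code. It implements two
rules from ssh_config(5): a `Host` line scopes every directive that follows it
until the next Host/Match line, and the first obtained value for a keyword wins.
"""
import fnmatch

# Constructed sample modelled on the two configs posted in these threads. The
# algorithm lines at the bottom come after `Host xxx`, so they belong to that
# host only; `legacy` is an invented host carrying deliberately weak MACs.
SAMPLE_CONFIG = """\
Host staging
    PubkeyAuthentication yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519
    Hostname mystagingserver.domain.com
    User dummy
    Port 54321

Host legacy
    Hostname 10.0.0.7
    MACs hmac-sha2-256,hmac-sha1

Host xxx
    Hostname 192.168.1.220
    ProxyJump yyy

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

# Taken from the "(rec) ... mac algorithm to remove" lines shown earlier on
# this page; ssh-audit prints the complete list for the software it detects.
WEAK_ALGORITHMS = {
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com",
}
ALGORITHM_KEYWORDS = ("ciphers", "kexalgorithms", "macs", "hostkeyalgorithms")


def parse_ssh_config(text):
    """Split the file into (host patterns, [(keyword, value), ...]) blocks.

    Directives before the first Host line go into a catch-all '*' block.
    Match blocks get an empty pattern list and therefore never apply; this
    resolver does not evaluate Match criteria.
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        first = line.split(None, 1)[0]
        parts = line.split("=", 1) if "=" in first else line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].strip().lower(), parts[1].strip()
        if keyword == "host":
            blocks.append((value.split(), []))
        elif keyword == "match":
            blocks.append(([], []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks


def host_matches(patterns, alias):
    """Host matching per ssh_config(5): some positive pattern must match and
    no negated ('!') pattern may match."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(alias, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in positive)


def effective_settings(text, alias):
    """Walk blocks in file order; setdefault() implements first-value-wins."""
    settings = {}
    for patterns, directives in parse_ssh_config(text):
        if host_matches(patterns, alias):
            for keyword, value in directives:
                settings.setdefault(keyword, value)
    return settings


def resolve_target(text, alias):
    """What `ssh-audit staging` would need: (hostname, port), defaulting to
    the alias itself and port 22 like ssh(1) does."""
    settings = effective_settings(text, alias)
    return settings.get("hostname", alias), int(settings.get("port", 22))


def weak_algorithms(settings):
    """(keyword, algorithm) pairs that ssh-audit would tell you to remove."""
    found = []
    for keyword in ALGORITHM_KEYWORDS:
        for alg in settings.get(keyword, "").split(","):
            if alg.strip() in WEAK_ALGORITHMS:
                found.append((keyword, alg.strip()))
    return found


if __name__ == "__main__":
    for alias in ("staging", "legacy", "xxx"):
        settings = effective_settings(SAMPLE_CONFIG, alias)
        print(alias, resolve_target(SAMPLE_CONFIG, alias),
              "Ciphers in effect" if "ciphers" in settings else "Ciphers NOT in effect",
              weak_algorithms(settings))
```

Run as a script it prints, for each alias, the resolved target, whether a Ciphers line is in effect, and any weak algorithms: `staging` resolves to mystagingserver.domain.com:54321 but has no Ciphers line in effect, while `xxx` does. Before trusting a client audit (`ssh-audit -c`), confirm the hardened lines land in a block that matches every host, either before the first Host line or under a `Host *` block at the end of the file.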
  • Add an OPNsense SSH hardening guide

    Add an OPNsense SSH hardening guide

    Hi @jtesta,

    According to https://github.com/opnsense/core/issues/3975, there will be new SSH config options in OPNsense 20.7, so it'd be great to add these to the common OS list at https://www.ssh-audit.com/hardening_guides.html maybe below pfSense (as OPNsense is its fork).

    Until the new settings are released, users can enable them by running these commands on their OPNsense box/vm:

    opnsense-patch 5df590c
    opnsense-patch 1165119
    service configd restart
    

    As there is no ordering of the chosen algorithms (a limitation of the UI), advanced users who mess with these settings should pick the hardest options their SSH clients support. I'm happy that they added support for tweaking these at least.

    opened by immanuelfodor 10
  • v2.3.0 Milestones

    v2.3.0 Milestones

    @jtesta Hi Joe,

    At the end of July you mentioned that you were hoping to release v2.3.0.

    Are there some specific issues that you want to close before releasing v2.3.0? If so, perhaps they could be tagged as milestones.

    opened by thecliguy 9
  • SSH Connections - Additional Logging and Visibility of Errors

    SSH Connections - Additional Logging and Visibility of Errors

    ADDITIONAL LOGGING

    I'm planning on using ssh-audit in a production environment and would like to be able to demonstrate and record how aggressive a typical audit is.

    Currently verbose output only shows the initial SSH connection that's made to a target server:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/ssh_audit.py#L823

    However an audit actually makes multiple connections to a target server:

    1. The initial connection:
       ssh_audit.py: main --> audit --> err = s.connect()

    2. Obtaining host key(s):
       ssh_audit.py: main --> audit --> HostKeyTest.run(s, kex)
       hostkeytest.py: run --> perform_test --> err = s.connect()
       (err = s.connect() runs once per key type [rsa, ed25519, etc])

    3. Performing DH group exchange:
       ssh_audit.py: main --> audit --> GEXTest.run(s, kex)
       gextest.py: run --> GEXTest.reconnect --> err = s.connect()
       (GEXTest.reconnect runs once per group-exchange alg and once per modulus length for each group-exchange alg)

    @jtesta Would you be happy to entertain the idea of adding some additional logging so that each SSH connection is output? If that sounds OK, do you want this to be added to the existing verbose output or would it be more appropriate to add a new --debug parameter?

    VISIBILITY OF ERRORS

    When obtaining host key(s) and performing DH group exchange, if s.connect() or get_banner() produce an error then currently the error message is suppressed:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/hostkeytest.py#L109-L116

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/gextest.py#L45-L52

    Should we at least display a warning rather than hiding errors?

    opened by thecliguy 8
  • ssh-rsa Host Key Algorithm

    ssh-rsa Host Key Algorithm

    @jtesta Hi Joe

    The OpenSSH 8.3 release notes include a future deprecation notice where it says: "...we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release".

    Is it worth updating ssh-rsa in ssh2_kexdb.py to mention something like "A future deprecation notice has been issued in OpenSSH 8.3, see https://www.openssh.com/txt/release-8.3." ?

    When I researched the deprecation of ssh-rsa, there seems to be a degree of confusion about the whole thing. So before you do anything, it's probably a good idea to check and make sure that you agree with my interpretation and that I'm not perpetuating incorrect information.

    opened by thecliguy 8
  • Batch scanning fail

    Batch scanning fail

    Hello,

    When I try to scan a batch of targets in a file, if one of them gets a [exception] cannot connect to 127.0.0.1 port 22 : timed out or connection refused, the scan fails. I tried specifying the -b flag but that did not help much. The workaround was to just cat the file and run it in parallel/xargs. But I still figured I should let you know.

    opened by gbiagomba 8
  • Dropbear ssh hardening guide addition

    Dropbear ssh hardening guide addition

    The current release of dropbear can be hardened by building it with the following three lines added to localoptions.h:

    #define DROPBEAR_RSA_SHA1 0
    #define DROPBEAR_DH_GROUP14_SHA1 0
    #define DROPBEAR_SHA1_HMAC 0
    

    Wondering if you would like to add this to your hardening guide.

    Reference: https://github.com/mkj/dropbear/issues/138

    opened by graysky2 0
  • Only SHA256 fingerprints are calculated - no MD5 and SHA512

    Only SHA256 fingerprints are calculated - no MD5 and SHA512

    When scanning a remote server, only the sha256 fingerprints are shown.

    It would make sense to calculate the fingerprint with different hash algorithms, because not every client uses a SHA256 hash for fingerprint calculation.

    The following hash algorithms should be used:

    • MD5 (deprecated but there are still clients which are using MD5)
    • SHA512 (rarely used but some clients exist which are using SHA512 fingerprints)

    I know those algorithms are not common, but as long as some clients are using those, ssh-audit should calculate the fingerprints.

    opened by hmaier1996 2
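The fingerprint formats the request asks for are the ones `ssh-keygen -l -E <hash>` prints: MD5 as colon-separated hex, SHA256 and SHA512 as unpadded base64 of the digest, all computed over the raw key blob that follows the key type in a known_hosts or authorized_keys line. The code below is an added example written for this page, not ssh-audit code; the ed25519 key is constructed from 32 zero bytes and is not a real key, and the comment field is invented. It also checks that the type named inside the blob matches the declared type, a cheap sanity check on a hand-edited known_hosts entry.

```python
"""Host-key fingerprints in MD5, SHA256 and SHA512 form.

Added example for this page, not ssh-audit code. Formats follow ssh-keygen(1):
MD5 is colon-separated hex, the SHA variants are unpadded base64 of the digest
over the raw key blob (the base64 field of a known_hosts/authorized_keys line).
"""
import base64
import hashlib
import struct


def pack_string(data):
    """SSH wire 'string' from RFC 4251: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(blob, offset=0):
    """Inverse of pack_string; returns (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def build_ed25519_blob(raw_public_key):
    """Key blob layout for ssh-ed25519: string "ssh-ed25519", string key."""
    return pack_string(b"ssh-ed25519") + pack_string(raw_public_key)


# Constructed sample line; 32 zero bytes stand in for a real ed25519 public key.
SAMPLE_KEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(build_ed25519_blob(bytes(32))).decode() + " example@host"
)


def fingerprints(key_line):
    """Return {"type", "MD5", "SHA256", "SHA512"} for one public-key line.

    Raises ValueError when the type declared in the line does not match the
    type embedded in the blob, which would make the fingerprint meaningless.
    """
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared_type, blob = fields[0], base64.b64decode(fields[1])
    blob_type, _ = read_string(blob)
    if blob_type.decode() != declared_type:
        raise ValueError(f"declared {declared_type} but blob says {blob_type.decode()}")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "type": declared_type,
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "SHA256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "SHA512": "SHA512:" + base64.b64encode(hashlib.sha512(blob).digest()).decode().rstrip("="),
    }


if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_KEY_LINE).items():
        print(f"{name}: {value}")
```

To compare against a live server, feed it a line from `ssh-keyscan -t ed25519 <host>`; the SHA256 value is the one ssh-audit already prints, and the MD5 value is what older clients such as legacy PuTTY builds display.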
  • LookupError: unknown encoding: idna

    LookupError: unknown encoding: idna

    I get an exception when scanning some targets using targets file. When scanning these targets manually, it works fine.

    I'm using ssh-audit.exe version 2.5 on a Windows 10 VM. To me it looks like an issue of a missing import: import encodings.idna

    An exception occurred while scanning 10.2xx.xx.xx:22: Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna



    opened by kastahl 6
  • Python file

    Python file

    (output truncated)

    $ pip3 show -f ssh-audit
    Version: 2.5.0
    License: UNKNOWN
    Location: /usr/local/lib/python3.10/site-packages
    Requires: 
    Required-by: 
    Files:
      ../../../bin/ssh-audit
      ssh_audit-2.5.0.dist-info/LICENSE
    

    Hello. Whether known to Python or not, the license is duly mentioned here

    $ cat /usr/local/lib/python3.10/site-packages/ssh_audit-2.5.0.dist-info/LICENSE | awk 'NF'| head -2
    The MIT License (MIT)
    Copyright (C) 2017-2020 Joe Testa ([email protected])
    

    Whichever side the issue has its root on, it is worth fixing. The copyright end year might also need to be brought up to date. Worth noting that an en dash (–) is what usage prescribes for a range of dates, not a hyphen (-), which developers commonly misuse.

    opened by Ricky-Tigg 2
  • [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    Hi!

    I'm working on a product that needs to implement ssh / scp itself. I've read dozens of RFCs already, but would still rather not implement everything myself. As such I've opted to use Apache Mina SSHD.

    Trying to disable the ecdsa-sha2-nistp521 signature, however, seems to be problematic. I can see that ssh-audit tries connecting with only that signature algorithm, and then the server implementation concludes that a session cannot be negotiated properly. As such it sends the message SSH_MSG_DISCONNECT (1) while logging the error message: "SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - sendKexInit() no resolved signatures available".

    However ssh-audit then fails to execute with the following message: [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1). Reading RFC 4253, I would say that this is to be expected though, as on page 18 it says:

      If no algorithm satisfying all these conditions can be found, the
      connection fails, and both sides MUST disconnect.
    

    My test code uses containers (testcontainers-java) and JUnit. For reference:

    import lombok.Cleanup;
    import lombok.extern.slf4j.Slf4j;
    import org.junit.jupiter.api.Test;
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.containers.output.Slf4jLogConsumer;
    import org.testcontainers.containers.startupcheck.IndefiniteWaitOneShotStartupCheckStrategy;
    import org.testcontainers.junit.jupiter.Testcontainers;
    import org.testcontainers.utility.MountableFile;
    
    import java.io.IOException;
    
    import static org.testcontainers.Testcontainers.exposeHostPorts;
    
    @Slf4j
    @Testcontainers
    public final class SSHTest {
        // Name under which Testcontainers exposes the host to containers; the
        // debug output below shows ssh-audit resolving it.
        private static final String SSH_URL = "host.testcontainers.internal";
        private static final int SSH_PORT = 2222;
    
    
        @Test
        public void testAudit() throws Exception {
            // createLauncher() starts the Apache MINA SSHD server under test on
            // SSH_PORT; its implementation is not included in this report.
            @Cleanup final var launcher = createLauncher();
            launcher.start();
    
            // make the host port reachable from inside the ssh-audit container
            exposeHostPorts(SSH_PORT);
    
            // one-shot container: the startup check waits for ssh-audit to exit
            @Cleanup final var container = createContainerAudit();
            container.start();
        }
    
        private static GenericContainer<?> createContainerAudit() {
            return new SSHAudit(new SSHAudit.Config(SSH_URL, SSH_PORT))
                .withLogConsumer(new Slf4jLogConsumer(log))
                .withStartupCheckStrategy(new IndefiniteWaitOneShotStartupCheckStrategy());
        }
    }
    
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.utility.DockerImageName;
    
    // Wraps the official ssh-audit image; the arguments become the command line
    // of ssh-audit.py inside the container.
    final class SSHAudit extends GenericContainer<SSHAudit> {
        public SSHAudit(final Config config) {
            super(DockerImageName.parse("positronsecurity/ssh-audit"));
            this.setCommand(
                "-b",
    //            "-l", "warn",
                config.url()
            );
        }
    
        public record Config(
            String host,
            int port
        ) {
            String url() {
                return this.host + ":" + this.port;
            }
        }
    }
    

    The cause of the error is linked here

    I'm unsure how one would approach this though, as I have not yet understood the code base. My suggestion would be to check if the server disconnected, but I can see that the protocol definition currently has no such field.

    EDIT:

    Output of Help Menu running in Docker Container
    [main] INFO 🐳 [positronsecurity/ssh-audit:latest] - Container positronsecurity/ssh-audit:latest started in PT1.5658137S
    
    STDOUT # ssh-audit.py v2.5.0, https://github.com/jtesta/ssh-audit
    STDOUT 
    STDOUT usage: ssh-audit.py [options] <host>
    STDOUT 
    STDOUT    -h,  --help             print this help
    STDOUT    -1,  --ssh1             force ssh version 1 only
    STDOUT    -2,  --ssh2             force ssh version 2 only
    STDOUT    -4,  --ipv4             enable IPv4 (order of precedence)
    STDOUT    -6,  --ipv6             enable IPv6 (order of precedence)
    STDOUT    -b,  --batch            batch output
    STDOUT    -c,  --client-audit     starts a server on port 2222 to audit client
    STDOUT                                software config (use -p to change port;
    STDOUT                                use -t to change timeout)
    STDOUT    -d,  --debug            debug output
    STDOUT    -j,  --json             JSON output (use -jj to enable indents)
    STDOUT    -l,  --level=<level>    minimum output level (info|warn|fail)
    STDOUT    -L,  --list-policies    list all the official, built-in policies
    STDOUT         --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
    STDOUT                                     connecting to a server
    STDOUT    -M,  --make-policy=<policy.txt>  creates a policy based on the target server
    STDOUT                                     (i.e.: the target server has the ideal
    STDOUT                                     configuration that other servers should
    STDOUT                                     adhere to)
    STDOUT    -m,  --manual           print the man page (Windows only)
    STDOUT    -n,  --no-colors        disable colors
    STDOUT    -p,  --port=<port>      port to connect
    STDOUT    -P,  --policy=<policy.txt>  run a policy test using the specified policy
    STDOUT    -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
    STDOUT                                (default: 5)
    STDOUT    -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
    STDOUT                                    per line, format HOST[:PORT]).  Use --threads
    STDOUT                                    to control concurrent scans.
    STDOUT         --threads=<threads>    number of threads to use when scanning multiple
    STDOUT                                    targets (-T/--targets) (default: 32)
    STDOUT    -v,  --verbose          verbose output
    STDOUT 
    END 
    
    Output of --debug running in Docker Container (Error).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)
    END 
    ...
    
    Output of --debug running in Docker Container (Successful, but audit fails).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] ecdsa-sha2-nistp521 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    
    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 512...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 768...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1024...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1536...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 2048...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
    STDOUT (gen) compression: enabled (zlib, [email protected])
    STDOUT (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    STDOUT (kex) [email protected] -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    STDOUT (kex) curve448-sha512
    STDOUT (kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
    STDOUT (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
    STDOUT (kex) diffie-hellman-group17-sha512
    STDOUT (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) diffie-hellman-group15-sha512
    STDOUT (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) ext-info-s
    STDOUT (key) ecdsa-sha2-nistp521 -- [fail] using weak elliptic curves
    STDOUT (key) ecdsa-sha2-nistp521 -- [warn] using weak random number generator could reveal the key
    STDOUT (key) ecdsa-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.5
    STDOUT (enc) [email protected] -- [info] default cipher since OpenSSH 6.9.
    STDOUT (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) aes192-ctr -- [info] available since OpenSSH 3.7
    STDOUT (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (rec) -ecdsa-sha2-nistp521 -- key algorithm to remove 
    STDOUT (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    END 
    
    
    opened by BjoernAkAManf 3
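The issue above is about a message ordering that RFC 4253 allows: when the name-list negotiation yields no common algorithm, the connection fails and the side that notices sends SSH_MSG_DISCONNECT (1) instead of continuing, and Apache MINA's SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE corresponds to reason code 9 in section 11.1. The code below is an added example written for this page and is not ssh-audit's packet code: it frames and parses unencrypted binary packets (section 6), builds and parses KEXINIT (7.1) and DISCONNECT (11.1), and shows the dispatch ssh-audit would need so that a DISCONNECT received while waiting for KEXINIT is reported with its reason rather than as an unknown message. The cookie and padding are random bytes; no server is contacted.

```python
"""Tell SSH_MSG_DISCONNECT apart from an unexpected message during KEX.

Added example for this page, not ssh-audit code. Wire formats are taken from
RFC 4253: binary packet framing (section 6), KEXINIT (7.1) and DISCONNECT with
its reason codes (11.1). Packets are built locally; nothing is sent anywhere.
"""
import os
import struct

SSH_MSG_DISCONNECT = 1
SSH_MSG_KEXINIT = 20
DISCONNECT_REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED",
    4: "RESERVED", 5: "MAC_ERROR", 6: "COMPRESSION_ERROR", 7: "SERVICE_NOT_AVAILABLE",
    8: "PROTOCOL_VERSION_NOT_SUPPORTED", 9: "HOST_KEY_NOT_VERIFIABLE",
    10: "CONNECTION_LOST", 11: "BY_APPLICATION", 12: "TOO_MANY_CONNECTIONS",
    13: "AUTH_CANCELLED_BY_USER", 14: "NO_MORE_AUTH_METHODS_AVAILABLE", 15: "ILLEGAL_USER_NAME",
}
# The ten name-lists of KEXINIT, in wire order.
KEXINIT_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                 "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def pack_string(data):
    """SSH 'string': uint32 length then bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf, offset):
    """Inverse of pack_string; returns (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated string")
    return buf[start:start + length], start + length


def frame_packet(payload, block_size=8):
    """Unencrypted binary packet: uint32 packet_length, byte padding_length,
    payload, random padding (at least 4 bytes, total a multiple of block_size)."""
    padding = block_size - ((len(payload) + 5) % block_size)
    if padding < 4:
        padding += block_size
    return struct.pack(">IB", len(payload) + padding + 1, padding) + payload + os.urandom(padding)


def unframe_packet(data):
    """Return the payload; rejects lengths that do not agree with the buffer."""
    packet_length, padding_length = struct.unpack_from(">IB", data, 0)
    if packet_length + 4 != len(data) or padding_length + 1 > packet_length:
        raise ValueError("bad packet framing")
    return data[5:5 + packet_length - padding_length - 1]


def build_kexinit(**name_lists):
    """KEXINIT: byte 20, 16-byte cookie, ten name-lists, boolean, uint32 0."""
    body = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
    for name in KEXINIT_LISTS:
        body += pack_string(",".join(name_lists.get(name, [])).encode())
    return body + b"\x00" + struct.pack(">I", 0)


def build_disconnect(reason_code, description, language=""):
    """DISCONNECT: byte 1, uint32 reason code, string description, string language tag."""
    return (bytes([SSH_MSG_DISCONNECT]) + struct.pack(">I", reason_code)
            + pack_string(description.encode()) + pack_string(language.encode()))


def parse_message(payload):
    """Dispatch on the message number. A DISCONNECT while waiting for KEXINIT
    is a legitimate RFC 4253 outcome (no common algorithm), not an unknown message."""
    if not payload:
        raise ValueError("empty payload")
    msg = payload[0]
    if msg == SSH_MSG_DISCONNECT:
        (reason,) = struct.unpack_from(">I", payload, 1)
        description, _ = read_string(payload, 5)
        return {"type": "DISCONNECT", "reason_code": reason,
                "reason": DISCONNECT_REASONS.get(reason, "UNKNOWN"),
                "description": description.decode(errors="replace")}
    if msg == SSH_MSG_KEXINIT:
        offset, result = 17, {"type": "KEXINIT"}  # skip message byte and cookie
        for name in KEXINIT_LISTS:
            raw, offset = read_string(payload, offset)
            result[name] = raw.decode().split(",") if raw else []
        return result
    return {"type": "UNKNOWN", "msg": msg}


def negotiate_hostkey(client_offer, server_offer):
    """RFC 4253 7.1: the first client-preferred algorithm also offered by the
    server wins; None means both sides MUST disconnect."""
    return next((alg for alg in client_offer if alg in server_offer), None)
```

The KEXINIT parser yields exactly the per-direction lists ssh-audit reports as (kex), (key), (enc) and (mac); `negotiate_hostkey` reproduces the situation in the report, a client offering only ecdsa-sha2-nistp521 against a server that has disabled it, and the DISCONNECT branch is what turns "unknown message (1)" into "HOST_KEY_NOT_VERIFIABLE: no resolved signatures available".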
Releases(v2.5.0)
Owner
Joe Testa
Principal penetration tester and founder of Positron Security. @therealjoetesta