ssh-audit is a tool for ssh server & client configuration auditing.

Overview

ssh-audit

License PyPI Downloads Docker Pulls Build Status PRs Welcome

ssh-audit is a tool for ssh server & client configuration auditing.

jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.

Features

  • SSH1 and SSH2 protocol server support;
  • analyze SSH client configuration;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • output security information (related issues, assigned CVE list, etc);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • policy scans to ensure adherence to a hardened/standard configuration;
  • runs on Linux and Windows;
  • supports Python 3.6 - 3.9;
  • no dependencies

Usage

run a policy test using the specified policy -t, --timeout= timeout (in seconds) for connection and reading (default: 5) -T, --targets= a file containing a list of target hosts (one per line, format HOST[:PORT]) --threads= number of threads to use when scanning multiple targets (-T/--targets) (default: 32) -v, --verbose verbose output ">
usage: ssh-audit.py [options] 
      
       

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -d,  --debug            Enable debug output.
   -j,  --json             JSON output (use -jj to enable indents)
   -l,  --level=
       
            minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
        --lookup=
        
             looks up an algorithm(s) without
                                    connecting to a server
   -m,  --manual           print the man page (Windows only)
   -M,  --make-policy=
         
            creates a policy based on the target server
                                    (i.e.: the target server has the ideal
                                    configuration that other servers should
                                    adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=
          
            port to connect -P, --policy=<"policy name" | policy.txt> run a policy test using the specified policy -t, --timeout=
           
             timeout (in seconds) for connection and reading (default: 5) -T, --targets=
            
              a file containing a list of target hosts (one per line, format HOST[:PORT]) --threads=
             
               number of threads to use when scanning multiple targets (-T/--targets) (default: 32) -v, --verbose verbose output 
             
            
           
          
         
        
       
      
  • if both IPv4 and IPv6 are used, order of precedence can be set by using either -46 or -64.
  • batch flag -b will output sections without header and without empty lines (implies verbose flag).
  • verbose flag -v will prefix each line with section type and algorithm name.
  • an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).

Basic server auditing:

ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222

To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):

ssh-audit -T servers.txt

To audit a client configuration (listens on port 2222 by default; connect using ssh -p 2222 [email protected]):

ssh-audit -c

To audit a client configuration, with a listener on port 4567:

ssh-audit -c -p 4567

To list all official built-in policies (hint: use resulting policy names with -P/--policy):

ssh-audit -L

To run a policy audit against a server:

ssh-audit -P ["policy name" | path/to/server_policy.txt] targetserver

To run a policy audit against a client:

ssh-audit -c -P ["policy name" | path/to/client_policy.txt]

To run a policy audit against many servers:

ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]

To create a policy based on a target server (which can be manually edited):

ssh-audit -M new_policy.txt targetserver

Screenshots

Server Standard Audit Example

Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service: screenshot

Server Policy Audit Example

Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine (hint: use -L/--list-policies to see names of built-in policies to use with -P/--policy): screenshot

After applying the steps in the hardening guide (see below), the output changes to the following: screenshot

Client Standard Audit Example

Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects: client_screenshot

Hardening Guides

Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html

Pre-Built Packages

Pre-built packages are available for Windows (see the releases page), PyPI, Snap, and Docker.

To install from PyPI:

$ pip3 install ssh-audit

To install the Snap package:

$ snap install ssh-audit

To install from Dockerhub:

$ docker pull positronsecurity/ssh-audit

(Then run with: docker run -it -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1)

Web Front-End

For convenience, a web front-end on top of the command-line tool is available at https://www.ssh-audit.com/.

ChangeLog

v2.6.0-dev

  • Snap packages now print more user-friendly error messages when permission errors are encountered.
  • JSON 'target' field now always includes port number; credit tomatohater1337.
  • Added 24 new key exchanges: ecdh-sha2-1.3.132.0.1, ecdh-sha2-1.2.840.10045.3.1.1, ecdh-sha2-1.3.132.0.33, ecdh-sha2-1.3.132.0.26, ecdh-sha2-1.3.132.0.27, ecdh-sha2-1.2.840.10045.3.1.7, ecdh-sha2-1.3.132.0.16, ecdh-sha2-1.3.132.0.34, ecdh-sha2-1.3.132.0.36, ecdh-sha2-1.3.132.0.37, ecdh-sha2-1.3.132.0.35, ecdh-sha2-1.3.132.0.38, ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==, ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==, ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==, ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==, ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==, ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==, ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==, ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==, ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==, ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==, ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==, ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==.

v2.5.0 (2021-08-26)

  • Fixed crash when running host key tests.
  • Handles server connection failures more gracefully.
  • Now prints JSON with indents when -jj is used (useful for debugging).
  • Added MD5 fingerprints to verbose output.
  • Added -d/--debug option for getting debugging output; credit Adam Russell.
  • Updated JSON output to include MD5 fingerprints. Note that this results in a breaking change in the 'fingerprints' dictionary format.
  • Updated OpenSSH 8.1 (and earlier) policies to include rsa-sha2-512 and rsa-sha2-256.
  • Added OpenSSH v8.6 & v8.7 policies.
  • Added 3 new key exchanges: gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==, gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==, and gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==.
  • Added 3 new MACs: hmac-ripemd160-96, AEAD_AES_128_GCM, and AEAD_AES_256_GCM.

v2.4.0 (2021-02-23)

  • Added multi-threaded scanning support.
  • Added built-in Windows manual page (see -m/--manual); credit Adam Russell.
  • Added version check for OpenSSH user enumeration (CVE-2018-15473).
  • Added deprecation note to host key types based on SHA-1.
  • Added extra warnings for SSHv1.
  • Added built-in hardened OpenSSH v8.5 policy.
  • Upgraded warnings to failures for host key types based on SHA-1.
  • Fixed crash when receiving unexpected response during host key test.
  • Fixed hang against older Cisco devices during host key test & gex test.
  • Fixed improper termination while scanning multiple targets when one target returns an error.
  • Dropped support for Python 3.5 (which reached EOL in Sept. 2020).
  • Added 1 new key exchange: [email protected].

v2.3.1 (2020-10-28)

  • Now parses public key sizes for [email protected] and [email protected] host key types.
  • Flag [email protected] as a failure due to SHA-1 hash.
  • Fixed bug in recommendation output which suppressed some algorithms inappropriately.
  • Built-in policies now include CA key requirements (if certificates are in use).
  • Lookup function (--lookup) now performs case-insensitive lookups of similar algorithms; credit Adam Russell.
  • Migrated pre-made policies from external files to internal database.
  • Split single 3,500 line script into many files (by class).
  • Added setup.py support; credit Ganden Schaffner.
  • Added 1 new cipher: [email protected].

v2.3.0 (2020-09-27)

  • Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see -L/--list-policies, -M/--make-policy and -P/--policy). For an in-depth tutorial, see https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/.
  • Created new man page (see ssh-audit.1 file).
  • 1024-bit moduli upgraded from warnings to failures.
  • Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit Jürgen Gmach.
  • Added feature to look up algorithms in internal database (see --lookup); credit Adam Russell.
  • Suppress recommendation of token host key types.
  • Added check for use-after-free vulnerability in PuTTY v0.73.
  • Added 11 new host key types: ssh-rsa1, [email protected], ssh-gost2001, ssh-gost2012-256, ssh-gost2012-512, spki-sign-rsa, ssh-ed448, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256.
  • Added 8 new key exchanges: diffie-hellman-group1-sha256, kexAlgoCurve25519SHA256, Curve25519SHA256, gss-group14-sha256-, gss-group15-sha512-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-.
  • Added 5 new ciphers: blowfish, AEAD_AES_128_GCM, AEAD_AES_256_GCM, [email protected], [email protected].
  • Added 3 new MACs: [email protected], hmac-sha3-224, [email protected].

v2.2.0 (2020-03-11)

v2.1.1 (2019-11-26)

  • Added 2 new host key types: [email protected], [email protected].
  • Added 2 new ciphers: des, 3des.
  • Added 3 new PuTTY vulnerabilities.
  • During client testing, client IP address is now listed in output.

v2.1.0 (2019-11-14)

  • Added client software auditing functionality (see -c / --client-audit option).
  • Added JSON output option (see -j / --json option; credit Andreas Jaggi).
  • Fixed crash while scanning Solaris Sun_SSH.
  • Added 9 new key exchanges: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha1-, gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==, gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==, diffie-hellman-group15-sha256, ecdh-sha2-1.3.132.0.10, curve448-sha512.
  • Added 1 new host key type: ecdsa-sha2-1.3.132.0.10.
  • Added 4 new ciphers: idea-cbc, serpent128-cbc, serpent192-cbc, serpent256-cbc.
  • Added 6 new MACs: [email protected], [email protected], hmac-ripemd, [email protected], [email protected], [email protected].

v2.0.0 (2019-08-29)

  • Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
  • Added RSA host key length test.
  • Added RSA certificate key length test.
  • Added Diffie-Hellman modulus size test.
  • Now outputs host key fingerprints for RSA and ED25519.
  • Added 5 new key exchanges: [email protected], [email protected], [email protected], diffie-hellman-group16-sha256, diffie-hellman-group17-sha512.
  • Added 3 new encryption algorithms: des-cbc-ssh1, blowfish-ctr, twofish-ctr.
  • Added 10 new MACs: hmac-sha2-56, hmac-sha2-224, hmac-sha2-384, hmac-sha3-256, hmac-sha3-384, hmac-sha3-512, hmac-sha256, [email protected], hmac-sha512, [email protected].
  • Added command line argument (-t / --timeout) for connection & reading timeouts.
  • Updated CVEs for libssh & Dropbear.

v1.7.0 (2016-10-26)

  • implement options to allow specify IPv4/IPv6 usage and order of precedence
  • implement option to specify remote port (old behavior kept for compatibility)
  • add colors support for Microsoft Windows via optional colorama dependency
  • fix encoding and decoding issues, add tests, do not crash on encoding errors
  • use mypy-lang for static type checking and verify all code

v1.6.0 (2016-10-14)

  • implement algorithm recommendations section (based on recognized software)
  • implement full libssh support (version history, algorithms, security, etc)
  • fix SSH-1.99 banner recognition and version comparison functionality
  • do not output empty algorithms (happens for misconfigured servers)
  • make consistent output for Python 3.x versions
  • add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
  • use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)

v1.5.0 (2016-09-20)

  • create security section for related security information
  • match and output assigned CVE list and security issues for Dropbear SSH
  • implement full SSH1 support with fingerprint information
  • automatically fallback to SSH1 on protocol mismatch
  • add new options to force SSH1 or SSH2 (both allowed by default)
  • parse banner information and convert it to specific software and OS version
  • do not use padding in batch mode
  • several fixes (Cisco sshd, rare hangs, error handling, etc)

v1.0.20160902

  • implement batch output option
  • implement minimum output level option
  • fix compatibility with Python 2.6

v1.0.20160812

  • implement SSH version compatibility feature
  • fix wrong mac algorithm warning
  • fix Dropbear SSH version typo
  • parse pre-banner header
  • better errors handling

v1.0.20160803

  • use OpenSSH 7.3 banner
  • add new key-exchange algorithms

v1.0.20160207

  • use OpenSSH 7.2 banner
  • additional warnings for OpenSSH 7.2
  • fix OpenSSH 7.0 failure messages
  • add rijndael-cbc failure message from OpenSSH 6.7

v1.0.20160105

  • multiple additional warnings
  • support for none algorithm
  • better compression handling
  • ensure reading enough data (fixes few Linux SSH)

v1.0.20151230

  • Dropbear SSH support

v1.0.20151223

  • initial version
Comments
  • Man Page on Windows

    Man Page on Windows

    I'm contemplating whether it would be possible make the man page available in Windows.

    This is not a complete solution, these are just my initial thoughts exploring what would be required and how we might go about doing it... Any thoughts, feedback or suggestions would be welcome...

    Converting the man page to a readable format for the Windows console

    Since Windows doesn't have a manual reader, the man page would need to be converted to a format that can be rendered in the Windows console. This would have to be performed as part of the build process when there's a new release.

    One option would be to simply convert it to plain text output. This conversion can be achieved as follows:

    MANWIDTH=80 man ./ssh-audit.1 > ssh_audit_windows_man.txt
    

    In Windows 10, the console is capable of interpreting ANSI escape sequences (also known as VT escape sequences). So another option would be to convert the man page to ANSI escape sequence formatted output, this would preserve any typographical emphasis that's present in the original man page, such as bold and underlined text. This conversion can be achieved as follows:

    # * man outputs a backspace-overwrite sequence rather than an ANSI escape 
    #   sequence.
    # * 'MAN_KEEP_FORMATTING' preserves the backspace-overwrite sequence when 
    #   redirected to a file or a pipe.
    # * The 'ul' command converts the backspace-overwrite sequence to an ANSI escape 
    #   sequence.
    
    MANWIDTH=80 MAN_KEEP_FORMATTING=1 man ./ssh-audit.1 | ul > ssh_audit_windows_man.txt
    

    Example of an ANSI escape sequence formatted man page on Windows 10

    import os
    os.system("color")
    
    f = open('c:\\bitbucket\\ssh_audit_windows_man.txt', encoding="utf-8")
    file_contents = f.read()
    print (file_contents)
    f.close()
    

    man-page-on-windows

    Displaying the man page

    Displaying the man page could perhaps be invoked using a command line parameter such as:

    ssh-audit.exe --manual
    

    Packaging the converted man page

    Currently the Windows package is a standalone executable with no external dependencies. Ideally any solution that's adopted would preserve this.

    Does anyone know of a way that the man page (in its converted format) could be embedded into the ssh-audit executable without having to ship an external text file?

    opened by thecliguy 35
  • Group Size Enumeration of diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256

    Group Size Enumeration of diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256

    I've encountered an SSH server where the Diffie-Hellman group size used by the key exchange algorithm diffie-hellman-group-exchange-sha256 is hardcoded and cannot be seen or configured by an administrator.

    My plan was to use ssh-audit to scan the server and find out more information about the supported group size(s) but then I realised that ssh-audit only returns the minimum value.

    I studied RFC 4419 which explains how the client requests a modulus from the server by specifying a minimum, a preferred and a maximum value (expressed in bits). The send_init_gex function in ssh-audit has been implemented as per the explanation in RFC 4419, it accepts minbits, prefbits and maxbits.

    I was able to modify gextest.py to invoke send_init_gex with minbits, prefbits and maxbits of the same value from 0 to 8192. This gave me the answer I was looking for, it showed that the server was configured with group sizes of 1024, 2048, 3072, 4096 and 6144. Using this information I can now contact the manufacturer of the SSH server software and ask if they will consider removing 1024.

    @jtesta What do you think about about adding group size enumeration as a feature to ssh-audit? I could submit my patch as a draft for you to review?

    Enumerating every value from 0 to 8192 is a slow process because it has to make a new connection to the target server each time. In my case this was not a problem because I ran the patched version of ssh-audit on the SSH server itself. However, if someone were to attempt this over a network it may cause a firewall's rate control to be triggered resulting in requests being blocked. So we'd probably need to mention this as a potential caveat in the documentation.

    opened by thecliguy 26
  • Show MD5 Hash of Fingerprint in Verbose Output

    Show MD5 Hash of Fingerprint in Verbose Output

    When when verifying host keys, PuTTY, plink and psftp use an md5 hash rather than a sha256 hash.

    plink 0.74 - Example Output (click to expand):

    C:\sandbox>plink.exe -v scanme.nmap.org
    Looking up host "scanme.nmap.org" for SSH connection
    Connecting to 45.33.32.156 port 22
    We claim version: SSH-2.0-PuTTY_Release_0.74
    Remote version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
    We believe remote version has SSH-2 channel request bug
    Using SSH protocol version 2
    No GSSAPI security context available
    Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
    Server also has ecdsa-sha2-nistp256/ssh-dss/ssh-rsa host keys, but we don't know any of them
    Host key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    The server's host key is not cached in the registry. You
    have no guarantee that the server is the computer you
    think it is.
    The server's ssh-ed25519 key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    If you trust this host, enter "y" to add the key to
    PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without
    adding the key to the cache, enter "n".
    If you do not trust this host, press Return to abandon the
    connection.
    Store key in cache? (y/n) 
    

    Currently ssh-audit only shows fingerprints in the form of a sha256 hash. Do you have any objection to also showing the md5 hash if the verbose (-v/--verbose) parameter has been provided?

    I've built a proof-of-concept that I can share.

    By the way, the Fingerprint class is already capable of producing an md5 hash, it's just not currently used: https://github.com/jtesta/ssh-audit/blob/2f1a2a60b153509612a450173041fb698177dc45/src/ssh_audit/fingerprint.py#L33-L37

    opened by thecliguy 14
  • client audit vs client hardening guide

    client audit vs client hardening guide

    Hi @jtesta

    I just discovered the client hardening mode.

    I run Ubuntu 18.04 on my laptop.

    I applied the changes from your hardening guide

    https://www.ssh-audit.com/hardening_guides.html#ubuntu_18_04_linux_mint_19

    and then I started the client audit via python3.8 ssh-audit.py -c and then on a second terminal, I sshed into localhost port 2222.

    Expected I expected all output to be green.

    what I got

    # general
    (gen) client IP: 127.0.0.1
    (gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
    (gen) software: OpenSSH 7.6p1
    (gen) compression: enabled ([email protected], zlib)
    
    # key exchange algorithms
    (kex) curve25519-sha256                         -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    (kex) [email protected]              -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp256                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp384                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp521                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) diffie-hellman-group-exchange-sha256      -- [info] available since OpenSSH 4.4
    (kex) diffie-hellman-group16-sha512             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group18-sha512             -- [info] available since OpenSSH 7.3
    (kex) diffie-hellman-group-exchange-sha1        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.3.0
    (kex) diffie-hellman-group14-sha256             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group14-sha1               -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
    (kex) ext-info-c
    
    # host-key algorithms
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]          -- [info] available since OpenSSH 6.5
    (key) [email protected]              -- [info] available since OpenSSH 5.6
    (key) ecdsa-sha2-nistp256                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp384                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp521                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ssh-ed25519                               -- [info] available since OpenSSH 6.5
    (key) rsa-sha2-512                              -- [info] available since OpenSSH 7.2
    (key) rsa-sha2-256                              -- [info] available since OpenSSH 7.2
    (key) ssh-rsa                                   -- [fail] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
    
    # encryption algorithms (ciphers)
    (enc) [email protected]             -- [info] available since OpenSSH 6.5
                                                    `- [info] default cipher since OpenSSH 6.9.
    (enc) aes128-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) aes192-ctr                                -- [info] available since OpenSSH 3.7
    (enc) aes256-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) [email protected]                    -- [info] available since OpenSSH 6.2
    (enc) [email protected]                    -- [info] available since OpenSSH 6.2
    
    # message authentication code algorithms
    (mac) [email protected]                   -- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 6.2
    (mac) [email protected]                  -- [info] available since OpenSSH 6.2
    (mac) [email protected]             -- [info] available since OpenSSH 6.2
    (mac) [email protected]             -- [info] available since OpenSSH 6.2
    (mac) [email protected]                 -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 6.2
    (mac) [email protected]                       -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 4.7
    (mac) [email protected]                      -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-256                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha2-512                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha1                                 -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
    
    # algorithm recommendations (for OpenSSH 7.6)
    (rec) -diffie-hellman-group-exchange-sha1       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp256                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp384                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp521                       -- kex algorithm to remove 
    (rec) -ecdsa-sha2-nistp256                      -- key algorithm to remove 
    (rec) -ecdsa-sh[email protected] -- key algorithm to remove 
    (rec) -ecdsa-sha2-nistp384                      -- key algorithm to remove 
    (rec) [email protected] -- key algorithm to remove 
    (rec) -ecdsa-sha2-nistp521                      -- key algorithm to remove 
    (rec) [email protected] -- key algorithm to remove 
    (rec) -ssh-rsa                                  -- key algorithm to remove 
    (rec) -diffie-hellman-group14-sha1              -- kex algorithm to remove 
    (rec) -hmac-sha1                                -- mac algorithm to remove 
    (rec) [email protected]                -- mac algorithm to remove 
    (rec) -hmac-sha2-256                            -- mac algorithm to remove 
    (rec) -hmac-sha2-512                            -- mac algorithm to remove 
    (rec) [email protected]                     -- mac algorithm to remove 
    (rec) [email protected]                  -- mac algorithm to remove 
    (rec) [email protected]                      -- mac algorithm to remove 
    
    # additional info
    (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    

    My ssh config contains some jumphost configurtations, and then on the bottom your suggested changes which I echoed into the file.

    # lots of hosts...
    
    Host xxx
        Hostname 192.168.1.220
        ProxyJump yyy
    
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    MACs [email protected],[email protected],[email protected]
    HostKeyAlgorithms ssh-ed25519,[email protected],rsa-sha2-256,rsa-sha2-512,[email protected]
    
    

    I tried to google about client hardening, but almost all information out there is about server hardening.

    Any hint for me what to do?

    Thanks!

    opened by jugmac00 11
  • Add OpenSSH 8 recommendations

    Add OpenSSH 8 recommendations

    Hi Joe,

    The tool currently suggests recommended settings for OpenSSH 7.6 but I currently have OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019, so it would be great to have up-to-date kex/mac/etc recommendations what to enable, disable, and so on. There might be such in the official docs but the tool should make it easy to find them via its output.

    # algorithm recommendations (for OpenSSH 7.6)
    ...
    
    opened by immanuelfodor 11
  • Feature request: Consider host entries in .ssh/config

    Feature request: Consider host entries in .ssh/config

    It would be convenient if host entries in .ssh/config (hostname, port) could be recognised and automatically be used, so an entry like

    Host staging
    	PubkeyAuthentication yes
    	IdentitiesOnly yes
    	IdentityFile ~/.ssh/id_ed25519
    	Hostname mystagingserver.domain.com
    	User dummy
    	Port 54321
    

    would allow a simple

    ssh-audit.py staging

    instead of a

    ssh-audit.py -p 54321 mystagingserver.domain.com

    opened by shoopdawoop 10
  • Add an OPNsense SSH hardening guide

    Add an OPNsense SSH hardening guide

    Hi @jtesta,

    According to https://github.com/opnsense/core/issues/3975, there will be new SSH config options in OPNsense 20.7, so it'd be great to add these to the common OS list at https://www.ssh-audit.com/hardening_guides.html maybe below pfSense (as OPNsense is its fork).

    Until the new settings are released, users can enable them by running these commands on their OPNsense box/vm:

    opnsense-patch 5df590c
    opnsense-patch 1165119
    service configd restart
    

    As there are no ordering in the chosen algos (limitation of the UI), advanced users that mess with these settings should pick their choices to be the most hard that their SSH clients support. I'm happy that they added support to tweaking these at least.

    opened by immanuelfodor 10
  • v2.3.0 Milestones

    v2.3.0 Milestones

    @jtesta Hi Joe,

    At the end of July you mentioned that you were hoping to release v2.3.0.

    Are there some specific issues that you want to close before releasing v2.3.0? If so, perhaps they could be tagged as milestones.

    opened by thecliguy 9
  • SSH Connections - Additional Logging and Visibility of Errors

    SSH Connections - Additional Logging and Visibility of Errors

    ADDITIONAL LOGGING

    I'm planning on using ssh-audit in a production environment and would like to be able to demonstrate and record how aggressive a typical audit is.

    Currently verbose output only shows the initial SSH connection that's made to a target server:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/ssh_audit.py#L823

    However an audit actually makes multiple connections to a target server:

    1. The initial connection:
      ssh_audit.py: main --> audit --> err = s.connect()

    2. Obtaining host key(s):
      ssh_audit.py: main --> audit --> HostKeyTest.run(s, kex) hostkeytest.py: run --> perform_test --> err = s.connect() (err = s.connect() runs once per key type [rsa, ed25519, etc])

    3. Performing DH group exchange: ssh_audit.py: main --> audit --> GEXTest.run(s, kex) gextest.py: run --> GEXTest.reconnect --> err = s.connect() (GEXTest.reconnect runs once per group-exchange alg and once per modulus length for each group-exchange alg)

    @jtesta Would you be happy to entertain the idea of adding some additional logging so that each SSH connection is output? If that sounds OK, do you want this to be added to the existing verbose output or would it be more appropriate to add a new --debug parameter?

    VISIBILITY OF ERRORS

    When obtaining host key(s) and performing DH group exchange, if s.connect() or get_banner() produce an error then currently the error message is suppressed:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/hostkeytest.py#L109-L116

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/gextest.py#L45-L52

    Should we at least display a warning rather than hiding errors?

    opened by thecliguy 8
  • ssh-rsa Host Key Algorithm

    ssh-rsa Host Key Algorithm

    @jtesta Hi Joe

    The OpenSSH 8.3 release notes includes a future deprecation notice where it says: "...we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release".

    Is it worth updating ssh-rsa in ssh2_kexdb.py to mention something like "A future deprecation notice has been issued in OpenSSH 8.3, see https://www.openssh.com/txt/release-8.3." ?

    When I researched the deprecation of ssh-rsa, there seems to be a degree of confusion about the whole thing. So before you do anything, it's probably a good idea to check and make sure that you agree with my interpretation and that I'm not perpetuating incorrect information.

    opened by thecliguy 8
  • Batch scanning fail

    Batch scanning fail

    Hello,

    When i try to scan a batch of targets in a file if one of those get a [exception] cannot connect to 127.0.0.1 port 22 : timed out or connection refused the scan fails. i tried specifying the -b flag but that did not help much. The work around was to just cat the file and run it in parallel/xargs. But i still figured i should let you know.

    opened by gbiagomba 8
  • Dropbear ssh hardening guide addition

    Dropbear ssh hardening guide addition

    The current release of dropbear can be hardened by building it adding the following three lines to localoptions.h:

    #define DROPBEAR_RSA_SHA1 0
    #define DROPBEAR_DH_GROUP14_SHA1 0
    #define DROPBEAR_SHA1_HMAC 0
    

    Wondering if you would like to add this to your hardening guide.

    Reference: https://github.com/mkj/dropbear/issues/138

    opened by graysky2 0
  • Only SHA256 fingerprints are calculated - no MD5 and SHA512

    Only SHA256 fingerprints are calculated - no MD5 and SHA512

    When scanning a remote server, only the sha256 fingerprints are shown.

    It would make sense, to calculate the fingerprint with different hash algorithms, because not every client uses a sha256 hash for fingerprint calculation.

    Following hash algorithms should be used:

    • MD5 (deprecated but there are still clients which are using MD5)
    • SHA512 (rarely used but some clients exist which are using SHA512 fingerprints)

    I know those algorithms are not common, but as long as some clients are using those, ssh-audit should calculate the fingerprints.

    opened by hmaier1996 2
  • LookupError: unknown encoding: idna

    LookupError: unknown encoding: idna

    I get an exception when scanning some targets using targets file. When scanning these targets manually, it works fine.

    I'm using the ssh-audit.exe in Version 2.5 on a Windows 10 VM. For me it looks like to be an issue of missing import: import encodings.idna

    An exception occurred while scanning 10.2xx.xx.xx:22: Traceback (most recent call last): File "ssh-audit.py", line 1017, in target_worker_thread File "ssh-audit.py", line 842, in audit File "ssh_socket.py", line 155, in connect File "ssh_socket.py", line 85, in _resolve File "socket.py", line 953, in getaddrinfo LookupError: unknown encoding: idna


    An exception occurred while scanning 10.2xx.xxx.xx:22: Traceback (most recent call last): File "ssh-audit.py", line 1017, in target_worker_thread File "ssh-audit.py", line 842, in audit File "ssh_socket.py", line 155, in connect File "ssh_socket.py", line 85, in _resolve File "socket.py", line 953, in getaddrinfo LookupError: unknown encoding: idna


    An exception occurred while scanning 10.2xx.xxx.xx:22: Traceback (most recent call last): File "ssh-audit.py", line 1017, in target_worker_thread File "ssh-audit.py", line 842, in audit File "ssh_socket.py", line 155, in connect File "ssh_socket.py", line 85, in _resolve File "socket.py", line 953, in getaddrinfo LookupError: unknown encoding: idna


    An exception occurred while scanning 10.2xx.xx.xx:22: Traceback (most recent call last): File "ssh-audit.py", line 1017, in target_worker_thread File "ssh-audit.py", line 842, in audit File "ssh_socket.py", line 155, in connect File "ssh_socket.py", line 85, in _resolve File "socket.py", line 953, in getaddrinfo LookupError: unknown encoding: idna


    An exception occurred while scanning 10.2xx.xxx.xx:22: Traceback (most recent call last): File "ssh-audit.py", line 1017, in target_worker_thread File "ssh-audit.py", line 842, in audit File "ssh_socket.py", line 155, in connect File "ssh_socket.py", line 85, in _resolve File "socket.py", line 953, in getaddrinfo LookupError: unknown encoding: idna

    opened by kastahl 6
  • Python file

    Python file

    (output truncated)

    $ pip3 show -f ssh-audit
    Version: 2.5.0
    License: UNKNOWN
    Location: /usr/local/lib/python3.10/site-packages
    Requires: 
    Required-by: 
    Files:
      ../../../bin/ssh-audit
      ssh_audit-2.5.0.dist-info/LICENSE
    

    Hello. Be it unknown or not to Python, the license is dully mentioned here

    $ cat /usr/local/lib/python3.10/site-packages/ssh_audit-2.5.0.dist-info/LICENSE | awk 'NF'| head -2
    The MIT License (MIT)
    Copyright (C) 2017-2020 Joe Testa ([email protected])
    

    Whatever the side the issue has root, it is worth fixing. Copyright's end-year might require up-to-date number. Worth noting that an en-dash (–), is what the usage defines as applying to range of dates, not a hyphen (-), which is commonly misused by developers.

    opened by Ricky-Tigg 2
  • [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    Hi!

    I'm working on a product, that needs to implement ssh / scp themselves. I've read a dozens of rfc's myself already, but still would rather not implement everything myself. As such I've opted to use Apache Mina SSHD.

    Trying to disable the ecdsa-sha2-nistp521 Signature however seems to be problematic. I can see, that ssh-audit tries connecting with only that signature algorithm and then see that the server implementation concludes, that a session cannot be negotiated properly. As such it sends the Message SSH_MSG_DISCONNECT (1), while logging the error message: "SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - sendKexInit() no resolved signatures available".

    However ssh-audit then fails to execute with the following message: [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1). While reading the RFC 4253 i would say, that this is to be expected though, as on Page 18 it says:

      If no algorithm satisfying all these conditions can be found, the
      connection fails, and both sides MUST disconnect.
    

    My Test Code utilizes Containers (testContainers-java) and JUnit. For reference:

    import lombok.Cleanup;
    import lombok.extern.slf4j.Slf4j;
    import org.junit.jupiter.api.Test;
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.containers.output.Slf4jLogConsumer;
    import org.testcontainers.containers.startupcheck.IndefiniteWaitOneShotStartupCheckStrategy;
    import org.testcontainers.junit.jupiter.Testcontainers;
    import org.testcontainers.utility.MountableFile;
    
    import java.io.IOException;
    
    import static org.testcontainers.Testcontainers.exposeHostPorts;
    
    @Slf4j
    @Testcontainers
    public final class SSHTest {
        private static final int SSH_PORT = 2222;
    
    
        @Test
        public void testAudit() throws Exception {
            @Cleanup final var launcher = createLauncher();
            launcher.start();
    
            exposeHostPorts(SSH_PORT);
    
            @Cleanup final var container = createContainerAudit();
            container.start();
        }
    
        private static GenericContainer<?> createContainerAudit() {
            return new SSHAudit(new SSHAudit.Config(SSH_URL, SSH_PORT))
                .withLogConsumer(new Slf4jLogConsumer(log))
                .withStartupCheckStrategy(new IndefiniteWaitOneShotStartupCheckStrategy());
        }
    }
    
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.utility.DockerImageName;
    
    final class SSHAudit extends GenericContainer<SSHAudit> {
        public SSHAudit(final Config config) {
            super(DockerImageName.parse("positronsecurity/ssh-audit"));
            this.setCommand(
                "-b",
    //            "-l", "warn",
                config.url()
            );
        }
    
        public record Config(
            String host,
            int port
        ) {
            String url() {
                return this.host + ":" + this.port;
            }
        }
    }
    

    The cause of the error is linked here

    I'm unsure on how one would approach this though. As I have not yet understood the code base here. My suggestion would be to check if the server disconnected, but i can see. that the protocol definition currently has no such field.

    EDIT:

    Output of Help Menu running in Docker Container
    [main] INFO 🐳 [positronsecurity/ssh-audit:latest] - Container positronsecurity/ssh-audit:latest started in PT1.5658137S
    
    STDOUT # ssh-audit.py v2.5.0, https://github.com/jtesta/ssh-audit
    STDOUT 
    STDOUT usage: ssh-audit.py [options] <host>
    STDOUT 
    STDOUT    -h,  --help             print this help
    STDOUT    -1,  --ssh1             force ssh version 1 only
    STDOUT    -2,  --ssh2             force ssh version 2 only
    STDOUT    -4,  --ipv4             enable IPv4 (order of precedence)
    STDOUT    -6,  --ipv6             enable IPv6 (order of precedence)
    STDOUT    -b,  --batch            batch output
    STDOUT    -c,  --client-audit     starts a server on port 2222 to audit client
    STDOUT                                software config (use -p to change port;
    STDOUT                                use -t to change timeout)
    STDOUT    -d,  --debug            debug output
    STDOUT    -j,  --json             JSON output (use -jj to enable indents)
    STDOUT    -l,  --level=<level>    minimum output level (info|warn|fail)
    STDOUT    -L,  --list-policies    list all the official, built-in policies
    STDOUT         --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
    STDOUT                                     connecting to a server
    STDOUT    -M,  --make-policy=<policy.txt>  creates a policy based on the target server
    STDOUT                                     (i.e.: the target server has the ideal
    STDOUT                                     configuration that other servers should
    STDOUT                                     adhere to)
    STDOUT    -m,  --manual           print the man page (Windows only)
    STDOUT    -n,  --no-colors        disable colors
    STDOUT    -p,  --port=<port>      port to connect
    STDOUT    -P,  --policy=<policy.txt>  run a policy test using the specified policy
    STDOUT    -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
    STDOUT                                (default: 5)
    STDOUT    -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
    STDOUT                                    per line, format HOST[:PORT]).  Use --threads
    STDOUT                                    to control concurrent scans.
    STDOUT         --threads=<threads>    number of threads to use when scanning multiple
    STDOUT                                    targets (-T/--targets) (default: 32)
    STDOUT    -v,  --verbose          verbose output
    STDOUT 
    END 
    
    Output of --debug running in Docker Container (Error).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)
    END 
    ...
    
    Output of --debug running in Docker Container (Successful, but audit fails).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] ecdsa-sha2-nistp521 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    
    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 512...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 768...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1024...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1536...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 2048...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
    STDOUT (gen) compression: enabled (zlib, [email protected])
    STDOUT (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    STDOUT (kex) [email protected] -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    STDOUT (kex) curve448-sha512
    STDOUT (kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
    STDOUT (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
    STDOUT (kex) diffie-hellman-group17-sha512
    STDOUT (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) diffie-hellman-group15-sha512
    STDOUT (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) ext-info-s
    STDOUT (key) ecdsa-sha2-nistp521 -- [fail] using weak elliptic curves
    STDOUT (key) ecdsa-sha2-nistp521 -- [warn] using weak random number generator could reveal the key
    STDOUT (key) ecdsa-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.5
    STDOUT (enc) [email protected] -- [info] default cipher since OpenSSH 6.9.
    STDOUT (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) aes192-ctr -- [info] available since OpenSSH 3.7
    STDOUT (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (rec) -ecdsa-sha2-nistp521-- key algorithm to remove 
    STDOUT (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    END 
    
    
    opened by BjoernAkAManf 3
Releases(v2.5.0)
Owner
Joe Testa
Principal penetration tester and founder of Positron Security. @therealjoetesta
Joe Testa
SQLi Google Dork Scanner (new version)

XGDork² - ViraX Google Dork Scanner SQLi Google Dork Scanner by ViraX @ 2021 for Python 2.7 - compatible Android(NoRoot) - Termux A simple 'naive' pyt

8 Dec 20, 2022
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

mitmproxy mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. mitmdump is the

mitmproxy 29.7k Jan 04, 2023
QHack-2022 - Solutions to the Coding Challenges of QHack 2022

QHack 2022 Problems from Coding Challenges 2022. Rules and how it works To test

Isacco Gobbi 1 Feb 14, 2022
This tool help you to check if your Windows machine has hidden miner.

Hidden Miner Detector This tool help you to check if your Windows machine has hidden miner. Miners track when you open antivirus software or task mana

Николай Борщёв 2 Oct 05, 2022
Port scanning tool that uses Python3. Created by Noble Wilson

Hello There! My name is Noble Wilson and I am an aspiring IT/InfoSec coder practicing for my future. ________________________________________________

1 Nov 23, 2021
GitGuardian Shield: protect your secrets with GitGuardian

Detect secret in source code, scan your repo for leaks. Find secrets with GitGuardian and prevent leaked credentials. GitGuardian is an automated secrets detection & remediation service.

GitGuardian 1.2k Dec 27, 2022
To explore creating an application that detects available connections at once from wifi and bluetooth

Signalum A Linux Package to detect and analyze existing connections from wifi and bluetooth. Also checkout the Desktop Application. Signalum Installat

BISOHNS 56 Mar 03, 2021
Fast and customizable vulnerability scanner For JIRA written in Python

Fast and customizable vulnerability scanner For JIRA. 🤔 What is this? Jira-Lens 🔍 is a Python Based vulnerability Scanner for JIRA. Jira is a propri

Mayank Pandey 185 Dec 25, 2022
spring-cloud-gateway-rce CVE-2022-22947

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947) 1.installation pip3 install -r requirements.txt 2.Usage $ python3 spring-cloud-gateway

k3rwin 10 Sep 28, 2022
Fuck - Multi Brute Force 🚶‍♂

f-mbf Fuck - Multi Brute Force 🚶‍♂ Install Script $ pkg update && pkg upgrade $ pkg install python2 $ pkg install git $ pip2 install requests $ pip2

Yumasaa 1 Dec 03, 2021
CTF framework and exploit development library

pwntools - CTF toolkit Pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and develo

Gallopsled 9.8k Dec 31, 2022
ONT Analysis Toolkit (OAT)

A toolkit for monitoring ONT MinION sequencing, followed by data analysis, for viral genomes amplified with tiled amplicon sequencing.

6 Jun 14, 2022
Aiminsun 165 Dec 21, 2022
CVE-2021-22205& GitLab CE/EE RCE

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Al1ex 213 Dec 30, 2022
Create a secure tunnel from a custom domain to localhost using Fly and WireGuard.

Fly Dev Tunnel Developers commonly use apps like ngrok, localtunnel, or cloudflared to expose a local web service at a publicly-accessible URL. This i

170 Dec 11, 2022
Finite Volume simulation of the Raleigh-Taylor Instability

finitevolume2-python Finite Volume simulation of the Raleigh-Taylor Instability Create Your Own Finite Volume Fluid Simulation (With Python): Part 2 B

Philip Mocz 12 Sep 01, 2022
RedDrop is a quick and easy web server for capturing and processing encoded and encrypted payloads and tar archives.

RedDrop Exfil Server Check out the accompanying MaverisLabs Blog Post Here! RedDrop Exfil Server is a Python Flask Web Server for Penetration Testers,

53 Nov 01, 2022
python script for hack gmail account using brute force attack

#Creator: johnry #coded by john ry GBrute python script for hack gmail account using brute force attack Commands apt update && apt upgrade git clone h

6 Dec 09, 2022
Fuzzercorn - Bring libfuzzer to Unicorn

Fuzzercorn libfuzzer bindings for Unicorn. API // The main entry point of the fu

lazymio 23 Nov 17, 2022