mirror of
https://github.com/jtesta/ssh-audit.git
synced 2025-04-05 13:08:06 -05:00
238 lines
11 KiB
Python
238 lines
11 KiB
Python
"""
|
|
The MIT License (MIT)
|
|
|
|
Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
in the Software without restriction, including without limitation the rights
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
The above copyright notice and this permission notice shall be included in
|
|
all copies or substantial portions of the Software.
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
THE SOFTWARE.
|
|
"""
|
|
import traceback
|
|
|
|
# pylint: disable=unused-import
|
|
from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401
|
|
from typing import Callable, Optional, Union, Any # noqa: F401
|
|
|
|
from ssh_audit.kexdh import KexDHException, KexGroupExchange_SHA1, KexGroupExchange_SHA256
|
|
from ssh_audit.ssh2_kexdb import SSH2_KexDB
|
|
from ssh_audit.ssh2_kex import SSH2_Kex
|
|
from ssh_audit.ssh_socket import SSH_Socket
|
|
from ssh_audit.outputbuffer import OutputBuffer
|
|
from ssh_audit import exitcodes
|
|
|
|
|
|
# Performs DH group exchanges to find what moduli are supported, and checks
|
|
# their size.
|
|
class GEXTest:
|
|
|
|
# Creates a new connection to the server. Returns True on success, or False.
|
|
@staticmethod
|
|
def reconnect(out: 'OutputBuffer', s: 'SSH_Socket', kex: 'SSH2_Kex', gex_alg: str) -> bool:
|
|
if s.is_connected():
|
|
return True
|
|
|
|
err = s.connect()
|
|
if err is not None:
|
|
out.v(err, write_now=True)
|
|
return False
|
|
|
|
_, _, err = s.get_banner()
|
|
if err is not None:
|
|
out.v(err, write_now=True)
|
|
s.close()
|
|
return False
|
|
|
|
# Send our KEX using the specified group-exchange and most of the
|
|
# server's own values.
|
|
s.send_kexinit(key_exchanges=[gex_alg], hostkeys=kex.key_algorithms, ciphers=kex.server.encryption, macs=kex.server.mac, compressions=kex.server.compression, languages=kex.server.languages)
|
|
|
|
try:
|
|
# Parse the server's KEX.
|
|
_, payload = s.read_packet(2)
|
|
SSH2_Kex.parse(out, payload)
|
|
except KexDHException:
|
|
out.v("Failed to parse server's kex. Stack trace:\n%s" % str(traceback.format_exc()), write_now=True)
|
|
return False
|
|
|
|
return True
|
|
|
|
@staticmethod
|
|
def granular_modulus_size_test(out: 'OutputBuffer', s: 'SSH_Socket', kex: 'SSH2_Kex', bits_min: int, bits_pref: int, bits_max: int, modulus_dict: Dict[str, List[int]]) -> int:
|
|
'''
|
|
Tests for granular modulus sizes.
|
|
Builds a dictionary, where a key represents a DH algorithm name and the
|
|
values are the modulus sizes (in bits) that have been returned by the
|
|
target server.
|
|
Returns an exitcodes.* flag.
|
|
'''
|
|
|
|
retval = exitcodes.GOOD
|
|
|
|
out.d("Starting modulus_size_test...")
|
|
out.d("Bits Min: " + str(bits_min))
|
|
out.d("Bits Pref: " + str(bits_pref))
|
|
out.d("Bits Max: " + str(bits_max))
|
|
|
|
GEX_ALGS = {
|
|
'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1,
|
|
'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256,
|
|
}
|
|
|
|
# Check if the server supports any of the group-exchange
|
|
# algorithms. If so, test each one.
|
|
for gex_alg, kex_group_class in GEX_ALGS.items():
|
|
if gex_alg not in kex.kex_algorithms:
|
|
out.d('Server does not support the algorithm "' + gex_alg + '".', write_now=True)
|
|
else:
|
|
kex_group = kex_group_class(out)
|
|
out.d('Preparing to perform DH group exchange using ' + gex_alg + ' with min, pref and max modulus sizes of ' + str(bits_min) + ' bits, ' + str(bits_pref) + ' bits and ' + str(bits_max) + ' bits...', write_now=True)
|
|
|
|
# It has been observed that reconnecting to some SSH servers
|
|
# multiple times in quick succession can eventually result
|
|
# in a "connection reset by peer" error. It may be possible
|
|
# to recover from such an error by sleeping for some time
|
|
# before continuing to issue reconnects.
|
|
if GEXTest.reconnect(out, s, kex, gex_alg) is False:
|
|
out.fail('Reconnect failed.')
|
|
return exitcodes.FAILURE
|
|
try:
|
|
modulus_size_returned = None
|
|
kex_group.send_init_gex(s, bits_min, bits_pref, bits_max)
|
|
kex_group.recv_reply(s, False)
|
|
modulus_size_returned = kex_group.get_dh_modulus_size()
|
|
out.d('Modulus size returned by server: ' + str(modulus_size_returned) + ' bits', write_now=True)
|
|
except KexDHException:
|
|
out.d('[exception] ' + str(traceback.format_exc()), write_now=True)
|
|
finally:
|
|
# The server is in a state that is not re-testable,
|
|
# so there's nothing else to do with this open
|
|
# connection.
|
|
s.close()
|
|
|
|
if modulus_size_returned is not None:
|
|
if gex_alg in modulus_dict:
|
|
if modulus_size_returned not in modulus_dict[gex_alg]:
|
|
modulus_dict[gex_alg].append(modulus_size_returned)
|
|
else:
|
|
modulus_dict[gex_alg] = [modulus_size_returned]
|
|
|
|
return retval
|
|
|
|
# Runs the DH moduli test against the specified target.
|
|
@staticmethod
|
|
def run(out: 'OutputBuffer', s: 'SSH_Socket', kex: 'SSH2_Kex') -> None:
|
|
GEX_ALGS = {
|
|
'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1,
|
|
'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256,
|
|
}
|
|
|
|
# The previous RSA tests put the server in a state we can't
|
|
# test. So we need a new connection to start with a clean
|
|
# slate.
|
|
if s.is_connected():
|
|
s.close()
|
|
|
|
# Check if the server supports any of the group-exchange
|
|
# algorithms. If so, test each one.
|
|
for gex_alg, kex_group_class in GEX_ALGS.items():
|
|
if gex_alg in kex.kex_algorithms:
|
|
out.d('Preparing to perform DH group exchange using ' + gex_alg + ' with min, pref and max modulus sizes of 512 bits, 1024 bits and 1536 bits...', write_now=True)
|
|
|
|
if GEXTest.reconnect(out, s, kex, gex_alg) is False:
|
|
break
|
|
|
|
kex_group = kex_group_class(out)
|
|
smallest_modulus = -1
|
|
|
|
# First try a range of weak sizes.
|
|
try:
|
|
kex_group.send_init_gex(s, 512, 1024, 1536)
|
|
kex_group.recv_reply(s, False)
|
|
|
|
# Its been observed that servers will return a group
|
|
# larger than the requested max. So just because we
|
|
# got here, doesn't mean the server is vulnerable...
|
|
smallest_modulus = kex_group.get_dh_modulus_size()
|
|
out.d('Modulus size returned by server: ' + str(smallest_modulus) + ' bits', write_now=True)
|
|
|
|
except KexDHException:
|
|
out.d('[exception] ' + str(traceback.format_exc()), write_now=True)
|
|
finally:
|
|
s.close()
|
|
|
|
# Try an array of specific modulus sizes... one at a time.
|
|
reconnect_failed = False
|
|
for bits in [512, 768, 1024, 1536, 2048, 3072, 4096]:
|
|
|
|
# If we found one modulus size already, but we're about
|
|
# to test a larger one, don't bother.
|
|
if bits >= smallest_modulus > 0:
|
|
break
|
|
|
|
out.d('Preparing to perform DH group exchange using ' + gex_alg + ' with min, pref and max modulus sizes of ' + str(bits) + ' bits...', write_now=True)
|
|
|
|
if GEXTest.reconnect(out, s, kex, gex_alg) is False:
|
|
reconnect_failed = True
|
|
break
|
|
|
|
try:
|
|
kex_group.send_init_gex(s, bits, bits, bits)
|
|
kex_group.recv_reply(s, False)
|
|
smallest_modulus = kex_group.get_dh_modulus_size()
|
|
out.d('Modulus size returned by server: ' + str(smallest_modulus) + ' bits', write_now=True)
|
|
except KexDHException as e:
|
|
out.d('Exception when testing DH group exchange ' + gex_alg + ' with modulus size ' + str(bits) + '. (Hint: this is probably normal since the server does not support this modulus size.): ' + str(e), write_now=True)
|
|
finally:
|
|
# The server is in a state that is not re-testable,
|
|
# so there's nothing else to do with this open
|
|
# connection.
|
|
s.close()
|
|
|
|
if smallest_modulus > 0:
|
|
kex.set_dh_modulus_size(gex_alg, smallest_modulus)
|
|
|
|
# We flag moduli smaller than 2048 as a failure.
|
|
if smallest_modulus < 2048:
|
|
text = 'using small %d-bit modulus' % smallest_modulus
|
|
lst = SSH2_KexDB.get_db()['kex'][gex_alg]
|
|
# For 'diffie-hellman-group-exchange-sha256', add
|
|
# a failure reason.
|
|
if len(lst) == 1:
|
|
lst.append([text])
|
|
# For 'diffie-hellman-group-exchange-sha1', delete
|
|
# the existing failure reason (which is vague), and
|
|
# insert our own.
|
|
else:
|
|
del lst[1]
|
|
lst.insert(1, [text])
|
|
|
|
# Moduli smaller than 3072 get flagged as a warning.
|
|
elif smallest_modulus < 3072:
|
|
lst = SSH2_KexDB.get_db()['kex'][gex_alg]
|
|
|
|
# Ensure that a warning list exists for us to append to, below.
|
|
while len(lst) < 3:
|
|
lst.append([])
|
|
|
|
# Ensure this is only added once.
|
|
text = '2048-bit modulus only provides 112-bits of symmetric strength'
|
|
if text not in lst[2]:
|
|
lst[2].append(text)
|
|
|
|
if reconnect_failed:
|
|
break
|