ssh-audit is a tool for ssh server & client configuration auditing.

Overview

ssh-audit


jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.

Features

  • SSH1 and SSH2 protocol server support;
  • analyze SSH client configuration;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • output security information (related issues, assigned CVE list, etc);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • policy scans to ensure adherence to a hardened/standard configuration;
  • runs on Linux and Windows;
  • supports Python 3.6 - 3.9;
  • no dependencies

Usage

usage: ssh-audit.py [options] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -d,  --debug            Enable debug output.
   -j,  --json             JSON output (use -jj to enable indents)
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
                                    connecting to a server
   -m,  --manual           print the man page (Windows only)
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                    (i.e.: the target server has the ideal
                                    configuration that other servers should
                                    adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=<port>      port to connect
   -P,  --policy=<"policy name" | policy.txt>  run a policy test using the
                                               specified policy
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
                               per line, format HOST[:PORT])
        --threads=<threads>    number of threads to use when scanning multiple
                               targets (-T/--targets) (default: 32)
   -v,  --verbose          verbose output

  • if both IPv4 and IPv6 are used, order of precedence can be set by using either -46 or -64.
  • batch flag -b will output sections without header and without empty lines (implies verbose flag).
  • verbose flag -v will prefix each line with section type and algorithm name.
  • an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).

Basic server auditing:

ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222

To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):

ssh-audit -T servers.txt

To audit a client configuration (listens on port 2222 by default; connect using ssh -p 2222 [email protected]):

ssh-audit -c

To audit a client configuration, with a listener on port 4567:

ssh-audit -c -p 4567

To list all official built-in policies (hint: use resulting policy names with -P/--policy):

ssh-audit -L

To run a policy audit against a server:

ssh-audit -P ["policy name" | path/to/server_policy.txt] targetserver

To run a policy audit against a client:

ssh-audit -c -P ["policy name" | path/to/client_policy.txt]

To run a policy audit against many servers:

ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]

To create a policy based on a target server (which can be manually edited):

ssh-audit -M new_policy.txt targetserver

Screenshots

Server Standard Audit Example

Below is a screenshot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service: [screenshot]

Server Policy Audit Example

Below is a screenshot of the policy auditing output when connecting to an unhardened Ubuntu Server 20.04 machine (hint: use -L/--list-policies to see names of built-in policies to use with -P/--policy): [screenshot]

After applying the steps in the hardening guide (see below), the output changes to the following: [screenshot]

Client Standard Audit Example

Below is a screenshot of the client-auditing output when an unhardened OpenSSH v7.2 client connects: [screenshot]

Hardening Guides

Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html

Pre-Built Packages

Pre-built packages are available for Windows (see the releases page), PyPI, Snap, and Docker.

To install from PyPI:

$ pip3 install ssh-audit

To install the Snap package:

$ snap install ssh-audit

To install from Dockerhub:

$ docker pull positronsecurity/ssh-audit

(Then run with: docker run -it -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1)

Web Front-End

For convenience, a web front-end on top of the command-line tool is available at https://www.ssh-audit.com/.

ChangeLog

v2.6.0-dev

  • Snap packages now print more user-friendly error messages when permission errors are encountered.
  • JSON 'target' field now always includes port number; credit tomatohater1337.
  • Added 24 new key exchanges: ecdh-sha2-1.3.132.0.1, ecdh-sha2-1.2.840.10045.3.1.1, ecdh-sha2-1.3.132.0.33, ecdh-sha2-1.3.132.0.26, ecdh-sha2-1.3.132.0.27, ecdh-sha2-1.2.840.10045.3.1.7, ecdh-sha2-1.3.132.0.16, ecdh-sha2-1.3.132.0.34, ecdh-sha2-1.3.132.0.36, ecdh-sha2-1.3.132.0.37, ecdh-sha2-1.3.132.0.35, ecdh-sha2-1.3.132.0.38, ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==, ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==, ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==, ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==, ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==, ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==, ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==, ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==, ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==, ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==, ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==, ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==.

v2.5.0 (2021-08-26)

  • Fixed crash when running host key tests.
  • Handles server connection failures more gracefully.
  • Now prints JSON with indents when -jj is used (useful for debugging).
  • Added MD5 fingerprints to verbose output.
  • Added -d/--debug option for getting debugging output; credit Adam Russell.
  • Updated JSON output to include MD5 fingerprints. Note that this results in a breaking change in the 'fingerprints' dictionary format.
  • Updated OpenSSH 8.1 (and earlier) policies to include rsa-sha2-512 and rsa-sha2-256.
  • Added OpenSSH v8.6 & v8.7 policies.
  • Added 3 new key exchanges: gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==, gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==, and gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==.
  • Added 3 new MACs: hmac-ripemd160-96, AEAD_AES_128_GCM, and AEAD_AES_256_GCM.

v2.4.0 (2021-02-23)

  • Added multi-threaded scanning support.
  • Added built-in Windows manual page (see -m/--manual); credit Adam Russell.
  • Added version check for OpenSSH user enumeration (CVE-2018-15473).
  • Added deprecation note to host key types based on SHA-1.
  • Added extra warnings for SSHv1.
  • Added built-in hardened OpenSSH v8.5 policy.
  • Upgraded warnings to failures for host key types based on SHA-1.
  • Fixed crash when receiving unexpected response during host key test.
  • Fixed hang against older Cisco devices during host key test & gex test.
  • Fixed improper termination while scanning multiple targets when one target returns an error.
  • Dropped support for Python 3.5 (which reached EOL in Sept. 2020).
  • Added 1 new key exchange: [email protected].

v2.3.1 (2020-10-28)

  • Now parses public key sizes for [email protected] and [email protected] host key types.
  • Flag [email protected] as a failure due to SHA-1 hash.
  • Fixed bug in recommendation output which suppressed some algorithms inappropriately.
  • Built-in policies now include CA key requirements (if certificates are in use).
  • Lookup function (--lookup) now performs case-insensitive lookups of similar algorithms; credit Adam Russell.
  • Migrated pre-made policies from external files to internal database.
  • Split single 3,500 line script into many files (by class).
  • Added setup.py support; credit Ganden Schaffner.
  • Added 1 new cipher: [email protected].

v2.3.0 (2020-09-27)

  • Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see -L/--list-policies, -M/--make-policy and -P/--policy). For an in-depth tutorial, see https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/.
  • Created new man page (see ssh-audit.1 file).
  • 1024-bit moduli upgraded from warnings to failures.
  • Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit Jürgen Gmach.
  • Added feature to look up algorithms in internal database (see --lookup); credit Adam Russell.
  • Suppress recommendation of token host key types.
  • Added check for use-after-free vulnerability in PuTTY v0.73.
  • Added 11 new host key types: ssh-rsa1, [email protected], ssh-gost2001, ssh-gost2012-256, ssh-gost2012-512, spki-sign-rsa, ssh-ed448, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256.
  • Added 8 new key exchanges: diffie-hellman-group1-sha256, kexAlgoCurve25519SHA256, Curve25519SHA256, gss-group14-sha256-, gss-group15-sha512-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-.
  • Added 5 new ciphers: blowfish, AEAD_AES_128_GCM, AEAD_AES_256_GCM, [email protected], [email protected].
  • Added 3 new MACs: [email protected], hmac-sha3-224, [email protected].

v2.2.0 (2020-03-11)

v2.1.1 (2019-11-26)

  • Added 2 new host key types: [email protected], [email protected].
  • Added 2 new ciphers: des, 3des.
  • Added 3 new PuTTY vulnerabilities.
  • During client testing, client IP address is now listed in output.

v2.1.0 (2019-11-14)

  • Added client software auditing functionality (see -c / --client-audit option).
  • Added JSON output option (see -j / --json option; credit Andreas Jaggi).
  • Fixed crash while scanning Solaris Sun_SSH.
  • Added 9 new key exchanges: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha1-, gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==, gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==, gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==, diffie-hellman-group15-sha256, ecdh-sha2-1.3.132.0.10, curve448-sha512.
  • Added 1 new host key type: ecdsa-sha2-1.3.132.0.10.
  • Added 4 new ciphers: idea-cbc, serpent128-cbc, serpent192-cbc, serpent256-cbc.
  • Added 6 new MACs: [email protected], [email protected], hmac-ripemd, [email protected], [email protected], [email protected].

v2.0.0 (2019-08-29)

  • Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
  • Added RSA host key length test.
  • Added RSA certificate key length test.
  • Added Diffie-Hellman modulus size test.
  • Now outputs host key fingerprints for RSA and ED25519.
  • Added 5 new key exchanges: [email protected], [email protected], [email protected], diffie-hellman-group16-sha256, diffie-hellman-group17-sha512.
  • Added 3 new encryption algorithms: des-cbc-ssh1, blowfish-ctr, twofish-ctr.
  • Added 10 new MACs: hmac-sha2-56, hmac-sha2-224, hmac-sha2-384, hmac-sha3-256, hmac-sha3-384, hmac-sha3-512, hmac-sha256, [email protected], hmac-sha512, [email protected].
  • Added command line argument (-t / --timeout) for connection & reading timeouts.
  • Updated CVEs for libssh & Dropbear.

v1.7.0 (2016-10-26)

  • implement options to allow specify IPv4/IPv6 usage and order of precedence
  • implement option to specify remote port (old behavior kept for compatibility)
  • add colors support for Microsoft Windows via optional colorama dependency
  • fix encoding and decoding issues, add tests, do not crash on encoding errors
  • use mypy-lang for static type checking and verify all code

v1.6.0 (2016-10-14)

  • implement algorithm recommendations section (based on recognized software)
  • implement full libssh support (version history, algorithms, security, etc)
  • fix SSH-1.99 banner recognition and version comparison functionality
  • do not output empty algorithms (happens for misconfigured servers)
  • make consistent output for Python 3.x versions
  • add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
  • use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)

v1.5.0 (2016-09-20)

  • create security section for related security information
  • match and output assigned CVE list and security issues for Dropbear SSH
  • implement full SSH1 support with fingerprint information
  • automatically fallback to SSH1 on protocol mismatch
  • add new options to force SSH1 or SSH2 (both allowed by default)
  • parse banner information and convert it to specific software and OS version
  • do not use padding in batch mode
  • several fixes (Cisco sshd, rare hangs, error handling, etc)

v1.0.20160902

  • implement batch output option
  • implement minimum output level option
  • fix compatibility with Python 2.6

v1.0.20160812

  • implement SSH version compatibility feature
  • fix wrong mac algorithm warning
  • fix Dropbear SSH version typo
  • parse pre-banner header
  • better errors handling

v1.0.20160803

  • use OpenSSH 7.3 banner
  • add new key-exchange algorithms

v1.0.20160207

  • use OpenSSH 7.2 banner
  • additional warnings for OpenSSH 7.2
  • fix OpenSSH 7.0 failure messages
  • add rijndael-cbc failure message from OpenSSH 6.7

v1.0.20160105

  • multiple additional warnings
  • support for none algorithm
  • better compression handling
  • ensure reading enough data (fixes few Linux SSH)

v1.0.20151230

  • Dropbear SSH support

v1.0.20151223

  • initial version
Comments
  • Man Page on Windows

    I'm contemplating whether it would be possible to make the man page available in Windows.

    This is not a complete solution; these are just my initial thoughts exploring what would be required and how we might go about doing it. Any thoughts, feedback or suggestions would be welcome.

    Converting the man page to a readable format for the Windows console

    Since Windows doesn't have a manual reader, the man page would need to be converted to a format that can be rendered in the Windows console. This would have to be performed as part of the build process when there's a new release.

    One option would be to simply convert it to plain text output. This conversion can be achieved as follows:

    MANWIDTH=80 man ./ssh-audit.1 > ssh_audit_windows_man.txt
    

    In Windows 10, the console is capable of interpreting ANSI escape sequences (also known as VT escape sequences). So another option would be to convert the man page to ANSI escape sequence formatted output; this would preserve any typographical emphasis that's present in the original man page, such as bold and underlined text. This conversion can be achieved as follows:

    # * man outputs a backspace-overwrite sequence rather than an ANSI escape 
    #   sequence.
    # * 'MAN_KEEP_FORMATTING' preserves the backspace-overwrite sequence when 
    #   redirected to a file or a pipe.
    # * The 'ul' command converts the backspace-overwrite sequence to an ANSI escape 
    #   sequence.
    
    MANWIDTH=80 MAN_KEEP_FORMATTING=1 man ./ssh-audit.1 | ul > ssh_audit_windows_man.txt
    

    Example of an ANSI escape sequence formatted man page on Windows 10

    import os

    # Enable ANSI/VT escape sequence processing in the Windows console.
    os.system("color")

    # Print the pre-converted man page (produced by the 'ul' pipeline above).
    with open('c:\\bitbucket\\ssh_audit_windows_man.txt', encoding="utf-8") as f:
        print(f.read())
    

    Displaying the man page

    Displaying the man page could perhaps be invoked using a command line parameter such as:

    ssh-audit.exe --manual
    

    Packaging the converted man page

    Currently the Windows package is a standalone executable with no external dependencies. Ideally any solution that's adopted would preserve this.

    Does anyone know of a way that the man page (in its converted format) could be embedded into the ssh-audit executable without having to ship an external text file?

    opened by thecliguy 35
  • Group Size Enumeration of diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256

    I've encountered an SSH server where the Diffie-Hellman group size used by the key exchange algorithm diffie-hellman-group-exchange-sha256 is hardcoded and cannot be seen or configured by an administrator.

    My plan was to use ssh-audit to scan the server and find out more information about the supported group size(s) but then I realised that ssh-audit only returns the minimum value.

    I studied RFC 4419 which explains how the client requests a modulus from the server by specifying a minimum, a preferred and a maximum value (expressed in bits). The send_init_gex function in ssh-audit has been implemented as per the explanation in RFC 4419, it accepts minbits, prefbits and maxbits.

    I was able to modify gextest.py to invoke send_init_gex with minbits, prefbits and maxbits of the same value from 0 to 8192. This gave me the answer I was looking for, it showed that the server was configured with group sizes of 1024, 2048, 3072, 4096 and 6144. Using this information I can now contact the manufacturer of the SSH server software and ask if they will consider removing 1024.

    @jtesta What do you think about about adding group size enumeration as a feature to ssh-audit? I could submit my patch as a draft for you to review?

    Enumerating every value from 0 to 8192 is a slow process because it has to make a new connection to the target server each time. In my case this was not a problem because I ran the patched version of ssh-audit on the SSH server itself. However, if someone were to attempt this over a network it may cause a firewall's rate control to be triggered resulting in requests being blocked. So we'd probably need to mention this as a potential caveat in the documentation.

    opened by thecliguy 26
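The RFC 4419 exchange the post describes, as an added example that is not part of the original issue or of ssh-audit's own gextest code: it encodes KEX_DH_GEX_REQUEST with min = n = max, decodes the server's KEX_DH_GEX_GROUP reply, and sweeps candidate sizes against a constructed in-process stand-in server. FakeGexServer, its placeholder moduli and the 2048-bit verdict threshold are assumptions, not ssh-audit's internals.

```python
import struct

# Message numbers from RFC 4419, section 5.
SSH_MSG_KEX_DH_GEX_REQUEST = 34
SSH_MSG_KEX_DH_GEX_GROUP = 31


def build_gex_request(minbits: int, prefbits: int, maxbits: int) -> bytes:
    """Client -> server KEX_DH_GEX_REQUEST payload: byte 34, uint32 min, uint32 n, uint32 max."""
    if not 0 <= minbits <= prefbits <= maxbits:
        raise ValueError("RFC 4419 requires min <= n <= max")
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, minbits, prefbits, maxbits)


def parse_gex_request(payload: bytes) -> tuple:
    if len(payload) != 13 or payload[0] != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a KEX_DH_GEX_REQUEST payload")
    return struct.unpack_from(">III", payload, 1)


def encode_mpint(value: int) -> bytes:
    """RFC 4251 mpint: uint32 length + big-endian two's complement (non-negative values only)."""
    if value < 0:
        raise ValueError("DH GEX never carries negative mpints")
    if value == 0:
        return b"\x00\x00\x00\x00"
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # one spare byte keeps the sign bit clear
    return struct.pack(">I", len(raw)) + raw


def decode_mpint(buf: bytes, off: int) -> tuple:
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + length]
    if len(raw) != length:
        raise ValueError("truncated mpint")
    return int.from_bytes(raw, "big", signed=True), off + length


def build_gex_group(p: int, g: int) -> bytes:
    """Server -> client KEX_DH_GEX_GROUP payload: byte 31, mpint p, mpint g."""
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(g)


def parse_gex_group(payload: bytes) -> tuple:
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not a KEX_DH_GEX_GROUP payload")
    p, off = decode_mpint(payload, 1)
    g, off = decode_mpint(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after g")
    return p, g


def modulus_verdict(p: int, fail_below: int = 2048) -> tuple:
    """Bit length of the offered modulus plus a verdict. The threshold is an assumption,
    in the spirit of ssh-audit's rule that 1024-bit moduli are failures."""
    bits = p.bit_length()
    return bits, ("fail" if bits < fail_below else "ok")


def enumerate_group_sizes(exchange, candidates) -> list:
    """Pin min = n = max to each candidate size and collect the sizes the server actually serves.
    `exchange(request_payload)` returns the raw KEX_DH_GEX_GROUP payload, or None if refused."""
    found = set()
    for bits in candidates:
        reply = exchange(build_gex_request(bits, bits, bits))
        if reply is None:
            continue
        p, _g = parse_gex_group(reply)
        found.add(p.bit_length())
    return sorted(found)


class FakeGexServer:
    """Constructed in-process stand-in for a server with a hard-coded list of group sizes."""

    def __init__(self, sizes):
        # Placeholder moduli of the right bit length only; NOT real DH primes.
        self.groups = {bits: (1 << (bits - 1)) | 1 for bits in sizes}

    def exchange(self, request_payload: bytes):
        minbits, prefbits, maxbits = parse_gex_request(request_payload)
        usable = [b for b in self.groups if minbits <= b <= maxbits]
        if not usable:
            return None  # a real server would disconnect instead
        best = min(usable, key=lambda b: abs(b - prefbits))  # RFC 4419: closest to n within [min, max]
        return build_gex_group(self.groups[best], 2)


if __name__ == "__main__":
    server = FakeGexServer([1024, 2048, 3072, 4096, 6144])
    for bits in enumerate_group_sizes(server.exchange, range(1024, 8193, 1024)):
        print(bits, modulus_verdict((1 << (bits - 1)) | 1)[1])
```

Each candidate costs one full connection against a real server, which is the rate-limiting caveat the post raises; the stand-in here answers in-process.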
  • Show MD5 Hash of Fingerprint in Verbose Output

    When verifying host keys, PuTTY, plink and psftp use an md5 hash rather than a sha256 hash.

    plink 0.74 - Example Output (click to expand):

    C:\sandbox>plink.exe -v scanme.nmap.org
    Looking up host "scanme.nmap.org" for SSH connection
    Connecting to 45.33.32.156 port 22
    We claim version: SSH-2.0-PuTTY_Release_0.74
    Remote version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
    We believe remote version has SSH-2 channel request bug
    Using SSH protocol version 2
    No GSSAPI security context available
    Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
    Server also has ecdsa-sha2-nistp256/ssh-dss/ssh-rsa host keys, but we don't know any of them
    Host key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    The server's host key is not cached in the registry. You
    have no guarantee that the server is the computer you
    think it is.
    The server's ssh-ed25519 key fingerprint is:
    ssh-ed25519 255 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56
    If you trust this host, enter "y" to add the key to
    PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without
    adding the key to the cache, enter "n".
    If you do not trust this host, press Return to abandon the
    connection.
    Store key in cache? (y/n) 
    

    Currently ssh-audit only shows fingerprints in the form of a sha256 hash. Do you have any objection to also showing the md5 hash if the verbose (-v/--verbose) parameter has been provided?

    I've built a proof-of-concept that I can share.

    By the way, the Fingerprint class is already capable of producing an md5 hash, it's just not currently used: https://github.com/jtesta/ssh-audit/blob/2f1a2a60b153509612a450173041fb698177dc45/src/ssh_audit/fingerprint.py#L33-L37

    opened by thecliguy 14
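Both fingerprint styles the post contrasts, computed from a raw host-key blob, as an added example that is not ssh-audit's Fingerprint class: SHA256 in the unpadded-base64 form OpenSSH prints and MD5 in the colon-hex form plink shows above, plus the RSA modulus size check that a standard audit also performs. The sample key lines are constructed and the 2048-bit RSA threshold is an assumption.

```python
import base64
import hashlib
import struct


def read_string(buf: bytes, off: int) -> tuple:
    """Read an RFC 4251 string (uint32 length + bytes) at `off`; return (data, new_off)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    data = buf[off:off + length]
    if len(data) != length:
        raise ValueError("truncated SSH string")
    return data, off + length


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def fingerprints(blob: bytes) -> dict:
    """Both fingerprint styles of a public-key blob (the base64 field of a host key line):
    OpenSSH's SHA256 (base64 without '=' padding) and the MD5 colon-hex form PuTTY displays."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "sha256": "SHA256:" + sha,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
    }


def parse_key_blob(blob: bytes) -> dict:
    """Key type and size from the blob (ssh-rsa per RFC 4253 s.6.6, ssh-ed25519 per RFC 8709)."""
    key_type, off = read_string(blob, 0)
    info = {"type": key_type.decode("ascii"), "bits": None}
    if info["type"] == "ssh-rsa":
        _e, off = read_string(blob, off)  # public exponent (mpint); not needed for the size
        n, off = read_string(blob, off)   # modulus (mpint), may carry a leading sign byte
        info["bits"] = int.from_bytes(n, "big", signed=True).bit_length()
    elif info["type"] == "ssh-ed25519":
        pk, off = read_string(blob, off)
        info["bits"] = len(pk) * 8
    return info


def audit_host_key_line(line: str, min_rsa_bits: int = 2048) -> dict:
    """Audit one '<type> <base64-blob> [comment]' line as found in known_hosts or ssh-keyscan output."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    info = parse_key_blob(blob)
    if info["type"] != fields[0]:
        raise ValueError("type field %r does not match blob type %r" % (fields[0], info["type"]))
    info.update(fingerprints(blob))
    # Assumed threshold; ssh-audit has had an RSA host key length test since v2.0.0.
    info["rsa_too_short"] = info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits
    return info


def _mpint(value: int) -> bytes:
    # Positive mpint: one spare byte so the top bit is never set.
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


# Constructed sample lines (not real keys): an all-zero Ed25519 point and a 1024-bit RSA modulus.
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode() + " constructed"
SAMPLE_RSA1024_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1)).decode() + " constructed"

if __name__ == "__main__":
    for line in (SAMPLE_ED25519_LINE, SAMPLE_RSA1024_LINE):
        print(audit_host_key_line(line))
```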
  • client audit vs client hardening guide

    Hi @jtesta

    I just discovered the client hardening mode.

    I run Ubuntu 18.04 on my laptop.

    I applied the changes from your hardening guide

    https://www.ssh-audit.com/hardening_guides.html#ubuntu_18_04_linux_mint_19

    and then I started the client audit via python3.8 ssh-audit.py -c and then on a second terminal, I sshed into localhost port 2222.

    Expected: I expected all output to be green.

    What I got:

    # general
    (gen) client IP: 127.0.0.1
    (gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
    (gen) software: OpenSSH 7.6p1
    (gen) compression: enabled ([email protected], zlib)
    
    # key exchange algorithms
    (kex) curve25519-sha256                         -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    (kex) [email protected]              -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp256                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp384                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp521                        -- [fail] using weak elliptic curves
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) diffie-hellman-group-exchange-sha256      -- [info] available since OpenSSH 4.4
    (kex) diffie-hellman-group16-sha512             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group18-sha512             -- [info] available since OpenSSH 7.3
    (kex) diffie-hellman-group-exchange-sha1        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.3.0
    (kex) diffie-hellman-group14-sha256             -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group14-sha1               -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
    (kex) ext-info-c
    
    # host-key algorithms
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]  -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7
    (key) [email protected]          -- [info] available since OpenSSH 6.5
    (key) [email protected]              -- [info] available since OpenSSH 5.6
    (key) ecdsa-sha2-nistp256                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp384                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ecdsa-sha2-nistp521                       -- [fail] using weak elliptic curves
                                                    `- [warn] using weak random number generator could reveal the key
                                                    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ssh-ed25519                               -- [info] available since OpenSSH 6.5
    (key) rsa-sha2-512                              -- [info] available since OpenSSH 7.2
    (key) rsa-sha2-256                              -- [info] available since OpenSSH 7.2
    (key) ssh-rsa                                   -- [fail] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
    
    # encryption algorithms (ciphers)
    (enc) [email protected]             -- [info] available since OpenSSH 6.5
                                                    `- [info] default cipher since OpenSSH 6.9.
    (enc) aes128-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) aes192-ctr                                -- [info] available since OpenSSH 3.7
    (enc) aes256-ctr                                -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) [email protected]                    -- [info] available since OpenSSH 6.2
    (enc) [email protected]                    -- [info] available since OpenSSH 6.2
    
    # message authentication code algorithms
    (mac) [email protected]                   -- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 6.2
    (mac) [email protected]                  -- [info] available since OpenSSH 6.2
    (mac) [email protected]             -- [info] available since OpenSSH 6.2
    (mac) [email protected]             -- [info] available since OpenSSH 6.2
    (mac) [email protected]                 -- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 6.2
    (mac) [email protected]                       -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using small 64-bit tag size
                                                    `- [info] available since OpenSSH 4.7
    (mac) [email protected]                      -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-256                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha2-512                             -- [warn] using encrypt-and-MAC mode
                                                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha1                                 -- [warn] using encrypt-and-MAC mode
                                                    `- [warn] using weak hashing algorithm
                                                    `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
    
    # algorithm recommendations (for OpenSSH 7.6)
    (rec) -diffie-hellman-group-exchange-sha1       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp256                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp384                       -- kex algorithm to remove 
    (rec) -ecdh-sha2-nistp521                       -- kex algorithm to remove 
    (rec) -ecdsa-sha2-nistp256                      -- key algorithm to remove 
    (rec) -ecdsa-sh[email protected] -- key algorithm to remove 
    (rec) -ecdsa-sha2-nistp384                      -- key algorithm to remove 
    (rec) [email protected] -- key algorithm to remove 
    (rec) -ecdsa-sha2-nistp521                      -- key algorithm to remove 
    (rec) [email protected] -- key algorithm to remove 
    (rec) -ssh-rsa                                  -- key algorithm to remove 
    (rec) -diffie-hellman-group14-sha1              -- kex algorithm to remove 
    (rec) -hmac-sha1                                -- mac algorithm to remove 
    (rec) [email protected]                -- mac algorithm to remove 
    (rec) -hmac-sha2-256                            -- mac algorithm to remove 
    (rec) -hmac-sha2-512                            -- mac algorithm to remove 
    (rec) [email protected]                     -- mac algorithm to remove 
    (rec) [email protected]                  -- mac algorithm to remove 
    (rec) [email protected]                      -- mac algorithm to remove 
    
    # additional info
    (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    

    My ssh config contains some jumphost configurations, and then on the bottom your suggested changes which I echoed into the file.

    # lots of hosts...
    
    Host xxx
        Hostname 192.168.1.220
        ProxyJump yyy
    
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    MACs [email protected],[email protected],[email protected]
    HostKeyAlgorithms ssh-ed25519,[email protected],rsa-sha2-256,rsa-sha2-512,[email protected]
    
    

    I tried to google about client hardening, but almost all information out there is about server hardening.

    Any hint for me what to do?

    Thanks!

    opened by jugmac00 11
  • Add OpenSSH 8 recommendations

    Hi Joe,

    The tool currently suggests recommended settings for OpenSSH 7.6, but I currently have OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019, so it would be great to have up-to-date kex/mac/etc recommendations on what to enable, disable, and so on. There might be such in the official docs, but the tool should make it easy to find them via its output.

    # algorithm recommendations (for OpenSSH 7.6)
    ...
    
    opened by immanuelfodor 11
  • Feature request: Consider host entries in .ssh/config

    Feature request: Consider host entries in .ssh/config

    It would be convenient if host entries in .ssh/config (hostname, port) could be recognised and used automatically, so that an entry like

    Host staging
    	PubkeyAuthentication yes
    	IdentitiesOnly yes
    	IdentityFile ~/.ssh/id_ed25519
    	Hostname mystagingserver.domain.com
    	User dummy
    	Port 54321
    

    would allow a simple

    ssh-audit.py staging

    instead of a

    ssh-audit.py -p 54321 mystagingserver.domain.com

    opened by shoopdawoop 10
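The alias lookup this request describes, as an added example that is not ssh-audit's own code: a small ssh_config reader that resolves a Host alias to the Hostname and Port to scan. It assumes OpenSSH's first-obtained-value-wins semantics per keyword, fnmatch-style Host patterns with `!` negation, and a constructed sample config that contains the `staging` entry above.

```python
# Added example (not ssh-audit's own code): resolve an ssh_config Host alias
# to the (hostname, port) that should be scanned, as the request above asks.
# Assumptions: OpenSSH semantics where the first obtained value for a keyword
# wins; Host patterns are fnmatch-style globs and a leading "!" negates one.
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed sample config containing the entry from the issue above.
SAMPLE_CONFIG = """\
Host staging
\tPubkeyAuthentication yes
\tIdentitiesOnly yes
\tIdentityFile ~/.ssh/id_ed25519
\tHostname mystagingserver.domain.com
\tUser dummy
\tPort 54321

Host prod-* !prod-legacy
    HostName prod.example.org
    Port 2200

Host *
    Port 22
"""

Block = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split an ssh_config into (host_patterns, options) blocks in file order."""
    blocks: List[Block] = []
    patterns: List[str] = ["*"]  # options before the first Host line apply to all
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keywords are case-insensitive; "Key value" and "Key=value" are both valid.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options or patterns != ["*"]:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # first value inside a block wins
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """True if some positive pattern matches host and no negated pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve_target(alias: str, config_text: str,
                   default_port: int = 22) -> Tuple[str, int, Optional[str]]:
    """Return (hostname, port, user) for alias, merging every matching block."""
    merged: Dict[str, str] = {}
    for patterns, options in parse_ssh_config(config_text):
        if host_matches(patterns, alias):
            for key, value in options.items():
                merged.setdefault(key, value)
    port = int(merged.get("port", default_port))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in ssh_config: {port}")
    return merged.get("hostname", alias), port, merged.get("user")


if __name__ == "__main__":
    host, port, _user = resolve_target("staging", SAMPLE_CONFIG)
    print(f"ssh-audit.py -p {port} {host}")
```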
  • Add an OPNsense SSH hardening guide

    Add an OPNsense SSH hardening guide

    Hi @jtesta,

    According to https://github.com/opnsense/core/issues/3975, there will be new SSH config options in OPNsense 20.7, so it'd be great to add these to the common OS list at https://www.ssh-audit.com/hardening_guides.html maybe below pfSense (as OPNsense is its fork).

    Until the new settings are released, users can enable them by running these commands on their OPNsense box/vm:

    opnsense-patch 5df590c
    opnsense-patch 1165119
    service configd restart
    

    As there is no ordering of the chosen algos (limitation of the UI), advanced users who mess with these settings should pick the hardest choices that their SSH clients support. I'm happy that they added support for tweaking these at least.

    opened by immanuelfodor 10
  • v2.3.0 Milestones

    v2.3.0 Milestones

    @jtesta Hi Joe,

    At the end of July you mentioned that you were hoping to release v2.3.0.

    Are there some specific issues that you want to close before releasing v2.3.0? If so, perhaps they could be tagged as milestones.

    opened by thecliguy 9
  • SSH Connections - Additional Logging and Visibility of Errors

    SSH Connections - Additional Logging and Visibility of Errors

    ADDITIONAL LOGGING

    I'm planning on using ssh-audit in a production environment and would like to be able to demonstrate and record how aggressive a typical audit is.

    Currently verbose output only shows the initial SSH connection that's made to a target server:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/ssh_audit.py#L823

    However an audit actually makes multiple connections to a target server:

    1. The initial connection:
       ssh_audit.py: main --> audit --> err = s.connect()

    2. Obtaining host key(s):
       ssh_audit.py: main --> audit --> HostKeyTest.run(s, kex)
       hostkeytest.py: run --> perform_test --> err = s.connect()
       (err = s.connect() runs once per key type [rsa, ed25519, etc])

    3. Performing DH group exchange:
       ssh_audit.py: main --> audit --> GEXTest.run(s, kex)
       gextest.py: run --> GEXTest.reconnect --> err = s.connect()
       (GEXTest.reconnect runs once per group-exchange alg and once per modulus length for each group-exchange alg)

    @jtesta Would you be happy to entertain the idea of adding some additional logging so that each SSH connection is output? If that sounds OK, do you want this to be added to the existing verbose output or would it be more appropriate to add a new --debug parameter?

    VISIBILITY OF ERRORS

    When obtaining host key(s) and performing DH group exchange, if s.connect() or get_banner() produce an error then currently the error message is suppressed:

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/hostkeytest.py#L109-L116

    https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/gextest.py#L45-L52

    Should we at least display a warning rather than hiding errors?

    opened by thecliguy 8
  • ssh-rsa Host Key Algorithm

    ssh-rsa Host Key Algorithm

    @jtesta Hi Joe

    The OpenSSH 8.3 release notes include a future deprecation notice which says: "...we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release".

    Is it worth updating ssh-rsa in ssh2_kexdb.py to mention something like "A future deprecation notice has been issued in OpenSSH 8.3, see https://www.openssh.com/txt/release-8.3." ?

    When I researched the deprecation of ssh-rsa, there seems to be a degree of confusion about the whole thing. So before you do anything, it's probably a good idea to check and make sure that you agree with my interpretation and that I'm not perpetuating incorrect information.

    opened by thecliguy 8
  • Batch scanning fail

    Batch scanning fail

    Hello,

    When I try to scan a batch of targets in a file, if one of those gets a "[exception] cannot connect to 127.0.0.1 port 22 : timed out" or "connection refused", the scan fails. I tried specifying the -b flag, but that did not help much. The workaround was to just cat the file and run it in parallel/xargs. But I still figured I should let you know.

    opened by gbiagomba 8
  • Dropbear ssh hardening guide addition

    Dropbear ssh hardening guide addition

    The current release of dropbear can be hardened by building it with the following three lines added to localoptions.h:

    #define DROPBEAR_RSA_SHA1 0
    #define DROPBEAR_DH_GROUP14_SHA1 0
    #define DROPBEAR_SHA1_HMAC 0
    

    Wondering if you would like to add this to your hardening guide.

    Reference: https://github.com/mkj/dropbear/issues/138

    opened by graysky2 0
  • Only SHA256 fingerprints are calculated - no MD5 and SHA512

    Only SHA256 fingerprints are calculated - no MD5 and SHA512

    When scanning a remote server, only the sha256 fingerprints are shown.

    It would make sense to calculate the fingerprint with different hash algorithms, because not every client uses a sha256 hash for fingerprint calculation.

    The following hash algorithms should be used:

    • MD5 (deprecated but there are still clients which are using MD5)
    • SHA512 (rarely used but some clients exist which are using SHA512 fingerprints)

    I know those algorithms are not common, but as long as some clients are using those, ssh-audit should calculate the fingerprints.

    opened by hmaier1996 2
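The multi-hash fingerprinting this request asks for, as an added example that is not ssh-audit's code: fingerprint a host key blob with MD5, SHA256 and SHA512 in the formats ssh-keygen -l -E prints (MD5 as colon-separated hex, the SHA variants as unpadded base64). The ssh-ed25519 blob it fingerprints is constructed around dummy key bytes, not a real key.

```python
# Added example (not part of ssh-audit): compute OpenSSH-style host key
# fingerprints with MD5, SHA256 and SHA512, as the issue above requests.
# A fingerprint is a hash of the raw key blob (the base64 part of a
# "ssh-ed25519 AAAA..." line), presented as ssh-keygen -l -E <hash> does:
# MD5 as colon-separated hex, SHA256/SHA512 as base64 without padding.
import base64
import hashlib
import struct
from typing import Dict

FINGERPRINT_HASHES = ("md5", "sha256", "sha512")


def fingerprint_blob(blob: bytes, algo: str) -> str:
    """Fingerprint a raw key blob with one hash algorithm (ssh-keygen -E style)."""
    algo = algo.lower()
    if algo not in FINGERPRINT_HASHES:
        raise ValueError(f"unsupported fingerprint hash: {algo}")
    digest = hashlib.new(algo, blob).digest()
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return f"{algo.upper()}:" + base64.b64encode(digest).decode().rstrip("=")


def all_fingerprints(blob: bytes) -> Dict[str, str]:
    """Every supported fingerprint of one blob, keyed by upper-case hash name."""
    return {algo.upper(): fingerprint_blob(blob, algo) for algo in FINGERPRINT_HASHES}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_from_key_line(line: str) -> bytes:
    """Decode '<keytype> <base64 blob> [comment]' and check the embedded type matches."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside blob does not match key type on the line")
    return blob


# Constructed sample: a syntactically valid ssh-ed25519 blob wrapped around
# 32 dummy public-key bytes (not a real key; only the fingerprint format matters).
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"

if __name__ == "__main__":
    for name, fp in all_fingerprints(blob_from_key_line(SAMPLE_KEY_LINE)).items():
        print(name, fp)
```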
  • LookupError: unknown encoding: idna

    LookupError: unknown encoding: idna

    I get an exception when scanning some targets using targets file. When scanning these targets manually, it works fine.

    I'm using the ssh-audit.exe in Version 2.5 on a Windows 10 VM. To me it looks like an issue of a missing import: import encodings.idna

    An exception occurred while scanning 10.2xx.xx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xxx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xxx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    An exception occurred while scanning 10.2xx.xxx.xx:22:
    Traceback (most recent call last):
      File "ssh-audit.py", line 1017, in target_worker_thread
      File "ssh-audit.py", line 842, in audit
      File "ssh_socket.py", line 155, in connect
      File "ssh_socket.py", line 85, in _resolve
      File "socket.py", line 953, in getaddrinfo
    LookupError: unknown encoding: idna

    opened by kastahl 6
  • Python file

    Python file

    (output truncated)

    $ pip3 show -f ssh-audit
    Version: 2.5.0
    License: UNKNOWN
    Location: /usr/local/lib/python3.10/site-packages
    Requires: 
    Required-by: 
    Files:
      ../../../bin/ssh-audit
      ssh_audit-2.5.0.dist-info/LICENSE
    

    Hello. Be it unknown or not to Python, the license is duly mentioned here:

    $ cat /usr/local/lib/python3.10/site-packages/ssh_audit-2.5.0.dist-info/LICENSE | awk 'NF'| head -2
    The MIT License (MIT)
    Copyright (C) 2017-2020 Joe Testa ([email protected])
    

    Whichever side the issue has its root on, it is worth fixing. The copyright's end year might need an up-to-date number. Worth noting that an en-dash (–) is what usage defines as applying to a range of dates, not a hyphen (-), which is commonly misused by developers.

    opened by Ricky-Tigg 2
  • [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)

    Hi!

    I'm working on a product that needs to implement ssh / scp itself. I've read dozens of RFCs myself already, but would still rather not implement everything myself. As such I've opted to use Apache Mina SSHD.

    Trying to disable the ecdsa-sha2-nistp521 signature, however, seems to be problematic. I can see that ssh-audit tries connecting with only that signature algorithm, and then the server implementation concludes that a session cannot be negotiated properly. As such it sends the message SSH_MSG_DISCONNECT (1), while logging the error message: "SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - sendKexInit() no resolved signatures available".

    However, ssh-audit then fails to execute with the following message: [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1). Reading RFC 4253, I would say that this is to be expected, though, as on page 18 it says:

      If no algorithm satisfying all these conditions can be found, the
      connection fails, and both sides MUST disconnect.
    

    My test code uses containers (testcontainers-java) and JUnit. For reference:

    import lombok.Cleanup;
    import lombok.extern.slf4j.Slf4j;
    import org.junit.jupiter.api.Test;
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.containers.output.Slf4jLogConsumer;
    import org.testcontainers.containers.startupcheck.IndefiniteWaitOneShotStartupCheckStrategy;
    import org.testcontainers.junit.jupiter.Testcontainers;
    import org.testcontainers.utility.MountableFile;
    
    import java.io.IOException;
    
    import static org.testcontainers.Testcontainers.exposeHostPorts;
    
    @Slf4j
    @Testcontainers
    public final class SSHTest {
        // Name under which the ssh-audit container reaches the host-side SSHD
        // (matches the "Starting audit of host.testcontainers.internal:2222" debug output below).
        private static final String SSH_URL = "host.testcontainers.internal";
        private static final int SSH_PORT = 2222;

        @Test
        public void testAudit() throws Exception {
            // createLauncher() starts the Apache Mina SSHD under test; its body is not included in the post.
            @Cleanup final var launcher = createLauncher();
            launcher.start();
    
            exposeHostPorts(SSH_PORT);
    
            @Cleanup final var container = createContainerAudit();
            container.start();
        }
    
        private static GenericContainer<?> createContainerAudit() {
            return new SSHAudit(new SSHAudit.Config(SSH_URL, SSH_PORT))
                .withLogConsumer(new Slf4jLogConsumer(log))
                .withStartupCheckStrategy(new IndefiniteWaitOneShotStartupCheckStrategy());
        }
    }
    
    import org.testcontainers.containers.GenericContainer;
    import org.testcontainers.utility.DockerImageName;
    
    final class SSHAudit extends GenericContainer<SSHAudit> {
        public SSHAudit(final Config config) {
            super(DockerImageName.parse("positronsecurity/ssh-audit"));
            this.setCommand(
                "-b",
    //            "-l", "warn",
                config.url()
            );
        }
    
        public record Config(
            String host,
            int port
        ) {
            String url() {
                return this.host + ":" + this.port;
            }
        }
    }
    

    The cause of the error is linked here

    I'm unsure how one would approach this, though, as I have not yet understood the code base. My suggestion would be to check if the server disconnected, but I can see that the protocol definition currently has no such field.

    EDIT:

    Output of Help Menu running in Docker Container
    [main] INFO 🐳 [positronsecurity/ssh-audit:latest] - Container positronsecurity/ssh-audit:latest started in PT1.5658137S
    
    STDOUT # ssh-audit.py v2.5.0, https://github.com/jtesta/ssh-audit
    STDOUT 
    STDOUT usage: ssh-audit.py [options] <host>
    STDOUT 
    STDOUT    -h,  --help             print this help
    STDOUT    -1,  --ssh1             force ssh version 1 only
    STDOUT    -2,  --ssh2             force ssh version 2 only
    STDOUT    -4,  --ipv4             enable IPv4 (order of precedence)
    STDOUT    -6,  --ipv6             enable IPv6 (order of precedence)
    STDOUT    -b,  --batch            batch output
    STDOUT    -c,  --client-audit     starts a server on port 2222 to audit client
    STDOUT                                software config (use -p to change port;
    STDOUT                                use -t to change timeout)
    STDOUT    -d,  --debug            debug output
    STDOUT    -j,  --json             JSON output (use -jj to enable indents)
    STDOUT    -l,  --level=<level>    minimum output level (info|warn|fail)
    STDOUT    -L,  --list-policies    list all the official, built-in policies
    STDOUT         --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
    STDOUT                                     connecting to a server
    STDOUT    -M,  --make-policy=<policy.txt>  creates a policy based on the target server
    STDOUT                                     (i.e.: the target server has the ideal
    STDOUT                                     configuration that other servers should
    STDOUT                                     adhere to)
    STDOUT    -m,  --manual           print the man page (Windows only)
    STDOUT    -n,  --no-colors        disable colors
    STDOUT    -p,  --port=<port>      port to connect
    STDOUT    -P,  --policy=<policy.txt>  run a policy test using the specified policy
    STDOUT    -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
    STDOUT                                (default: 5)
    STDOUT    -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
    STDOUT                                    per line, format HOST[:PORT]).  Use --threads
    STDOUT                                    to control concurrent scans.
    STDOUT         --threads=<threads>    number of threads to use when scanning multiple
    STDOUT                                    targets (-T/--targets) (default: 32)
    STDOUT    -v,  --verbose          verbose output
    STDOUT 
    END 
    
    Output of --debug running in Docker Container (Error).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT [exception] did not receive MSG_KEXINIT (20), instead received unknown message (1)
    END 
    ...
    
    Output of --debug running in Docker Container (Successful, but audit fails).

    Supported Signatures: ssh-dss [email protected] ssh-rsa [email protected] rsa-sha2-256 [email protected] rsa-sha2-512 [email protected] ecdsa-sha2-nistp256 [email protected] ecdsa-sha2-nistp384 [email protected] ecdsa-sha2-nistp521 [email protected] [email protected] ssh-ed25519 [email protected] [email protected]

    
    STDOUT Starting audit of host.testcontainers.internal:2222...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 512...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 768...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1024...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 1536...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT Preparing to perform DH group exchange using diffie-hellman-group-exchange-sha256 with modulus size 2048...
    STDOUT Connecting to 172.17.0.3:2222...
    STDOUT Getting banner...
    STDOUT KEX initialisation...
    STDOUT (gen) banner: SSH-2.0-APACHE-SSHD-2.8.0
    STDOUT (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
    STDOUT (gen) compression: enabled (zlib, [email protected])
    STDOUT (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
    STDOUT (kex) [email protected] -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    STDOUT (kex) curve448-sha512
    STDOUT (kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
    STDOUT (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
    STDOUT (kex) diffie-hellman-group17-sha512
    STDOUT (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) diffie-hellman-group15-sha512
    STDOUT (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    STDOUT (kex) ext-info-s
    STDOUT (key) ecdsa-sha2-nistp521 -- [fail] using weak elliptic curves
    STDOUT (key) ecdsa-sha2-nistp521 -- [warn] using weak random number generator could reveal the key
    STDOUT (key) ecdsa-sha2-nistp521 -- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.5
    STDOUT (enc) [email protected] -- [info] default cipher since OpenSSH 6.9.
    STDOUT (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) aes192-ctr -- [info] available since OpenSSH 3.7
    STDOUT (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (enc) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (mac) [email protected] -- [info] available since OpenSSH 6.2
    STDOUT (rec) -ecdsa-sha2-nistp521-- key algorithm to remove 
    STDOUT (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
    END 
    
    
    opened by BjoernAkAManf 3
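How a client could turn the disconnect described above into a useful diagnostic, as an added example that is not ssh-audit's code: a decoder for the unencrypted pre-KEX binary packet that recognises SSH_MSG_DISCONNECT (1) and reports its RFC 4253 reason code and description rather than "unknown message (1)". The sample packet is constructed from the Apache Mina SSHD log line quoted above; the packet layout and reason codes follow RFC 4253 sections 6 and 11.1.

```python
# Added example (not ssh-audit's own code): decode the unencrypted SSH binary
# packet a server sends before key exchange and report an SSH_MSG_DISCONNECT
# with its RFC 4253 reason code and text instead of "unknown message (1)".
import struct
from typing import Tuple

SSH_MSG_DISCONNECT = 1
SSH_MSG_KEXINIT = 20

# Reason codes from RFC 4253 section 11.1.
DISCONNECT_REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED",
    4: "RESERVED", 5: "MAC_ERROR", 6: "COMPRESSION_ERROR", 7: "SERVICE_NOT_AVAILABLE",
    8: "PROTOCOL_VERSION_NOT_SUPPORTED", 9: "HOST_KEY_NOT_VERIFIABLE",
    10: "CONNECTION_LOST", 11: "BY_APPLICATION", 12: "TOO_MANY_CONNECTIONS",
    13: "AUTH_CANCELLED_BY_USER", 14: "NO_MORE_AUTH_METHODS_AVAILABLE",
    15: "ILLEGAL_USER_NAME",
}


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read an RFC 4251 'string' (uint32 length + bytes); raise on truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_packet(payload: bytes, block: int = 8) -> bytes:
    """Wrap a payload in an unencrypted binary packet (RFC 4253 section 6)."""
    # packet_length(4) + padding_length(1) + payload + padding must be a
    # multiple of the block size, with at least 4 bytes of random padding.
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def parse_packet(data: bytes) -> bytes:
    """Return the payload of one unencrypted binary packet, validating lengths."""
    if len(data) < 5:
        raise ValueError("packet shorter than its header")
    packet_len, pad_len = struct.unpack(">IB", data[:5])
    if packet_len < pad_len + 1 or len(data) < 4 + packet_len:
        raise ValueError("inconsistent packet/padding length")
    if pad_len < 4:
        raise ValueError("padding must be at least 4 bytes")
    return data[5:4 + packet_len - pad_len]


def describe_message(payload: bytes) -> str:
    """Name the message type; for SSH_MSG_DISCONNECT also decode reason and text."""
    if not payload:
        raise ValueError("empty payload")
    msg = payload[0]
    if msg == SSH_MSG_KEXINIT:
        return "SSH_MSG_KEXINIT (20)"
    if msg != SSH_MSG_DISCONNECT:
        return f"unknown message ({msg})"
    if len(payload) < 5:
        raise ValueError("truncated SSH_MSG_DISCONNECT")
    (reason,) = struct.unpack(">I", payload[1:5])
    desc, off = _read_string(payload, 5)
    _lang, _ = _read_string(payload, off)  # language tag, usually empty
    name = DISCONNECT_REASONS.get(reason, "UNKNOWN")
    return (f"SSH_MSG_DISCONNECT (1): reason {reason} ({name}): "
            f"{desc.decode('utf-8', 'replace')!r}")


# Constructed sample: the disconnect Apache Mina SSHD logs in the issue above
# (SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE is reason code 9).
_DESC = b"SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE - sendKexInit() no resolved signatures available"
SAMPLE_DISCONNECT = build_packet(
    bytes([SSH_MSG_DISCONNECT]) + struct.pack(">I", 9)
    + struct.pack(">I", len(_DESC)) + _DESC + struct.pack(">I", 0))
```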
Releases (v2.5.0)
Owner
Joe Testa
Principal penetration tester and founder of Positron Security. @therealjoetesta