Smoothed out some rough edges from PR #307.

Joe Testa
2025-08-17 16:34:32 -04:00
parent 1c0d3d5df1
commit 970d747dcb
5 changed files with 723 additions and 515 deletions

README.md

@@ -41,12 +41,18 @@
## Usage
```
usage: ssh-audit.py [-h] [-4] [-6] [-b] [-c] [-d]
[-g <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>] [-j] [-l {info,warn,fail}] [-L]
[-M custom_policy.txt] [-m] [-n] [-P "Built-In Policy Name" / custom_policy.txt] [-p N]
[-T targets.txt] [-t N] [-v] [--conn-rate-test N[:max_rate]] [--dheat N[:kex[:e_len]]]
[--lookup alg1[,alg2,...]] [--skip-rate-test] [--threads N]
[-g <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>]
[-j] [-l {info,warn,fail}] [-L] [-M custom_policy.txt]
[-m] [-n] [-P "Built-In Policy Name" / custom_policy.txt]
[-p N] [-T targets.txt] [-t N] [-v]
[--conn-rate-test N[:max_rate]] [--dheat N[:kex[:e_len]]]
[--get-hardening-guide platform] [--list-hardening-guides]
[--lookup alg1[,alg2,...]] [--skip-rate-test]
[--threads N]
[host]
# ssh-audit.py v3.4.0-dev, https://github.com/jtesta/ssh-audit
positional arguments:
host target hostname or IPv4/IPv6 address
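Review bot: the usage block is argparse's auto-generated output, and its wrap width (the new lines break at roughly 60 columns, the old ones at roughly 100) depends on the terminal width at capture time, so every re-paste will churn this part of the README; consider capturing it with a fixed width (for example `COLUMNS=80 ./ssh-audit.py -h`, which argparse honours via `shutil.get_terminal_size()`) so future diffs here reflect only real option changes.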
@@ -55,44 +61,74 @@ optional arguments:
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client software config (use -p to change port; use -t
to change timeout)
-c, --client-audit starts a server on port 2222 to audit client software
config (use -p to change port; use -t to change
timeout)
-d, --debug enable debugging output
-g <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>, --gex-test <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>
conducts a very customized Diffie-Hellman GEX modulus size test. Tests an array of minimum,
preferred, and maximum values, or a range of values with an optional incremental step amount
-j, --json enable JSON output (use -jj to enable indentation for better readability)
conducts a very customized Diffie-Hellman GEX modulus
size test. Tests an array of minimum, preferred, and
maximum values, or a range of values with an optional
incremental step amount
-j, --json enable JSON output (use -jj to enable indentation for
better readability)
-l {info,warn,fail}, --level {info,warn,fail}
minimum output level (default: info)
-L, --list-policies list all the official, built-in policies. Combine with -v to view policy change logs
-L, --list-policies list all the official, built-in policies. Combine with
-v to view policy change logs
-M custom_policy.txt, --make-policy custom_policy.txt
creates a policy based on the target server (i.e.: the target server has the ideal
configuration that other servers should adhere to), and stores it in the file path specified
-m, --manual print the man page (Docker, PyPI, Snap, and Windows builds only)
-n, --no-colors disable colors (automatic when the NO_COLOR environment variable is set)
creates a policy based on the target server (i.e.: the
target server has the ideal configuration that other
servers should adhere to), and stores it in the file
path specified
-m, --manual print the man page (Docker, PyPI, Snap, and Windows
builds only)
-n, --no-colors disable colors (automatic when the NO_COLOR
environment variable is set)
-P "Built-In Policy Name" / custom_policy.txt, --policy "Built-In Policy Name" / custom_policy.txt
run a policy test using the specified policy (use -L to see built-in policies, or specify
filesystem path to custom policy created by -M)
-p N, --port N the TCP port to connect to (or to listen on when -c is used)
run a policy test using the specified policy (use -L
to see built-in policies, or specify filesystem path
to custom policy created by -M)
-p N, --port N the TCP port to connect to (or to listen on when -c is
used)
-T targets.txt, --targets targets.txt
a file containing a list of target hosts (one per line, format HOST[:PORT]). Use -p/--port
to set the default port for all hosts. Use --threads to control concurrent scans
-t N, --timeout N timeout (in seconds) for connection and reading (default: 5)
a file containing a list of target hosts (one per
line, format HOST[:PORT]). Use -p/--port to set the
default port for all hosts. Use --threads to control
concurrent scans
-t N, --timeout N timeout (in seconds) for connection and reading
(default: 5)
-v, --verbose enable verbose output
--conn-rate-test N[:max_rate]
perform a connection rate test (useful for collecting metrics related to susceptibility of
the DHEat vuln). Testing is conducted with N concurrent sockets with an optional maximum
rate of connections per second
perform a connection rate test (useful for collecting
metrics related to susceptibility of the DHEat vuln).
Testing is conducted with N concurrent sockets with an
optional maximum rate of connections per second
--dheat N[:kex[:e_len]]
continuously perform the DHEat DoS attack (CVE-2002-20001) against the target using N
concurrent sockets. Optionally, a specific key exchange algorithm can be specified instead
of allowing it to be automatically chosen. Additionally, a small length of the fake e value
sent to the server can be chosen for a more efficient attack (such as 4).
continuously perform the DHEat DoS attack
(CVE-2002-20001) against the target using N concurrent
sockets. Optionally, a specific key exchange algorithm
can be specified instead of allowing it to be
automatically chosen. Additionally, a small length of
the fake e value sent to the server can be chosen for
a more efficient attack (such as 4).
--get-hardening-guide platform
retrieves the hardening guide for the specified
platform name (use --list-hardening-guides to see list
of available guides).
--list-hardening-guides
list all official, built-in hardening guides for
common systems. Their full names can then be passed to
--get-hardening-guide. Add -v to this option to view
hardening guide change logs and prior versions.
--lookup alg1[,alg2,...]
looks up an algorithm(s) without connecting to a server.
--skip-rate-test skip the connection rate test during standard audits (used to safely infer whether the DHEat
attack is viable)
--threads N number of threads to use when scanning multiple targets (-T/--targets) (default: 32)
looks up an algorithm(s) without connecting to a
server.
--skip-rate-test skip the connection rate test during standard audits
(used to safely infer whether the DHEat attack is
viable)
--threads N number of threads to use when scanning multiple
targets (-T/--targets) (default: 32)
```
* if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.
* batch flag `-b` will output sections without header and without empty lines (implies verbose flag).
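Review bot: the unchanged bullet closing this hunk still says the batch flag `-b` "implies verbose flag", which contradicts the changelog entry in this same commit stating that batch mode no longer automatically enables verbose mode; update the bullet to say that verbose output must now be requested explicitly with `-v`. Minor wording in the `--lookup` help text: "looks up an algorithm(s)" reads better as "looks up one or more algorithms".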
@@ -183,7 +219,7 @@ Below is a screen shot of the client-auditing output when an unhardened OpenSSH
![client_screenshot](https://user-images.githubusercontent.com/2982011/68867998-b946c100-06c4-11ea-975f-1f47e4178a74.png)
## Hardening Guides
Guides to harden server & client configuration can be found here: [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
Guides to harden server & client configuration are built into the tool (see `--list-hardening-guides` and `--get-hardening-guide` options). Additionally, they are also available online at: [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
## Pre-Built Packages
Pre-built packages are available for Windows (see the [Releases](https://github.com/jtesta/ssh-audit/releases) page), PyPI, Snap, and Docker:
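Review bot: in the new Hardening Guides sentence, "Additionally, they are also available online at:" doubles up "additionally" and "also"; "They are also available online at:" says the same thing more cleanly.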
@@ -217,6 +253,7 @@ For convenience, a web front-end on top of the command-line tool is available at
- BIG THANKS to [realmiwi](https://github.com/realmiwi) for being the project's *very first sponsor!!*
- Added warning to all key exchanges that do not include protections against quantum attacks due to the Harvest Now, Decrypt Later strategy (see https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
- Removed SSHv1 support (rationale is documented in: https://github.com/jtesta/ssh-audit/issues/298).
- Added hardening guides (see `--list-hardening-guides` and `--get-hardening-guide`). Previously, they were only available at <https://ssh-audit.com/hardening_guides.html>, but now they are built-in for convenience; partial credit [oam7575](https://github.com/oam7575).
- Migrated from deprecated `getopt` module to `argparse`; partial credit [oam7575](https://github.com/oam7575).
- When running against multiple hosts, now prints each target host regardless of output level.
- Batch mode (`-b`) no longer automatically enables verbose mode, due to sometimes confusing results; users can still explicitly enable verbose mode using the `-v` flag.
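Review bot: the new hardening-guides entry links `https://ssh-audit.com/hardening_guides.html` while the Hardening Guides section of this same README links `https://www.ssh-audit.com/hardening_guides.html`; pick one host form so the two references to the same page match.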