From af7e2a088c131e5ea4725acf3391bfe2e71cf870 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Mon, 26 Aug 2019 15:19:49 -0400 Subject: [PATCH] Added hmac-sha512 and hmac-sha512@ssh.com MACs. Added diffie-hellman-group17-sha512 key exchange. --- README.md | 4 ++-- ssh-audit.py | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7495ad0..890a9a5 100644 --- a/README.md +++ b/README.md @@ -46,9 +46,9 @@ usage: ssh-audit.py [-1246pbnvlt] - Added RSA certificate key length test. - Added Diffie-Hellman modulus size test. - Now outputs host key fingerprints for RSA and ED25519. - - Added 2 new key exchanges: `sntrup4591761x25519-sha512@tinyssh.org`, `diffie-hellman-group-exchange-sha256@ssh.com`. + - Added 3 new key exchanges: `sntrup4591761x25519-sha512@tinyssh.org`, `diffie-hellman-group-exchange-sha256@ssh.com`, `diffie-hellman-group17-sha512`. - Added 3 new encryption algorithms: `des-cbc-ssh1`, `blowfish-ctr`, `twofish-ctr`. - - Added 8 new MACs: `hmac-sha2-56`, `hmac-sha2-224`, `hmac-sha2-384`, `hmac-sha3-256`, `hmac-sha3-384`, `hmac-sha3-512`, `hmac-sha256`, `hmac-sha256@ssh.com`. + - Added 10 new MACs: `hmac-sha2-56`, `hmac-sha2-224`, `hmac-sha2-384`, `hmac-sha3-256`, `hmac-sha3-384`, `hmac-sha3-512`, `hmac-sha256`, `hmac-sha256@ssh.com`, `hmac-sha512`, `hmac-512@ssh.com`. - Added command line argument (-t / --timeout) for connection & reading timeouts. - Updated CVEs for libssh & Dropbear. diff --git a/ssh-audit.py b/ssh-audit.py index 0797f95..bfdcda6 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -322,6 +322,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods 'diffie-hellman-group14-sha256': [['7.3,d2016.73']], 'diffie-hellman-group15-sha512': [[]], 'diffie-hellman-group16-sha512': [['7.3,d2016.73']], + 'diffie-hellman-group17-sha512': [[]], 'diffie-hellman-group18-sha512': [['7.3']], 'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_HASH_WEAK]], 'diffie-hellman-group-exchange-sha256': [['4.4']], @@ -410,6 +411,8 @@ class SSH2(object): # pylint: disable=too-few-public-methods 'hmac-sha3-512': [[], [], [WARN_ENCRYPT_AND_MAC]], 'hmac-sha256': [[], [], [WARN_ENCRYPT_AND_MAC]], 'hmac-sha256@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha512': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha512@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]], 'hmac-md5': [['2.1.0,d0.28', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC, WARN_HASH_WEAK]], 'hmac-md5-96': [['2.5.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC, WARN_HASH_WEAK]], 'hmac-ripemd160': [['2.5.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_ENCRYPT_AND_MAC]],