ncsa / ssh-auditor Goto Github PK

View Code? Open in Web Editor NEW

591.0 28.0 84.0 169 KB

The best way to scan for weak ssh passwords on your network

License: Other

Go 96.78% Makefile 0.37% Dockerfile 2.85%

ssh brute-force auditing security discover

ssh-auditor's Introduction

SSH Auditor

Features

ssh-auditor will automatically:

Re-check all known hosts as new credentials are added. It will only check the new credentials.
Queue a full credential scan on any new host discovered.
Queue a full credential scan on any known host whose ssh version or key fingerprint changes.
Attempt command execution as well as attempt to tunnel a TCP connection.
Re-check each credential using a per credential scan_interval - default 14 days.

It's designed so that you can run ssh-auditor discover + ssh-auditor scan from cron every hour to to perform a constant audit.

Demos

Earlier demo showing all of the features

Demo showing improved log output

Usage

Install

$ brew install go # or however you want to install the go compiler
$ go get github.com/ncsa/ssh-auditor

or Build from a git clone

$ go build

Build a static binary including sqlite

$ make static

Ensure you can use enough file descriptors

$ ulimit -n 4096

Create initial database and discover ssh servers

$ ./ssh-auditor discover -p 22 -p 2222 192.168.1.0/24 10.0.0.1/24

Add credential pairs to check

$ ./ssh-auditor addcredential root root
$ ./ssh-auditor addcredential admin admin
$ ./ssh-auditor addcredential guest guest --scan-interval 1 #check this once per day

Try credentials against discovered hosts

$ ./ssh-auditor scan

Output a report on what credentials worked

$ ./ssh-auditor vuln

RE-Check credentials that worked

$ ./ssh-auditor rescan

Output a report on duplicate key usage

$ ./ssh-auditor dupes

TODO

update the 'host changes' table
handle false positives from devices that don't use ssh password authentication but instead use the shell to do it.
variable re-check times - each credential has a scan_interval in days
better support non-standard ports - discover is the only thing that needs to be updated, the rest doesn't care.
possibly daemonize and add an api that bro could hook into to kick off a discover as soon as a new SSH server is detected.
make the store pluggable (mysql, postgresql).
differentiate between a failed password attempt and a failed connection or timeout. Mostly done. Things like fail2ban complicate this.
add go implementations for the report sqlite3 command.

Report query.

This query that ssh-auditor vuln runs is

select
        hc.hostport, hc.user, hc.password, hc.result, hc.last_tested, h.version
 from
        host_creds hc, hosts h
 where
        h.hostport = hc.hostport
 and    result!='' order by last_tested asc

ssh-auditor's People

Contributors

Stargazers

Watchers

ssh-auditor's Issues

Unable to clear hosts that went offline before being fixed

We have some old entries that need to be cleared out. The vulnerable hosts went offline rather than being fixed.

Currently I can't just use the CentOS sqlite3 tool because of the partial index, which isn't supported in version 3.7. (CREATE INDEX host_creds_vulnerable ON host_creds (result) where result != '';)

It would be great if there was a command to reset hosts.

Scan false negative

I was testing the version 0.6 installed from rpm packages on a specific target, I've found out the scan return a false negative:

[root@com01 ~]# ssh-auditor discover 10.200.200.206/32 --debug
INFO[11-18|08:53:32] discovering hosts                        include=10.200.200.206/32 exclude= total=1 ports=22
INFO[11-18|08:53:32] current known hosts                      count=0
INFO[11-18|08:53:32] discovered new host                      host=10.200.200.206:22 version=SSH-2.0-OpenSSH_7.2 fp=SHA256:LNhTGE5pmDRfWmM15aF49hUrUz/NCI5cIoxqMfjSfJ4
INFO[11-18|08:53:32] discovery report                         total=1 new=1 updated=0
INFO[11-18|08:53:32] brute force queue size                   new=0 total=0

[root@com01 ~]# ssh-auditor addcredential root zaq12wsx --debug
INFO[11-18|08:53:53] added credential                         user=root password=zaq12wsx interval=14

[root@com01 ~]# ssh-auditor scan --debug
INFO[11-18|08:54:19] brute force queue size                   new=1 total=1
DBUG[11-18|08:54:19] negative brute force result              host=10.200.200.206:22 user=root password=zaq12wsx result=
INFO[11-18|08:54:19] brute force scan report                  total=1 neg=1 pos=0 err=0

[root@com01 ~]# sshpass -p zaq12wsx ssh [email protected] hostname
com07
[root@com01 ~]#

The target is a linux server running opensuse 42.3 with ldap authentication

AddCredential doesn't update existing scan_intervals

AddCredential needs to do a

update host_creds set scan_interval=..

if the row was updated and not added.

Ability to discover using list of ips instead of cidr ranges

Hello
Consider adding a "-f" parameter so you can add a custom ip list

like：
./ssh-auditor discover -p 22 -f ip.txt

thanks

Reset Credential Interval

I would like to be able to reset the check interval for all credentials
I would like to be able to drop the whole credentials table
I would like to be able to set a new interval value for all credentials at once

Many thanks

go get -t -v ./...
Fetching https://golang.org/x/crypto/ssh?go-get=1
https fetch failed: Get https://golang.org/x/crypto/ssh?go-get=1: dial tcp 216.239.37.1:443: i/o timeout
package golang.org/x/crypto/ssh: unrecognized import path "golang.org/x/crypto/ssh" (https fetch: Get https://golang.org/x/crypto/ssh?go-get=1: dial tcp 216.239.37.1:443: i/o timeout)
Fetching https://golang.org/x/crypto/ssh/terminal?go-get=1
https fetch failed: Get https://golang.org/x/crypto/ssh/terminal?go-get=1: dial tcp 216.239.37.1:443: i/o timeout
package golang.org/x/crypto/ssh/terminal: unrecognized import path "golang.org/x/crypto/ssh/terminal" (https fetch: Get https://golang.org/x/crypto/ssh/terminal?go-get=1: dial tcp 216.239.37.1:443: i/o timeout)
make: *** [static] Error 1

Support SSH Keys

Would be neat to be able to add bad/default SSH keys, for example the ones in the https://github.com/rapid7/ssh-badkeys repo, for a start.