ssh_scan – A prototype SSH Configuration and Policy Scanner

A SSH configuration and policy scannerKey Benefits

Minimal Dependancies – Uses native Ruby and BinData to do its work, no heavy dependancies.

Not Just a Script – Implementation is portable for use in another project or for automation of tasks.

Simple – Just point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.

Configurable – Make your own custom policies that fit your unique policy requirements.

To install and run as a gem, type:

gem install ssh_scanssh_scan

To run from a docker container, type:

docker pull mozilla/ssh_scandocker run -it mozilla/ssh_scan /app/bin/ssh_scan -t

To install and run from source, type:

# clone repogit clone ssh_scan# install rvm,# you might have to provide root to install missing packagesgpg2 –keyserver hkp:// –recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3curl -sSL | bash -s stable# install Ruby 2.3.1 with rvm,# again, you might have to install missing devel packagesrvm install 2.3.1rvm use 2.3.1# resolve dependenciesgem install bundlerbundle install./bin/ssh_scan

Example Command-Line Usage
Run ssh_scan -h to get this

ssh_scan v0.0.17 ( ssh_scan [options] -t, –target [IP/Range/Hostname] IP/Ranges/Hostname to scan -f, –file [FilePath] File Path of the file containing IP/Range/Hostnames to scan -T, –timeout [seconds] Timeout per connect after which ssh_scan gives up on the host -L, –logger [Log File Path] Enable logger -O, –from_json [FilePath] File to read JSON output from -o, –output [FilePath] File to write JSON output to -p, –port [PORT] Port (Default: 22) -P, –policy [FILE] Custom policy file (Default: Mozilla Modern) –threads [NUMBER] Number of worker threads (Default: 5) –fingerprint-db [FILE] File location of fingerprint database (Default: ./fingerprints.db) –suppress-update-status Do not check for updates -u, –unit-test [FILE] Throw appropriate exit codes based on compliance status -V [STD_LOGGING_LEVEL], –verbosity -v, –version Display just version info -h, –help Show this messageExamples: ssh_scan -t ssh_scan -t ssh_scan -t ::1 ssh_scan -t ::1 -T 5 ssh_scan -f hosts.txt ssh_scan -o output.json ssh_scan -O output.json -o rescan_output.json ssh_scan -t -p 22222 ssh_scan -t -p 22222 -L output.log -V INFO ssh_scan -t -P custom_policy.yml ssh_scan -t –unit-test -P custom_policy.yml

See here for example video

See here for example output

See here for example policies

CreditsSources of Inspiration for ssh_scan

Mozilla OpenSSH Security Guide – For providing a sane baseline policy recommendation for SSH configuration parameters (eg. Ciphers, MACs, and KexAlgos).

Download ssh_scan


Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do

Você está comentando utilizando sua conta Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s