Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Auditing SSH Settings (some Blue Team, some Red Team) - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Auditing SSH Settings (some Blue Team, some Red Team)

Yesterday we discussed revisiting SSH configurations and updating settings.  Now that this is done across your organization (just kidding), how will you audit this.  In particular, what about hosts that you don’t know are there, or that you don’t know are running SSH?

For starters, nmap makes a great audit tool.  A simple scan for port 22 will look like this:

nmap –p 22 –Pn --open x.x.x0/24

(note that this only probes port 22, you might want to add 222 or 2222 or 2323 – or even scan all of 1-65535, and look for SSH on other ports)

A more useful scan though will give you information on the services (-sV) and OS (-O):

nmap –p 22 –Pn --open –sV –O x.x.x0/24

If you have thousands of hosts to assess, you can look at MASSCAN instead of nmap to get the initial “find the open ports” scan job done quicker.  While MASSCAN will do the initial scan at blinding speed, Nmap and other tools will do a better job once you start asking for more complex output.

Or, looking for SSH version 1 servers:

nmap –p 22 –Pn –open x.x.x.0/24 –script sshv1.nse

 

Or even more useful, just pull the ciphers supported in the target SSH servers:

nmap –p 22 –Pn –open x.x.x.0/24 –script ssh2-enum-algos.nse

 

A tool that I’ve been playing with the last week or so goes one better.  Ssh-scan assesses the target host, then dumps it’s ciphers and the config bits that it can deduce remotely, then gives you recommendations based on policies (some default policies are included with the tool).   This is by no means the only SSH scanner out there, there are certainly dozens of similar tools, ssh_scan is just a new one that popped up in my Twitter feed this past month.  Tools like Nessus or OpenVAS will also do a good job on these assessments (try one against the next against the next, let us know what you see!)

Ssh_scan is extremely easy to install – on Kali (or almost any Linux distro with Ruby installed), simply run:

gem install ssh_scan

Their site also has instructions to run this in Docker.

A scan of a typical host (an ESXi with a default SSH config) might look like this (note the recommendations section, in red)

#ssh_scan -t 192.168.122.50
[
  {
    "ssh_scan_version": "0.0.29",
    "ip": "192.168.122.50",
    "hostname": "",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_5.6",
    "ssh_version": 2.0,
    "os": "unknown",
    "os_cpe": "o:unknown",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:5.6",
    "key_algorithms": [
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group-exchange-sha1",
      "diffie-hellman-group14-sha1",
      "diffie-hellman-group1-sha1"
    ],
    "encryption_algorithms_client_to_server": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "3des-cbc"
    ],
    "encryption_algorithms_server_to_client": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "3des-cbc"
    ],
    "mac_algorithms_client_to_server": [
      "hmac-sha1",
      "hmac-sha1-96"
    ],
    "mac_algorithms_server_to_client": [
      "hmac-sha1",
      "hmac-sha1-96"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "zlib@openssh.com"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "zlib@openssh.com"
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "auth_methods": [
      "publickey",
      "keyboard-interactive"
    ],
    "fingerprints": {
      "dsa": {
        "known_bad": "false",
        "md5": "65:98:f9:e9:94:00:e4:21:d8:5a:d8:4e:b3:aa:d5:32",
        "sha1": "d8:c3:8b:da:3f:37:7e:f7:a3:d6:36:10:37:f5:6a:8d:df:e6:74:84",
        "sha256": "21:b0:70:98:0c:e3:1b:77:b3:fc:01:7c:dc:99:6a:ea:a9:57:f1:ef:90:8c:80:01:3e:17:6b:1e:51:22:c9:5a"
      },
      "rsa": {
        "known_bad": "false",
        "md5": "c4:6c:3b:22:f7:60:9a:57:9e:a1:df:84:66:53:15:92",
        "sha1": "ed:f4:d9:37:a6:be:8d:fc:de:dd:2a:68:a0:7e:08:cb:97:58:2c:d9",
        "sha256": "2b:37:be:45:7c:9c:c3:51:eb:15:54:97:54:9b:ab:6d:81:73:a1:94:66:62:e1:9b:4a:92:13:d7:92:f6:1d:84"
      }
    },
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Add these key exchange algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256",
        "Add these MAC algorithms: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com",
        "Add these encryption ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com",
        "Remove these key exchange algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
        "Remove these MAC algorithms: hmac-sha1, hmac-sha1-96",
        "Remove these encryption ciphers: 3des-cbc",
        "Remove these authentication methods: keyboard-interactive"
      ],

      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    },
    "start_time": "2017-10-30 09:17:24 -0400",
    "end_time": "2017-10-30 09:17:25 -0400",
    "scan_duration_seconds": 1.034291524
  }
]

Note the recommendations section.  On ESXi especially, if you combine this with the advice from VMware and the CIS Hardening Guide, the guidance really boils down to “why did you enable SSH on that box anyway?” – for vSphere, really you are better off to use the API to script against the environment (which is usually why people enable SSH on that platform)

In another example, scanning a pfSense firewall (just the recommendations shown):
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Add these key exchange algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256",
        "Remove these MAC algorithms: hmac-ripemd160-etm@openssh.com, hmac-ripemd160",
        "Remove these authentication methods: password, keyboard-interactive"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }

Here we see that the recommendations include removal of the default “password, keyboard interactive” authentication (in other words, go to keys for authentication instead of userid/password), as well as some SSH "tech" recommendations.

While you should scan everything with tools like Nessus or OpenVAS, the output from these tools can be a tidal wave of duplicate and overlapping advice.  You can certainly tune either product to give you pinpoint results, but that can be a bit of a job too.  If you are just looking to have a “fix SSH in my infrastructure” day, combining nmap and ssh_scan can give you “just the facts” to get the job done!

Have you worked with a different or maybe a better SSH audit tool?  Please, use our comment form and let us know!

If you book yourself a "fix my SSH services" day, and you're able to share some war stories, please also use that comment form!

===============
Rob VandenBrink
Compugen

Rob VandenBrink

458 Posts
ISC Handler
The tool I use for this kind of work is ssh-audit (https://github.com/arthepsy/ssh-audit)

Seems to work pretty well.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!