aeris
/
cryptcheck
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
52 Commits
3 Branches
875KB
Tree: a2c38b05b0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a2c38b05b0'
${ noResults }
cryptcheck/lib/cryptcheck/ssh/server.rb

120 lines
4.6KB
Raw Blame History 

  1. require 'socket'

  2. 

  3. module CryptCheck

  4. 	module Ssh

  5. 		class Server

  6. 			TCP_TIMEOUT = 10

  7. 			class SshNotAvailableException < Exception

  8. 			end

  9. 

  10. 			attr_reader :ip, :port, :hostname, :kex, :encryption, :hmac, :compression, :key

  11. 

  12. 			KEX = {

  13. 					'curve25519-sha256@libssh.org'         => :green,

  14. 					'ecdh-sha2-nistp521'                   => nil,		# NIST

  15. 					'ecdh-sha2-nistp384'                   => nil,		# NIST

  16. 					'ecdh-sha2-nistp256'                   => nil,		# NIST

  17. 					'diffie-hellman-group-exchange-sha256' => :green,	# DLP (PFS)

  18. 					'diffie-hellman-group-exchange-sha1'   => :yellow,	# DLP (PFS)

  19. 					'diffie-hellman-group14-sha1'          => :yellow,	# 2048 bits < 3072 bits

  20. 					'diffie-hellman-group1-sha1'           => :red		# 768 bits < 1024 bits

  21. 			}

  22. 

  23. 			ENCRYPTION = {

  24. 					'chacha20-poly1305@openssh.com' => :green,

  25. 					'aes256-gcm@openssh.com'        => :green,

  26. 					'aes128-gcm@openssh.com'        => :green,

  27. 					'aes256-ctr'                    => nil,		# CTR < GCM

  28. 					'aes192-ctr'                    => nil,		# CTR < GCM

  29. 					'aes128-ctr'                    => nil,		# CTR < GCM

  30. 					'aes256-cbc'                    => :yellow,	# CBC

  31. 					'aes192-cbc'                    => :yellow,	# CBC

  32. 					'aes128-cbc'                    => :yellow,	# CBC

  33. 					'blowfish-cbc'                  => :yellow,	# CBC

  34. 					'cast128-cbc'                   => :yellow,	# CBC

  35. 					'3des-cbc'                      => :red,	# 3DES

  36. 					'arcfour'                       => :red,	# RC4

  37. 					'arcfour128'                    => :red,	# RC4

  38. 					'arcfour256'                    => :red		# RC4

  39. 			}

  40. 

  41. 			HMAC = {

  42. 					'hmac-sha2-512-etm@openssh.com'  => :green,

  43. 					'hmac-sha2-256-etm@openssh.com'  => :green,

  44. 					'hmac-sha2-512'                  => nil,

  45. 					'hmac-sha2-256'                  => nil,

  46. 					'hmac-sha1-etm@openssh.com'      => :green,

  47. 					'hmac-sha1'                      => nil,

  48. 					'hmac-sha1-96-etm@openssh.com'   => :red,	# EXPORT

  49. 					'hmac-sha1-96'                   => :red,	# EXPORT

  50. 					'hmac-ripemd160-etm@openssh.com' => :green,

  51. 					'hmac-ripemd160'                 => nil,

  52. 					'hmac-md5-etm@openssh.com'       => :red,	# MD5

  53. 					'hmac-md5'                       => :red,	# MD5

  54. 					'hmac-md5-96-etm@openssh.com'    => :red,	# MD5 + EXPORT

  55. 					'hmac-md5-96'                    => :red,	# MD5 + EXPORT

  56. 					'umac-128-etm@openssh.com'       => :green,

  57. 					'umac-128@openssh.com'           => nil,

  58. 					'umac-64-etm@openssh.com'        => :red,	# < 128 bits

  59. 					'umac-64@openssh.com'            => :red	# < 128 bits

  60. 			}

  61. 

  62. 			COMPRESSION = {

  63. 					'none'             => nil,

  64. 					'zlib@openssh.com' => nil

  65. 			}

  66. 

  67. 			KEY = {

  68. 					'ssh-ed25519'                              => :green,

  69. 					'ssh-ed25519-cert-v01@openssh.com'         => :green,

  70. 					'ecdsa-sha2-nistp256'                      => nil,		# NIST

  71. 					'ecdsa-sha2-nistp384'                      => nil,		# NIST

  72. 					'ecdsa-sha2-nistp521'                      => nil,		# NIST

  73. 					'ssh-rsa'                                  => :yellow,	# RSA

  74. 					'ssh-dss'                                  => :red,		# DSA

  75. 					'ecdsa-sha2-nistp256-cert-v01@openssh.com' => nil,		# NIST

  76. 					'ecdsa-sha2-nistp384-cert-v01@openssh.com' => nil,		# NIST

  77. 					'ecdsa-sha2-nistp521-cert-v01@openssh.com' => nil,		# NIST

  78. 					'ssh-rsa-cert-v01@openssh.com'             => :yellow,	# RSA

  79. 					'ssh-rsa-cert-v00@openssh.com'             => :yellow,	# RSA

  80. 					'ssh-dss-cert-v01@openssh.com'             => :red,		# DSA

  81. 					'ssh-dss-cert-v00@openssh.com'             => :red,		# DSA

  82. 			}

  83. 

  84. 			def initialize(ip, port=22, hostname:)

  85. 				@ip, @port, @hostname = ip, port, hostname

  86. 

  87. 				Logger.info { name.colorize :blue }

  88. 				kex = ::Socket.tcp ip, port, connect_timeout: TCP_TIMEOUT do |socket|

  89. 					socket.readline

  90. 					socket.write "SSH-2.0-CryptCheck\r\n"

  91. 					Packet.read_kex_init socket

  92. 				end

  93. 

  94. 				@kex, @encryption, @hmac, @compression, @key = kex[:kex], kex[:encryption], kex[:mac], kex[:compression], kex[:host_key]

  95. 

  96. 				Logger.info { '' }

  97. 				@kex.each { |k| Logger.info { "Key exchange : #{k.colorize KEX[k]}" } }

  98. 				Logger.info { '' }

  99. 				@encryption.each { |e| Logger.info { "Encryption : #{e.colorize ENCRYPTION[e]}" } }

  100. 				Logger.info { '' }

  101. 				@hmac.each { |h| Logger.info { "HMAC : #{h.colorize HMAC[h]}" } }

  102. 				Logger.info { '' }

  103. 				@compression.each { |c| Logger.info { "Compression : #{c}" } }

  104. 				Logger.info { '' }

  105. 				@key.each { |k| Logger.info { "Key type : #{k.colorize KEY[k]}" } }

  106. 			rescue => e

  107. 				Logger.debug { "SSH not supported : #{e}" }

  108. 				raise SshNotAvailableException, e

  109. 			end

  110. 

  111. 			private

  112. 			def name

  113. 				name = "#{@hostname || @ip}:#@port"

  114. 				name += " [#@ip]" if @hostname

  115. 				name

  116. 			end

  117. 		end

  118. 	end

  119. end