Results reported against wrong host when using --targets and --level parameters #309

Open
sscotter opened this issue Nov 28, 2024 · 2 comments


#  ssh-audit --help
ssh-audit v3.3.0, https://github.com/jtesta/ssh-audit
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

It should be noted that this is being run under WSL.

I'm currently trying to audit 105 hosts across ten internal network segments. I've created a txt file which contains all the IP addresses I wish to audit (hosts-with-port-22-open.txt) and I'm looking specifically for hosts which are offering weak algorithms.

I'm executing the following command

ssh-audit -b --timeout=10 --threads=1 --targets=hosts-with-port-22-open.txt --level=fail

I've specified the above parameters for the following reasons

  • -b - Without this, I get the fail results, but no mention of which host they relate to.
  • --timeout was out of desperation, didn't seem to make any difference either way
  • --threads was so that hosts were audited sequentially to make it easier for me to follow what's going on. I think the problem occurs regardless of setting this to 1 or leaving it as the default 32, as even when --threads wasn't specified I was seeing conflicting results which didn't match when checking a host individually.
  • --targets= points to a file with 105 IPs in
  • --level=fail so that I only see the hosts I need to go remediate.

Here's the truncated output of the first five hosts...

Running against: 10.0.100.100:22...

Running against: 10.0.125.25:22...


--------------------------------------------------------------------------------

Running against: 10.0.125.26:22...

(kex) diffie-hellman-group-exchange-sha1 (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
(kex) diffie-hellman-group1-sha1 -- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
(kex) diffie-hellman-group1-sha1 -- [fail] using broken SHA-1 hash algorithm
(key) ssh-rsa (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(key) ssh-dss -- [fail] using small 1024-bit modulus
(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
(enc) [email protected] -- [fail] using deprecated & non-standardized Rijndael cipher
(enc) arcfour -- [fail] using broken RC4 cipher
(enc) arcfour128 -- [fail] using broken RC4 cipher
(enc) arcfour256 -- [fail] using broken RC4 cipher
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
(rec) -3des-cbc-- enc algorithm to remove
(rec) -arcfour-- enc algorithm to remove
(rec) -arcfour128-- enc algorithm to remove
(rec) -arcfour256-- enc algorithm to remove
(rec) -blowfish-cbc-- enc algorithm to remove
(rec) -cast128-cbc-- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group1-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1-- kex algorithm to remove
(rec) -hmac-md5-- mac algorithm to remove
(rec) -hmac-md5-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-ripemd160-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-sha1-- mac algorithm to remove
(rec) -hmac-sha1-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] enc algorithm to remove
(rec) -ssh-dss-- key algorithm to remove
(rec) -ssh-rsa-- key algorithm to remove
--------------------------------------------------------------------------------

Running against: 10.0.125.43:22...
(kex) diffie-hellman-group-exchange-sha1 (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
(kex) diffie-hellman-group1-sha1 -- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
(kex) diffie-hellman-group1-sha1 -- [fail] using broken SHA-1 hash algorithm
(key) ssh-rsa (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(key) ssh-dss -- [fail] using small 1024-bit modulus
(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
(enc) [email protected] -- [fail] using deprecated & non-standardized Rijndael cipher
(enc) arcfour -- [fail] using broken RC4 cipher
(enc) arcfour128 -- [fail] using broken RC4 cipher
(enc) arcfour256 -- [fail] using broken RC4 cipher
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
(rec) -3des-cbc-- enc algorithm to remove
(rec) -arcfour-- enc algorithm to remove
(rec) -arcfour128-- enc algorithm to remove
(rec) -arcfour256-- enc algorithm to remove
(rec) -blowfish-cbc-- enc algorithm to remove
(rec) -cast128-cbc-- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group1-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1-- kex algorithm to remove
(rec) -hmac-md5-- mac algorithm to remove
(rec) -hmac-md5-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-ripemd160-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-sha1-- mac algorithm to remove
(rec) -hmac-sha1-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] enc algorithm to remove
(rec) -ssh-dss-- key algorithm to remove
(rec) -ssh-rsa-- key algorithm to remove
--------------------------------------------------------------------------------


Running against: 10.0.125.82:22...


--------------------------------------------------------------------------------
...

The above output indicates that 10.0.100.100, 10.0.125.25 and 10.0.125.82 have no fails, and 10.0.125.26 and 10.0.125.43 have fails.

I thought this was odd as 10.0.125.25 and 10.0.125.26 are identical devices with practically identical configuration.

So, I used ssh-audit again scanning the hosts individually and got the following output...

# ssh-audit -b --timeout=10 --threads=1 10.0.100.100 --level=fail

# ssh-audit -b --timeout=10 --threads=1 10.0.125.25 --level=fail

(kex) diffie-hellman-group-exchange-sha1 (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
(kex) diffie-hellman-group1-sha1 -- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
(kex) diffie-hellman-group1-sha1 -- [fail] using broken SHA-1 hash algorithm
(key) ssh-rsa (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(key) ssh-dss -- [fail] using small 1024-bit modulus
(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
(enc) [email protected] -- [fail] using deprecated & non-standardized Rijndael cipher
(enc) arcfour -- [fail] using broken RC4 cipher
(enc) arcfour128 -- [fail] using broken RC4 cipher
(enc) arcfour256 -- [fail] using broken RC4 cipher
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
(rec) -3des-cbc-- enc algorithm to remove
(rec) -arcfour-- enc algorithm to remove
(rec) -arcfour128-- enc algorithm to remove
(rec) -arcfour256-- enc algorithm to remove
(rec) -blowfish-cbc-- enc algorithm to remove
(rec) -cast128-cbc-- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group1-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1-- kex algorithm to remove
(rec) -hmac-md5-- mac algorithm to remove
(rec) -hmac-md5-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-ripemd160-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-sha1-- mac algorithm to remove
(rec) -hmac-sha1-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] enc algorithm to remove
(rec) -ssh-dss-- key algorithm to remove
(rec) -ssh-rsa-- key algorithm to remove
# ssh-audit -b --timeout=10 --threads=1 10.0.125.26 --level=fail

(kex) diffie-hellman-group-exchange-sha1 (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
(kex) diffie-hellman-group1-sha1 -- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
(kex) diffie-hellman-group1-sha1 -- [fail] using broken SHA-1 hash algorithm
(key) ssh-rsa (2048-bit) -- [fail] using broken SHA-1 hash algorithm
(key) ssh-dss -- [fail] using small 1024-bit modulus
(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
(enc) [email protected] -- [fail] using deprecated & non-standardized Rijndael cipher
(enc) arcfour -- [fail] using broken RC4 cipher
(enc) arcfour128 -- [fail] using broken RC4 cipher
(enc) arcfour256 -- [fail] using broken RC4 cipher
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using broken SHA-1 hash algorithm
(mac) [email protected] -- [fail] using broken MD5 hash algorithm
(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
(mac) [email protected] -- [fail] using deprecated RIPEMD hash algorithm
(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
(rec) -3des-cbc-- enc algorithm to remove
(rec) -arcfour-- enc algorithm to remove
(rec) -arcfour128-- enc algorithm to remove
(rec) -arcfour256-- enc algorithm to remove
(rec) -blowfish-cbc-- enc algorithm to remove
(rec) -cast128-cbc-- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group1-sha1-- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1-- kex algorithm to remove
(rec) -hmac-md5-- mac algorithm to remove
(rec) -hmac-md5-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-ripemd160-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) -hmac-sha1-- mac algorithm to remove
(rec) -hmac-sha1-96-- mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] mac algorithm to remove
(rec) [email protected] enc algorithm to remove
(rec) -ssh-dss-- key algorithm to remove
(rec) -ssh-rsa-- key algorithm to remove
# ssh-audit -b --timeout=10 --threads=1 10.0.125.43 --level=fail

# ssh-audit -b --timeout=10 --threads=1 10.0.125.82 --level=fail

(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
(rec) -diffie-hellman-group14-sha1-- kex algorithm to remove
(rec) -ecdh-sha2-nistp256-- kex algorithm to remove
(rec) -ecdh-sha2-nistp384-- kex algorithm to remove
(rec) -ecdh-sha2-nistp521-- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256-- key algorithm to remove
(rec) -hmac-sha1-- mac algorithm to remove
(rec) -ssh-rsa-- key algorithm to remove

The above output indicates that 10.0.100.100 and 10.0.125.43 have no fails, and 10.0.125.25, 10.0.125.26 and 10.0.125.82 have fails.

I believe output for the individual scans to be accurate.

It appears to me that the output when executed using --targets is incorrectly offset, and the output attributed to 10.0.125.26 should have been for 10.0.125.25, and the output attributed to 10.0.125.43 should have been for 10.0.125.26.


jtesta commented Nov 29, 2024

Thanks for reporting this. I can confirm that the tool isn't outputting the target host correctly when --targets and --level are used simultaneously (unless -b is used). This will require a patch to fix. While investigating this further, I'll see if there's anything that may also cause confusion of the scan results being mismatched with targets.

As for the discrepancies between 10.0.125.25 and 10.0.125.26, that could be caused by transient network issues, or simply the hosts being too slow to respond. If you re-run the scans with -d, you'll get lots of detailed data about the scan progress, which may tell us why we get no results when results are expected instead.

jtesta added a commit that referenced this issue Dec 5, 2024

jtesta commented Dec 5, 2024

@sscotter : I committed d9c703c, which will now always print the target host when multiple hosts are scanned regardless of the level setting. So now you're no longer required to use -b.

And more good news: I think I found the cause of the confusion in the output results not matching the hosts. It turns out the -b setting causes verbose mode to be automatically enabled (not sure what the original goal of this was...); this causes the "Running against: X" message to be printed. This message is printed asynchronously by the thread workers when they begin a scan, but the results are printed synchronously by the master thread after the worker thread finishes. Hence, we were getting "Running against: X" messages followed by results for host Y (!). If you rely on the new "(gen) target: X" line included in the results, the output should all make sense now.

After committing e318787, enabling batch mode no longer automatically enables verbose mode, so you won't see those asynchronous "Running against: X" messages anymore unless you explicitly run with -v.

I think all of your reported issues are now fixed. If you have time, please test the master branch and see if you get more sensible results. Thanks again for reporting this!
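The race described in the comment above, as an added illustration that is not ssh-audit's own code: one worker thread announces each target as it starts, while the master thread prints a result block only when the worker hands it back, so the banner printed just before a block can belong to the next host; tagging the block itself with its target removes the ambiguity. Hosts, findings, timings and the `attribute()` helper are all constructed for this example.

```python
import queue
import threading
import time
from typing import Dict, List, Tuple

# Constructed inventory (made-up hosts): host -> (scan duration, [fail] lines).
HOSTS: Dict[str, Tuple[float, List[str]]] = {
    "10.0.100.100": (0.02, []),
    "10.0.125.25": (0.02, ["(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus"]),
    "10.0.125.26": (0.02, ["(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm"]),
}
SEP = "-" * 80

def worker(targets: List[str], results: queue.Queue, log: List[str], verbose: bool) -> None:
    """Scanner thread: in verbose mode it announces a target the moment it starts,
    then hands (target, findings) to the master only when that scan completes."""
    for host in targets:
        if verbose:
            log.append(f"Running against: {host}:22...")  # written asynchronously
        duration, findings = HOSTS[host]
        time.sleep(duration)                               # the scan itself
        results.put((host, findings))

def run_scan(targets: List[str], tag_results: bool, verbose: bool) -> List[str]:
    """Master thread: prints each result block as it arrives from the worker.
    (tag_results=False, verbose=True) mimics the pre-fix batch mode;
    (tag_results=True, verbose=False) mimics the fixed output."""
    log: List[str] = []
    results: queue.Queue = queue.Queue()
    t = threading.Thread(target=worker, args=(targets, results, log, verbose))
    t.start()
    for _ in targets:
        host, findings = results.get()
        time.sleep(0.005)  # formatting delay: the worker has already moved on
        if tag_results:
            log.append(f"(gen) target: {host}:22")
        log.extend(findings)
        log.append(SEP)
    t.join()
    return log

def attribute(log: List[str], prefix: str) -> Dict[str, List[str]]:
    """Pair each block (terminated by SEP) with the most recent line starting with
    prefix: "Running against: " is how a reader interprets the old output,
    "(gen) target: " is the line the fix puts inside the block itself."""
    out: Dict[str, List[str]] = {}
    host, cur = "", []
    for line in log:
        if line.startswith(prefix):
            host = line[len(prefix):].rsplit(":", 1)[0]
        elif line == SEP:
            out[host], cur = cur, []
        else:
            cur.append(line)
    return out
```

With the old-style log the first host's block is preceded by the second host's banner, so the reader's pairing shifts by one, exactly the offset reported in the issue; with the tagged log the pairing is exact regardless of thread timing.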
