From f0f453c916e279980df981c1e1dee0d167dc124e Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 19:07:52 +0200 Subject: Adding upstream version 3.1.0. Signed-off-by: Daniel Baumann --- .../expected_results/dropbear_2019.78_test1.json | 371 ++++++++++++++ .../expected_results/dropbear_2019.78_test1.txt | 87 ++++ .../expected_results/openssh_4.0p1_test1.json | 525 +++++++++++++++++++ .../expected_results/openssh_4.0p1_test1.txt | 130 +++++ .../openssh_5.6p1_custom_policy_test1.json | 6 + .../openssh_5.6p1_custom_policy_test1.txt | 3 + .../openssh_5.6p1_custom_policy_test10.json | 31 ++ .../openssh_5.6p1_custom_policy_test10.txt | 28 ++ .../openssh_5.6p1_custom_policy_test2.json | 23 + .../openssh_5.6p1_custom_policy_test2.txt | 9 + .../openssh_5.6p1_custom_policy_test3.json | 22 + .../openssh_5.6p1_custom_policy_test3.txt | 9 + .../openssh_5.6p1_custom_policy_test4.json | 32 ++ .../openssh_5.6p1_custom_policy_test4.txt | 9 + .../openssh_5.6p1_custom_policy_test5.json | 31 ++ .../openssh_5.6p1_custom_policy_test5.txt | 9 + .../openssh_5.6p1_custom_policy_test7.json | 6 + .../openssh_5.6p1_custom_policy_test7.txt | 18 + .../openssh_5.6p1_custom_policy_test8.json | 19 + .../openssh_5.6p1_custom_policy_test8.txt | 24 + .../openssh_5.6p1_custom_policy_test9.json | 19 + .../openssh_5.6p1_custom_policy_test9.txt | 24 + .../expected_results/openssh_5.6p1_test1.json | 558 ++++++++++++++++++++ .../expected_results/openssh_5.6p1_test1.txt | 134 +++++ .../expected_results/openssh_5.6p1_test2.json | 560 +++++++++++++++++++++ .../expected_results/openssh_5.6p1_test2.txt | 135 +++++ .../expected_results/openssh_5.6p1_test3.json | 559 ++++++++++++++++++++ .../expected_results/openssh_5.6p1_test3.txt | 134 +++++ .../expected_results/openssh_5.6p1_test4.json | 558 ++++++++++++++++++++ .../expected_results/openssh_5.6p1_test4.txt | 133 +++++ .../expected_results/openssh_5.6p1_test5.json | 557 ++++++++++++++++++++ .../expected_results/openssh_5.6p1_test5.txt | 132 +++++ .../openssh_8.0p1_builtin_policy_test1.json | 43 ++ .../openssh_8.0p1_builtin_policy_test1.txt | 17 + .../openssh_8.0p1_builtin_policy_test2.json | 66 +++ .../openssh_8.0p1_builtin_policy_test2.txt | 21 + .../openssh_8.0p1_custom_policy_test11.json | 6 + .../openssh_8.0p1_custom_policy_test11.txt | 12 + .../openssh_8.0p1_custom_policy_test12.json | 43 ++ .../openssh_8.0p1_custom_policy_test12.txt | 26 + .../openssh_8.0p1_custom_policy_test13.json | 6 + .../openssh_8.0p1_custom_policy_test13.txt | 15 + .../openssh_8.0p1_custom_policy_test14.json | 19 + .../openssh_8.0p1_custom_policy_test14.txt | 21 + .../openssh_8.0p1_custom_policy_test6.json | 6 + .../openssh_8.0p1_custom_policy_test6.txt | 3 + .../expected_results/openssh_8.0p1_test1.json | 462 +++++++++++++++++ .../expected_results/openssh_8.0p1_test1.txt | 99 ++++ .../expected_results/openssh_8.0p1_test2.json | 421 ++++++++++++++++ .../expected_results/openssh_8.0p1_test2.txt | 91 ++++ .../expected_results/openssh_8.0p1_test3.json | 206 ++++++++ .../expected_results/openssh_8.0p1_test3.txt | 51 ++ .../expected_results/tinyssh_20190101_test1.json | 98 ++++ .../expected_results/tinyssh_20190101_test1.txt | 29 ++ 54 files changed, 6656 insertions(+) create mode 100644 test/docker/expected_results/dropbear_2019.78_test1.json create mode 100644 test/docker/expected_results/dropbear_2019.78_test1.txt create mode 100644 test/docker/expected_results/openssh_4.0p1_test1.json create mode 100644 test/docker/expected_results/openssh_4.0p1_test1.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json create mode 100644 test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_test1.json create mode 100644 test/docker/expected_results/openssh_5.6p1_test1.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_test2.json create mode 100644 test/docker/expected_results/openssh_5.6p1_test2.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_test3.json create mode 100644 test/docker/expected_results/openssh_5.6p1_test3.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_test4.json create mode 100644 test/docker/expected_results/openssh_5.6p1_test4.txt create mode 100644 test/docker/expected_results/openssh_5.6p1_test5.json create mode 100644 test/docker/expected_results/openssh_5.6p1_test5.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json create mode 100644 test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json create mode 100644 test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json create mode 100644 test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_test1.json create mode 100644 test/docker/expected_results/openssh_8.0p1_test1.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_test2.json create mode 100644 test/docker/expected_results/openssh_8.0p1_test2.txt create mode 100644 test/docker/expected_results/openssh_8.0p1_test3.json create mode 100644 test/docker/expected_results/openssh_8.0p1_test3.txt create mode 100644 test/docker/expected_results/tinyssh_20190101_test1.json create mode 100644 test/docker/expected_results/tinyssh_20190101_test1.txt (limited to 'test/docker/expected_results') diff --git a/test/docker/expected_results/dropbear_2019.78_test1.json b/test/docker/expected_results/dropbear_2019.78_test1.json new file mode 100644 index 0000000..55dd8b6 --- /dev/null +++ b/test/docker/expected_results/dropbear_2019.78_test1.json @@ -0,0 +1,371 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-dropbear_2019.78", + "software": "dropbear_2019.78" + }, + "compression": [ + "zlib@openssh.com", + "none" + ], + "cves": [], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-ctr", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + } + ], + "fingerprints": [ + { + "hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp521", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp384", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha256", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "kexguess2@matt.ucc.asn.au", + "notes": { + "info": [ + "available since Dropbear SSH 2013.57" + ] + } + } + ], + "key": [ + { + "algorithm": "ecdsa-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + }, + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-dss", + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "3des-ctr", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "key": [ + { + "name": "ecdsa-sha2-nistp256", + "notes": "" + }, + { + "name": "ssh-dss", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "informational": { + "add": { + "enc": [ + { + "name": "twofish128-ctr", + "notes": "" + }, + { + "name": "twofish256-ctr", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt new file mode 100644 index 0000000..c0d5dfc --- /dev/null +++ b/test/docker/expected_results/dropbear_2019.78_test1.txt @@ -0,0 +1,87 @@ +# general +(gen) banner: SSH-2.0-dropbear_2019.78 +(gen) software: Dropbear SSH 2019.78 +(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+ +(gen) compression: enabled (zlib@openssh.com) + +# key exchange algorithms +(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange since OpenSSH 6.4 +(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange since OpenSSH 6.4 +(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57 + +# host-key algorithms +(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ssh-dss -- [fail] using small 1024-bit modulus + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# encryption algorithms (ciphers) +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes128-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) aes256-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) 3des-ctr -- [fail] using broken & deprecated 3DES cipher + `- [info] available since Dropbear SSH 0.52 +(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 + +# message authentication code algorithms +(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 + +# fingerprints +(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM + +# algorithm recommendations (for Dropbear SSH 2019.78) +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -3des-ctr -- enc algorithm to remove  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove  +(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -ssh-dss -- key algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append  +(rec) +twofish128-ctr -- enc algorithm to append  +(rec) +twofish256-ctr -- enc algorithm to append  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  +(rec) -hmac-sha2-256 -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json new file mode 100644 index 0000000..f5735a9 --- /dev/null +++ b/test/docker/expected_results/openssh_4.0p1_test1.json @@ -0,0 +1,525 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "1.99", + "raw": "SSH-1.99-OpenSSH_4.0", + "software": "OpenSSH_4.0" + }, + "compression": [ + "none", + "zlib" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + }, + { + "cvssv2": 2.6, + "description": "recover plaintext data from ciphertext", + "name": "CVE-2008-5161" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via multiple login attempts (slot exhaustion)", + "name": "CVE-2008-4109" + }, + { + "cvssv2": 6.5, + "description": "bypass command restrictions via modifying session file", + "name": "CVE-2008-1657" + }, + { + "cvssv2": 6.9, + "description": "hijack forwarded X11 connections", + "name": "CVE-2008-1483" + }, + { + "cvssv2": 7.5, + "description": "privilege escalation via causing an X client to be trusted", + "name": "CVE-2007-4752" + }, + { + "cvssv2": 5.0, + "description": "discover valid usernames through different responses", + "name": "CVE-2007-2243" + }, + { + "cvssv2": 5.0, + "description": "discover valid usernames through different responses", + "name": "CVE-2006-5052" + }, + { + "cvssv2": 9.3, + "description": "cause DoS or execute arbitrary code (double free)", + "name": "CVE-2006-5051" + }, + { + "cvssv2": 7.8, + "description": "cause DoS via crafted packet (CPU consumption)", + "name": "CVE-2006-4924" + }, + { + "cvssv2": 4.6, + "description": "execute arbitrary code", + "name": "CVE-2006-0225" + }, + { + "cvssv2": 5.0, + "description": "leak data about authentication credentials", + "name": "CVE-2005-2798" + } + ], + "enc": [ + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-dss", + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-dss", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt new file mode 100644 index 0000000..4810a47 --- /dev/null +++ b/test/docker/expected_results/openssh_4.0p1_test1.txt @@ -0,0 +1,130 @@ +# general +(gen) banner: SSH-1.99-OpenSSH_4.0 +(gen) protocol SSH1 enabled +(gen) software: OpenSSH 4.0 +(gen) compatibility: OpenSSH 3.9-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) +(gen) compression: enabled (zlib) + +# security +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies +(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response +(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data +(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) +(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages +(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) +(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) +(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) +(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values +(cve) CVE-2008-5161 -- (CVSSv2: 2.6) recover plaintext data from ciphertext +(cve) CVE-2008-4109 -- (CVSSv2: 5.0) cause DoS via multiple login attempts (slot exhaustion) +(cve) CVE-2008-1657 -- (CVSSv2: 6.5) bypass command restrictions via modifying session file +(cve) CVE-2008-1483 -- (CVSSv2: 6.9) hijack forwarded X11 connections +(cve) CVE-2007-4752 -- (CVSSv2: 7.5) privilege escalation via causing an X client to be trusted +(cve) CVE-2007-2243 -- (CVSSv2: 5.0) discover valid usernames through different responses +(cve) CVE-2006-5052 -- (CVSSv2: 5.0) discover valid usernames through different responses +(cve) CVE-2006-5051 -- (CVSSv2: 9.3) cause DoS or execute arbitrary code (double free) +(cve) CVE-2006-4924 -- (CVSSv2: 7.8) cause DoS via crafted packet (CPU consumption) +(cve) CVE-2006-0225 -- (CVSSv2: 4.6) execute arbitrary code +(cve) CVE-2005-2798 -- (CVSSv2: 5.0) leak data about authentication credentials +(sec) SSH v1 enabled -- SSH v1 can be exploited to recover plaintext passwords + +# key exchange algorithms +(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.3.0 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus + `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security) + `- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +# host-key algorithms +(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ssh-dss -- [fail] using small 1024-bit modulus + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# encryption algorithms (ciphers) +(enc) aes128-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 2.1.0 +(enc) arcfour -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 2.1.0 +(enc) aes192-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes256-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 + +# message authentication code algorithms +(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 +(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0 +(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 + +# fingerprints +(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 + +# algorithm recommendations (for OpenSSH 4.0) +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -arcfour -- enc algorithm to remove  +(rec) -blowfish-cbc -- enc algorithm to remove  +(rec) -cast128-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -hmac-md5 -- mac algorithm to remove  +(rec) -hmac-md5-96 -- mac algorithm to remove  +(rec) -hmac-ripemd160 -- mac algorithm to remove  +(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove  +(rec) -ssh-dss -- key algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes192-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json new file mode 100644 index 0000000..6480bca --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test1 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt new file mode 100644 index 0000000..01146f8 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt @@ -0,0 +1,3 @@ +Host: localhost:2222 +Policy: Docker policy: test1 (version 1) +Result: ✔ Passed diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json new file mode 100644 index 0000000..0a1e148 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json @@ -0,0 +1,31 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes" + }, + { + "actual": [ + "1024" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "CA signature size (ssh-rsa)" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test10 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt new file mode 100644 index 0000000..425d463 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt @@ -0,0 +1,28 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test10 (version 1) +Result: ❌ Failed! + +Errors: + * CA signature size (ssh-rsa) did not match. + - Expected: 4096 + - Actual: 1024 + + * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 4096 + - Actual: 3072 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json new file mode 100644 index 0000000..edf4254 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json @@ -0,0 +1,23 @@ +{ + "errors": [ + { + "actual": [ + "diffie-hellman-group-exchange-sha256", + "diffie-hellman-group-exchange-sha1", + "diffie-hellman-group14-sha1", + "diffie-hellman-group1-sha1" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "kex_alg1", + "kex_alg2" + ], + "mismatched_field": "Key exchanges" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test2 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt new file mode 100644 index 0000000..e88e44b --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test2 (version 1) +Result: ❌ Failed! + +Errors: + * Key exchanges did not match. + - Expected: kex_alg1, kex_alg2 + - Actual: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json new file mode 100644 index 0000000..a98fa8d --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json @@ -0,0 +1,22 @@ +{ + "errors": [ + { + "actual": [ + "ssh-rsa", + "ssh-dss" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "ssh-rsa", + "ssh-dss", + "key_alg1" + ], + "mismatched_field": "Host keys" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test3 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt new file mode 100644 index 0000000..cf7eefc --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test3 (version 1) +Result: ❌ Failed! + +Errors: + * Host keys did not match. + - Expected: ssh-rsa, ssh-dss, key_alg1 + - Actual: ssh-rsa, ssh-dss + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json new file mode 100644 index 0000000..317f7e2 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json @@ -0,0 +1,32 @@ +{ + "errors": [ + { + "actual": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "cipher_alg1", + "cipher_alg2" + ], + "mismatched_field": "Ciphers" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test4 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt new file mode 100644 index 0000000..514b715 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test4 (version 1) +Result: ❌ Failed! + +Errors: + * Ciphers did not match. + - Expected: cipher_alg1, cipher_alg2 + - Actual: aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json new file mode 100644 index 0000000..50c0b86 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json @@ -0,0 +1,31 @@ +{ + "errors": [ + { + "actual": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac_alg1", + "hmac-md5-96" + ], + "mismatched_field": "MACs" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test5 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt new file mode 100644 index 0000000..746ca8c --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test5 (version 1) +Result: ❌ Failed! + +Errors: + * MACs did not match. + - Expected: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96 + - Actual: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json new file mode 100644 index 0000000..dcc1d6c --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker poliicy: test7 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt new file mode 100644 index 0000000..1d3af14 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt @@ -0,0 +1,18 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test7 (version 1) +Result: ✔ Passed diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json new file mode 100644 index 0000000..e7f06a6 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json @@ -0,0 +1,19 @@ +{ + "errors": [ + { + "actual": [ + "1024" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "2048" + ], + "mismatched_field": "CA signature size (ssh-rsa)" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test8 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt new file mode 100644 index 0000000..05ab91d --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt @@ -0,0 +1,24 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test8 (version 1) +Result: ❌ Failed! + +Errors: + * CA signature size (ssh-rsa) did not match. + - Expected: 2048 + - Actual: 1024 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json new file mode 100644 index 0000000..51d1067 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json @@ -0,0 +1,19 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test9 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt new file mode 100644 index 0000000..94060ab --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt @@ -0,0 +1,24 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test9 (version 1) +Result: ❌ Failed! + +Errors: + * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 4096 + - Actual: 3072 + diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json new file mode 100644 index 0000000..53216e5 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test1.json @@ -0,0 +1,558 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-dss", + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-dss", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt new file mode 100644 index 0000000..601dc39 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test1.txt @@ -0,0 +1,134 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_5.6 +(gen) software: OpenSSH 5.6 +(gen) compatibility: OpenSSH 4.7-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies +(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response +(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data +(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) +(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid +(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack +(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard +(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) +(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages +(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) +(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) +(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) +(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values + +# key exchange algorithms +(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 4.4 +(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.3.0 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus + `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security) + `- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +# host-key algorithms +(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ssh-dss -- [fail] using small 1024-bit modulus + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# encryption algorithms (ciphers) +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) arcfour256 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) arcfour128 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) aes128-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 2.1.0 +(enc) aes192-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes256-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) arcfour -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 2.1.0 +(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# message authentication code algorithms +(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode + `- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 4.7 +(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 +(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0 +(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 + +# fingerprints +(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 + +# algorithm recommendations (for OpenSSH 5.6) +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -arcfour -- enc algorithm to remove  +(rec) -arcfour128 -- enc algorithm to remove  +(rec) -arcfour256 -- enc algorithm to remove  +(rec) -blowfish-cbc -- enc algorithm to remove  +(rec) -cast128-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -hmac-md5 -- mac algorithm to remove  +(rec) -hmac-md5-96 -- mac algorithm to remove  +(rec) -hmac-ripemd160 -- mac algorithm to remove  +(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove  +(rec) -ssh-dss -- key algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes192-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -umac-64@openssh.com -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json new file mode 100644 index 0000000..a1dd987 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test2.json @@ -0,0 +1,560 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 1024, + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit hostkey modulus", + "using small 1024-bit CA key modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt new file mode 100644 index 0000000..6b3b975 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test2.txt @@ -0,0 +1,135 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_5.6 +(gen) software: OpenSSH 5.6 +(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies +(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response +(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data +(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) +(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid +(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack +(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard +(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) +(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages +(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) +(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) +(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) +(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values + +# key exchange algorithms +(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 4.4 +(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.3.0 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus + `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security) + `- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +# host-key algorithms +(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit hostkey modulus + `- [fail] using small 1024-bit CA key modulus + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +# encryption algorithms (ciphers) +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) arcfour256 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) arcfour128 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) aes128-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 2.1.0 +(enc) aes192-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes256-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) arcfour -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 2.1.0 +(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# message authentication code algorithms +(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode + `- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 4.7 +(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 +(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0 +(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 + +# fingerprints +(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 + +# algorithm recommendations (for OpenSSH 5.6) +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -arcfour -- enc algorithm to remove  +(rec) -arcfour128 -- enc algorithm to remove  +(rec) -arcfour256 -- enc algorithm to remove  +(rec) -blowfish-cbc -- enc algorithm to remove  +(rec) -cast128-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -hmac-md5 -- mac algorithm to remove  +(rec) -hmac-md5-96 -- mac algorithm to remove  +(rec) -hmac-ripemd160 -- mac algorithm to remove  +(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes192-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -umac-64@openssh.com -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json new file mode 100644 index 0000000..2cbd316 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test3.json @@ -0,0 +1,559 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 3072, + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit hostkey modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt new file mode 100644 index 0000000..991c502 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test3.txt @@ -0,0 +1,134 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_5.6 +(gen) software: OpenSSH 5.6 +(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies +(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response +(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data +(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) +(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid +(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack +(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard +(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) +(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages +(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) +(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) +(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) +(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values + +# key exchange algorithms +(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 4.4 +(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.3.0 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus + `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security) + `- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +# host-key algorithms +(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit hostkey modulus + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +# encryption algorithms (ciphers) +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) arcfour256 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) arcfour128 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) aes128-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 2.1.0 +(enc) aes192-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes256-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) arcfour -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 2.1.0 +(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# message authentication code algorithms +(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode + `- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 4.7 +(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 +(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0 +(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 + +# fingerprints +(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 + +# algorithm recommendations (for OpenSSH 5.6) +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -arcfour -- enc algorithm to remove  +(rec) -arcfour128 -- enc algorithm to remove  +(rec) -arcfour256 -- enc algorithm to remove  +(rec) -blowfish-cbc -- enc algorithm to remove  +(rec) -cast128-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -hmac-md5 -- mac algorithm to remove  +(rec) -hmac-md5-96 -- mac algorithm to remove  +(rec) -hmac-ripemd160 -- mac algorithm to remove  +(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes192-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -umac-64@openssh.com -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json new file mode 100644 index 0000000..90f5fc6 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test4.json @@ -0,0 +1,558 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 1024, + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit CA key modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt new file mode 100644 index 0000000..2fb3e19 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test4.txt @@ -0,0 +1,133 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_5.6 +(gen) software: OpenSSH 5.6 +(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies +(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response +(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data +(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) +(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid +(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack +(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard +(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) +(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages +(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) +(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) +(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) +(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values + +# key exchange algorithms +(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 4.4 +(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.3.0 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus + `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security) + `- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +# host-key algorithms +(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm + `- [fail] using small 1024-bit CA key modulus + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +# encryption algorithms (ciphers) +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) arcfour256 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) arcfour128 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) aes128-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 2.1.0 +(enc) aes192-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes256-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) arcfour -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 2.1.0 +(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# message authentication code algorithms +(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode + `- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 4.7 +(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 +(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0 +(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 + +# fingerprints +(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244 + +# algorithm recommendations (for OpenSSH 5.6) +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -arcfour -- enc algorithm to remove  +(rec) -arcfour128 -- enc algorithm to remove  +(rec) -arcfour256 -- enc algorithm to remove  +(rec) -blowfish-cbc -- enc algorithm to remove  +(rec) -cast128-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -hmac-md5 -- mac algorithm to remove  +(rec) -hmac-md5-96 -- mac algorithm to remove  +(rec) -hmac-ripemd160 -- mac algorithm to remove  +(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes192-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -umac-64@openssh.com -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json new file mode 100644 index 0000000..0749cd1 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test5.json @@ -0,0 +1,557 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 3072, + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt new file mode 100644 index 0000000..b9e7cd7 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test5.txt @@ -0,0 +1,132 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_5.6 +(gen) software: OpenSSH 5.6 +(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies +(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response +(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data +(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) +(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid +(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack +(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard +(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) +(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages +(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) +(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) +(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) +(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values + +# key exchange algorithms +(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 4.4 +(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.3.0 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus + `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security) + `- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +# host-key algorithms +(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +# encryption algorithms (ciphers) +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) arcfour256 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) arcfour128 -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 4.2 +(enc) aes128-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 2.1.0 +(enc) aes192-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes256-cbc -- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) arcfour -- [fail] using broken RC4 cipher + `- [info] available since OpenSSH 2.1.0 +(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +# message authentication code algorithms +(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode + `- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 4.7 +(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 +(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0 +(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 + +# fingerprints +(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244 + +# algorithm recommendations (for OpenSSH 5.6) +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -arcfour -- enc algorithm to remove  +(rec) -arcfour128 -- enc algorithm to remove  +(rec) -arcfour256 -- enc algorithm to remove  +(rec) -blowfish-cbc -- enc algorithm to remove  +(rec) -cast128-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -hmac-md5 -- mac algorithm to remove  +(rec) -hmac-md5-96 -- mac algorithm to remove  +(rec) -hmac-ripemd160 -- mac algorithm to remove  +(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes192-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -umac-64@openssh.com -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json new file mode 100644 index 0000000..3dfe59c --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json @@ -0,0 +1,43 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-256) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-512) sizes" + }, + { + "actual": [ + "4096" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "3072" + ], + "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Hardened OpenSSH Server v8.0 (version 4)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt new file mode 100644 index 0000000..f1f617e --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt @@ -0,0 +1,17 @@ +Host: localhost:2222 +Policy: Hardened OpenSSH Server v8.0 (version 4) +Result: ❌ Failed! + +Errors: + * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. + - Expected: 3072 + - Actual: 4096 + + * Host key (rsa-sha2-256) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (rsa-sha2-512) sizes did not match. + - Expected: 4096 + - Actual: 3072 + diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json new file mode 100644 index 0000000..0c54345 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json @@ -0,0 +1,66 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-256) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-512) sizes" + }, + { + "actual": [ + "umac-64-etm@openssh.com", + "umac-128-etm@openssh.com", + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "hmac-sha1-etm@openssh.com", + "umac-64@openssh.com", + "umac-128@openssh.com", + "hmac-sha2-256", + "hmac-sha2-512", + "hmac-sha1" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "umac-128-etm@openssh.com" + ], + "mismatched_field": "MACs" + }, + { + "actual": [ + "4096" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "3072" + ], + "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Hardened OpenSSH Server v8.0 (version 4)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt new file mode 100644 index 0000000..8f1d9dc --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt @@ -0,0 +1,21 @@ +Host: localhost:2222 +Policy: Hardened OpenSSH Server v8.0 (version 4) +Result: ❌ Failed! + +Errors: + * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. + - Expected: 3072 + - Actual: 4096 + + * Host key (rsa-sha2-256) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (rsa-sha2-512) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * MACs did not match. + - Expected: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com + - Actual: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 + diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json new file mode 100644 index 0000000..b6a8308 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test11 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt new file mode 100644 index 0000000..0ac0671 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt @@ -0,0 +1,12 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test11 (version 1) +Result: ✔ Passed diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json new file mode 100644 index 0000000..8ddcf39 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json @@ -0,0 +1,43 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-256) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-512) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (ssh-rsa) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test12 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt new file mode 100644 index 0000000..de615e0 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt @@ -0,0 +1,26 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test12 (version 1) +Result: ❌ Failed! + +Errors: + * Host key (rsa-sha2-256) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (rsa-sha2-512) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (ssh-rsa) sizes did not match. + - Expected: 4096 + - Actual: 3072 + diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json new file mode 100644 index 0000000..4f942bd --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test13 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt new file mode 100644 index 0000000..7734d88 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt @@ -0,0 +1,15 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test13 (version 1) +Result: ✔ Passed diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json new file mode 100644 index 0000000..fc8eb61 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json @@ -0,0 +1,19 @@ +{ + "errors": [ + { + "actual": [ + "4096" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "8192" + ], + "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test14 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt new file mode 100644 index 0000000..17987a5 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt @@ -0,0 +1,21 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test14 (version 1) +Result: ❌ Failed! + +Errors: + * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. + - Expected: 8192 + - Actual: 4096 + diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json new file mode 100644 index 0000000..8804aae --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test6 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt new file mode 100644 index 0000000..b0e9441 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt @@ -0,0 +1,3 @@ +Host: localhost:2222 +Policy: Docker policy: test6 (version 1) +Result: ✔ Passed diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json new file mode 100644 index 0000000..350af5e --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test1.json @@ -0,0 +1,462 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes128-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes256-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + } + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + }, + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp384", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp521", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 4096, + "notes": { + "info": [ + "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group16-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ] + } + }, + { + "algorithm": "diffie-hellman-group18-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha256", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + } + ], + "key": [ + { + "algorithm": "rsa-sha2-512", + "keysize": 3072, + "notes": { + "info": [ + "available since OpenSSH 7.2" + ] + } + }, + { + "algorithm": "rsa-sha2-256", + "keysize": 3072, + "notes": { + "info": [ + "available since OpenSSH 7.2" + ] + } + }, + { + "algorithm": "ssh-rsa", + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ecdsa-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + }, + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "umac-64-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-256-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-512-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha1-etm@openssh.com", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-512", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "key": [ + { + "name": "ecdsa-sha2-nistp256", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-etm@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "chacha20-poly1305@openssh.com", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + }, + { + "name": "hmac-sha2-512", + "notes": "" + }, + { + "name": "umac-128@openssh.com", + "notes": "" + }, + { + "name": "umac-64-etm@openssh.com", + "notes": "" + }, + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt new file mode 100644 index 0000000..cde69a5 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test1.txt @@ -0,0 +1,99 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_8.0 +(gen) software: OpenSSH 8.0 +(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+ +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response + +# key exchange algorithms +(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange since OpenSSH 6.4 +(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange since OpenSSH 6.4 +(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 + `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). +(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 +(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 + +# host-key algorithms +(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2 +(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2 +(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(key) ssh-ed25519 -- [info] available since OpenSSH 6.5 + +# encryption algorithms (ciphers) +(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2 +(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2 + +# message authentication code algorithms +(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 6.2 +(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 6.2 +(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode + `- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 4.7 +(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 6.2 +(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + +# fingerprints +(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU +(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244 + +# algorithm recommendations (for OpenSSH 8.0) +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove  +(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove  +(rec) -ssh-rsa -- key algorithm to remove  +(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove  +(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  +(rec) -hmac-sha2-256 -- mac algorithm to remove  +(rec) -hmac-sha2-512 -- mac algorithm to remove  +(rec) -umac-128@openssh.com -- mac algorithm to remove  +(rec) -umac-64-etm@openssh.com -- mac algorithm to remove  +(rec) -umac-64@openssh.com -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json new file mode 100644 index 0000000..a05ae96 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test2.json @@ -0,0 +1,421 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes128-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes256-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + } + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp384", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp521", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 4096, + "notes": { + "info": [ + "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group16-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ] + } + }, + { + "algorithm": "diffie-hellman-group18-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha256", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + }, + { + "algorithm": "ssh-ed25519-cert-v01@openssh.com", + "ca_algorithm": "ssh-ed25519", + "casize": 256, + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "umac-64-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-256-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-512-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha1-etm@openssh.com", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-512", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-etm@openssh.com", + "notes": "" + } + ] + } + }, + "informational": { + "add": { + "key": [ + { + "name": "rsa-sha2-256", + "notes": "" + }, + { + "name": "rsa-sha2-512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "chacha20-poly1305@openssh.com", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + }, + { + "name": "hmac-sha2-512", + "notes": "" + }, + { + "name": "umac-128@openssh.com", + "notes": "" + }, + { + "name": "umac-64-etm@openssh.com", + "notes": "" + }, + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt new file mode 100644 index 0000000..8cbb69a --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test2.txt @@ -0,0 +1,91 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_8.0 +(gen) software: OpenSSH 8.0 +(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+ +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response + +# key exchange algorithms +(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange since OpenSSH 6.4 +(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange since OpenSSH 6.4 +(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 + `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). +(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 +(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 + +# host-key algorithms +(key) ssh-ed25519 -- [info] available since OpenSSH 6.5 +(key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5 + +# encryption algorithms (ciphers) +(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2 +(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2 + +# message authentication code algorithms +(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 6.2 +(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm + `- [info] available since OpenSSH 6.2 +(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode + `- [warn] using small 64-bit tag size + `- [info] available since OpenSSH 4.7 +(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 6.2 +(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + +# fingerprints +(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU + +# algorithm recommendations (for OpenSSH 8.0) +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove  +(rec) +rsa-sha2-256 -- key algorithm to append  +(rec) +rsa-sha2-512 -- key algorithm to append  +(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove  +(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  +(rec) -hmac-sha2-256 -- mac algorithm to remove  +(rec) -hmac-sha2-512 -- mac algorithm to remove  +(rec) -umac-128@openssh.com -- mac algorithm to remove  +(rec) -umac-64-etm@openssh.com -- mac algorithm to remove  +(rec) -umac-64@openssh.com -- mac algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json new file mode 100644 index 0000000..13a8130 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test3.json @@ -0,0 +1,206 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + }, + { + "algorithm": "aes256-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes128-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + } + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 4096, + "notes": { + "info": [ + "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", + "available since OpenSSH 4.4" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-sha2-256-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-512-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "umac-128-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + } + ], + "recommendations": { + "informational": { + "add": { + "kex": [ + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + }, + { + "name": "diffie-hellman-group18-sha512", + "notes": "" + } + ], + "key": [ + { + "name": "rsa-sha2-256", + "notes": "" + }, + { + "name": "rsa-sha2-512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "chacha20-poly1305@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt new file mode 100644 index 0000000..27154b8 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test3.txt @@ -0,0 +1,51 @@ +# general +(gen) banner: SSH-2.0-OpenSSH_8.0 +(gen) software: OpenSSH 8.0 +(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+ +(gen) compression: enabled (zlib@openssh.com) + +# security +(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups +(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers +(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow +(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response + +# key exchange algorithms +(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange since OpenSSH 6.4 +(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange since OpenSSH 6.4 +(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 + `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). + +# host-key algorithms +(key) ssh-ed25519 -- [info] available since OpenSSH 6.5 + +# encryption algorithms (ciphers) +(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 +(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2 +(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 + +# message authentication code algorithms +(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2 +(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2 + +# fingerprints +(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU + +# algorithm recommendations (for OpenSSH 8.0) +(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append  +(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append  +(rec) +rsa-sha2-256 -- key algorithm to append  +(rec) +rsa-sha2-512 -- key algorithm to append  +(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove  + +# additional info +(nfo) For hardening guides on common OSes, please see:  + diff --git a/test/docker/expected_results/tinyssh_20190101_test1.json b/test/docker/expected_results/tinyssh_20190101_test1.json new file mode 100644 index 0000000..7cc7629 --- /dev/null +++ b/test/docker/expected_results/tinyssh_20190101_test1.json @@ -0,0 +1,98 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": "", + "protocol": "2.0", + "raw": "", + "software": "tinyssh_noversion" + }, + "compression": [ + "none" + ], + "cves": [], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + } + ], + "fingerprints": [ + { + "hash": "89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "dd:9c:6d:f9:b0:8c:af:fa:c2:65:81:5d:5d:56:f8:21", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "sntrup4591761x25519-sha512@tinyssh.org", + "notes": { + "info": [ + "the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security", + "available since OpenSSH 8.0" + ], + "warn": [ + "using experimental algorithm" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": {}, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/tinyssh_20190101_test1.txt b/test/docker/expected_results/tinyssh_20190101_test1.txt new file mode 100644 index 0000000..7307169 --- /dev/null +++ b/test/docker/expected_results/tinyssh_20190101_test1.txt @@ -0,0 +1,29 @@ +# general +(gen) software: TinySSH noversion +(gen) compatibility: OpenSSH 8.0-8.4, Dropbear SSH 2018.76+ +(gen) compression: disabled + +# key exchange algorithms +(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange since OpenSSH 6.4 +(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange since OpenSSH 6.4 +(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm + `- [info] available since OpenSSH 8.0 + `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security + +# host-key algorithms +(key) ssh-ed25519 -- [info] available since OpenSSH 6.5 + +# encryption algorithms (ciphers) +(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 + +# message authentication code algorithms +(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 + +# fingerprints +(fin) ssh-ed25519: SHA256:89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU + -- cgit v1.2.3