xaitax / cve-2024-6387_check Goto Github PK


CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH

License: GNU General Public License v3.0

Python 100.00%
cve-2024-6387 exploit pentesting python3 redteam

cve-2024-6387_check's Introduction

CVE-2024-6387_Check


📜 Description

CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH, specifically targeting the recently discovered regreSSHion vulnerability (CVE-2024-6387). This script facilitates rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure your infrastructure is secure.

🌟 Features

  • Rapid Scanning: Quickly scan multiple IP addresses, domain names, and CIDR ranges for the CVE-2024-6387 vulnerability.
  • Banner Retrieval: Efficiently retrieves SSH banners without authentication.
  • Grace Time Detection: Optionally detect if servers have mitigated vulnerabilities using the LoginGraceTime setting.
  • IPv6 Support: Fully supports IPv6 addresses for both direct and hostname-based scanning.
  • Multi-threading: Uses threading for concurrent checks, significantly reducing scan times.
  • Detailed Output: Provides clear, emoji-coded output summarizing scan results.
  • Port Check: Identifies closed ports and provides a summary of non-responsive hosts.
  • Patched Versions Detection: Recognizes and excludes known patched versions from vulnerability reports.
  • DNS/Hostname Resolution: Resolve and display hostnames for IP addresses.

🚀 Usage

python CVE-2024-6387_Check.py <targets> [--ports PORTS] [--timeout TIMEOUT] [--list FILE] [--grace-time-check [SECONDS]] [--dns-resolve] [--use-help-request]

Command Line Arguments

  • <targets>: IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.
  • --timeout TIMEOUT: Set connection timeout in seconds (default: 1 second).
  • --list FILE: File containing a list of IP addresses to check.
  • --ports PORTS: Specify a comma-separated list of port numbers to check (default: 22).
  • --use-help-request: Enable sending a HELP request if the initial SSH banner retrieval fails.
  • --grace-time-check [SECONDS]: Time in seconds to wait after identifying the version to check for LoginGraceTime mitigation (default: 120 seconds).
  • --dns-resolve: Resolve and display hostnames for IP addresses.

Examples

Single IP

python CVE-2024-6387_Check.py 192.168.1.1

IPs from a file

python CVE-2024-6387_Check.py -l ip_list.txt

Multiple IPs and Domains

python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2

CIDR Range

python CVE-2024-6387_Check.py 192.168.1.0/24

With Multiple Ports

python CVE-2024-6387_Check.py 192.168.1.1 example.com --ports 22,2222

Checking LoginGraceTime Mitigation

python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check

Checking LoginGraceTime Mitigation with Custom Time

python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check 150

Enabling HELP request

python CVE-2024-6387_Check.py 192.168.1.1 --use-help-request

Enabling DNS/Hostname Resolution

python CVE-2024-6387_Check.py 192.168.1.1 --dns-resolve

✨ Features Explained

Grace Time Detection

The tool supports checking for LoginGraceTime mitigation. When the --grace-time-check option is used, the script will wait for the specified duration after retrieving the SSH banner to see if the connection remains open, which indicates that the LoginGraceTime setting might be set to 0 as a mitigation measure.
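The probe described above, written out as an added example (this is not the project's own code): connect, read the banner, then keep the session idle and watch whether the server ends it before the window expires. It also handles the TCP reset case reported in the issues section further down this page as its own result category instead of an unhandled exception. The `start_demo_server` helper is a constructed stand-in for sshd that closes (or resets) the connection after a configurable grace period, so the probe can be exercised offline; its name, and `probe_grace_time`, are assumptions of this example.

```python
import socket
import struct
import threading
import time

# Added example (not the project's own code): the LoginGraceTime probe the
# README describes, plus a constructed local stand-in server to run it against.


def probe_grace_time(host, port, wait_seconds, timeout=1.0):
    """Grab the banner, then hold the connection idle for wait_seconds.

    Returns a dict whose 'status' is one of:
      'closed'           connect or banner read failed (port closed/filtered)
      'closed_by_server' server ended the session inside the window: a
                         LoginGraceTime timer is still active
      'still_open'       session survived the window: LoginGraceTime may be 0
      'reset'            TCP reset mid-wait (network error, reported on its
                         own instead of crashing the scan)
    """
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        banner = sock.recv(1024).decode("utf-8", errors="ignore").strip()
    except OSError as exc:
        sock.close()
        return {"status": "closed", "banner": "", "elapsed": 0.0, "detail": str(exc)}

    result = {"status": "still_open", "banner": banner}
    deadline = time.monotonic() + wait_seconds
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break                      # nothing happened: session still up
            if chunk == b"":
                result["status"] = "closed_by_server"   # orderly FIN from the server
                break
            # Any other bytes (e.g. a KEXINIT packet) only prove the session is alive.
    except ConnectionResetError:
        result["status"] = "reset"
    finally:
        sock.close()
    result["elapsed"] = round(time.monotonic() - start, 1)
    result["detail"] = {
        "closed_by_server": f"Session was closed by server at {result['elapsed']} seconds",
        "still_open": f"Session still open after {wait_seconds} seconds; LoginGraceTime may be 0",
        "reset": f"Session was reset at {result['elapsed']} seconds",
    }[result["status"]]
    return result


def start_demo_server(banner, grace_seconds, reset=False):
    """Constructed stand-in for sshd: send a banner, then drop the client after
    grace_seconds, either with a normal close or (reset=True) with a TCP RST.
    Returns the port it listens on (127.0.0.1)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def handle(conn):
        try:
            conn.sendall(banner)
            time.sleep(grace_seconds)
            if reset:   # linger time 0 makes close() send RST instead of FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        finally:
            conn.close()

    def serve():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    banner = b"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2\r\n"   # constructed sample
    # Server with a 1 s grace timer, probed with a 3 s window -> closed_by_server.
    print(probe_grace_time("127.0.0.1", start_demo_server(banner, 1.0), 3.0))
    # Server that never drops the session (LoginGraceTime 0), 1 s window -> still_open.
    print(probe_grace_time("127.0.0.1", start_demo_server(banner, 60.0), 1.0))
    # Server that resets the connection after 1 s -> reset, not a crash.
    print(probe_grace_time("127.0.0.1", start_demo_server(banner, 1.0, reset=True), 3.0))
```

Against a real host the window has to exceed the longest LoginGraceTime configured in your environment (the tool defaults to 120 seconds), otherwise a server that is still running the timer is indistinguishable from one that has set it to 0.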

IPv6 Support

The tool fully supports IPv6 addresses. You can scan both IPv4 and IPv6 addresses directly or through hostname resolution.

Patched Versions Detection

The tool recognizes certain patched versions of OpenSSH and excludes them from the vulnerability report, ensuring more accurate results.
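As an added example (not the project's code), the banner classification this section and the version check rely on: parse the identification line, compare the OpenSSH major.minor against the version ranges the tool lists as vulnerable, and exempt the distribution backports from its exclusion list. It also handles the decoding problem reported in the "Failed to retrieve SSH banner" issue further down the page, where a dropbear server follows its banner with binary key-exchange bytes, by decoding line by line rather than the whole buffer. The function names and the sample responses are constructed for this example; the banners themselves are the ones shown on this page.

```python
import re

# Added example (not part of the CVE-2024-6387_Check project): banner parsing
# and classification following the version lists shown on this page.

# OpenSSH (major, minor) ranges the page's check flags as vulnerable:
# 1.x through 4.4, and 8.5 through 9.7. 9.8 and later are fixed.
VULNERABLE_RANGES = (((1, 0), (4, 4)), ((8, 5), (9, 7)))

# Distribution backports that carry the fix but keep an old version number,
# as listed in the tool's excluded_versions (exact banner match).
EXCLUDED_VERSIONS = {
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
}

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def extract_banner(raw: bytes) -> str:
    """Pull the identification line out of whatever the server sent first.

    RFC 4253 allows a server to send other lines before the one starting with
    "SSH-", and some servers (dropbear, see the issue further down the page)
    follow the banner immediately with binary key-exchange data, so decode
    line by line with undecodable bytes ignored instead of the whole buffer.
    """
    for line in raw.split(b"\n"):
        text = line.decode("utf-8", errors="ignore").strip()
        if text.startswith("SSH-"):
            return text
    return ""


def classify_banner(banner: str) -> str:
    """Map a banner to the tool's result categories."""
    if "SSH-2.0" not in banner:
        return "failed"            # no usable SSH-2.0 identification line
    if "SSH-2.0-OpenSSH" not in banner:
        return "unknown"           # some other SSH implementation
    if banner in EXCLUDED_VERSIONS:
        return "not_vulnerable"    # known patched backport
    match = _VERSION_RE.search(banner)
    if match is None:
        return "unknown"
    version = (int(match.group(1)), int(match.group(2)))
    if any(low <= version <= high for low, high in VULNERABLE_RANGES):
        return "vulnerable"
    return "not_vulnerable"


def summarize(raw_responses):
    """Count results per category, as the tool's summary output does."""
    counts = {"vulnerable": 0, "not_vulnerable": 0, "unknown": 0, "failed": 0}
    for raw in raw_responses:
        counts[classify_banner(extract_banner(raw))] += 1
    return counts


# Constructed sample responses (the banners are the ones shown on this page).
SAMPLE_RESPONSES = [
    b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11\r\n",
    b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3\r\n",   # patched backport
    b"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2\r\n",     # vulnerable
    b"SSH-2.0-ROSSSH\r\n",                              # not OpenSSH
    b"SSH-2.0-dropbear\r\n\x00\x00\x84\xff\x14",        # banner then binary KEXINIT bytes
    b"",                                                # nothing received
]

if __name__ == "__main__":
    for raw in SAMPLE_RESPONSES:
        banner = extract_banner(raw)
        print(f"{classify_banner(banner):15} {banner!r}")
    print(summarize(SAMPLE_RESPONSES))
```

The exclusion list is exact-match on the full banner, which is why a backport is only recognised when the banner string is complete; a version like `SSH-2.0-OpenSSH_9.6p1` with no distribution suffix still falls into the vulnerable range.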

DNS/Hostname Resolution

When the --dns-resolve option is used, the script resolves and displays hostnames for IP addresses in the output. This feature helps identify the scanned hosts more clearly.

HELP Request Handling

The tool includes an option to handle restrictive SSH services that do not immediately return a banner. When the --use-help-request option is used, the script will send a "HELP" request if the initial SSH banner retrieval fails, increasing "mitigation" detections.

Output

The script will provide a summary of the scanned targets:

  • 🚨 Vulnerable: Servers running a vulnerable version of OpenSSH.
  • πŸ›‘οΈ Not Vulnerable: Servers running a non-vulnerable version of OpenSSH.
  • ⚠️ Unknown: Servers running an unknown version of SSH
  • 🔒 Closed Ports: Count of servers with port 22 (or specified port) closed.
  • 📊 Total Scanned: Total number of targets scanned.

🛡️ Servers not vulnerable: 2

   [+] Server at somedomain.cloudapp.azure.com (running SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11)
   [+] Server at regresshion_test.cc (running SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3)

🚨 Servers likely vulnerable: 1

   [+] Server at 4.231.170.122 (abc.com) (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2)
   [+] Server at 4.231.170.121 (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2) vulnerable and LoginGraceTime remediation not done (Session was closed by server at 120.1 seconds)

⚠️ Servers with unknown SSH version: 1

   [+] Server at 103.97.85.85 (xxx.com) (banner: SSH-2.0-ROSSSH)

🔒 Servers with port 22 closed: 254

📊 Total scanned targets: 257

📆 Changelog

[08. July 2024] - Version 0.8

  • [Added] Included patched versions for FreeBSD 13.3, 14.x and 15
  • [Added] Hostname resolution via -d or --dns-resolve
  • [Fixed] LoginGraceTime detection @agibson2

[06. July 2024] - Version 0.7

  • [Added] Introduced an option to use a "HELP" request to retrieve the SSH banner if the initial attempt fails. This feature can be enabled using the --use-help-request argument. This helps to bypass certain SSH configurations that do not immediately return the banner, improving compatibility with more restrictive SSH services.
  • [Added] #30 Allow multiple ports to be scanned.

[05. July 2024] - Version 0.6

  • [Added] Introduced LoginGraceTime detection.
  • [Fixed] Resolved issue where hosts with only an IPv6 address could not be tested by hostname.

📚 References

Qualys Blog on regreSSHion Vulnerability

cve-2024-6387_check's People

Contributors

xaitax, bugdisclose, blackblocks-io, agibson2, dacodedbeat, clovel, pbirkants, atenreiro, energeticcc, tomasflorian

cve-2024-6387_check's Issues

Feature request: Option to test login timeout of more than X seconds

A lot of workarounds are to remove the timeout for the login so that the race condition doesn't happen (LoginGraceTime 0). Even though that can open you up for DoS on the ssh logins, it does at least keep the original vulnerability from being exploited. Just going by the banner version won't rule those out of course.

It would be great to have an option to test that the login timeout doesn't disconnect connection quicker than X seconds.... where X is a number that is longer than any default LoginGraceTime timeouts you have set in your environment. You could then flag any that have a longer timeout than X as possibly remediated by the LoginGraceTime 0 setting even though the banner identifies it as vulnerable. So after identifying the version, leave the session open for X amount of seconds (32 seconds or 302 seconds for example) to see if the server disconnects the session and flag them as possibly remediated if the server doesn't close the session at X seconds.

While this would take longer to scan all systems, I think this could be very helpful to help identify the servers that are more likely to be vulnerable so that we can spend more of our time patching systems that are more likely not remediated yet. With it being an option, there wouldn't be a down side to it as those that don't want to use this feature don't have to.

How to scan IPV6 Hosts

Does the script support IPV6?
My previous attempts were not successful in this regard.

Thank you for your efforts.

Connection TCP reset during grace-time-check crashes program

While waiting with the connection open during the grace-time-check, if a connection is reset by the server or by some other network device between the systems, the program crashes and doesn't display any results. I created a patch for it and made a small addition to catch the ConnectionResetError and changed the text to say "Session was reset" instead of "Session was closed". I left it as being vulnerable in my change. Maybe creating a new category for network errors and putting a new report section for those might be the best idea instead of leaving it in the vulnerable category, but since I am aware of what it means, I just left it.

The changes are here...
If you want this change, I can submit a pull request for it.

main...agibson2:CVE-2024-6387_Check:main

add multiple port scan

#!/usr/bin/env python3

import socket
import argparse
import ipaddress
import threading
import time
from queue import Queue
from concurrent.futures import ThreadPoolExecutor

VERSION = "0.5"

BLUE = "\033[94m"
GREEN = "\033[92m"
RED = "\033[91m"
ORANGE = "\033[33m"
ENDC = "\033[0m"

# Shared progress state, guarded by progress_lock because worker threads update it.
progress_lock = threading.Lock()
progress_counter = 0
total_hosts = 0


def display_banner():
    banner = rf"""
{BLUE}
_________ _________ ___ ___ .__
_______ ____ ___________ ____ / // // | || ____ ____
_ __ _/ __ \ / _ __ _/ __ \ _
\ _ / ~ \ |/ _ \ /
| | /\ // // > | /\ / / / \ Y / ( <> ) |
|| _ >
/|| _ >_______ /_______ /_|_ /||_/|| /
/_____/ / / / / /
    CVE-2024-6387 Vulnerability Checker
    v{VERSION} / Alex Hagenah / @xaitax / [email protected]
{ENDC}
"""
    print(banner)


def get_ssh_sock(ip, port, timeout):
    """Open a TCP connection to ip:port; return the socket, or None if the port is closed."""
    # Pick the address family from the literal so IPv6 targets work as well.
    family = socket.AF_INET6 if ':' in ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return sock
    except OSError:
        sock.close()
        return None


def get_ssh_banner(sock):
    """Read the server's identification line; on failure return the error text instead."""
    try:
        banner = sock.recv(1024).decode(errors='ignore').strip()
        return banner
    except Exception as e:
        return str(e)
    finally:
        sock.close()


def check_vulnerability(ip, ports, timeout, result_queue):
    """Check every port of one host and push (ip, port, status, message) tuples onto result_queue."""
    global progress_counter

    for port in ports:
        sshsock = get_ssh_sock(ip, port, timeout)
        if not sshsock:
            result_queue.put((ip, port, 'closed', "Port closed"))
            with progress_lock:
                progress_counter += 1
            continue

        banner = get_ssh_banner(sshsock)
        if "SSH-2.0" not in banner:
            result_queue.put(
                (ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
            with progress_lock:
                progress_counter += 1
            continue

        if "SSH-2.0-OpenSSH" not in banner:
            result_queue.put((ip, port, 'unknown', f"(banner: {banner})"))
            with progress_lock:
                progress_counter += 1
            continue

        # Version prefixes affected by CVE-2024-6387 (substring match on the banner).
        vulnerable_versions = [
            'SSH-2.0-OpenSSH_1',
            'SSH-2.0-OpenSSH_2',
            'SSH-2.0-OpenSSH_3',
            'SSH-2.0-OpenSSH_4.0',
            'SSH-2.0-OpenSSH_4.1',
            'SSH-2.0-OpenSSH_4.2',
            'SSH-2.0-OpenSSH_4.3',
            'SSH-2.0-OpenSSH_4.4',
            'SSH-2.0-OpenSSH_8.5',
            'SSH-2.0-OpenSSH_8.6',
            'SSH-2.0-OpenSSH_8.7',
            'SSH-2.0-OpenSSH_8.8',
            'SSH-2.0-OpenSSH_8.9',
            'SSH-2.0-OpenSSH_9.0',
            'SSH-2.0-OpenSSH_9.1',
            'SSH-2.0-OpenSSH_9.2',
            'SSH-2.0-OpenSSH_9.3',
            'SSH-2.0-OpenSSH_9.4',
            'SSH-2.0-OpenSSH_9.5',
            'SSH-2.0-OpenSSH_9.6',
            'SSH-2.0-OpenSSH_9.7'
        ]

        # Distribution backports that carry the fix under an old version number (exact match).
        excluded_versions = [
            'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
            'SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
            'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
            'SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
            'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
            'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3'
        ]

        if any(version in banner for version in vulnerable_versions) and banner not in excluded_versions:
            result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
        else:
            result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))

        with progress_lock:
            progress_counter += 1


def process_ip_list(ip_list_file):
    """Read one target per line from a file; return the stripped entries."""
    ips = []
    try:
        with open(ip_list_file, 'r') as file:
            ips.extend(file.readlines())
    except IOError:
        print(f"❌ [-] Could not read file: {ip_list_file}")
    return [ip.strip() for ip in ips]


def main():
    global total_hosts
    display_banner()

    parser = argparse.ArgumentParser(
        description="Check if servers are running a vulnerable version of OpenSSH (CVE-2024-6387).")
    parser.add_argument(
        "targets", nargs='*', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("--ports", type=str, default="22",
                        help="Comma-separated list of ports to check (default: 22).")
    parser.add_argument("-t", "--timeout", type=float, default=1.0,
                        help="Connection timeout in seconds (default: 1 second).")
    parser.add_argument(
        "-l", "--list", help="File containing a list of IP addresses to check.")

    args = parser.parse_args()
    targets = args.targets
    timeout = args.timeout

    ports = [int(port.strip()) for port in args.ports.split(',')]

    ips = []

    if args.list:
        ips.extend(process_ip_list(args.list))

    # Each positional target may be a file of targets, a CIDR range, or a single host.
    for target in targets:
        try:
            with open(target, 'r') as file:
                ips.extend(file.readlines())
        except IOError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target, strict=False)
                    ips.extend([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f"❌ [-] Invalid CIDR notation: {target}")
            else:
                ips.append(target)

    result_queue = Queue()

    total_hosts = len(ips)

    # Bounded worker pool: one thread per host would exhaust file descriptors on large ranges.
    max_workers = 100

    with ThreadPoolExecutor(max_workers=max_workers) as executor:
        futures = [executor.submit(check_vulnerability, ip.strip(),
                                   ports, timeout, result_queue) for ip in ips]

        while not all(future.done() for future in futures):
            with progress_lock:
                print(f"\rProgress: {progress_counter}/{total_hosts} hosts scanned", end="")
            time.sleep(1)

    # Re-raise any exception a worker hit instead of silently dropping it.
    for future in futures:
        future.result()

    print(f"\rProgress: {progress_counter}/{total_hosts} hosts scanned")

    total_scanned = len(ips)
    closed_ports = 0
    unknown = []
    not_vulnerable = []
    vulnerable = []

    while not result_queue.empty():
        ip, port, status, message = result_queue.get()
        if status == 'closed':
            closed_ports += 1
        elif status == 'unknown':
            unknown.append((ip, message))
        elif status == 'vulnerable':
            vulnerable.append((ip, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((ip, message))
        else:
            print(f"⚠️ [!] Server at {ip}:{port} is {message}")

    print(f"\n🛡️ Servers not vulnerable: {len(not_vulnerable)}\n")
    for ip, msg in not_vulnerable:
        print(f"   [+] Server at {GREEN}{ip}{ENDC} {msg}")
    print(f"\n🚨 Servers likely vulnerable: {len(vulnerable)}\n")
    for ip, msg in vulnerable:
        print(f"   [+] Server at {RED}{ip}{ENDC} {msg}")
    print(f"\n⚠️ Servers with unknown SSH version: {len(unknown)}\n")
    for ip, msg in unknown:
        print(f"   [+] Server at {ORANGE}{ip}{ENDC} {msg}")
    print(f"\n🔒 Servers with port(s) {args.ports} closed: {closed_ports}")
    print(f"\n📊 Total scanned targets: {total_scanned}\n")


if __name__ == "__main__":
    main()
Sorry for the interruption; I don't understand how to request adding a feature. I was adding support for multiple ports using --ports.

thanks

Invalid non-printable character line 40

I get this error:

└─$ python3 CVE-2024-6387_Check.py <ip>
  File "/home/user/CVE-2024-6387_Check/CVE-2024-6387_Check.py", line 40
            'SSH-2.0-OpenSSH_8.5',
    ^
SyntaxError: invalid non-printable character U+2002

running cat -A

 vulnerable_versions = [$
        'SSH-2.0-OpenSSH_8.5p1',$
M-bM-^@M-^BM-bM-^@M-^BM-bM-^@M-^BM-bM-^@M-^B    'SSH-2.0-OpenSSH_8.5',$
        'SSH-2.0-OpenSSH_8.6p1',$
        'SSH-2.0-OpenSSH_8.6',$

OSError: [Errno 24] Too many open files

Found an issue "OSError: [Errno 24] Too many open files" while executing on a MAC, likely as the script attempts to create a large number of concurrent threads and sockets, leading to this issue.

Requires Python 3.6 or newer

Just a heads up for people with systems using v2 as default python command.

Older versions will give syntax error due to f"" style strings

Adding network support in ip_list_file

Adding network support in ip_list_file

import ipaddress


def process_ip_list(ip_list_file):
    """Read targets from a file; lines in CIDR notation are expanded to their host addresses."""
    ips = []

    try:
        with open(ip_list_file, 'r') as file:
            for target in file:
                if '/' in target:
                    try:
                        network = ipaddress.ip_network(target.strip(), strict=False)
                        ips.extend([str(ip) for ip in network.hosts()])
                    except ValueError as e:
                        print(f"❌ [-] Invalid CIDR notation {target} {e}")
                else:
                    ips.append(target)
    except IOError:
        print(f"❌ [-] Could not read file: {ip_list_file}")
    return [ip.strip() for ip in ips]

SSH Service HELP request

In some instances, the SSH service does not return the banner from a simple socket connection. It may just return a timeout, whereas nmap -sV will successfully send a HELP request to retrieve banner information.

I cannot provide the IP address this is affected by, but the solution is to perform the following. This may not always be required, so it might be worthwhile performing this on a second run when the first socket connection fails to return a banner.

import socket


def get_ssh_sock(ip, port, timeout):
    """Connect to ip:port and send a HELP line to coax a banner out of a quiet service; None if closed."""
    family = socket.AF_INET6 if ':' in ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        help_string = "HELP\n"
        sock.sendall(help_string.encode())
        return sock
    except OSError:
        sock.close()
        return None

This was just a temporary fix to get it to work on a host. But may be something to be aware of.

Ports

Thanks for the job.
Seems to have a problem with specified ports :

python CVE-2024-6387_Check.py -ports 22,22222 -l linux.txt

                                  _________ _________ ___ ___ .__

_______ ____ ___________ ____ / // // | || ____ ____
_ __ _/ __ \ / _ __ _/ __ \ _
\ _ / ~ \ |/ _ \ /
| | /\ // // > | /\ / / / \ Y / ( <> ) |
|| _ >
/|| _ >_______ /_______ /_|_ /||_/|| /
/_____/ / / / / /
CVE-2024-6387 Vulnerability Checker
v0.8 / Alex Hagenah / @xaitax / [email protected]

Traceback (most recent call last):
File "C:\xxx\CVE-2024-6387_Check-main\CVE-2024-6387_Check-main\CVE-2024-6387_Check.py", line 297, in
main()
File "C:\xxx\CVE-2024-6387_Check-main\CVE-2024-6387_Check-main\CVE-2024-6387_Check.py", line 208, in main
ports = [int(p) for p in args.ports.split(',')]
^^^^^^
ValueError: invalid literal for int() with base 10: 'orts'

OSError: [Errno 24] Too many open files

A traceback is printed at the beginning for exception "OSError: [Errno 24] Too many open files", but then the script continues and appears to give a reasonable working output.

Occurs on Python 3.11.7 and 3.12.2 on macOS.

22:20:59 in ~/Downloads via 🐍 3.11.7 
➜ pyenv shell 3.12                             

22:25:43 in ~/Downloads via 🐍 3.12.2 
➜ python CVE-2024-6387_Check.py "172.16.2.0/24"
Exception in thread Thread-254 (check_vulnerability):
Traceback (most recent call last):
  File "/Users/seb/.pyenv/versions/3.12.2/lib/python3.12/threading.py", line 1073, in _bootstrap_inner
  File "/Users/seb/.pyenv/versions/3.12.2/lib/python3.12/threading.py", line 1010, in run
  File "/Users/seb/Downloads/CVE-2024-6387_Check.py", line 27, in check_vulnerability
  File "/Users/seb/Downloads/CVE-2024-6387_Check.py", line 10, in get_ssh_sock
  File "/Users/seb/.pyenv/versions/3.12.2/lib/python3.12/socket.py", line 233, in __init__
OSError: [Errno 24] Too many open files

πŸ›‘οΈ Servers not vulnerable: 3

[...]

🚨 Servers likely vulnerable: 4

[...]

🔒 Servers with port 22 closed: 245

📊 Total scanned targets: 254
➜ python -c "import os; print(os.uname())"             
posix.uname_result(sysname='Darwin', nodename='myhostname.local', release='23.5.0', version='Darwin Kernel Version 23.5.0: Wed May  1 20:16:51 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T8103', machine='arm64')

Hosts that only have an IPv6 address cannot be tested by hostname

pete@ardbeg ~ % dig +short cerberus2.xxxx.com A
pete@ardbeg ~ % dig +short cerberus2.xxxx.com AAAA
xxxx:xxxx:xxxx:xxxx::1400:0
pete@ardbeg ~ % ./CVE-2024-6387_Check.py cerberus2.xxxx.com


                                      _________ _________ ___ ___ .__
_______   ____   ___________   ____  /   _____//   _____//   |   \|__| ____   ____
\_  __ \_/ __ \ / ___\_  __ \_/ __ \ \_____  \ \_____  \/    ~    \  |/  _ \ /    \
 |  | \/\  ___// /_/  >  | \/\  ___/ /        \/        \    Y    /  (  <_> )   |  \
 |__|    \___  >___  /|__|    \___  >_______  /_______  /\___|_  /|__|\____/|___|  /
             \/_____/             \/        \/        \/       \/                \/
    CVE-2024-6387 Vulnerability Checker
    v0.5 / Alex Hagenah / @xaitax / [email protected]


Progress: 1/1 hosts scanned

πŸ›‘οΈ Servers not vulnerable: 0


🚨 Servers likely vulnerable: 0


⚠️ Servers with unknown SSH version: 0


🔒 Servers with port 22 closed: 1

📊 Total scanned targets: 1

pete@ardbeg ~ % ./CVE-2024-6387_Check.py xxxx:xxxx:xxxx:xxxx::1400:0  


                                      _________ _________ ___ ___ .__
_______   ____   ___________   ____  /   _____//   _____//   |   \|__| ____   ____
\_  __ \_/ __ \ / ___\_  __ \_/ __ \ \_____  \ \_____  \/    ~    \  |/  _ \ /    \
 |  | \/\  ___// /_/  >  | \/\  ___/ /        \/        \    Y    /  (  <_> )   |  \
 |__|    \___  >___  /|__|    \___  >_______  /_______  /\___|_  /|__|\____/|___|  /
             \/_____/             \/        \/        \/       \/                \/
    CVE-2024-6387 Vulnerability Checker
    v0.5 / Alex Hagenah / @xaitax / [email protected]


Progress: 1/1 hosts scanned

πŸ›‘οΈ Servers not vulnerable: 0


🚨 Servers likely vulnerable: 1

   [+] Server at xxxx:xxxx:xxxx:xxxx::1400:0 (running SSH-2.0-OpenSSH_9.2p1)

⚠️ Servers with unknown SSH version: 0


🔒 Servers with port 22 closed: 0

📊 Total scanned targets: 1

Failed to retrieve SSH banner

python3 CVE-2024-6387_Check.py 192.168.102.10

⚠️ [!] Server at 192.168.102.10:22 is Failed to retrieve SSH banner: 'utf-8' codec can't decode byte 0x84 in position 21: invalid start byte

πŸ›‘οΈ Servers not vulnerable: 0


🚨 Servers likely vulnerable: 0


🔒 Servers with port 22 closed: 0

📊 Total scanned targets: 1

nc 192.168.102.10 22 -w 1

SSH-2.0-dropbear
��@�/�����:�
            ���curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,[email protected] ssh-ed25519,rsa-sha2-256,[email protected],aes128-ctr,[email protected],aes128-ctr,aes256-ctrhmac-sha1,hmac-sha2-256hmac-sha1,hmac-sha2-256nonenone!a

Why contacting open ports twice?

First, thanks for writing the script!

I was just curious - since the first benefit listed in README is "rapid scanning", why is each open port connected to twice? First to check if it's open and if it is, then another connection is used to fetch the banner?

It'd be more efficient if is_port_open() didn't exist at all and get_ssh_banner() raised an exception for closed ports that would then be handled in check_vulnerability().

Just my 2 cents :)
