2009-05-11 02:46:59 +00:00
|
|
|
##
|
2010-01-15 03:25:34 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2009-05-11 02:46:59 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2009-05-11 02:46:59 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
2010-01-15 03:25:34 +00:00
|
|
|
|
2009-05-11 02:46:59 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
2010-11-22 22:43:34 +00:00
|
|
|
'Name' => 'SSH Version Scanner',
|
2009-05-11 02:46:59 +00:00
|
|
|
'Description' => 'Detect SSH Version.',
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ],
|
|
|
|
],
|
2010-02-17 14:42:11 +00:00
|
|
|
'Author' => [ 'Daniel van Eeden <metasploit[at]myname.nl>' ],
|
2009-05-11 02:46:59 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(22),
|
2010-09-18 03:00:19 +00:00
|
|
|
OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', 30])
|
2009-05-11 02:46:59 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
2010-09-18 03:00:19 +00:00
|
|
|
def to
|
|
|
|
return 30 if datastore['TIMEOUT'].to_i.zero?
|
|
|
|
datastore['TIMEOUT'].to_i
|
|
|
|
end
|
|
|
|
|
2009-05-11 02:46:59 +00:00
|
|
|
def run_host(target_host)
|
2010-09-18 03:00:19 +00:00
|
|
|
begin
|
2010-09-18 04:15:32 +00:00
|
|
|
::Timeout.timeout(to) do
|
2009-05-11 02:46:59 +00:00
|
|
|
|
2010-09-18 03:00:19 +00:00
|
|
|
connect
|
2009-05-11 02:46:59 +00:00
|
|
|
|
2011-02-24 13:57:26 +00:00
|
|
|
resp = sock.get_once(-1, 5)
|
2009-05-11 02:46:59 +00:00
|
|
|
|
2011-02-24 13:57:26 +00:00
|
|
|
if (resp and resp =~ /SSH/)
|
|
|
|
ver,msg = (resp.split(/[\r\n]+/))
|
|
|
|
# Check to see if this is Kippo, which sends a premature
|
|
|
|
# key init exchange right on top of the SSH version without
|
|
|
|
# waiting for the required client identification string.
|
|
|
|
if msg and msg.size >= 5
|
|
|
|
extra = msg.unpack("NCCA*") # sz, pad_sz, code, data
|
|
|
|
if (extra.last.size+2 == extra[0]) and extra[2] == 20
|
|
|
|
ver << " (Kippo Honeypot)"
|
|
|
|
end
|
|
|
|
end
|
2010-09-18 03:00:19 +00:00
|
|
|
print_status("#{target_host}:#{rport}, SSH server version: #{ver}")
|
2011-02-24 13:57:26 +00:00
|
|
|
report_service(:host => rhost, :port => rport, :name => "ssh", :proto => "tcp", :info => ver)
|
2010-09-18 03:00:19 +00:00
|
|
|
else
|
|
|
|
print_error("#{target_host}:#{rport}, SSH server version detection failed!")
|
|
|
|
end
|
|
|
|
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue Timeout::Error
|
|
|
|
print_error("#{target_host}:#{rport}, Server timed out after #{to} seconds. Skipping.")
|
|
|
|
end
|
2009-05-11 02:46:59 +00:00
|
|
|
end
|
|
|
|
end
|