##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Scanner
	include Msf::Auxiliary::Report

	def initialize
		super(
			'Name'        => 'SSH Version Scanner',
			'Version'     => '$Revision$',
			'Description' => 'Detect SSH Version.',
			'References'  =>
				[
					[ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ],
				],
			'Author'      => [ 'Daniel van Eeden <metasploit[at]myname.nl>' ],
			'License'     => MSF_LICENSE
		)

		register_options(
		[
			Opt::RPORT(22),
			OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', 30])
		], self.class)
	end

	def to
		return 30 if datastore['TIMEOUT'].to_i.zero?
		datastore['TIMEOUT'].to_i
	end

	def run_host(target_host)
		begin
			::Timeout.timeout(to) do

				connect

				resp = sock.get_once(-1, 5)

				if (resp and resp =~ /SSH/)
					ver,msg = (resp.split(/[\r\n]+/))
					# Check to see if this is Kippo, which sends a premature
					# key init exchange right on top of the SSH version without
					# waiting for the required client identification string.
					if msg and msg.size >= 5
						extra = msg.unpack("NCCA*") # sz, pad_sz, code, data
						if (extra.last.size+2 == extra[0]) and extra[2] == 20
							ver << " (Kippo Honeypot)"
						end
					end
					print_status("#{target_host}:#{rport}, SSH server version: #{ver}")
					report_service(:host => rhost, :port => rport, :name => "ssh", :proto => "tcp", :info => ver)
				else
					print_error("#{target_host}:#{rport}, SSH server version detection failed!")
				end

				disconnect
			end

		rescue Timeout::Error
			print_error("#{target_host}:#{rport}, Server timed out after #{to} seconds. Skipping.")
		end
	end
end