Skip to content

ncsa/ssh-auditor

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
6 branches 17 tags
Code

Latest commit

Justin Azoff update goreleaser config
db27fb8 Jun 24, 2021
update goreleaser config
db27fb8

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
cmd
 
 
demo
 
 
sshauditor
 
 
testing/docker
 
 
.dockerignore
 
 
.gitignore
 
 
.goreleaser.yml
 
 
.travis.yml
 
 
Dockerfile
 
 
LICENSE.txt
 
 
Makefile
 
 
README.md
 
 
docker-compose.yml
 
 
go.mod
 
 
go.sum
 
 
main.go
 
 
SSH Auditor Features Demos Earlier demo showing all of the features Demo showing improved log output Usage Install or Build from a git clone Build a static binary including sqlite Ensure you can use enough file descriptors Create initial database and discover ssh servers Add credential pairs to check Try credentials against discovered hosts Output a report on what credentials worked RE-Check credentials that worked Output a report on duplicate key usage TODO Report query.

README.md

Build Status

SSH Auditor

Features

ssh-auditor will automatically:

  • Re-check all known hosts as new credentials are added. It will only check the new credentials.
  • Queue a full credential scan on any new host discovered.
  • Queue a full credential scan on any known host whose ssh version or key fingerprint changes.
  • Attempt command execution as well as attempt to tunnel a TCP connection.
  • Re-check each credential using a per credential scan_interval - default 14 days.

It's designed so that you can run ssh-auditor discover + ssh-auditor scan from cron every hour to to perform a constant audit.

Demos

Earlier demo showing all of the features

demo

Demo showing improved log output

demo

Usage

Install

$ brew install go # or however you want to install the go compiler
$ go get github.com/ncsa/ssh-auditor

or Build from a git clone

$ go build

Build a static binary including sqlite

$ make static

Ensure you can use enough file descriptors

$ ulimit -n 4096

Create initial database and discover ssh servers

$ ./ssh-auditor discover -p 22 -p 2222 192.168.1.0/24 10.0.0.1/24

Add credential pairs to check

$ ./ssh-auditor addcredential root root
$ ./ssh-auditor addcredential admin admin
$ ./ssh-auditor addcredential guest guest --scan-interval 1 #check this once per day

Try credentials against discovered hosts

$ ./ssh-auditor scan

Output a report on what credentials worked

$ ./ssh-auditor vuln

RE-Check credentials that worked

$ ./ssh-auditor rescan

Output a report on duplicate key usage

$ ./ssh-auditor dupes

TODO

  • update the 'host changes' table
  • handle false positives from devices that don't use ssh password authentication but instead use the shell to do it.
  • variable re-check times - each credential has a scan_interval in days
  • better support non-standard ports - discover is the only thing that needs to be updated, the rest doesn't care.
  • possibly daemonize and add an api that bro could hook into to kick off a discover as soon as a new SSH server is detected.
  • make the store pluggable (mysql, postgresql).
  • differentiate between a failed password attempt and a failed connection or timeout. Mostly done. Things like fail2ban complicate this.
  • add go implementations for the report sqlite3 command.

Report query.

This query that ssh-auditor vuln runs is

select
        hc.hostport, hc.user, hc.password, hc.result, hc.last_tested, h.version
 from
        host_creds hc, hosts h
 where
        h.hostport = hc.hostport
 and    result!='' order by last_tested asc

About

The best way to scan for weak ssh passwords on your network

Topics

ssh security auditing brute-force discover

Resources

Readme

License

View license
Activity

Stars

581 stars

Watchers

27 watching

Forks

87 forks
Report repository

Releases 11

v0.18 Latest
Jun 24, 2021
+ 10 releases

Packages

No packages published

Contributors 2

Languages