[nse]: ssh2-enum-algos: Add dropbear server support #1460

Open
wants to merge 1 commit into
base: master
from

scottellis commented Feb 5, 2019

Dropbear servers send key exchange algorithms as part of the first
transfer along with the banner.

There is no need to send a separate kex-init request and the server
ignores the request anyway resulting in no output from the script.
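To make the behaviour this PR relies on concrete, here is an added Python example (not the NSE script's Lua and not code from this PR) that parses a server's first transfer: when the banner and the KEXINIT packet arrive together, as Dropbear sends them, it pulls the algorithm name-lists straight out of that buffer, and for a banner-only first transfer (the OpenSSH case) it reports that no KEXINIT is present yet. The two sample transfers are constructed, not captured.

```python
import struct
MSG_KEXINIT = 20
# The ten KEXINIT name-lists in wire order (RFC 4253 section 7.1).
NAMELISTS = ("kex_algorithms", "server_host_key_algorithms",
             "encryption_algorithms_c2s", "encryption_algorithms_s2c",
             "mac_algorithms_c2s", "mac_algorithms_s2c", "compression_algorithms_c2s",
             "compression_algorithms_s2c", "languages_c2s", "languages_s2c")

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {name_list: [algo, ...]}, or None if it is not one."""
    if not payload or payload[0] != MSG_KEXINIT:
        return None
    off, algos = 17, {}              # skip the message id and the 16-byte cookie
    for name in NAMELISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        algos[name] = raw.split(",") if raw else []
        off += 4 + n
    return algos

def split_first_transfer(data):
    """Return (banner, kexinit) from the server's first transfer. Dropbear puts KEXINIT
    right behind its identification string; OpenSSH sends the banner alone (-> None)."""
    nl = data.find(b"\n")
    if nl < 0:
        return None, None
    banner = data[:nl].rstrip(b"\r").decode("ascii", "replace")
    rest = data[nl + 1:]
    if len(rest) < 5:                # nothing behind the banner yet
        return banner, None
    packet_len, pad_len = struct.unpack_from(">IB", rest, 0)
    return banner, parse_kexinit(rest[5:5 + packet_len - pad_len - 1])

def build_kexinit_packet(lists):
    """Encode a KEXINIT binary packet; used here only to construct offline samples."""
    payload = bytes([MSG_KEXINIT]) + bytes(16)
    for name in NAMELISTS:
        item = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(item)) + item
    payload += b"\x00" + bytes(4)    # first_kex_packet_follows, reserved
    pad = (-(5 + len(payload))) % 8 + 8   # >= 4 bytes and keeps the packet 8-byte aligned
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

# Constructed Dropbear-style first transfer: banner and KEXINIT in one write.
DROPBEAR_FIRST = b"SSH-2.0-dropbear_2018.76\r\n" + build_kexinit_packet({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"], "mac_algorithms_s2c": ["hmac-sha1"],
    "encryption_algorithms_s2c": ["aes128-ctr", "3des-cbc"], "compression_algorithms_s2c": ["none"]})
# Constructed OpenSSH-style first transfer: the banner alone, KEXINIT comes later.
OPENSSH_FIRST = b"SSH-2.0-OpenSSH_7.9\r\n"
```

A script that always sends its own KEXINIT and then waits would miss the Dropbear list entirely, which is the empty-output symptom the PR describes.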

scottellis commented Feb 5, 2019

Tested with several Dropbear versions

  • dropbear-2014.63
  • dropbear-2015.68
  • dropbear-2016.74
  • dropbear-2017.75
  • dropbear-2018.76

Some sample runs

A wifi AP running asuswrt-merlin

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:06 EST
Nmap scan report for 192.168.10.13
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2018.76 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (3)
|       ecdsa-sha2-nistp256
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       aes256-cbc
|       3des-ctr
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
MAC Address: E4:F4:C6:0D:91:F2 (Netgear)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds

Current Yocto 2.6

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.203
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:07 EST
Nmap scan report for 192.168.10.203
Host is up (0.00095s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2018.76 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       aes256-cbc
|       3des-ctr
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha1-96
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (2)
|       zlib@openssh.com
|_      none
MAC Address: B8:27:EB:7B:E8:32 (Raspberry Pi Foundation)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds

Current Buildroot with BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO enabled (unsafe)

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.203
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:23 EST
Nmap scan report for 192.168.10.203
Host is up (0.00088s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2018.76 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (3)
|       ecdsa-sha2-nistp256
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (9)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       aes256-cbc
|       twofish256-cbc
|       twofish-cbc
|       twofish128-cbc
|       3des-ctr
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha1-96
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (2)
|       zlib@openssh.com
|_      none
MAC Address: B8:27:EB:7B:E8:32 (Raspberry Pi Foundation)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds

An old version of Dropbear (2014.63)

# nmap -p2222 -n -sV --script ssh2-enum-algos 192.168.10.12
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:43 EST
Nmap scan report for 192.168.10.12
Host is up (0.00078s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     Dropbear sshd 2014.63 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (7)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group1-sha1
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (3)
|       ecdsa-sha2-nistp521
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (9)
|       aes128-ctr
|       3des-ctr
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|       aes256-cbc
|       twofish256-cbc
|       twofish-cbc
|       twofish128-cbc
|   mac_algorithms: (3)
|       hmac-sha1-96
|       hmac-sha1
|       hmac-md5
|   compression_algorithms: (3)
|       zlib
|       zlib@openssh.com
|_      none
MAC Address: 08:62:66:4C:29:91 (Asustek Computer)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds

Some results showing OpenSSH detection is not impacted

OpenBSD 6.4

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.2
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:37 EST
Nmap scan report for 192.168.10.2
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
MAC Address: 00:1D:7D:9D:3E:54 (Giga-byte Technology)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.24 seconds

Ubuntu 16.04

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.12
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:39 EST
Nmap scan report for 192.168.10.12
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
MAC Address: 08:62:66:4C:29:91 (Asustek Computer)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds