
[nse]: ssh2-enum-algos: Add dropbear server support #1460

Closed


@scottellis scottellis commented Feb 5, 2019

Dropbear servers send key exchange algorithms as part of the first
transfer along with the banner.

There is no need to send a separate kex-init request and the server
ignores the request anyway resulting in no output from the script.

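To make the behaviour described above concrete, here is an added example (not code from this PR or from Nmap's Lua script, written in Python for brevity) that parses a server's first transfer the way a Dropbear-aware client must: the version banner and, when the server has already sent it in the same read, the SSH_MSG_KEXINIT packet whose name-lists the script reports. The sample transfer is constructed here with an all-zero cookie; the LEGACY set just collects the older algorithms that show up in the sample runs on this page so they can be reported.

```python
import struct
SSH_MSG_KEXINIT = 20
# Name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1)
FIELDS = ("kex_algorithms", "server_host_key_algorithms", "encryption_algorithms_c2s",
          "encryption_algorithms_s2c", "mac_algorithms_c2s", "mac_algorithms_s2c",
          "compression_algorithms_c2s", "compression_algorithms_s2c",
          "languages_c2s", "languages_s2c")
# Legacy algorithms that appear in the sample runs on this page
LEGACY = {"hmac-md5", "hmac-sha1-96", "diffie-hellman-group1-sha1",
          "ssh-dss", "3des-cbc", "twofish-cbc"}

def build_kexinit(lists):
    # Encode KEXINIT name-lists as an unencrypted SSH binary packet
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # constructed cookie
    for name in FIELDS:
        nl = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack("!I", len(nl)) + nl
    payload += b"\x00" + struct.pack("!I", 0)  # first_kex_packet_follows, reserved
    pad = 4 + -(9 + len(payload)) % 8          # >= 4 bytes, total a multiple of 8
    return struct.pack("!IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def parse_first_transfer(data):
    # Returns (banner, lists); lists is None when only the banner arrived
    eol = data.index(b"\n")
    banner = data[:eol].rstrip(b"\r").decode("ascii")
    rest = data[eol + 1:]
    if len(rest) < 5:
        return banner, None                    # OpenSSH-style: banner only
    pkt_len, pad_len = struct.unpack("!IB", rest[:5])
    payload = rest[5:5 + pkt_len - pad_len - 1]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        return banner, None
    off, lists = 17, {}                        # skip message id and cookie
    for name in FIELDS:
        (n,) = struct.unpack("!I", payload[off:off + 4])
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        off += 4 + n
    return banner, lists

def legacy_algorithms(lists):
    # Offered algorithms that fall in the LEGACY set, for reporting
    return {a for name in FIELDS for a in lists[name] if a in LEGACY}

# Constructed sample: Dropbear-style first transfer, banner plus KEXINIT
SAMPLE = b"SSH-2.0-dropbear_2014.63\r\n" + build_kexinit({
    "kex_algorithms": ["curve25519-sha256@libssh.org", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"],
    "mac_algorithms_s2c": ["hmac-sha1", "hmac-md5"]})
```

Feeding the banner-only case returns no lists, which is why a client that waits for the server's KEXINIT after sending its own works for OpenSSH but sees nothing from Dropbear.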

@scottellis scottellis commented Feb 5, 2019

Tested with several Dropbear versions

  • dropbear-2014.63
  • dropbear-2015.68
  • dropbear-2016.74
  • dropbear-2017.75
  • dropbear-2018.76

Some sample runs

A wifi AP running asuswrt-merlin

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:06 EST
Nmap scan report for 192.168.10.13
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2018.76 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (3)
|       ecdsa-sha2-nistp256
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       aes256-cbc
|       3des-ctr
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
MAC Address: E4:F4:C6:0D:91:F2 (Netgear)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds

Current Yocto 2.6

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.203
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:07 EST
Nmap scan report for 192.168.10.203
Host is up (0.00095s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2018.76 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       aes256-cbc
|       3des-ctr
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha1-96
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (2)
|       zlib@openssh.com
|_      none
MAC Address: B8:27:EB:7B:E8:32 (Raspberry Pi Foundation)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds

Current Buildroot with BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO enabled (unsafe)

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.203
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:23 EST
Nmap scan report for 192.168.10.203
Host is up (0.00088s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2018.76 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (3)
|       ecdsa-sha2-nistp256
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (9)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       aes256-cbc
|       twofish256-cbc
|       twofish-cbc
|       twofish128-cbc
|       3des-ctr
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha1-96
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (2)
|       zlib@openssh.com
|_      none
MAC Address: B8:27:EB:7B:E8:32 (Raspberry Pi Foundation)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds

An old version of Dropbear (2014.63)

# nmap -p2222 -n -sV --script ssh2-enum-algos 192.168.10.12
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:43 EST
Nmap scan report for 192.168.10.12
Host is up (0.00078s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     Dropbear sshd 2014.63 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (7)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group1-sha1
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|   server_host_key_algorithms: (3)
|       ecdsa-sha2-nistp521
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (9)
|       aes128-ctr
|       3des-ctr
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|       aes256-cbc
|       twofish256-cbc
|       twofish-cbc
|       twofish128-cbc
|   mac_algorithms: (3)
|       hmac-sha1-96
|       hmac-sha1
|       hmac-md5
|   compression_algorithms: (3)
|       zlib
|       zlib@openssh.com
|_      none
MAC Address: 08:62:66:4C:29:91 (Asustek Computer)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds

Some results showing OpenSSH detection is not impacted

OpenBSD 6.4

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.2
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:37 EST
Nmap scan report for 192.168.10.2
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
MAC Address: 00:1D:7D:9D:3E:54 (Giga-byte Technology)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.24 seconds

Ubuntu 16.04

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.10.12
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 10:39 EST
Nmap scan report for 192.168.10.12
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
MAC Address: 08:62:66:4C:29:91 (Asustek Computer)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds

@aaronnad aaronnad commented Sep 11, 2020

+1 for this to be merged. Manually pulled the commit into the file to scan some APs using Dropbear, and this now returns the information as expected.


@nnposter nnposter commented Sep 13, 2020

Thank you for identifying the issue and proposing a remediation.

A different, more general fix has been committed as r38025. Please give it a try and report back if it does not address the problem.

@nmap-bot nmap-bot closed this in fa6bd3f Sep 13, 2020
@nnposter nnposter self-assigned this Sep 14, 2020
@nnposter nnposter added bug NSE labels Sep 14, 2020