3

I'd like to scan our network (IPv4 and IPv6) for ssh and find the offered authentication options.

Ultimately I'd like to end up with a parseable list[1] of hosts that contains the following info:

  • IP [IPv4|IPv6]-address
  • Optional: FQDN at time of scan
  • Port
  • Offers Public Key Authentication [YES|NO]
  • Offers other options [YES|NO]
  • Is SSHv1 [YES|NO]
  • SSH Version (the banner)

I don't actually care about the input format, I could generate that. An optimal solution would accept the following:

  • CIDR
  • DNS records
  • IPv4/IPv6 Addresses

in a file separated by newlines. I have looked at nmap and its NSE engine; the stock nmap offers a scan for SSHv1 but not for authentication options. Since my Lua skills are ... on par with David Carradine's karate skills and Chuck Norris's acting skills, I can't write that stuff myself.

Also I'm not set on nmap since it's rather slow (at least to me) and I'd like to run this scan regularly to report results.

Question is: Which tools offer the required stuff?

[1]: I don't care whether it's XML, JSON, $FANCY_REPRESENTATION. It just needs to be machine parseable.


As asked in the comment:

I have access to the hosts. I can log in and even sudo :) -- This is a compliance check. I can get the server configuration and we are running puppet that should ensure that the config is correct. We still rather want to rely on a client that verifies from the outside it is not working, also the advantage is that I can (with automated scans) run to the person who is responsible for the host and ask why the configuration management isn't running as that is already in place. I'm talking in the order of a couple of thousand hosts here and we are 12 people in the ops team, reading through all the configs is ... not quite what we want (and not what the auditors want).

serverhorror
  • The puppet dashboard will just list for you all of the hosts that aren't in sync with their intended state. And I wouldn't scan an IPv6 /64, rather just listen for NDP traffic and `ping6 ff02::1%eth0`... IPv6 hosts are rather noisy... – Michael Hampton Nov 26 '13 at 23:58
  • I know puppet has this information. Tools that give me information by looking at what data a possibly compromised host tells me about itself aren't enough. As I said this is a compliance requirement, not a technical requirement... – serverhorror Nov 27 '13 at 00:04
  • It might help to know just what it is you're trying to comply _with_. – Michael Hampton Nov 27 '13 at 00:07
  • What I need is a way to prove we only offer pubkey auth. Asking a possibly compromised host to lie to me is not enough. This starts to be a discussion :( -- @MichaelHampton: Those are internal requirements. I am not authorized to provide further details nor do I actually want to talk about internal details (no pun intended, I'm rather paranoid and don't like telling too much to "random people on the internet") – serverhorror Nov 27 '13 at 00:15
  • No big deal, it's just that well known compliance issues like PCI-DSS or HIPAA should be mentioned if they're relevant. And as a general rule, the more you tell us the better we can help, up to a point. We're not asking for your IP address or your community strings! – Michael Hampton Nov 27 '13 at 00:19
  • If you run the OpenSSH client with the -v option it will show you what authentication options are available. Something like: – DmitriD Nov 27 '13 at 02:48

1 Answer

0

Before someone closes this I ended up crafting an ugly script:

It has most of the basic information I need and I will probably expand it so it fits our internal needs.

```
$ python scanner.py --help
usage: scanner.py [-h] [--num-cpus NUM_CPUS] [--infile INFILE] [--port PORT]

optional arguments:
  -h, --help           show this help message and exit
  --num-cpus NUM_CPUS  Number of CPUs. Sets the maximum number of parallel
                       tasks.
  --infile INFILE      Input file to read from (Default: stdin).
  --port PORT          Which port shall be scanned! (If you can guess the
                       default you are ueber!)
[INFO/MainProcess] process shutting down
```
serverhorror
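The `ssh -v` approach from the comments, turned into the machine-parseable record the question lists. This is an added example, not part of the original answer and not the `scanner.py` shown above. The function name `audit_record`, the `only_pubkey` field and the sample debug text are assumptions made for illustration.

```python
import json
import re

# Constructed samples of OpenSSH client `ssh -v` debug output (not from real hosts).
SAMPLE_OK = """\
debug1: Connecting to 2001:db8::10 [2001:db8::10] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: Authentications that can continue: publickey
"""
SAMPLE_WEAK = """\
debug1: Connecting to 192.0.2.7 [192.0.2.7] port 22.
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.3
debug1: Authentications that can continue: publickey,password,keyboard-interactive
"""

CONNECT_RE = re.compile(r"^debug1: Connecting to \S+ \[([^\]]+)\] port (\d+)", re.M)
VERSION_RE = re.compile(
    r"^debug1: Remote protocol version (\S+), remote software version (.+)$", re.M)
AUTH_RE = re.compile(r"^debug1: Authentications that can continue: (\S+)", re.M)


def audit_record(verbose_output):
    """Turn one host's `ssh -v` output into a dict with the fields the question asks for."""
    conn = CONNECT_RE.search(verbose_output)
    ver = VERSION_RE.search(verbose_output)
    auth = AUTH_RE.search(verbose_output)
    if not (conn and ver):
        return None  # no SSH version exchange seen: host down, filtered, or not SSH
    proto, software = ver.group(1), ver.group(2).strip()
    methods = auth.group(1).split(",") if auth else []
    v1 = proto.startswith("1.")
    return {
        "ip": conn.group(1),
        "port": int(conn.group(2)),
        "banner": "SSH-%s-%s" % (proto, software),
        # 1.x is SSHv1; 1.99 means the server accepts both v1 and v2 (RFC 4253, section 5.1)
        "sshv1": v1,
        "pubkey": "publickey" in methods,
        "other_methods": sorted(m for m in methods if m != "publickey"),
        # hypothetical compliance flag: publickey is the only offer and no SSHv1
        "only_pubkey": methods == ["publickey"] and not v1,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WEAK):
        print(json.dumps(audit_record(sample), sort_keys=True))
```

A host whose output contains no version line yields `None`, so unreachable hosts can be reported separately from non-compliant ones.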