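The following tool will scan the network for hosts using the vulnerable SSH version 3.0, which allows attackers to log in to accounts without being prompted for a password when the account's password is shorter than two characters. As the script's own header notes, it is a local check: it reads the SSH banner of the host you name and then inspects a shadow file, so it needs superuser access on the system being checked.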
for more information about this vulnerability, please see our previous post:
ssh secure shell 3.0.0 allows passwordless logons
tool:
#!/usr/bin/perl
#
# a local ssh 3.0.0 vulnerability scanner for the
# ssh short password login vulnerability
#
# note: you must have superuser access on the system to scan it.
#
# usage: ./ssh3.pl [-e] [-h shadow_file] <host>
# optional: -e turn off error (run the account check even if the banner is not 3.0.0)
# -h specify a different /etc/shadow file
# (options must come before host name)
#
# written by hypoclear hypoclear@jungle.net - http://hypoclear.cjb.net
#
# this and all of my programs fall under my disclaimer, which
# can be found at: http://hypoclear.cjb.net/hypodisclaim.txt
use strict;
use warnings;

use Getopt::Std;
use IO::Socket;
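# Audit flow: (1) read the SSH banner of the named host, (2) if the banner
# contains 3.0.0 (or -e was given), list the accounts in the shadow file whose
# password field is two characters or shorter. Only account names and line
# numbers are printed; the contents of the password field are never echoed.
our ($opt_h, $opt_e);    # package globals filled in by Getopt::Std::getopts
my $usage = "\nusage: $0 <host>\n\toptional: -e turn off error\n\t\t -h specify a different /etc/shadow file\n\n";
getopts('h:e') or die $usage;
die $usage unless @ARGV > 0;
$opt_h = "/etc/shadow" unless defined $opt_h;

# Fetch up to 100 bytes of the server's greeting. A failed connection leaves
# the banner empty, so the version test below simply does not match.
my $target = $ARGV[0];
my $banner = '';
my $sock   = bannergrab($target, 22);
if ($sock)
{   defined(sysread($sock, $banner, 100))
        or warn "cannot read ssh banner from $target: $!\n";
    close $sock;
}

# The dots are escaped so that only a literal "3.0.0" matches. This is still a
# substring test on the banner, not a full parse of the version string.
if ($banner =~ /3\.0\.0/ || defined $opt_e)
{   print "running ssh 3.0.0, checking for vulnerabilities...\n\n";
    open(my $shadow, '<', $opt_h)
        or die "cannot open $opt_h!\nnote: you must have superuser access to run this script.\n\n";

    my $vulnflag = 0;
    while (my $entry = <$shadow>)
    {   # Blank lines and lines without a field separator are not account
        # entries; skipping them avoids reporting a nameless "account".
        next unless $entry =~ /:/;

        # Field 1 is the account name, field 2 the stored password field.
        my ($name, $field) = split /:/, $entry, 3;
        s/\s//g for $name, $field;

        # An empty field is reported as well, since its length is zero.
        if (length($field) <= 2)
        {   # $. is the real line number in the shadow file.
            print "$name\t(line $.) may be vulnerable!\n";
            $vulnflag = 1;
        }
    }
    close($shadow);

    print "no accounts appear to be vulnerable.\n" unless $vulnflag;
}
else
{   # Reached only when the banner did not match and -e was not given.
    print "you are not running ssh 3.0.0.\n";
    die "if you feel that this is an error run with the -e option.\n";
}
print "\n";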
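# bannergrab($host, $port)
#
# Opens a TCP connection to $host on $port and returns the connected socket so
# the caller can read the service banner from it. On failure it warns and
# returns nothing (undef in scalar context), so callers must check the result
# before reading.
sub bannergrab
{   my ($host, $port) = @_;

    # IO::Socket::INET does the name lookup and the connect in one step. The
    # timeout keeps the audit from hanging on a host that drops packets.
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => 10,
    );

    unless ($sock)
    {   # IO::Socket::INET leaves the reason for the failure in $@.
        warn "cannot connect to $host: $@\n";
        return;
    }
    return $sock;
}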