Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/xaitax/cve-2024-6387_check

CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH
cve-2024-6387 exploit pentesting python3 redteam

# CVE-2024-6387_Check

![image](https://github.com/xaitax/CVE-2024-6387_Check/assets/5014849/cf7826b3-0e01-42c1-acc1-2a393b6aba92)

## 📜 Description

CVE-2024-6387_Check is a lightweight, efficient tool for identifying servers running vulnerable versions of OpenSSH, specifically targeting the `regreSSHion` vulnerability (CVE-2024-6387) disclosed in July 2024. It reads the SSH version banner from each target without authenticating, and can rapidly scan multiple IP addresses, domain names, and CIDR network ranges so that affected hosts can be found and patched. Because the check is banner-based, a result is a version check rather than proof of exploitability (see Patched Versions Detection below).

## 🌟 Features

- **Rapid Scanning**: Quickly scan multiple IP addresses, domain names, and CIDR ranges for the CVE-2024-6387 vulnerability.
- **Banner Retrieval**: Efficiently retrieves SSH banners without authentication.
- **Grace Time Detection**: Optionally detects whether a server has applied the `LoginGraceTime 0` mitigation by checking if the unauthenticated connection stays open.
- **IPv6 Support**: Fully supports IPv6 addresses for both direct and hostname-based scanning.
- **Multi-threading**: Uses threading for concurrent checks, significantly reducing scan times.
- **Detailed Output**: Provides clear, emoji-coded output summarizing scan results.
- **Port Check**: Identifies closed ports and provides a summary of non-responsive hosts.
- **Patched Versions Detection**: Recognizes and excludes known patched versions from vulnerability reports.
- **DNS/Hostname Resolution**: Resolve and display hostnames for IP addresses.

## 🚀 Usage

```bash
python CVE-2024-6387_Check.py [--ports PORTS] [--timeout TIMEOUT] [--list FILE] [--grace-time-check [SECONDS]] [--dns-resolve] [--use-help-request]
```

### Command Line Arguments

- Positional targets: one or more IP addresses, domain names, CIDR network ranges, or paths to files containing IP addresses.
- `--timeout TIMEOUT`: Connection timeout in seconds (default: 1).
- `--list FILE`, `-l FILE`: File containing a list of IP addresses to check.
- `--ports PORTS`: Comma-separated list of port numbers to check (default: 22).
- `--use-help-request`: Send a `HELP` request if the initial SSH banner retrieval fails (see HELP Request Handling below).
- `--grace-time-check [SECONDS]`: After the version has been identified, keep the connection open for SECONDS to check for the `LoginGraceTime` mitigation (default: 120, which is also sshd's default `LoginGraceTime`).
- `--dns-resolve`, `-d`: Resolve and display hostnames for IP addresses.

### Examples

#### Single IP

```bash
python CVE-2024-6387_Check.py 192.168.1.1
```

#### IPs from a file

```bash
python CVE-2024-6387_Check.py -l ip_list.txt
```

#### Multiple IPs and Domains

```bash
python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2
```

#### CIDR Range

```bash
python CVE-2024-6387_Check.py 192.168.1.0/24
```

#### With Multiple Ports

```bash
python CVE-2024-6387_Check.py 192.168.1.1 example.com --ports 22,2222
```

#### Checking LoginGraceTime Mitigation

```bash
python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check
```

#### Checking LoginGraceTime Mitigation with Custom Time

```bash
python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check 150
```

#### Enabling HELP request

```bash
python CVE-2024-6387_Check.py 192.168.1.1 --use-help-request
```

#### Enabling DNS/Hostname Resolution

```bash
python CVE-2024-6387_Check.py 192.168.1.1 --dns-resolve
```

### ✨ Features Explained

#### Grace Time Detection

The tool supports checking for the [LoginGraceTime mitigation](https://www.cynet.com/blog/regresshion-cve-2024-6387/). The regreSSHion race is triggered from sshd's SIGALRM handler, which fires when an unauthenticated client has not finished logging in within `LoginGraceTime` (120 seconds by default); setting `LoginGraceTime 0` disables that timer, so the vulnerable code path is never reached. With `--grace-time-check`, the script therefore reads the banner, sends nothing further, and waits the specified duration: if the server closes the connection (the sample output below shows a close at 120.1 seconds), the timer is still active and the mitigation is not in place; if the connection is still open when the wait ends, `LoginGraceTime` is probably 0 (or at least longer than the wait). Note that `LoginGraceTime 0` trades the remote code execution for a connection-exhaustion denial-of-service exposure, as the Qualys advisory points out, so it is a stopgap until the server is patched.

#### IPv6 Support

The tool fully supports IPv6 addresses. You can scan both IPv4 and IPv6 addresses directly or through hostname resolution.

#### Patched Versions Detection

Distributions backport the fix without bumping the upstream version in the banner, so a plain version comparison would flag patched hosts. The tool keeps a list of such known patched builds (for example the `OpenSSH_9.6p1 Ubuntu-3ubuntu13.3` banner reported as not vulnerable in the sample output below) and excludes them from the vulnerability report. A patched build that is not yet on the list will still be reported as likely vulnerable, so treat the verdict as a version check and confirm against the vendor's advisory before acting on it.
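The version logic such a report rests on, as an added example written for this page and not the project's own code: parse the banner, compare major.minor against the advisory's ranges, and short-circuit on known distribution builds. The vulnerable ranges follow the Qualys advisory listed under References; the `KNOWN_PATCHED` set is illustrative (one entry taken from the sample output below, one from Debian's DSA-5724-1) and is not the project's list. All function names are this example's own.

```python
"""Banner-based CVE-2024-6387 (regreSSHion) classification.

Added example, not the project's own code. Version ranges follow the Qualys
advisory; KNOWN_PATCHED is illustrative, not the project's list.
"""
import re

# SSH-<proto>-OpenSSH_<major>.<minor>[p<portable>][ <distribution build string>]
BANNER_RE = re.compile(
    r"^SSH-\d\.\d-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p\d+)?(?:\s+(?P<build>\S.*))?$"
)

# Distribution builds that carry the backported fix while keeping the upstream
# version in the banner, keyed by ((major, minor), build string).
KNOWN_PATCHED = {
    ((9, 6), "Ubuntu-3ubuntu13.3"),  # Ubuntu 24.04 build shown as safe in the README sample output
    ((9, 2), "Debian-2+deb12u3"),    # Debian 12 fix from DSA-5724-1
}


def parse_openssh_banner(banner):
    """Return ((major, minor), build) or None when the banner is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return (int(m["major"]), int(m["minor"])), (m["build"] or "").strip()


def classify(banner):
    """'vulnerable', 'not_vulnerable' or 'unknown' for one identification string.

    Advisory ranges: < 4.4p1 vulnerable (unless the 2006 fix was backported),
    4.4p1 .. 8.4p1 not vulnerable, 8.5p1 .. 9.7p1 vulnerable, 9.8p1 fixed.
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "unknown"            # e.g. 'SSH-2.0-ROSSSH': not OpenSSH, no verdict
    version, build = parsed
    if (version, build) in KNOWN_PATCHED:
        return "not_vulnerable"     # distro backport, upstream version unchanged
    if version < (4, 4) or (8, 5) <= version < (9, 8):
        return "vulnerable"
    return "not_vulnerable"


def summarize(banners):
    """Bucket a mapping of host -> banner the way the tool's report does."""
    report = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for host, banner in banners.items():
        report[classify(banner)].append(host)
    return report
```

The comparison deliberately ignores the `p` portable level: every boundary in the advisory falls on a major.minor change, and the portable suffix never flips a verdict. A build string that is not on the list (here `Debian-2+deb12u2`) stays in the vulnerable bucket, which is exactly the false-positive risk described above.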

#### DNS/Hostname Resolution

When the `--dns-resolve` option is used, the script resolves and displays hostnames for IP addresses in the output. This feature helps identify the scanned hosts more clearly.

#### HELP Request Handling

Some restrictive SSH services do not send their identification string until the client has sent something first, so the initial passive read returns nothing and the host ends up in the Unknown bucket. With `--use-help-request`, the script sends a `HELP` request when the initial banner retrieval fails and reads again, which recovers a banner, and so a verdict, from such hosts. The probe remains unauthenticated either way.
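How the grace-time check and the HELP fallback behave on the wire, as an added example for this page rather than the project's code: `fetch_banner()` does the passive banner read with the optional `HELP` retry, `grace_time_check()` then stays silent and times how long the server keeps the unauthenticated connection, and `FakeSshd` is a constructed stand-in on 127.0.0.1 that plays three server behaviours (the default grace timer scaled down from 120 s to 1 s, `LoginGraceTime 0`, and a quiet service that only answers after the client speaks). All names here are this example's own; the 1 s timeout and the 120 s figure mirror the tool's defaults.

```python
"""LoginGraceTime probe with a HELP fallback, run against a simulated sshd. Added example,
not the project's code: FakeSshd is a constructed stand-in; probe() works on any host/port."""
import socket
import threading
import time


def _read_line(sock):
    try:
        return sock.recv(1024).decode("ascii", "replace").strip() or None
    except OSError:                      # timeout, reset or closed: nothing usable
        return None


def fetch_banner(host, port, timeout=1.0, use_help_request=False):
    """Read the identification string without authenticating. Restrictive services may
    stay silent until the client speaks: with use_help_request, send 'HELP' and retry."""
    sock = socket.create_connection((host, port), timeout=timeout)
    banner = _read_line(sock)
    if banner is None and use_help_request:
        sock.sendall(b"HELP\r\n")
        banner = _read_line(sock)
    return sock, banner


def grace_time_check(sock, wait_seconds):
    """Send nothing after the banner and watch whether sshd hangs up: the grace alarm closes
    the connection after LoginGraceTime seconds, LoginGraceTime 0 disables it. Returns seconds
    until the close, or None if the connection is still open at the deadline."""
    start = time.monotonic()
    while True:
        remaining = start + wait_seconds - time.monotonic()
        if remaining <= 0:
            return None
        sock.settimeout(remaining)
        try:
            if sock.recv(1024):              # stray bytes (e.g. a late banner): keep waiting
                continue
        except socket.timeout:
            return None                      # still open: LoginGraceTime 0 or > wait_seconds
        except OSError:
            pass                             # reset by peer counts as a close
        return round(time.monotonic() - start, 1)


def probe(host, port, wait_seconds, timeout=1.0, use_help_request=False):
    """Banner retrieval (HELP fallback optional) followed by the grace-time wait."""
    sock, banner = fetch_banner(host, port, timeout, use_help_request)
    with sock:
        closed = grace_time_check(sock, wait_seconds) if banner else None
    return {"banner": banner, "closed_after": closed}


class FakeSshd:
    """Constructed stand-in for sshd on 127.0.0.1: grace > 0 closes an idle connection after
    that many seconds (real default 120), grace == 0 never closes, quiet withholds the banner
    until the client sends something."""
    def __init__(self, banner, grace, quiet=False):
        self.banner, self.grace, self.quiet = banner.encode() + b"\r\n", grace, quiet
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self._srv.settimeout(0.2)            # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:                  # listening socket closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            try:
                if self.quiet:
                    conn.settimeout(5)
                    conn.recv(1024)          # wait for the client to speak first
                conn.sendall(self.banner)
                conn.settimeout(self.grace or None)
                while conn.recv(1024):       # the recv timeout plays the grace alarm
                    pass
            except OSError:
                pass

    def stop(self):
        self._srv.close()


def demo(wait_seconds=2.0):
    """Probe three constructed servers; the grace timer is scaled from 120 s down to 1 s."""
    banner = "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2"
    servers = [FakeSshd(banner, 1), FakeSshd(banner, 0), FakeSshd(banner, 0, quiet=True)]
    try:
        return {"default_grace": probe("127.0.0.1", servers[0].port, wait_seconds),
                "grace_zero": probe("127.0.0.1", servers[1].port, wait_seconds),
                "quiet_no_help": probe("127.0.0.1", servers[2].port, wait_seconds),
                "quiet_with_help": probe("127.0.0.1", servers[2].port, wait_seconds, use_help_request=True)}
    finally:
        for s in servers:
            s.stop()
```

Against a real host you would call `probe(host, 22, 120)`: a `closed_after` near 120 means the grace timer is still armed, `None` means the connection survived the wait. The check is only as good as its wait, since a server with a non-zero `LoginGraceTime` longer than the wait also yields `None`, which is why the tool accepts a custom duration. The quiet server shows the other failure mode: without the `HELP` retry it returns no banner at all and would be reported as unknown.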

### Output

The script will provide a summary of the scanned targets:

* 🚨 Vulnerable: Servers running a vulnerable version of OpenSSH.
* 🛡️ Not Vulnerable: Servers running a non-vulnerable version of OpenSSH.
* ⚠️ Unknown: Servers whose SSH banner could not be read or is not an OpenSSH version string.
* 🔒 Closed Ports: Count of servers with port 22 (or specified port) closed.
* 📊 Total Scanned: Total number of targets scanned.

```text
🛡️ Servers not vulnerable: 2

[+] Server at somedomain.cloudapp.azure.com (running SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11)
[+] Server at regresshion_test.cc (running SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3)

🚨 Servers likely vulnerable: 1

[+] Server at 4.231.170.122 (abc.com) (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2)
[+] Server at 4.231.170.121 (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2) vulnerable and LoginGraceTime remediation not done (Session was closed by server at 120.1 seconds)

⚠️ Servers with unknown SSH version: 1

[+] Server at 103.97.85.85 (xxx.com) (banner: SSH-2.0-ROSSSH)

🔒 Servers with port 22 closed: 254

📊 Total scanned targets: 257
```

## 📆 Changelog

### [08. July 2024] - Version 0.8

- [Added] Included patched versions for FreeBSD 13.3, 14.x and 15
- [Added] Hostname resolution via `-d` or `--dns-resolve`
- [Fixed] LoginGraceTime detection [@agibson2](https://github.com/agibson2)

### [06. July 2024] - Version 0.7

- [Added] Introduced an option to use a "HELP" request to retrieve the SSH banner if the initial attempt fails. This feature can be enabled using the `--use-help-request` argument. This helps to bypass certain SSH configurations that do not immediately return the banner, improving compatibility with more restrictive SSH services.
- [Added] #30 Allow multiple ports to be scanned.

### [05. July 2024] - Version 0.6

- [Added] Introduced LoginGraceTime detection.
- [Fixed] Resolved issue where hosts with only an IPv6 address could not be tested by hostname.

## 📚 References

- [Qualys Blog on regreSSHion Vulnerability](https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server)