Home

Awesome

ssh-audit

License Build Status PRs Welcome

PyPI Downloads Homebrew Downloads Docker Pulls Snap Downloads

Github Sponsors

ssh-audit is a tool for ssh server & client configuration auditing.

jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.

Features

Usage

usage: ssh-audit.py [-h] [-1] [-2] [-4] [-6] [-b] [-c] [-d]
                    [-g <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>] [-j] [-l {info,warn,fail}] [-L]
                    [-M custom_policy.txt] [-m] [-n] [-P "Built-In Policy Name" / custom_policy.txt] [-p N]
                    [-T targets.txt] [-t N] [-v] [--conn-rate-test N[:max_rate]] [--dheat N[:kex[:e_len]]]
                    [--lookup alg1[,alg2,...]] [--skip-rate-test] [--threads N]
                    [host]

positional arguments:
  host                  target hostname or IPv4/IPv6 address

optional arguments:
  -h, --help            show this help message and exit
  -1, --ssh1            force ssh version 1 only
  -2, --ssh2            force ssh version 2 only
  -4, --ipv4            enable IPv4 (order of precedence)
  -6, --ipv6            enable IPv6 (order of precedence)
  -b, --batch           batch output
  -c, --client-audit    starts a server on port 2222 to audit client software config (use -p to change port; use -t
                        to change timeout)
  -d, --debug           enable debugging output
  -g <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>, --gex-test <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>
                        conducts a very customized Diffie-Hellman GEX modulus size test. Tests an array of minimum,
                        preferred, and maximum values, or a range of values with an optional incremental step amount
  -j, --json            enable JSON output (use -jj to enable indentation for better readability)
  -l {info,warn,fail}, --level {info,warn,fail}
                        minimum output level (default: info)
  -L, --list-policies   list all the official, built-in policies. Combine with -v to view policy change logs
  -M custom_policy.txt, --make-policy custom_policy.txt
                        creates a policy based on the target server (i.e.: the target server has the ideal
                        configuration that other servers should adhere to), and stores it in the file path specified
  -m, --manual          print the man page (Docker, PyPI, Snap, and Windows builds only)
  -n, --no-colors       disable colors (automatic when the NO_COLOR environment variable is set)
  -P "Built-In Policy Name" / custom_policy.txt, --policy "Built-In Policy Name" / custom_policy.txt
                        run a policy test using the specified policy (use -L to see built-in policies, or specify
                        filesystem path to custom policy created by -M)
  -p N, --port N        the TCP port to connect to (or to listen on when -c is used)
  -T targets.txt, --targets targets.txt
                        a file containing a list of target hosts (one per line, format HOST[:PORT]). Use -p/--port
                        to set the default port for all hosts. Use --threads to control concurrent scans
  -t N, --timeout N     timeout (in seconds) for connection and reading (default: 5)
  -v, --verbose         enable verbose output
  --conn-rate-test N[:max_rate]
                        perform a connection rate test (useful for collecting metrics related to susceptibility of
                        the DHEat vuln). Testing is conducted with N concurrent sockets with an optional maximum
                        rate of connections per second
  --dheat N[:kex[:e_len]]
                        continuously perform the DHEat DoS attack (CVE-2002-20001) against the target using N
                        concurrent sockets. Optionally, a specific key exchange algorithm can be specified instead
                        of allowing it to be automatically chosen. Additionally, a small length of the fake e value
                        sent to the server can be chosen for a more efficient attack (such as 4).
  --lookup alg1[,alg2,...]
                        looks up an algorithm(s) without connecting to a server.
  --skip-rate-test      skip the connection rate test during standard audits (used to safely infer whether the DHEat
                        attack is viable)
  --threads N           number of threads to use when scanning multiple targets (-T/--targets) (default: 32)

Basic server auditing:

ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222

To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):

ssh-audit -T servers.txt

To audit a client configuration (listens on port 2222 by default; connect using ssh -p 2222 anything@localhost):

ssh-audit -c

To audit a client configuration, with a listener on port 4567:

ssh-audit -c -p 4567

To list all official built-in policies (hint: use resulting policy names with -P/--policy):

ssh-audit -L

To run a policy audit against a server:

ssh-audit -P ["policy name" | path/to/server_policy.txt] targetserver

To run a policy audit against a client:

ssh-audit -c -P ["policy name" | path/to/client_policy.txt]

To run a policy audit against many servers:

ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]

To create a policy based on a target server (which can be manually edited):

ssh-audit -M new_policy.txt targetserver

To run the DHEat CPU exhaustion DoS attack (CVE-2002-20001) against a target using 10 concurrent sockets:

ssh-audit --dheat=10 targetserver

To run the DHEat attack using the diffie-hellman-group-exchange-sha256 key exchange algorithm:

ssh-audit --dheat=10:diffie-hellman-group-exchange-sha256 targetserver

To run the DHEat attack using the diffie-hellman-group-exchange-sha256 key exchange algorithm along with very small but non-standard packet lengths (this may result in the same CPU exhaustion, but with many less bytes per second being sent):

ssh-audit --dheat=10:diffie-hellman-group-exchange-sha256:4 targetserver

Screenshots

Server Standard Audit Example

Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service: screenshot

Server Policy Audit Example

Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine (hint: use -L/--list-policies to see names of built-in policies to use with -P/--policy): screenshot

After applying the steps in the hardening guide (see below), the output changes to the following: screenshot

Client Standard Audit Example

Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects: client_screenshot

Hardening Guides

Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html

Pre-Built Packages

Pre-built packages are available for Windows (see the Releases page), PyPI, Snap, and Docker:

To install from PyPI:

$ pip3 install ssh-audit

To install the Snap package:

$ snap install ssh-audit

To install from Dockerhub:

$ docker pull positronsecurity/ssh-audit

(Then run with: docker run -it --rm -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1)

The status of various other platform packages can be found below (via Repology):

<a href="https://repology.org/project/ssh-audit/versions"><img src="https://repology.org/badge/vertical-allrepos/ssh-audit.svg?columns=4" alt="Packaging status" align="center"></a>

Web Front-End

For convenience, a web front-end on top of the command-line tool is available at https://www.ssh-audit.com/.

ChangeLog

v3.4.0-dev

v3.3.0 (2024-10-15)

v3.2.0 (2024-04-22)

v3.1.0 (2023-12-20)

v3.0.0 (2023-09-07)

v2.9.0 (2023-04-29)

v2.5.0 (2021-08-26)

v2.4.0 (2021-02-23)

v2.3.1 (2020-10-28)

v2.3.0 (2020-09-27)

v2.2.0 (2020-03-11)

v2.1.1 (2019-11-26)

v2.1.0 (2019-11-14)

v2.0.0 (2019-08-29)

v1.7.0 (2016-10-26)

v1.6.0 (2016-10-14)

v1.5.0 (2016-09-20)

v1.0.20160902

v1.0.20160812

v1.0.20160803

v1.0.20160207

v1.0.20160105

v1.0.20151230

v1.0.20151223