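#!/usr/bin/perl -w
#--blackshell tool1--#
#--blackshell-sshd.pl--#
# Mass scanner that checks a list of hosts for sshd versions affected by
# the ssh1 crc32 compensation attack detector ("deattack") bug.
#
# The check is banner-based only: it connects to tcp/22, reads the single
# version line the server sends first, and compares it (exact string match)
# against a fixed list of known-affected version strings.  A match means
# "advertises an affected version", not a confirmed vulnerability -- vendors
# backport fixes without changing the banner and banners can be edited --
# so treat hits as inventory leads to verify, not as findings.
#
# vulnerable OS'es listed in the advisories include aix, irix, linux,
# solaris, hpux, unicos(yes)
# a few thanks: dave dittrich, bindview, team-teso, #!blackshell contributors
#
# Changes from the original listing:
#  * strict/warnings enabled; every variable is lexical.
#  * 3-arg open on the -i / -l paths (2-arg open treated a user-supplied
#    path as a mode/filename string).
#  * the obsolete 5.005 "Thread" module is gone: the original created one
#    thread per host and joined it immediately, so nothing ran in parallel.
#  * a SIGALRM handler is installed before alarm(); without one the default
#    action killed the whole process on the first slow host.
#  * sockaddr_in() is built from inet_aton()'s packed address, not the
#    host string.
#  * analyze() compared with "=" (assignment), so every host was reported
#    as vulnerable; it now uses "eq".
#  * the log header is written once per run; the original truncated the
#    log on every result so only the last host survived.
#  * "sub log" shadowed the log() builtin; renamed log_result().
use strict;
use warnings;
use Socket;
use Getopt::Std;
use Fcntl qw(:flock);
use List::Util qw(first);

my $banner = qq(
Mass SSHD Vulnerability Scanner by BlackShell
blackshell\@hushmail.com
);

my $exploit_information = qq(
Advisories:
http://www.securityfocus.com/advisories/3088
http://xforce.iss.net/alerts/advise100.php
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://www.securityfocus.com/bugid=2347
http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
http://openssh.org/security.html
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html

Information:
http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
http://www.newsbytes.com/news/01/171291.html
http://www.cert.org/incident_notes/IN-2001-12.html

Incidents:
http://archives.neohapsis.com/archives/incidents/2001-12/0009.html
http://archives.neohapsis.com/archives/incidents/2001-12/0047.html
http://archives.neohapsis.com/archives/incidents/2001-12/0102.html
http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
http://archives.neohapsis.com/archives/incidents/2001-12/0189.html
http://archives.neohapsis.com/archives/incidents/2001-12/0225.html
http://archives.neohapsis.com/archives/incidents/2001-12/0240.html
);

# borrowed from dave's code(thanks :>)
# Exact banner strings known to be affected.  Compared with "eq" after
# line terminators are stripped, so "SSH-1.5-1.2.27-foo" does NOT match.
my @affected = (
    'SSH-1.5-1.2.24',
    'SSH-1.5-1.2.25',
    'SSH-1.5-1.2.26',
    'SSH-1.5-1.2.27',
    'SSH-1.5-1.2.28',
    'SSH-1.5-1.2.29',
    'SSH-1.5-1.2.30',
    'SSH-1.5-1.2.31',
    'SSH-1.5-OpenSSH-1.2',
    'SSH-1.5-OpenSSH-1.2.1',
    'SSH-1.5-OpenSSH-1.2.2',
    'SSH-1.5-OpenSSH-1.2.3',
    'SSH-1.99-OpenSSH-2.1',
    'SSH-1.99-OpenSSH_2.1.1',
    'SSH-1.99-OpenSSH_2.2.0',
    'SSH-1.99-OpenSSH_2.2.0p1',
);

# Run settings (defaults match the usage text); main() overrides from @ARGV.
my $debug   = 0;
my $infile  = 'sshd.in';
my $timeout = 5;
my $logfile = 'sshd.log';

# is_affected(VERSION) -> 1 if VERSION (trailing CR/LF ignored) is exactly
# one of @affected, else 0.  undef is never affected.
sub is_affected {
    my ($version) = @_;
    return 0 unless defined $version;
    $version =~ s/[\r\n]+\z//;
    my $hit = first { $_ eq $version } @affected;
    return defined $hit ? 1 : 0;
}

# usage([MESSAGE]) -> prints MESSAGE (if any), the banner and the option
# summary to STDOUT, then exits 1.  Never returns.
sub usage {
    my ($message) = @_;
    print "\n$message\n" if defined $message;
    print "\n$banner\n";
    print "\nOptions: ";
    print "\n./$0 -i <hostfile> -l <logfile> -d <1> -t <seconds>";
    print "\n";
    print "\ndefaults: ";
    print "\ntimeout: 5";
    print "\nhost list: sshd.in";
    print "\nlogfile: sshd.log";
    print "\ndebug: no\n";
    exit 1;
}

# write_log_header(PATH) -> truncates PATH and writes the banner and the
# advisory references.  Dies on open/lock/close failure.
sub write_log_header {
    my ($path) = @_;
    open my $log, '>', $path or die "Can't open $path for writing: $!\n";
    flock($log, LOCK_EX) or die "Cant file lock $path: $!\n";
    print {$log} "\n$banner\n";
    print {$log} "\n$exploit_information\n";
    close $log or die "Can't close $path: $!\n";
    return;
}

# log_result(HOST, REZ) -> appends one result record for HOST to $logfile
# under an exclusive lock.  Dies on open/lock/close failure.
sub log_result {
    my ($host, $rez) = @_;
    open my $log, '>>', $logfile or die "Cant open $logfile: $!\n";
    flock($log, LOCK_EX) or die "Cant file lock $logfile: $!\n";
    print {$log} "\nResults:";
    print {$log} "\n${host}: $rez\n";
    close $log or die "Can't close $logfile: $!\n";
    return;
}

# analyze(HOST, RESULT) -> summary string.  Prints a notice when RESULT is
# in the affected list.  "Affected" here means only that the advertised
# version string matches; confirm on the host before acting on it.
sub analyze {
    my ($host, $result) = @_;
    if (is_affected($result)) {
        print "\n$host is running a vulnerable version of SSHD";
        print "\nversion is: $result";
        return "affected version advertised: $result";
    }
    return "not in affected list: $result";
}

# check_scan(HOST, TIMEOUT) -> one-line summary for HOST.
# Connects to tcp/22, reads the first line the server sends (the SSH
# version exchange line), logs it and classifies it.  Any failure
# (resolution, connect, timeout, empty banner) is returned as an
# "error: ..." string rather than thrown, so one bad host does not stop
# the run.  TIMEOUT bounds the whole resolve/connect/read sequence.
sub check_scan {
    my ($host, $timeout) = @_;
    my $summary = eval {
        # Without a handler the default SIGALRM action terminates the
        # process; dying inside the eval turns it into a per-host error.
        local $SIG{ALRM} = sub { die "timeout after ${timeout}s\n" };
        alarm $timeout;
        my $iaddr = inet_aton($host) or die "cannot resolve $host\n";
        my $paddr = sockaddr_in(22, $iaddr);
        socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
            or die "Cant make Socket: $!\n";
        connect($sock, $paddr) or die "connect failed: $!\n";
        print "\nSSHD is open on $host";
        # The server speaks first with a single "SSH-<proto>-<software>"
        # line; anything after it is protocol data, so read one line only.
        my $response = <$sock>;
        alarm 0;
        close $sock;
        defined $response or die "no banner received\n";
        $response =~ s/[\r\n]+\z//;
        print "\n${host}'s response... $response";
        log_result($host, $response);
        print "\nanalyzing ${host}'s response...";
        analyze($host, $response);
    };
    alarm 0;    # make sure no alarm outlives a die() inside the eval
    if ($@) {
        my $err = $@;
        chomp $err;
        print "\n$host: $err";
        return "error: $err";
    }
    return $summary;
}

# main() -> parses @ARGV, scans every host listed in the -i file, writes
# the log and, with -d, prints the collected per-host summaries.
sub main {
    my %args;
    getopts('d:t:l:i:h', \%args) or usage();
    usage() if $args{h};

    $infile  = $args{i} || $infile;
    $logfile = $args{l} || $logfile;
    $timeout = $args{t} || $timeout;
    $debug   = $args{d} ? 1 : 0;
    # alarm() needs a whole number of seconds; reject anything else early.
    usage("Timeout must be a positive integer, got '$timeout'")
        unless $timeout =~ /\A[1-9]\d*\z/;

    print "\nUsing infile: $infile";
    print "\nUsing logfile: $logfile";
    print "\nUsing Timeout: $timeout!";
    print "\nUsing Debuging!" if $debug;

    open my $in, '<', $infile or usage("Cant read from $infile: $!");
    write_log_header($logfile);

    my @return;
    while (my $line = <$in>) {
        chomp $line;
        $line =~ s/\A\s+|\s+\z//g;
        next if $line eq '' || $line =~ /\A#/;
        # Hostnames and IPv4 literals only; anything else is skipped rather
        # than handed to the resolver.
        if ($line !~ /\A[A-Za-z0-9.-]+\z/) {
            print "\nSkipping unparseable host entry: $line";
            next;
        }
        print "\nScanning $line...";
        push @return, "$line: " . check_scan($line, $timeout);
    }
    close $in;

    if ($debug) {
        print "\nDebugging running....";
        print "\n$_" for @return;
    }
    print "\n\nFinished...\n";
    return;
}

main() unless caller;

1;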