4elta / recon

automate the boring stuff!
GNU General Public License v3.0

SSH: `none` authentication #42

Closed ikstream closed 1 year ago

ikstream commented 1 year ago

Trying to analyse ssh logs with the new analysis systems fails with an AttributeError exception. The xml file causing the fail is attached below the stack trace.

./analyze.py -i ../test/logs/recon/ ssh

Traceback (most recent call last):
  File "/recon/./analyze.py", line 150, in <module>
    main()
  File "/recon/./analyze.py", line 147, in main
    process(parser.parse_args())
  File "/recon/./analyze.py", line 79, in process
    services = analyzer.analyze(files)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/recon/analyzers/ssh/__init__.py", line 40, in analyze
    services = self.parser.parse_files(files[self.parser_name])
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/recon/analyzers/__init__.py", line 25, in parse_files
    self.parse_file(path)
  File "/recon/analyzers/ssh/nmap.py", line 105, in parse_file
    service['client_authentication_methods'] = self._parse_table(script_node.find('table'))
                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/recon/analyzers/ssh/nmap.py", line 173, in _parse_table
    for elem_node in table_node.iter('elem'):
                     ^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'iter'

cat ssh,tcp,22,nmap.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.94 scan initiated Wed Jan 28 13:12:00 2423 as: nmap -Pn -sV -p 22 -&#45;script=banner,sshv1,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /test/logs/recon/10.0.0.9/services/ssh,tcp,22,nmap.log -oX /test/logs/recon/10.0.0.9/services/ssh,tcp,22,nmap.xml 10.0.0.9 -->
<nmaprun scanner="nmap" args="nmap -Pn -sV -p 22 -&#45;script=banner,sshv1,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN /test/logs/recon/10.0.0.9/services/ssh,tcp,22,nmap.log -oX /test/logs/recon/10.0.0.9/services/ssh,tcp,22,nmap.xml 10.0.0.9" start="1997912347" startstr="Wed Jan 28 13:12:00 2423" version="7.94" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<verbose level="0"/>
<debugging level="0"/>
<hosthint><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.0.0.9" addrtype="ipv4"/>
<address addr="AA:BB:CC:DD:EE:FF" addrtype="mac" vendor="Starship Enterprise"/>
<hostnames>
</hostnames>
</hosthint>
<host starttime="1997941243" endtime="1997912357"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.0.0.9" addrtype="ipv4"/>
<address addr="AA:BB:CC:DD:EE:FF" addrtype="mac" vendor="Starship Enterprise"/>
<hostnames>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="Photon Torpedo" version="0.3" extrainfo="protocol 2.0" method="probed" conf="10"/><script id="ssh-hostkey" output="&#xa;  2048 a3:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:65:8e (RSA)"><table>
<elem key="bits">2048</elem>
<elem key="type">ssh-rsa</elem>
<elem key="fingerprint">a33d0a7ac992c932b6283c1ae28b658e</elem>
<elem key="key">AAAAB3NzaCffffffffffffffffffffffffffffffffffffffffffff/fffffffffffffffffff/ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffnffffffffffffffffffffffffffffffffffffffffffOl/97kAs3th3/F0RCpPw4r8F/K2I3oRffffffffffffffffffffffffffffffffffffffffffffffffffffffff/OvnsVdqbQ8hb8VEcoRm22e5L2n3Zr9CIfVbTmhRqMYEn</elem>
</table>
</script><script id="ssh2-enum-algos" output="&#xa;  kex_algorithms: (4)&#xa;      ecdh-sha2-nistp521&#xa;      ecdh-sha2-nistp384&#xa;      ecdh-sha2-nistp256&#xa;      diffie-hellman-group14-sha1&#xa;  server_host_key_algorithms: (1)&#xa;      ssh-rsa&#xa;  encryption_algorithms: (8)&#xa;      aes256-ctr&#xa;      aes256-cbc&#xa;      rijndael-cbc@lysator.liu.se&#xa;      aes192-ctr&#xa;      aes192-cbc&#xa;      aes128-ctr&#xa;      aes128-cbc&#xa;      3des-cbc&#xa;  mac_algorithms: (4)&#xa;      hmac-sha1-96&#xa;      hmac-md5&#xa;      hmac-sha1&#xa;      hmac-md5-96&#xa;  compression_algorithms: (1)&#xa;      none"><table key="kex_algorithms">
<elem>ecdh-sha2-nistp521</elem>
<elem>ecdh-sha2-nistp384</elem>
<elem>ecdh-sha2-nistp256</elem>
<elem>diffie-hellman-group14-sha1</elem>
</table>
<table key="server_host_key_algorithms">
<elem>ssh-rsa</elem>
</table>
<table key="encryption_algorithms">
<elem>aes256-ctr</elem>
<elem>aes256-cbc</elem>
<elem>rijndael-cbc@lysator.liu.se</elem>
<elem>aes192-ctr</elem>
<elem>aes192-cbc</elem>
<elem>aes128-ctr</elem>
<elem>aes128-cbc</elem>
<elem>3des-cbc</elem>
</table>
<table key="mac_algorithms">
<elem>hmac-sha1-96</elem>
<elem>hmac-md5</elem>
<elem>hmac-sha1</elem>
<elem>hmac-md5-96</elem>
</table>
<table key="compression_algorithms">
<elem>none</elem>
</table>
</script><script id="banner" output="SSH-2.0-Photon Torpedo 0.3"/><script id="ssh-auth-methods" output="&#xa;  Supported authentication methods: none_auth"><elem key="Supported authentication methods">none_auth</elem>
</script></port>
</ports>
<times srtt="1629" rttvar="4036" to="100000"/>
</host>
<runstats><finished time="1997912357" timestr="Wed Jan 28 13:12:00 2423" summary="Nmap done at Wed Jan 28 13:12:00 2423; 1 IP address (1 host up) scanned in 9.70 seconds" elapsed="9.70" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

4elta commented 1 year ago

thanks for reporting this issue.

i am a bit lost with this issue/result (i.e. "authentication methods: none_auth").

  1. the result does not adhere to the result scheme (i.e. <script id="script-id" output="..."><table><elem>...</elem></table></script>)
  2. the result (i.e. none_auth) does not adhere to what libssh2-utility:SSHConnection:list should return: a list with the authentication methods on success or false on failure.

should we just treat this case (i.e. none_auth) the same as ERROR: ... and add a "could not establish authentication methods" to the service's issues?

4elta commented 1 year ago

by returning a none_auth value, i guess, this server isn't adhering to the SSH standard:

A client may request a list of authentication 'method name' values that may continue by using the "none" authentication 'method name'.

If no authentication is needed for the user, the server MUST return SSH_MSG_USERAUTH_SUCCESS.
Otherwise, the server MUST return SSH_MSG_USERAUTH_FAILURE and MAY return with it a list of methods that may continue in its 'authentications that can continue' value.

This 'method name' MUST NOT be listed as supported by the server.

Sec. 5.2 RFC4252

or could it be, that the SSH service actually does not require any authentication (and this is how Nmap displays such a case)? :astonished:
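The traceback in the report above comes from `find('table')` returning `None`, because the `ssh-auth-methods` result puts its `<elem>` straight under `<script>`, and the RFC 4252 discussion just above is about what a `none_auth` value should mean. As an added example (my code, not the recon project's `analyzers/ssh/nmap.py`), a parser that accepts both layouts and a hypothetical `assess()` helper that turns the empty, `ERROR` and `none` cases into issues; the sample XML is a constructed, trimmed-down version of the attached file:

```python
import xml.etree.ElementTree as ET

# Constructed minimal nmap XML mirroring the attached file: ssh-auth-methods puts
# its <elem> directly under <script>, with no enclosing <table>.
NO_TABLE_XML = """<?xml version="1.0"?>
<nmaprun><host><ports><port protocol="tcp" portid="22">
<script id="ssh-auth-methods" output="Supported authentication methods: none_auth">
<elem key="Supported authentication methods">none_auth</elem>
</script></port></ports></host></nmaprun>"""

# Constructed sample in the documented <script><table><elem> layout, for contrast.
TABLE_XML = """<?xml version="1.0"?>
<nmaprun><host><ports><port protocol="tcp" portid="2222">
<script id="ssh-auth-methods" output="Supported authentication methods: publickey,password">
<table key="Supported authentication methods"><elem>publickey</elem><elem>password</elem></table>
</script></port></ports></host></nmaprun>"""

def parse_methods(script_node):
    """Return the authentication methods listed in an ssh-auth-methods <script>
    node, accepting either a <table> child or bare <elem> children (the layout
    that produced the AttributeError: find('table') returned None)."""
    table = script_node.find('table')
    container = table if table is not None else script_node
    return [e.text.strip() for e in container.iter('elem') if e.text and e.text.strip()]

def assess(methods, output):
    """Hypothetical helper: turn the method list into findings for the service."""
    issues = []
    if output.lstrip().startswith('ERROR') or not methods:
        issues.append('could not establish authentication methods')
    elif any(m in ('none', 'none_auth') for m in methods):
        # RFC 4252 section 5.2: 'none' MUST NOT be listed as supported, so either the
        # server is non-conforming or it requires no authentication at all.
        issues.append("server advertises the 'none' authentication method; "
                      'the service may require no authentication, verify manually')
    return issues

def analyze(xml_text):
    """Extract client authentication methods and issues for every scanned SSH port."""
    results = []
    for port in ET.fromstring(xml_text).iter('port'):
        script = port.find("script[@id='ssh-auth-methods']")
        if script is None:
            continue
        methods = parse_methods(script)
        results.append({'port': port.get('portid'),
                        'client_authentication_methods': methods,
                        'issues': assess(methods, script.get('output', ''))})
    return results
```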

4elta commented 1 year ago

could you please run the following command and report its results?

$ ssh -v -o PreferredAuthentications=none ${user}@${host}

4elta commented 1 year ago

further investigation might be necessary

ikstream commented 1 year ago

could you please run the following command and report its results?

$ ssh -v -o PreferredAuthentications=none ${user}@${host}

ssh root@10.0.0.9 -v -o PreferredAuthentications=none
OpenSSH_9.3p1, OpenSSL 3.1.1 30 Sep 2553
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.9 [10.0.0.9] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: identity file /.ssh/id_ecdsa type -1
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: identity file /.ssh/id_ecdsa_sk type -1
debug1: identity file /.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /.ssh/id_ed25519 type -1
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: identity file /.ssh/id_ed25519_sk type -1
debug1: identity file /.ssh/id_ed25519_sk-cert type -1
debug1: identity file /.ssh/id_xmss type -1
debug1: identity file /.ssh/id_xmss-cert type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version Photon Torpedo SSH 6.3
debug1: compat_banner: no match: Photon Torpedo SSH 6.3
debug1: Authenticating to 10.0.0.9:22 as 'root'
debug1: load_hostkeys: fopen /.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 10.0.0.9 port 22: no matching host key type found. Their offer: ssh-rsa
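The run above stops at host-key negotiation (the client rejects the server's only offer, `ssh-rsa`), so it never reaches the userauth exchange and does not yet answer the `none` question. As an added example (not code from the issue or the recon project), a classifier that reads such `ssh -v` output and separates "not tested" from a real answer; it assumes the `Authenticated to ... using "none"` line that recent OpenSSH clients print on success, and the transcripts are constructed excerpts:

```python
# Constructed excerpt of the ssh -v transcript in the issue: negotiation fails
# before any SSH_MSG_USERAUTH exchange happens.
KEX_FAILED = """debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 10.0.0.9 port 22: no matching host key type found. Their offer: ssh-rsa
"""

# Constructed transcript of a run that did reach the userauth exchange, for contrast.
USERAUTH_REACHED = """debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
"""

def classify_ssh_verbose(text):
    """Say what an `ssh -v -o PreferredAuthentications=none` run proved about the
    server's authentication, without mistaking a transport failure for an answer."""
    report = {'reached_userauth': False, 'methods': [], 'hostkey_offer': [], 'verdict': ''}
    for line in text.splitlines():
        if 'no matching host key type found' in line and 'Their offer:' in line:
            report['hostkey_offer'] = line.split('Their offer:', 1)[1].strip().split(',')
        elif 'Authentications that can continue:' in line:
            # SSH_MSG_USERAUTH_FAILURE carrying the server's list of methods that may continue
            report['reached_userauth'] = True
            report['methods'] = line.split(':', 2)[2].strip().split(',')
        elif 'Authenticated to' in line and 'using "none"' in line:
            # Recent OpenSSH clients log the method that succeeded; "none" means the
            # server sent SSH_MSG_USERAUTH_SUCCESS without any credentials.
            report['reached_userauth'] = True
            report['verdict'] = 'server accepted the none method: no authentication required'
    if report['verdict']:
        return report
    if not report['reached_userauth']:
        offer = ','.join(report['hostkey_offer']) or 'unknown'
        # The client never sent a userauth request, so the scan result is still untested;
        # HostKeyAlgorithms=+<alg> re-enables a host key type the client rejects by default.
        report['verdict'] = (f'authentication not tested: host key negotiation failed '
                             f'(their offer: {offer}); retry with -o HostKeyAlgorithms=+{offer}')
    else:
        report['verdict'] = 'server rejected none and listed: ' + ','.join(report['methods'])
    return report
```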