RUB-NDS / Terrapin-Scanner

This repository contains a simple vulnerability scanner for the Terrapin attack present in the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
https://terrapin-attack.com
Apache License 2.0

Error scanning the Cisco CBS250 series #21

Open jamieleinchen opened 10 months ago

jamieleinchen commented 10 months ago

I tried to scan my Cisco Business Switch for the vulnerability.

Client Info

Operating System: Debian GNU/Linux 12 (bookworm)
Used binary: Terrapin_Scanner_Linux_amd64 v1.1.1 via go install github.com/RUB-NDS/Terrapin-Scanner@latest, but similar problem with v1.1.0 from the Release Page
Usual SSH Client I use: openssh-client/stable-security,now 1:9.2p1-2+deb12u2 amd64
Switch Connect Method: ~/.ssh/config:

Host switch
        User                    jamie
        HostName                YUSW1.yumix.local
        HostkeyAlgorithms       +ssh-rsa
        PubkeyAcceptedKeyTypes  +ssh-rsa

Why? It won't connect with just ssh jamie@yusw1; you need to specify the support of these keys.

Scanned Device Info

Model: Cisco CBS250-8T-D
Firmware Version: 3.3.0.16

Error

v1.1.1 via go install github.com/RUB-NDS/Terrapin-Scanner@latest

root@host:~# Terrapin-Scanner -connect 172.16.0.253:22
panic: error while reading packet length of binary packet: EOF

goroutine 1 [running]:
main.main()
        /root/go/pkg/mod/github.com/!r!u!b-!n!d!s/!terrapin-!scanner@v1.1.1/main.go:150 +0x36d

v1.1.0 from Release Page

root@host:~# ./Terrapin_Scanner_Linux_amd64 -connect 172.16.0.253:22
panic: error while reading packet length of binary packet: EOF

goroutine 1 [running]:
main.main()
        /home/fabian/GolandProjects/Terrapin-Scanner/main.go:389 +0x351

Comments: I don't have a user "Fabian"; seems to be something static? See y'all
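Both stack traces above end in the same place: the scanner hit EOF while reading the length field of an SSH binary packet and panicked. As an added illustration that is not the Terrapin-Scanner's own code, the following Go reader parses the unencrypted SSH binary packet framing (RFC 4253, section 6: uint32 packet_length, byte padding_length, payload, padding) and turns a peer that closes the connection early into an ordinary error the caller can report, instead of a panic. It also bounds packet_length and checks the padding rules before allocating or slicing. The type and function names and the sample bytes are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// BinaryPacket holds the fields of one unencrypted SSH binary packet (RFC 4253 §6).
// Name constructed for this example.
type BinaryPacket struct {
	PacketLength  uint32
	PaddingLength uint8
	Payload       []byte
	Padding       []byte
}

// RFC 4253 requires implementations to accept packets of at least 35000 bytes;
// rejecting anything larger keeps a hostile length field from driving a huge allocation.
const maxPacketLength = 35000

var (
	ErrTruncated     = errors.New("ssh: connection closed before a complete binary packet was read")
	ErrPacketTooLong = errors.New("ssh: packet_length exceeds the accepted maximum")
	ErrBadPadding    = errors.New("ssh: padding_length inconsistent with packet_length")
)

// ReadBinaryPacket reads one unencrypted, MAC-less binary packet from r.
// Every short read, including io.EOF on the very first byte, is returned as an
// error wrapping ErrTruncated so the caller can say "peer closed the connection".
func ReadBinaryPacket(r io.Reader) (*BinaryPacket, error) {
	var lenBuf [4]byte
	if _, err := io.ReadFull(r, lenBuf[:]); err != nil {
		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
			return nil, fmt.Errorf("reading packet_length: %w", ErrTruncated)
		}
		return nil, fmt.Errorf("reading packet_length: %w", err)
	}
	packetLength := binary.BigEndian.Uint32(lenBuf[:])
	if packetLength > maxPacketLength {
		return nil, fmt.Errorf("packet_length %d: %w", packetLength, ErrPacketTooLong)
	}
	// packet_length counts padding_length (1 byte) + payload + padding,
	// so it must be at least 1 for the padding_length byte itself to fit.
	if packetLength < 1 {
		return nil, fmt.Errorf("packet_length %d: %w", packetLength, ErrBadPadding)
	}
	body := make([]byte, packetLength)
	if _, err := io.ReadFull(r, body); err != nil {
		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
			return nil, fmt.Errorf("reading packet body: %w", ErrTruncated)
		}
		return nil, fmt.Errorf("reading packet body: %w", err)
	}
	paddingLength := body[0]
	// RFC 4253 §6: at least 4 bytes of padding, and it must fit inside the body.
	if paddingLength < 4 || uint32(paddingLength) > packetLength-1 {
		return nil, fmt.Errorf("padding_length %d: %w", paddingLength, ErrBadPadding)
	}
	payloadLen := packetLength - 1 - uint32(paddingLength)
	return &BinaryPacket{
		PacketLength:  packetLength,
		PaddingLength: paddingLength,
		Payload:       body[1 : 1+payloadLen],
		Padding:       body[1+payloadLen:],
	}, nil
}

// encodePacket builds a well-formed packet around payload for the constructed
// samples below. Padding is zero-filled here; real implementations use random bytes.
func encodePacket(payload []byte) []byte {
	// Pad so the whole packet is a multiple of 8 bytes with at least 4 padding bytes.
	padLen := 8 - (5+len(payload))%8
	if padLen < 4 {
		padLen += 8
	}
	out := make([]byte, 4+1+len(payload)+padLen)
	binary.BigEndian.PutUint32(out[0:4], uint32(1+len(payload)+padLen))
	out[4] = byte(padLen)
	copy(out[5:], payload)
	return out
}

func main() {
	// Constructed sample: a minimal SSH_MSG_IGNORE payload (message number 2, empty string).
	good := encodePacket([]byte{2, 0, 0, 0, 0})
	pkt, err := ReadBinaryPacket(bytes.NewReader(good))
	fmt.Printf("complete packet: payload=%v err=%v\n", pkt.Payload, err)

	// Constructed sample: the peer closed the connection after only two bytes.
	_, err = ReadBinaryPacket(bytes.NewReader(good[:2]))
	fmt.Println("truncated packet:", err)
	fmt.Println("is truncation:", errors.Is(err, ErrTruncated))
}
```

The point of the wrapped sentinel errors is diagnostic: a scanner that reports "peer closed the connection while we were waiting for its KEXINIT" gives the operator something to correlate with a packet capture, whereas a bare panic with a Go stack trace does not.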

TrueSkrillor commented 10 months ago

Thanks for the report; I'll dig into this (although I'll have to check if and how I can reproduce this issue). The user "fabian" is my local user and is displayed as I don't strip debug info from the resulting binaries before release. It doesn't affect the tool's execution on your local system.

TrueSkrillor commented 10 months ago

Okay, I think I have an idea what is causing this issue. As I don't have the switch you mentioned lying around, would you mind providing me with two Wireshark captures? One when connecting to your switch via OpenSSH from the command line, and a second one when connecting with the tool?