Closed jtesta closed 8 months ago
I have an example of this with PuTTY; find the output attached. NB: this PuTTY has a custom algorithm order.
```
# general
(gen) client IP: ::1
(gen) banner: SSH-2.0-PuTTY_Release_0.79
(gen) software: PuTTY 0.79
(gen) compression: enabled (zlib, zlib@openssh.com)
# key exchange algorithms
(kex) gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-nistp521-sha512-toWM5Slw5Ew8Mqkay+al2g== -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) gss-nistp384-sha384-toWM5Slw5Ew8Mqkay+al2g== -- [warn] unknown algorithm
(kex) gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g== -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group17-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group18-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==
(kex) gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g== -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== -- [fail] using broken SHA-1 hash algorithm
(kex) gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g== -- [fail] using broken SHA-1 hash algorithm
`- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g== -- [fail] using small 1024-bit modulus
`- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
`- [fail] using broken SHA-1 hash algorithm
(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
(kex) curve448-sha512
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 -- [fail] using broken SHA-1 hash algorithm
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group17-sha512
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group15-sha512
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
`- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) rsa2048-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) rsa1024-sha1 -- [fail] using small 1024-bit modulus
`- [fail] using broken SHA-1 hash algorithm
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
`- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
`- [fail] using broken SHA-1 hash algorithm
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
(kex) ext-info-c -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
# host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ecdsa-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ecdsa-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed448
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ssh-rsa -- [fail] using broken SHA-1 hash algorithm
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
(key) ssh-dss -- [fail] using small 1024-bit modulus
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
(key) null -- [fail] no encryption/integrity
# encryption algorithms (ciphers)
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-cbc -- [warn] using weak cipher mode
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
`- [warn] using weak cipher mode
`- [info] available since OpenSSH 2.3.0
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes192-cbc -- [warn] using weak cipher mode
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 2.3.0
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-cbc -- [warn] using weak cipher mode
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9
(enc) 3des-ctr -- [fail] using broken & deprecated 3DES cipher
`- [info] available since Dropbear SSH 0.52
(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
`- [warn] using weak cipher mode
`- [warn] using small 64-bit block size
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
(enc) blowfish-ctr -- [fail] using weak & deprecated Blowfish cipher
`- [warn] using weak cipher mode
`- [warn] using small 64-bit block size
(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
`- [warn] using weak cipher mode
`- [warn] using small 64-bit block size
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
(enc) arcfour256 -- [fail] using broken RC4 cipher
`- [info] available since OpenSSH 4.2
(enc) arcfour128 -- [fail] using broken RC4 cipher
`- [info] available since OpenSSH 4.2
# message authentication code algorithms
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
`- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
`- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
`- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-256-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.2
(mac) hmac-sha1-96-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.2
(mac) hmac-md5-etm@openssh.com -- [fail] using broken MD5 hash algorithm
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.2
# additional info
(nfo) PuTTY does not have the option of restricting any algorithms during the SSH handshake.
!!! WARNING: unknown algorithm(s) found!: gss-nistp384-sha384-*. Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at <https://github.com/jtesta/ssh-audit/issues>.
```
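An added example (not code from ssh-audit or from this thread): a small Python parser for the report format shown above, which attaches each `` `- `` continuation line to the algorithm above it, rolls findings up to the worst severity per category, and picks out anything flagged as an unknown algorithm. The excerpt it parses is a constructed subset of the PuTTY output.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the report above (not the full output).
SAMPLE_REPORT = """\
# key exchange algorithms
(kex) gss-nistp384-sha384-toWM5Slw5Ew8Mqkay+al2g== -- [warn] unknown algorithm
(kex) curve448-sha512
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange since OpenSSH 6.4
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
`- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
`- [fail] using broken SHA-1 hash algorithm
# encryption algorithms (ciphers)
(enc) aes256-cbc -- [warn] using weak cipher mode
`- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
"""

# "(kind) name -- [level] note"; the " -- [level] note" part is optional.
ALGO_RE = re.compile(r"^\((kex|key|enc|mac)\) (\S+)(?: -- \[(\w+)\] (.*))?$")
# "`- [level] note": a further finding for the algorithm on the previous line.
CONT_RE = re.compile(r"^`- \[(\w+)\] (.*)$")

def parse_report(text):
    """Return a list of (kind, name, [(level, note), ...]) entries."""
    entries = []
    for line in text.splitlines():
        m = ALGO_RE.match(line)
        if m:
            kind, name, level, note = m.groups()
            entries.append((kind, name, [(level, note)] if level else []))
            continue
        m = CONT_RE.match(line)
        if m and entries:
            entries[-1][2].append(m.groups())  # belongs to the previous algorithm
    return entries

def worst_level(notes):
    """Worst severity among an algorithm's notes; 'ok' when it has none."""
    order = {"fail": 3, "warn": 2, "info": 1}
    return max((lvl for lvl, _ in notes), key=lambda l: order.get(l, 0), default="ok")

def summarize(text):
    """Count algorithms per kind by worst finding, and list unknown ones."""
    counts = defaultdict(lambda: defaultdict(int))
    unknown = []
    for kind, name, notes in parse_report(text):
        counts[kind][worst_level(notes)] += 1
        if any(note == "unknown algorithm" for _, note in notes):
            unknown.append(name)
    return {k: dict(v) for k, v in counts.items()}, unknown
```

The unknown-algorithm list is what the trailing `!!! WARNING` line in the report asks you to send upstream.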
@ecki: thanks for posting this. This shows that the GSS parsing seems to be working, at least for client audits. I should still double-check that server audits still parse them correctly, though.

Also, I see that PuTTY supports an algorithm that ssh-audit doesn't know about: gss-nistp384-sha384-*. I just checked in support for this missing algorithm: https://github.com/jtesta/ssh-audit/commit/064b55e0c230ef243a0d8244711422354f147a39

Thanks again!
You also might want to add the version info for curve448-sha512 (I assume it was introduced in OpenSSH together with curve25519-sha256, but I'm not sure; how do you find those, try/review source?), and

```
sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
```

is default since 9.0 in OpenSSH.
> You also might want to add the version info for curve448-sha512

I don't believe that was added to OpenSSH, since they don't support Curve448 at all (unfortunately).

> how do you find those, try/review source

I get version info from the OpenSSH release notes. And I get info about new algorithms mainly from the debugging logs from the ssh-audit.com web front-end (people scan all kinds of exotic SSH servers...).

> sntrup761x25519-sha512@openssh.com [...] Is default since 9.0 in openssh

Thanks for the tip! Fixed in: https://github.com/jtesta/ssh-audit/commit/7b3402b20731a7d1e916f5a13052aadbccbae4f3
Closing this issue, since additional testing showed that the GSS algorithms are indeed being parsed correctly.
The following key exchanges are perhaps not detected properly: