[Closed] phra closed this issue 5 years ago
As noted in my article:
Endlessh: an SSH Tarpit https://nullprogram.com/blog/2019/03/22/
The "SSH-" version string marks the end of the protocol version exchange, and so no "other lines of data" can follow. Endlessh is exploiting those extra lines. To satisfy nmap's probe, it would need to implement more of the SSH protocol and establish the tarpit at a later point instead. I don't really want to take it that far.
Technically nmap is being a bit too rigid by expecting the version string to be the first line, but that decision is by far the most practical. That's how real servers behave, and strictly following the protocol would get it stuck in such tarpits. The scan isn't intended to be 100% precise anyway.
Attackers looking to brute-force password attempts have to tolerate at least some "other lines of data" because, otherwise, adding a single extra line would be enough to keep them out.
Yes, I confirm the cited behavior. I tried to fuzz the cipher list but without success:
```
$ time ssh localhost -p2222
Bad packet length 1397966893.
ssh_dispatch_run_fatal: Connection to ::1 port 2222: message authentication code incorrect

real    9m35.597s
user    0m0.009s
sys     0m0.001s
```
Hi,
it would be nice if the service were recognized as a regular OpenSSH server when scanned with Nmap.
At the moment, the output is:
A simple test shows that sending an initial banner with a default OpenSSH response does the trick:
This will result in the following Nmap output:
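The two client behaviours discussed in this thread (an RFC 4253 client that skips "other lines of data" until the version string arrives, versus nmap's probe that only looks at the first line) and the "banner first" experiment from the issue can be reproduced offline. The script below is an added illustration written for this page; it is not Endlessh's code and not anything posted in the thread. The `SSH-2.0-OpenSSH_7.9` banner, the 3..32-byte line lengths and the 100-line cap are assumptions chosen for the demonstration. It also shows why a banner-first tarpit fails against a real client: after the version string the client expects a binary packet whose first four bytes are a big-endian `uint32 packet_length`, so any further text is reported as a bad packet length. The value in the `ssh` output above, 1397966893, is 0x5353482D, which is exactly the ASCII bytes `SSH-` read that way.

```python
"""Added example: SSH protocol version exchange as seen by a tarpit
and by two kinds of client. Not Endlessh's code.

RFC 4253 section 4.2: a server may send "other lines of data" before its
identification string "SSH-protoversion-softwareversion"; the client must
skip them until a line starting with "SSH-" arrives. Endlessh never sends
that line. Once it is sent the exchange is over and the next bytes form a
binary packet whose first field is a big-endian uint32 packet_length.
"""
import io
import random

BANNER_PREFIX = b"SSH-"
CRLF = b"\r\n"
# Constructed banner for the experiment; the version string is an assumption.
OPENSSH_BANNER = b"SSH-2.0-OpenSSH_7.9" + CRLF


def tarpit_lines(count, seed=0):
    """Produce `count` random printable lines in the spirit of Endlessh's
    output: 3..32 bytes each (an assumed range, not taken from Endlessh's
    source), never starting with 'SSH-', so the exchange never completes."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(count):
        line = bytes(rng.randint(0x20, 0x7E) for _ in range(rng.randint(3, 32)))
        if line.startswith(BANNER_PREFIX):
            line = b"X" + line[1:]          # never end the exchange by accident
        out += line + CRLF
    return bytes(out)


def read_banner_rfc4253(stream, max_other_lines):
    """Client that follows RFC 4253: skip 'other lines' until 'SSH-' appears.
    Returns (banner_or_None, lines_skipped). Without the cap a tarpit holds
    this client for as long as it keeps sending lines; with the cap, a server
    that sends more than `max_other_lines` extra lines keeps the client out."""
    skipped = 0
    while True:
        line = stream.readline()
        if not line:                        # peer closed before a version string
            return None, skipped
        if line.startswith(BANNER_PREFIX):
            return line.rstrip(CRLF).decode("ascii", "replace"), skipped
        skipped += 1
        if skipped >= max_other_lines:      # give up: the tarpit defence
            return None, skipped


def read_banner_strict(stream):
    """nmap-style client: only the first line is inspected."""
    line = stream.readline()
    if line.startswith(BANNER_PREFIX):
        return line.rstrip(CRLF).decode("ascii", "replace")
    return None


def packet_length_seen_by_client(data_after_banner):
    """What an SSH client does with the bytes that follow the version string:
    the first four are the binary packet's uint32 packet_length. Printable
    junk there is what ssh reports as 'Bad packet length N'."""
    if len(data_after_banner) < 4:
        raise ValueError("need at least 4 bytes")
    return int.from_bytes(data_after_banner[:4], "big")


def compare_clients(server_bytes, max_other_lines=100):
    """Run both client behaviours over one captured server byte stream."""
    rfc = read_banner_rfc4253(io.BytesIO(server_bytes), max_other_lines)
    strict = read_banner_strict(io.BytesIO(server_bytes))
    return {"rfc4253": rfc, "strict": strict}


if __name__ == "__main__":
    junk = tarpit_lines(50, seed=1)
    print("endlessh-style :", compare_clients(junk))            # both clients fail
    print("banner first   :", compare_clients(OPENSSH_BANNER + junk))
    print("banner after 50:", compare_clients(junk + OPENSSH_BANNER, 10))
    # After a banner the client expects a binary packet, not more text:
    print("bad packet length:", packet_length_seen_by_client(junk))
    # 1397966893 == 0x5353482D == b"SSH-" as a big-endian uint32
    print(packet_length_seen_by_client(b"SSH-2.0-anything"))
```

With the banner first, both clients see an OpenSSH server, but the RFC 4253 client skips nothing and moves on to binary packets, so the tarpit has to be implemented at a later protocol stage, which is the point the maintainer makes above. With the banner after fifty junk lines, the strict client sees no SSH server at all while the RFC 4253 client only gets through if its cap on "other lines" is high enough.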