search

xaitax / CVE-2024-6387_Check

CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH
GNU General Public License v3.0
436 stars 85 forks source link

add multiple port scan #30

Closed omponggosong closed 2 months ago

omponggosong commented 2 months ago

!/usr/bin/env python3

import socket import argparse import ipaddress import threading import time from queue import Queue from concurrent.futures import ThreadPoolExecutor

VERSION = "0.5"

BLUE = "\033[94m" GREEN = "\033[92m" RED = "\033[91m" ORANGE = "\033[33m" ENDC = "\033[0m"

progress_lock = threading.Lock() progress_counter = 0 total_hosts = 0

def displaybanner(): banner = rf""" {BLUE} ____ ___ _ _ ._ ____ ___ ___ / // // | || \ _/ \ / __\ _/ \ ___ \ __ \/ ~ \ |/ \ / \ | | \/\ _// /_/ > | \/\ / / \/ \ Y / ( <> ) | \ || _ > /|| \ > / /_|_ /||__/|_| / \/_____/ \/ \/ \/ \/ \/ CVE-2024-6387 Vulnerability Checker v{VERSION} / Alex Hagenah / @xaitax / ah@primepage.de {ENDC} """ print(banner)

def get_ssh_sock(ip, port, timeout): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(timeout) try: sock.connect((ip, port)) return sock except: sock.close() return None

def get_ssh_banner(sock): try: banner = sock.recv(1024).decode(errors='ignore').strip() sock.close() return banner except Exception as e: return str(e)

def check_vulnerability(ip, ports, timeout, result_queue): global progress_counter

for port in ports:
    sshsock = get_ssh_sock(ip, port, timeout)
    if not sshsock:
        result_queue.put((ip, port, 'closed', "Port closed"))
        with progress_lock:
            progress_counter += 1
        continue

    banner = get_ssh_banner(sshsock)
    if "SSH-2.0" not in banner:
        result_queue.put(
            (ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}"))
        with progress_lock:
            progress_counter += 1
        continue

    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'unknown', f"(banner: {banner})"))
        with progress_lock:
            progress_counter += 1
        continue

    vulnerable_versions = [
        'SSH-2.0-OpenSSH_1',
        'SSH-2.0-OpenSSH_2',
        'SSH-2.0-OpenSSH_3',
        'SSH-2.0-OpenSSH_4.0',
        'SSH-2.0-OpenSSH_4.1',
        'SSH-2.0-OpenSSH_4.2',
        'SSH-2.0-OpenSSH_4.3',
        'SSH-2.0-OpenSSH_4.4',
        'SSH-2.0-OpenSSH_8.5',
        'SSH-2.0-OpenSSH_8.6',
        'SSH-2.0-OpenSSH_8.7',
        'SSH-2.0-OpenSSH_8.8',
        'SSH-2.0-OpenSSH_8.9',
        'SSH-2.0-OpenSSH_9.0',
        'SSH-2.0-OpenSSH_9.1',
        'SSH-2.0-OpenSSH_9.2',
        'SSH-2.0-OpenSSH_9.3',
        'SSH-2.0-OpenSSH_9.4',
        'SSH-2.0-OpenSSH_9.5',
        'SSH-2.0-OpenSSH_9.6',
        'SSH-2.0-OpenSSH_9.7'
    ]

    excluded_versions = [
        'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
        'SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
        'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
        'SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
        'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
        'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3'
    ]

    if any(version in banner for version in vulnerable_versions) and banner not in excluded_versions:
        result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))

    with progress_lock:
        progress_counter += 1

def process_ip_list(ip_list_file): ips = [] try: with open(ip_list_file, 'r') as file: ips.extend(file.readlines()) except IOError: print(f"❌ [-] Could not read file: {ip_list_file}") return [ip.strip() for ip in ips]

def main(): global total_hosts display_banner()

parser = argparse.ArgumentParser(
    description="Check if servers are running a vulnerable version of OpenSSH (CVE-2024-6387).")
parser.add_argument(
    "targets", nargs='*', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
parser.add_argument("--ports", type=str, default="22",
                    help="Comma-separated list of ports to check (default: 22).")
parser.add_argument("-t", "--timeout", type=float, default=1.0,
                    help="Connection timeout in seconds (default: 1 second).")
parser.add_argument(
    "-l", "--list", help="File containing a list of IP addresses to check.")

args = parser.parse_args()
targets = args.targets
timeout = args.timeout

ports = [int(port.strip()) for port in args.ports.split(',')]

ips = []

if args.list:
    ips.extend(process_ip_list(args.list))

for target in targets:
    try:
        with open(target, 'r') as file:
            ips.extend(file.readlines())
    except IOError:
        if '/' in target:
            try:
                network = ipaddress.ip_network(target, strict=False)
                ips.extend([str(ip) for ip in network.hosts()])
            except ValueError:
                print(f"❌ [-] Invalid CIDR notation: {target}")
        else:
            ips.append(target)

result_queue = Queue()

total_hosts = len(ips)

max_workers = 100

with ThreadPoolExecutor(max_workers=max_workers) as executor:
    futures = [executor.submit(check_vulnerability, ip.strip(
    ), ports, timeout, result_queue) for ip in ips]

    while any(future.running() for future in futures):
        with progress_lock:
            print(f"\rProgress: {progress_counter}/{total_hosts} hosts scanned", end="")
        time.sleep(1)

for future in futures:
    future.result()

print(f"\rProgress: {progress_counter}/{total_hosts} hosts scanned")

total_scanned = len(ips)
closed_ports = 0
unknown = []
not_vulnerable = []
vulnerable = []

while not result_queue.empty():
    ip, port, status, message = result_queue.get()
    if status == 'closed':
        closed_ports += 1
    elif status == 'unknown':
        unknown.append((ip, message))
    elif status == 'vulnerable':
        vulnerable.append((ip, message))
    elif status == 'not_vulnerable':
        not_vulnerable.append((ip, message))
    else:
        print(f"⚠️ [!] Server at {ip}:{port} is {message}")

print(f"\n🛡️ Servers not vulnerable: {len(not_vulnerable)}\n")
for ip, msg in not_vulnerable:
    print(f"   [+] Server at {GREEN}{ip}{ENDC} {msg}")
print(f"\n🚨 Servers likely vulnerable: {len(vulnerable)}\n")
for ip, msg in vulnerable:
    print(f"   [+] Server at {RED}{ip}{ENDC} {msg}")
print(f"\n⚠️ Servers with unknown SSH version: {len(unknown)}\n")
for ip, msg in unknown:
    print(f"   [+] Server at {ORANGE}{ip}{ENDC} {msg}")
print(f"\n🔒 Servers with port(s) {args.ports} closed: {closed_ports}")
print(f"\n📊 Total scanned targets: {total_scanned}\n")

if name == "main": main() sorry for interrupt because i dont understand to request add feature. i was adding for multiple port using --ports

thanks

xaitax commented 2 months ago

You can define multiple ports now by using a -p or --ports when they are comma-separated.