CVE-2024-6387_Check

📜 Description

CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH, specifically targeting the recently discovered regreSSHion vulnerability (CVE-2024-6387). This script facilitates rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure your infrastructure is secure.

🌟 Features

• Rapid Scanning: Quickly scan multiple IP addresses, domain names, and CIDR ranges for the CVE-2024-6387 vulnerability.
• Banner Retrieval: Efficiently retrieves SSH banners without authentication.
• Grace Time Detection: Optionally detect if servers have mitigated vulnerabilities using the LoginGraceTime setting.
• IPv6 Support: Fully supports IPv6 addresses for both direct and hostname-based scanning.
• Multi-threading: Uses threading for concurrent checks, significantly reducing scan times.
• Detailed Output: Provides clear, emoji-coded output summarizing scan results.
• Port Check: Identifies closed ports and provides a summary of non-responsive hosts.
• Patched Versions Detection: Recognizes and excludes known patched versions from vulnerability reports.
• DNS/Hostname Resolution: Resolve and display hostnames for IP addresses.

🚀 Usage

python CVE-2024-6387_Check.py <targets> [--ports PORTS] [--timeout TIMEOUT] [--list FILE] [--grace-time-check [SECONDS]] [--dns-resolve] [--use-help-request]

Command Line Arguments

• <targets>: IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.
• --timeout TIMEOUT: Set connection timeout in seconds (default: 1 second).
• --list FILE: File containing a list of IP addresses to check.
• --ports PORTS: Specify a comma-separated list of port numbers to check (default: 22).
• --use-help-request: Enable sending a HELP request if the initial SSH banner retrieval fails.
• --grace-time-check [SECONDS]: Time in seconds to wait after identifying the version to check for LoginGraceTime mitigation (default: 120 seconds).
• --dns-resolve: Resolve and display hostnames for IP addresses.

Examples

Single IP

python CVE-2024-6387_Check.py 192.168.1.1

IPs from a file

python CVE-2024-6387_Check.py -l ip_list.txt

Multiple IPs and Domains

python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2

CIDR Range

python CVE-2024-6387_Check.py 192.168.1.0/24

With Multiple Ports

python CVE-2024-6387_Check.py 192.168.1.1 example.com --ports 22,2222

Checking LoginGraceTime Mitigation

python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check

Checking LoginGraceTime Mitigation with Custom Time

python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check 150

Enabling HELP request

python CVE-2024-6387_Check.py 192.168.1.1 --use-help-request

Enabling DNS/Hostname Resolution

python CVE-2024-6387_Check.py 192.168.1.1 --dns-resolve

✨ Features Explained

Grace Time Detection

The tool supports checking for LoginGraceTime mitigation. When the --grace-time-check option is used, the script will wait for the specified duration after retrieving the SSH banner to see if the connection remains open, which indicates that the LoginGraceTime setting might be set to 0 as a mitigation measure.

IPv6 Support

The tool fully supports IPv6 addresses. You can scan both IPv4 and IPv6 addresses directly or through hostname resolution.

Patched Versions Detection

The tool recognizes certain patched versions of OpenSSH and excludes them from the vulnerability report, ensuring more accurate results.

DNS/Hostname Resolution

When the --dns-resolve option is used, the script resolves and displays hostnames for IP addresses in the output. This feature helps identify the scanned hosts more clearly.

HELP Request Handling

The tool includes an option to handle restrictive SSH services that do not immediately return a banner. When the --use-help-request option is used, the script will send a "HELP" request if the initial SSH banner retrieval fails, increasing "mitigation" detections.

Output

The script will provide a summary of the scanned targets:

• 🚨 Vulnerable: Servers running a vulnerable version of OpenSSH.
• 🛡️ Not Vulnerable: Servers running a non-vulnerable version of OpenSSH.
• ⚠️ Unknown: Servers running an unknown version of SSH
• 🔒 Closed Ports: Count of servers with port 22 (or specified port) closed.
• 📊 Total Scanned: Total number of targets scanned.

🛡️ Servers not vulnerable: 2

   [+] Server at somedomain.cloudapp.azure.com (running SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11)
   [+] Server at regresshion_test.cc (running SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3)

🚨 Servers likely vulnerable: 1

   [+] Server at 4.231.170.122 (abc.com) (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2)
   [+] Server at 4.231.170.121 (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2) vulnerable and LoginGraceTime remediation not done (Session was closed by server at 120.1 seconds)

⚠️ Servers with unknown SSH version: 1

   [+] Server at 103.97.85.85 (xxx.com) (banner: SSH-2.0-ROSSSH)

🔒 Servers with port 22 closed: 254

📊 Total scanned targets: 257

📆 Changelog

[08. July 2024] - Version 0.8

• [Added] Included patched versions for FreeBSD 13.3, 14.x and 15
• [Added] Hostname resolution via -d or --dns-resolve
• [Fixed] LoginGraceTime detection @agibson2

[06. July 2024] - Version 0.7

• [Added] Introduced an option to use a "HELP" request to retrieve the SSH banner if the initial attempt fails. This feature can be enabled using the --use-help-request argument. This helps to bypass certain SSH configurations that do not immediately return the banner, improving compatibility with more restrictive SSH services.
• [Added] #30 Allow multiple ports to be scanned.

[05. July 2024] - Version 0.6

• [Added] Introduced LoginGraceTime detection.
• [Fixed] Resolved issue where hosts with only an IPv6 address could not be tested by hostname.

📚 References

Qualys Blog on regreSSHion Vulnerability