Home
SentinelSSH is designed to efficiently scan and identify SSH servers that may be vulnerable to CVE-2024-6387. Here's a step-by-step breakdown of how the vulnerability detection process works:
SentinelSSH attempts to establish a TCP connection with the target host on the specified port (default is 22 for SSH). This initial connection doesn't involve any authentication or session establishment.
Upon successful connection, the SSH server responds with a banner message. This banner typically includes version information about the SSH server. SentinelSSH captures this banner for analysis.
The tool examines the received banner, focusing on the version information. The analysis process involves the following steps:
- The banner is first checked to ensure it starts with `SSH-2.0-`, which is standard for SSH version 2 servers. If this prefix is missing, the version is marked as "unknown".
- The banner is compared against a predefined list of known vulnerable OpenSSH versions.
- This list includes versions that are potentially susceptible to CVE-2024-6387.
- To avoid false positives, SentinelSSH also maintains a list of exception versions.
- These are typically patched versions that might appear vulnerable based on version number alone but are actually secure.
Based on the analysis, the tool categorizes the target into one of four states:
- Vulnerable: The version matches a known vulnerable version and is not in the exception list.
- Patched: The version matches a known vulnerable version but is also in the exception list.
- Secure: The version does not match any known vulnerable versions.
- Unknown: The banner doesn't conform to expected SSH-2.0 format.
- If a target is identified as vulnerable, SentinelSSH immediately reports this finding.
- In non-silent mode, the tool also provides real-time progress updates and a summary of findings at the end of the scan.
- SentinelSSH does not attempt to exploit the vulnerability or access the server beyond the initial banner exchange.
- The accuracy of detection depends on the comprehensiveness and up-to-date nature of the vulnerable and exception version lists.
- Regular updates to these lists are crucial for maintaining the tool's effectiveness.
The core of the version analysis is performed by the `analyzeVersion` function:

```go
import "strings"

// analyzeVersion classifies a raw SSH banner against the package-level
// vulnerableVersions and excludedVersions lists (maintained elsewhere in SentinelSSH).
func analyzeVersion(banner string) string {
	// Anything that is not an SSH-2.0 banner cannot be assessed.
	if !strings.HasPrefix(banner, "SSH-2.0-") {
		return "unknown"
	}
	for _, v := range vulnerableVersions {
		if strings.HasPrefix(banner, v) {
			// A prefix match is vulnerable unless the exact banner is a known patched build.
			for _, e := range excludedVersions {
				if banner == e {
					return "patched"
				}
			}
			return "vulnerable"
		}
	}
	return "secure"
}
```
This function encapsulates the logic of comparing the banner against known vulnerable versions and exceptions.
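Two details of the banner exchange matter for this exact-match logic and are easy to get wrong: RFC 4253 section 4.2 lets a server send other text lines before its `SSH-` line, and the identification line arrives terminated by CRLF, which a raw read would keep and which would make the comparison against the exception list fail. The following is an added example, not SentinelSSH's own code; the version lists are constructed placeholders, and `readBanner` and `classify` are names chosen here (a real scan would pass a `net.Conn` with a read deadline as the reader).

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"strings"
)

// Constructed, illustrative lists; SentinelSSH keeps its real lists in its source.
var vulnerableVersions = []string{"SSH-2.0-OpenSSH_9.6", "SSH-2.0-OpenSSH_9.7"}
var excludedVersions = []string{"SSH-2.0-OpenSSH_9.6p1 Example-backport1"}

// readBanner returns the server's identification line. Lines before the "SSH-"
// line (permitted by RFC 4253 section 4.2) are skipped, with a bound so a chatty
// non-SSH service cannot keep the scanner reading forever.
func readBanner(r io.Reader) (string, error) {
	sc := bufio.NewScanner(r) // ScanLines drops the CRLF that a raw Read would keep
	for i := 0; i < 20 && sc.Scan(); i++ {
		if line := sc.Text(); strings.HasPrefix(line, "SSH-") {
			return line, nil
		}
	}
	if err := sc.Err(); err != nil {
		return "", err // e.g. a read deadline hit before any line arrived
	}
	return "", errors.New("no SSH identification line received")
}

// classify applies the page's four-state decision to a cleaned banner.
func classify(banner string) string {
	if !strings.HasPrefix(banner, "SSH-2.0-") {
		return "unknown"
	}
	for _, v := range vulnerableVersions {
		if strings.HasPrefix(banner, v) {
			for _, e := range excludedVersions {
				if banner == e {
					return "patched"
				}
			}
			return "vulnerable"
		}
	}
	return "secure"
}
```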
By following this process, SentinelSSH provides a quick and non-intrusive method to identify potentially vulnerable SSH servers, aiding in the crucial task of maintaining secure infrastructure.