CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH, specifically targeting the recently discovered regreSSHion
vulnerability (CVE-2024-6387). This script facilitates rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure your infrastructure is secure.
- Rapid Scanning: Quickly scan multiple IP addresses, domain names, and CIDR ranges for the CVE-2024-6387 vulnerability.
- Banner Retrieval: Efficiently retrieves SSH banners without authentication.
- Grace Time Detection: Optionally detect if servers have mitigated vulnerabilities using the LoginGraceTime setting.
- IPv6 Support: Fully supports IPv6 addresses for both direct and hostname-based scanning.
- Multi-threading: Uses threading for concurrent checks, significantly reducing scan times.
- Detailed Output: Provides clear, emoji-coded output summarizing scan results.
- Port Check: Identifies closed ports and provides a summary of non-responsive hosts.
- Patched Versions Detection: Recognizes and excludes known patched versions from vulnerability reports.
- DNS/Hostname Resolution: Resolve and display hostnames for IP addresses.
python CVE-2024-6387_Check.py <targets> [--ports PORTS] [--timeout TIMEOUT] [--list FILE] [--grace-time-check [SECONDS]] [--dns-resolve] [--use-help-request]
<targets>
: IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.--timeout TIMEOUT
: Set connection timeout in seconds (default: 1 second).--list FILE
: File containing a list of IP addresses to check.--ports PORTS
: Specify a comma-separated list of port numbers to check (default: 22).--use-help-request
: Enable sending a HELP request if the initial SSH banner retrieval fails.--grace-time-check [SECONDS]
: Time in seconds to wait after identifying the version to check forLoginGraceTime
mitigation (default: 120 seconds).--dns-resolve
: Resolve and display hostnames for IP addresses.
python CVE-2024-6387_Check.py 192.168.1.1
python CVE-2024-6387_Check.py -l ip_list.txt
python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2
python CVE-2024-6387_Check.py 192.168.1.0/24
python CVE-2024-6387_Check.py 192.168.1.1 example.com --ports 22,2222
python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check
python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check 150
python CVE-2024-6387_Check.py 192.168.1.1 --use-help-request
python CVE-2024-6387_Check.py 192.168.1.1 --dns-resolve
The tool supports checking for LoginGraceTime mitigation. When the --grace-time-check option is used, the script will wait for the specified duration after retrieving the SSH banner to see if the connection remains open, which indicates that the LoginGraceTime setting might be set to 0 as a mitigation measure.
The tool fully supports IPv6 addresses. You can scan both IPv4 and IPv6 addresses directly or through hostname resolution.
The tool recognizes certain patched versions of OpenSSH and excludes them from the vulnerability report, ensuring more accurate results.
When the --dns-resolve
option is used, the script resolves and displays hostnames for IP addresses in the output. This feature helps identify the scanned hosts more clearly.
The tool includes an option to handle restrictive SSH services that do not immediately return a banner. When the --use-help-request
option is used, the script will send a "HELP" request if the initial SSH banner retrieval fails, increasing "mitigation" detections.
The script will provide a summary of the scanned targets:
- π¨ Vulnerable: Servers running a vulnerable version of OpenSSH.
- π‘οΈ Not Vulnerable: Servers running a non-vulnerable version of OpenSSH.
β οΈ Unknown: Servers running an unknown version of SSH- π Closed Ports: Count of servers with port 22 (or specified port) closed.
- π Total Scanned: Total number of targets scanned.
π‘οΈ Servers not vulnerable: 2
[+] Server at somedomain.cloudapp.azure.com (running SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11)
[+] Server at regresshion_test.cc (running SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3)
π¨ Servers likely vulnerable: 1
[+] Server at 4.231.170.122 (abc.com) (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2)
[+] Server at 4.231.170.121 (running SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2) vulnerable and LoginGraceTime remediation not done (Session was closed by server at 120.1 seconds)
β οΈ Servers with unknown SSH version: 1
[+] Server at 103.97.85.85 (xxx.com) (banner: SSH-2.0-ROSSSH)
π Servers with port 22 closed: 254
π Total scanned targets: 257
- [Added] Included patched versions for FreeBSD 13.3, 14.x and 15
- [Added] Hostname resolution via
-d
or--dns-resolve
- [Fixed] LoginGraceTime detection @agibson2
- [Added] Introduced an option to use a "HELP" request to retrieve the SSH banner if the initial attempt fails. This feature can be enabled using the
--use-help-request
argument. This helps to bypass certain SSH configurations that do not immediately return the banner, improving compatibility with more restrictive SSH services. - [Added] #30 Allow multiple ports to be scanned.
- [Added] Introduced LoginGraceTime detection.
- [Fixed] Resolved issue where hosts with only an IPv6 address could not be tested by hostname.