|
5 | 5 |
|
6 | 6 | require 'msf/core' |
7 | 7 |
|
8 | | - |
9 | 8 | class Metasploit3 < Msf::Auxiliary |
10 | | - |
11 | 9 | include Msf::Exploit::Remote::Tcp |
12 | 10 | include Msf::Auxiliary::Scanner |
13 | 11 | include Msf::Auxiliary::Report |
14 | 12 |
|
| 13 | + # the default timeout (in seconds) to wait, in total, for both a successful |
| 14 | + # connection to a given endpoint and for the initial protocol response |
| 15 | + # from the supposed SSH endpoint to be returned |
| 16 | + DEFAULT_TIMEOUT = 30 |
| 17 | + |
15 | 18 | def initialize |
16 | 19 | super( |
17 | 20 | 'Name' => 'SSH Version Scanner', |
18 | 21 | 'Description' => 'Detect SSH Version.', |
19 | 22 | 'References' => |
20 | 23 | [ |
21 | | - [ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ], |
| 24 | + [ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ] |
22 | 25 | ], |
23 | 26 | 'Author' => [ 'Daniel van Eeden <metasploit[at]myname.nl>' ], |
24 | 27 | 'License' => MSF_LICENSE |
25 | 28 | ) |
26 | 29 |
|
27 | 30 | register_options( |
28 | | - [ |
29 | | - Opt::RPORT(22), |
30 | | - OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', 30]) |
31 | | - ], self.class) |
| 31 | + [ |
| 32 | + Opt::RPORT(22), |
| 33 | + OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', DEFAULT_TIMEOUT]) |
| 34 | + ], |
| 35 | + self.class |
| 36 | + ) |
32 | 37 | end |
33 | 38 |
|
34 | | - def to |
35 | | - return 30 if datastore['TIMEOUT'].to_i.zero? |
36 | | - datastore['TIMEOUT'].to_i |
| 39 | + def timeout |
| 40 | + datastore['TIMEOUT'] <= 0 ? DEFAULT_TIMEOUT : datastore['TIMEOUT'] |
37 | 41 | end |
38 | 42 |
|
39 | 43 | def run_host(target_host) |
40 | 44 | begin |
41 | | - ::Timeout.timeout(to) do |
42 | | - |
| 45 | + ::Timeout.timeout(timeout) do |
43 | 46 | connect |
44 | 47 |
|
45 | | - resp = sock.get_once(-1, 5) |
| 48 | + resp = sock.get_once(-1, timeout) |
46 | 49 |
|
47 | | - if (resp and resp =~ /SSH/) |
48 | | - ver,msg = (resp.split(/[\r\n]+/)) |
49 | | - # Check to see if this is Kippo, which sends a premature |
50 | | - # key init exchange right on top of the SSH version without |
51 | | - # waiting for the required client identification string. |
52 | | - if msg and msg.size >= 5 |
53 | | - extra = msg.unpack("NCCA*") # sz, pad_sz, code, data |
54 | | - if (extra.last.size+2 == extra[0]) and extra[2] == 20 |
55 | | - ver << " (Kippo Honeypot)" |
| 50 | + if resp |
| 51 | + if resp =~ /^SSH/ |
| 52 | + ver, msg = resp.split(/[\r\n]+/) |
| 53 | + # Check to see if this is Kippo, which sends a premature |
| 54 | + # key init exchange right on top of the SSH version without |
| 55 | + # waiting for the required client identification string. |
| 56 | + if msg && msg.size >= 5 |
| 57 | + extra = msg.unpack("NCCA*") # sz, pad_sz, code, data |
| 58 | + if (extra.last.size + 2 == extra[0]) && extra[2] == 20 |
| 59 | + ver << " (Kippo Honeypot)" |
| 60 | + end |
56 | 61 | end |
| 62 | + print_status("#{target_host}:#{rport}, SSH server version: #{ver}") |
| 63 | + report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: ver) |
| 64 | + else |
| 65 | + vprint_warning("#{target_host}:#{rport} was not SSH --" \ |
| 66 | + " #{resp.size} bytes beginning with #{resp[0, 12]}") |
57 | 67 | end |
58 | | - print_status("#{target_host}:#{rport}, SSH server version: #{ver}") |
59 | | - report_service(:host => rhost, :port => rport, :name => "ssh", :proto => "tcp", :info => ver) |
60 | 68 | else |
61 | | - print_error("#{target_host}:#{rport}, SSH server version detection failed!") |
| 69 | + vprint_warning("#{target_host}:#{rport} no response") |
62 | 70 | end |
63 | | - |
64 | | - disconnect |
65 | 71 | end |
66 | | - |
67 | 72 | rescue Timeout::Error |
68 | | - print_error("#{target_host}:#{rport}, Server timed out after #{to} seconds. Skipping.") |
| 73 | + vprint_warning("#{target_host}:#{rport} timed out after #{timeout} seconds. Skipping.") |
| 74 | + ensure |
| 75 | + disconnect |
69 | 76 | end |
70 | 77 | end |
71 | 78 | end |
0 commit comments