44##
55
66require 'msf/core'
7+ require 'recog'
78
89class Metasploit3 < Msf ::Auxiliary
910 include Msf ::Exploit ::Remote ::Tcp
@@ -36,10 +37,15 @@ def initialize
3637 )
3738 end
3839
40+ def peer
41+ "#{ rhost } #{ rport }
42+ end
43+
3944 def timeout
4045 datastore [ 'TIMEOUT' ] <= 0 ? DEFAULT_TIMEOUT : datastore [ 'TIMEOUT' ]
4146 end
4247
48+
4349 def run_host ( target_host )
4450 begin
4551 ::Timeout . timeout ( timeout ) do
@@ -48,19 +54,25 @@ def run_host(target_host)
4854 resp = sock . get_once ( -1 , timeout )
4955
5056 if resp
51- if resp =~ /^SSH/
52- ver , msg = resp . split ( /[\r \n ]+/ )
57+ ident , first_message = resp . split ( /[\r \n ]+/ )
58+ if /^SSH-\d +\. \d +-(?<banner>.*)$/ =~ ident
59+ if recog_match = Recog ::Nizer . match ( 'ssh.banner' , banner )
60+ info = recog_match . to_s
61+ else
62+ info = 'UNKNOWN'
63+ print_warning ( "#{ peer } #{ banner } )
64+ end
5365 # Check to see if this is Kippo, which sends a premature
5466 # key init exchange right on top of the SSH version without
5567 # waiting for the required client identification string.
56- if msg && msg . size >= 5
57- extra = msg . unpack ( "NCCA*" ) # sz, pad_sz, code, data
68+ if first_message && first_message . size >= 5
69+ extra = first_message . unpack ( "NCCA*" ) # sz, pad_sz, code, data
5870 if ( extra . last . size + 2 == extra [ 0 ] ) && extra [ 2 ] == 20
59- ver << " (Kippo Honeypot)"
71+ info << " (Kippo Honeypot)"
6072 end
6173 end
62- print_status ( "#{ target_host } #{ rport } #{ ver } )
63- report_service ( host : rhost , port : rport , name : 'ssh' , proto : 'tcp' , info : ver )
74+ print_status ( "#{ target_host } #{ rport } #{ ident } )
75+ report_service ( host : rhost , port : rport , name : 'ssh' , proto : 'tcp' , info : info )
6476 else
6577 vprint_warning ( "#{ target_host } #{ rport } \
6678 " #{ resp . size } #{ resp [ 0 , 12 ] } )
0 commit comments