31st December 2009
J65nko
Discovering SSH versions of compromised hosts with nc(1)

On the FreeBSD stable mailing list, a posting about a compromised FreeBSD box led to an interesting discussion about boxes being hammered with SSH probes.

One of the participants posted a list of about 40 hosts which probed his box for weak passwords using SSH.

Several years ago, when my wife was in another country, I enabled SSH access so she could use fetchmail and pine to read her mail.
Opening port 22 on my firewall of course triggered the same SSH probes. To some of these hosts I could telnet, and some, after displaying their RedHat login banner, prompted me for a login name.

Reading the freebsd-stable discussion I wondered what kind of boxes are initiating these annoying login attempts.

The OpenBSD 'nc' man page shows a simple way to get a box to display the login banner.
     It may be useful to know which ports are open and running services on a
     target machine.  The -z flag can be used to tell nc to report open ports,
     rather than initiate a connection.  For example:

           $ nc -z host.example.com 20-30
           Connection to host.example.com 22 port [tcp/ssh] succeeded!
           Connection to host.example.com 25 port [tcp/smtp] succeeded!

     The port range was specified to limit the search to ports 20 - 30.

     Alternatively, it might be useful to know which server software is
     running, and which versions.  This information is often contained within the
     greeting banners.  In order to retrieve these, it is necessary to first
     make a connection, and then break the connection when the banner has been
     retrieved.  This can be accomplished by specifying a small timeout with
     the -w flag, or perhaps by issuing a "QUIT" command to the server:

           $ echo "QUIT" | nc host.example.com 20-30
           Protocol mismatch.
           220 host.example.com IMS SMTP Receiver Version 0.84 Ready
A simple shell script to probe these hosts:

# hosts : whitespace-separated list of the probing addresses; not reproduced here
PORT=22
for MACHINE in ${hosts} ; do
   # printf reuses the format: first the date and time, then " host ADDR "
   printf "%s %s " $(date "+%Y-%m-%d %H:%M:%S") " host $MACHINE "
   result=$(echo QUIT | nc ${MACHINE} $PORT)
   printf "%s\n" "$result"
done
Because we will redirect the output to a logfile, we can use tail to follow the progress. In another xterm, before running the script:
$ tail -f logfile
tail: logfile: No such file or directory
$ touch logfile
$ tail -f logfile 
2009-12-31 00:49:31  host   SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.
2009-12-31 00:49:31  host   SSH-1.99-OpenSSH_4.3p2
Protocol mismatch.
2009-12-31 00:49:32  host   SSH-1.99-OpenSSH_3.9p1
After starting the script with sh scan-ssh-versions >logfile 2>&1, the 'tailed' logfile showed the first results.

Actually using tee is a simpler approach.
$ sh scan-ssh-versions 2>&1 | tee logfile
After seeing some progress for some time, a connection seemed to be stuck.
$ netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0      FIN_WAIT_2
tcp        0      0  *.587                  *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.515                  *.*                    LISTEN
A simple $ pkill -TERM nc took care of that.

Filtering the SSH version answers
$ grep SSH logfile
2009-12-31 00:49:31  host   SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:49:31  host   SSH-1.99-OpenSSH_4.3p2
2009-12-31 00:49:32  host   SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:33  host   SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:37  host   SSH-2.0-OpenSSH_4.0
2009-12-31 00:49:58  host   SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59  host   SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
2009-12-31 00:49:59  host   SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59  host   SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:50:00  host   SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:50:00  host   SSH-2.0-SSH-2.0-OpenSSH_4.3
2009-12-31 00:50:00  host   SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:51:15  host   SSH-1.99-OpenSSH_4.3
2009-12-31 00:51:16  host   SSH-1.99-OpenSSH_4.7p1
2009-12-31 00:51:19  host   SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.5
2009-12-31 00:51:20  host   SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:21  host   SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:24  host   SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:52:46  host   SSH-2.0-OpenSSH_4.3
2009-12-31 00:52:46  host   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 00:54:02  host   SSH-2.0-OpenSSH_4.3
2009-12-31 00:54:02  host   SSH-2.0-OpenSSH_4.3
2009-12-31 00:55:18  host   SSH-2.0-OpenSSH_3.4p1
2009-12-31 00:57:48  host   SSH-2.0-OpenSSH_4.3
2009-12-31 02:10:29  host   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 02:13:00  host   SSH-2.0-OpenSSH_4.3
We queried 39 hosts
$ grep -c host logfile
Out of these 39, 26 hosts displayed the SSH version.
$ grep SSH logfile | wc -l
10 out of 26 were Debian based
$ grep -i Debian logfile | wc -l 
Remember, any box, Windows, Linux or BSD, exposed to the internet is only as secure as the monkey who administers it.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
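Following on from the post above, an added example (not the author's script and not the nc(1) man page text): the same banner grab with a per-connection timeout, a small parser for the SSH identification string, and the counts the post derives with grep, done in one awk pass. It assumes an OpenBSD-style nc(1) that accepts -w; the log lines and 192.0.2.x addresses inside it are constructed for the example, in the format the post's script writes. Two points worth keeping in mind when reading such a log: the "Protocol mismatch." lines are OpenSSH's answer to the "QUIT" the script sends, not part of the banner (the server speaks first in SSH, so nothing needs to be sent at all), and a banner is whatever the administrator configured, so a string like "SSH-2.0-SSH-2.0-OpenSSH_4.3" is a hint about the box, not a verified version. A protocol version of "1.99" means the server still offers the deprecated protocol 1 as well as 2.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes an OpenBSD-style nc(1)
# that understands -w (connect/idle timeout); the sample log lines and the
# 192.0.2.x addresses below are constructed for the example.

# Grab the SSH identification string from HOST:PORT, giving up after TIMEOUT
# seconds. The server speaks first in SSH, so nothing needs to be sent; the
# timeout is what keeps a host that accepts the TCP connection but never sends a
# banner from wedging the scan (the post had to pkill a stuck nc for this reason).
grab_ssh_banner() {
    host=$1; port=${2:-22}; timeout=${3:-5}
    nc -w "$timeout" "$host" "$port" 2>/dev/null | head -n 1 | tr -d '\r'
}

# Split "SSH-protoversion-softwareversion [comments]" (RFC 4253 section 4.2)
# into protoversion, softwareversion and comments, tab-separated.
# Returns 1 for anything else, e.g. "Protocol mismatch." (what OpenSSH answers
# when the client's first line is not an identification string) or an empty
# field left by a timeout. protoversion "1.99" = server also speaks protocol 1.
parse_ssh_banner() {
    banner=$1
    case $banner in
        SSH-*) ;;
        *) return 1 ;;
    esac
    rest=${banner#SSH-}              # 2.0-OpenSSH_5.1p1 Debian-5
    proto=${rest%%-*}                # 2.0
    rest=${rest#*-}                  # OpenSSH_5.1p1 Debian-5
    software=${rest%% *}             # OpenSSH_5.1p1
    comments=${rest#"$software"}     # " Debian-5"
    comments=${comments# }
    printf '%s\t%s\t%s\n' "$proto" "$software" "$comments"
}

# Summarise a logfile in the post's format, read from stdin: hosts queried,
# hosts that answered with a banner, Debian/Ubuntu builds, and servers still
# advertising protocol 1 compatibility. Same counts the post gets with grep -c.
summarize_log() {
    awk '
        /host/   { total++ }
        /SSH-/   { ssh++
                   if ($0 ~ /Debian/)     debian++
                   if ($0 ~ /SSH-1\.99-/) proto1++ }
        END { printf "queried=%d banner=%d debian=%d proto1=%d\n",
                     total, ssh, debian, proto1 }
    '
}

# Constructed sample in the post's logfile format; one host (192.0.2.13)
# accepted the connection but sent nothing before the timeout.
SAMPLE_LOG='2009-12-31 00:49:31  host 192.0.2.10  SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.
2009-12-31 00:49:31  host 192.0.2.11  SSH-1.99-OpenSSH_4.3p2
Protocol mismatch.
2009-12-31 00:49:32  host 192.0.2.12  SSH-2.0-SSH-2.0-OpenSSH_4.3
Protocol mismatch.
2009-12-31 00:49:40  host 192.0.2.13  
2009-12-31 00:49:41  host 192.0.2.14  SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
Protocol mismatch.'

# Usage: sh ssh-banners.sh HOST [HOST ...]  probes the hosts, one log line each
#        sh ssh-banners.sh                  summarises the constructed sample
if [ $# -gt 0 ]; then
    for MACHINE in "$@"; do
        banner=$(grab_ssh_banner "$MACHINE" 22 5)
        printf '%s  host %s  %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$MACHINE" "$banner"
    done
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
    # the doubled prefix seen in the post's log is kept as the software version
    parse_ssh_banner 'SSH-2.0-SSH-2.0-OpenSSH_4.3'
fi
```

With hosts on the command line the script writes one line per host in the post's format; a host that accepts the connection but never sends a banner yields an empty field after five seconds instead of a hung nc. Run with no arguments it summarises the embedded sample (queried=5 banner=4 debian=2 proto1=1) and parses the double-prefixed banner.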