Related vulnerability
Title:
OpenSSH race condition vulnerability
(CVE-2018-15473)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connectivity tools from the OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol that encrypts all traffic, effectively preventing eavesdropping, connection hijacking and other network-level attacks. OpenSSH 7.7 and earlier versions contain a race condition vulnerability. The vulnerability stems from improper handling of concurrent access when concurrent code in a network system or product needs mutually exclusive access to shared resources during operation.
Description
Advanced network penetration testing toolkit with SSH vulnerability assessment, CVE-2018-15473 exploitation, stealth brute force capabilities, and fail2ban evasion techniques. Professional-grade security testing framework for authorized penetration testing engagements.
Introduction
<div align="center">
```
███╗ ██╗███████╗████████╗██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗ ██████╗ ██████╗ ███████╗██████╗
████╗ ██║██╔════╝╚══██╔══╝██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝ ██╔══██╗██╔══██╗██╔════╝██╔══██╗
██╔██╗ ██║█████╗ ██║ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██████╔╝██████╔╝█████╗ ██║ ██║
██║╚██╗██║██╔══╝ ██║ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ██╔═══╝ ██╔══██╗██╔══╝ ██║ ██║
██║ ╚████║███████╗ ██║ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗ ██║ ██║ ██║███████╗██████╔╝
╚═╝ ╚═══╝╚══════╝ ╚═╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝╚═════╝
```
# 🛡️ Advanced Network Penetration Testing Toolkit
**Professional-grade network reconnaissance and SSH penetration testing framework with advanced evasion capabilities**
[🚀 Quick Start](#-installation) • [📖 Documentation](#-features) • [🎯 Exploitation](#-ssh-exploitation-capabilities) • [🛡️ Defense](#-defense-and-remediation) • [⚖️ Legal](#%EF%B8%8F-legal-disclaimer)
</div>
---
## ⚠️ **LEGAL DISCLAIMER**
**🔴 FOR AUTHORIZED TESTING ONLY**
This tool is designed for **educational purposes** and **authorized penetration testing** only. Unauthorized access to computer systems is **illegal** and may result in **criminal charges**.
**✅ Authorized Use:**
- Your own systems and networks
- Systems with explicit written permission
- Educational lab environments
- Professional penetration testing engagements
**❌ Unauthorized Use:**
- Any system you don't own
- Public networks or infrastructure
- Corporate systems without permission
- Any malicious or harmful intent
**By using this tool, you agree to take full responsibility for your actions and comply with all applicable laws.**
---
## 🚀 Features
### 🌐 Network Reconnaissance & Discovery
- **🔍 Advanced Network Discovery**: Intelligent ping sweeps with customizable timing
- **🔎 Multi-Protocol Port Scanning**: TCP connect scanning with service fingerprinting
- **🎨 Banner Grabbing & Versioning**: Automated service identification and version detection
- **⚡ Multi-Threading**: High-performance concurrent scanning across multiple hosts
- **📊 Progress Tracking**: Real-time scanning progress with ETA estimates
### 🔐 SSH Security Assessment Framework
- **🔍 Deep SSH Fingerprinting**: Comprehensive SSH server analysis and version detection
- **🛡️ Configuration Auditing**: Automated detection of SSH misconfigurations
- **📝 Vulnerability Database**: CVE mapping and exploit availability checking
- **📈 Risk Assessment**: Automated security scoring and prioritization
- **📄 Detailed Reporting**: Professional-grade vulnerability assessment reports
### 🎯 Advanced SSH Exploitation Engine
#### 💬 User Enumeration
- **CVE-2018-15473**: Timing-based username enumeration exploit
- **Stealth Mode**: Randomized delays and connection pacing to evade detection
- **Custom Wordlists**: Configurable username dictionaries
- **Smart Analysis**: Statistical timing analysis for accurate results
#### 🔑 Credential Attack Framework
- **Dictionary Attacks**: High-performance brute force with custom wordlists
- **Smart Brute Force**: Intelligent credential combinations and common patterns
- **Stealth Brute Force**: Advanced evasion with randomized delays and IP rotation
- **Session Management**: Persistent attack sessions with resume capabilities
- **Fail2ban Evasion**: Adaptive timing to bypass intrusion detection systems
#### 🛡️ Evasion & Anti-Detection
- **Connection Rate Limiting**: Configurable delays between attempts
- **Randomized Timing**: Variable delays to mimic human behavior
- **Connection Pooling**: Distributed attacks across multiple connections
- **Error Handling**: Graceful handling of defensive countermeasures
### ⚙️ Advanced Configuration System
- **📝 YAML Configuration**: Flexible parameter management through `config.yaml`
- **🎯 Custom Port Lists**: Configurable scanning profiles for different scenarios
- **⏱️ Timing Controls**: Fine-grained timeout and delay customization
- **🗺️ Network Profiles**: Pre-configured settings for different network types
- **📊 Performance Tuning**: Thread pool and connection optimization
---
## 📦 Installation
### Prerequisites
```bash
# Ensure Python 3.6+ is installed
python3 --version
# Install required dependencies
pip3 install paramiko pyyaml colorama
```
### Quick Install
```bash
# Clone the repository
git clone https://github.com/floriankostov/network_scanner.git
cd network_scanner
# Make executable (Unix/Linux/macOS)
chmod +x scanner.py
# Run the scanner
python3 scanner.py
```
### Docker Installation (Optional)
```bash
# Build Docker image
docker build -t network-scanner .
# Run in container
docker run -it --network host network-scanner
```
---
## 🔧 Usage Guide
### 🚀 Quick Start
```bash
python3 scanner.py
```
The scanner provides an intuitive menu system:
```
╔══════════════════════════════════════════════════════════════════╗
║ NETWORK SCANNER TOOLKIT ║
║ Professional Penetration Testing ║
╠══════════════════════════════════════════════════════════════════╣
║ 1. 📡 Extended Port Scan - Comprehensive port discovery ║
║ 2. ⚡ Basic Port Scan - Quick essential port check ║
║ 3. 🔐 SSH Security Testing - Advanced SSH vulnerability scan ║
║ 4. 🎯 Custom Target Scan - Manual IP/range specification ║
║ 5. ❌ Exit - Quit the application ║
╚══════════════════════════════════════════════════════════════════╝
```
### 🔍 Network Discovery
```bash
# Automatic network detection
[+] Network: 192.168.1.0/24 (254 hosts)
[+] Gateway: 192.168.1.1
[+] Local IP: 192.168.1.100
# Custom network specification
python3 scanner.py --network 10.0.0.0/16
```
### 🎯 SSH Exploitation Capabilities
#### 💬 Username Enumeration (CVE-2018-15473)
```bash
# Standard enumeration
[EXPLOIT] CVE-2018-15473 Username Enumeration
[+] Target: 192.168.1.50:22 (OpenSSH 7.4)
[+] Testing 100 common usernames...
[✓] Valid users found: admin, user, test
# Stealth enumeration with evasion
[STEALTH] Enabling anti-detection measures
[+] Random delays: 0.5-2.0 seconds
[+] Connection variation: randomized
[✓] Valid users found: admin (confirmed)
```
#### 🔑 Advanced Brute Force Attacks
```bash
# Smart brute force
[EXPLOIT] Smart SSH Brute Force
[+] Target: 192.168.1.50:22
[+] Valid users: admin, user
[+] Wordlist: 500 common passwords
[✓] Credentials found: admin:password123
# Stealth brute force with fail2ban evasion
[STEALTH] Advanced evasion enabled
[+] Adaptive delays: 3-8 seconds
[+] Connection resets: every 5 attempts
[+] IP rotation: enabled
[!] Intrusion detection bypass: active
```
#### 🛡️ Defense Bypass Features
- **Timing Randomization**: Variable delays between 0.1-10 seconds
- **Connection Management**: Automatic connection cycling to avoid detection
- **Error Analysis**: Smart handling of fail2ban and IDS responses
- **Rate Limiting**: Adaptive speed adjustment based on target responses
---
## 🔧 Advanced Configuration
### 📝 Configuration File (`config.yaml`)
```yaml
# Network scanning settings
network:
  ping_timeout: 1.0
  port_timeout: 3.0
  thread_count: 50
  max_hosts: 254

# SSH exploitation settings
ssh:
  timeout: 10.0
  retry_count: 3
  stealth_mode: true
  delay_min: 0.5
  delay_max: 2.0

# Exploitation parameters
exploits:
  user_enumeration:
    max_users: 100
    timing_threshold: 0.05
  brute_force:
    max_attempts: 50
    wordlist_size: 500
    fail2ban_detection: true
```
### 🎯 Custom Port Lists
```yaml
port_lists:
  basic: [22, 80, 443, 8080]
  extended: [21, 22, 23, 25, 53, 80, 110, 143, 443, 993, 995, 8080]
  comprehensive: [1-1000, 3389, 5432, 5900, 8080-8090]
```
---
## 🛡️ Defense and Remediation
### 🔒 SSH Hardening Recommendations
#### Immediate Actions
```bash
# Write the overrides to a drop-in file rather than appending to sshd_config:
# sshd keeps the FIRST value it reads for each keyword, so a line appended
# after an existing "PermitRootLogin yes" is silently ignored. This relies on
# the "Include /etc/ssh/sshd_config.d/*.conf" line that OpenSSH 8.2+ ships
# at the top of sshd_config by default.
cat > /etc/ssh/sshd_config.d/10-hardening.conf <<'EOF'
# Disable root login
PermitRootLogin no
# Require key-based authentication
PasswordAuthentication no
PubkeyAuthentication yes
# Change default port
Port 2222
EOF
# Validate the configuration, then restart the SSH service
sshd -t && systemctl restart sshd
```
#### Long-term Security Measures
1. **Intrusion Detection**: Install and configure fail2ban
2. **Network Segmentation**: Isolate SSH access with firewall rules
3. **Monitoring**: Implement SSH connection logging and alerting
4. **Regular Updates**: Keep SSH software updated with security patches
5. **Access Control**: Use SSH certificates and centralized key management
### 🚨 Detection Signatures
#### Log Patterns to Monitor
```bash
# Username enumeration attempts
grep "Invalid user" /var/log/auth.log
# Brute force detection
grep "Failed password" /var/log/auth.log | head -10
# Connection frequency analysis: filter for sshd BEFORE awk drops the process
# field, then print the timestamp and source address ($11 is the source in
# "Failed password for <user> from <ip> ..." lines) and count repeats
grep "sshd" /var/log/auth.log | awk '{print $1, $2, $3, $11}' | sort | uniq -c
```
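The grep patterns above are enough for a quick look; the added example below (not part of the toolkit) turns them into a small detector over constructed auth.log lines. It applies the same window counting as the fail2ban settings shown next (`maxretry = 3` within `findtime = 600`) and tracks how many nonexistent usernames each source probes, which is the signal an enumeration run leaves. The sample attempts are spaced several seconds apart, so it also shows that the "adaptive delays" the toolkit advertises still accumulate three failures well inside a 600-second window. Host names, addresses and timestamps are constructed; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample auth.log lines (not real logs): one source pacing its
# attempts 4-6 seconds apart, as the stealth mode described above, plus one
# legitimate failure from a second address.
SAMPLE_LOG = """\
Mar 10 10:00:00 host sshd[1001]: Invalid user test from 198.51.100.7 port 40001
Mar 10 10:00:04 host sshd[1002]: Invalid user guest from 198.51.100.7 port 40002
Mar 10 10:00:09 host sshd[1003]: Invalid user oracle from 198.51.100.7 port 40003
Mar 10 10:00:15 host sshd[1004]: Failed password for admin from 198.51.100.7 port 40004 ssh2
Mar 10 10:00:21 host sshd[1005]: Failed password for admin from 198.51.100.7 port 40005 ssh2
Mar 10 10:03:00 host sshd[1006]: Failed password for alice from 192.0.2.10 port 50001 ssh2
"""
# Matches the "Invalid user" and "Failed password" patterns grepped for above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<inv>\S+)|Failed password for (?:invalid user )?(?P<user>\S+))"
    r" from (?P<ip>\S+)")

def parse(line, year=2024):
    """Return (timestamp, source_ip, username, is_invalid_user) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["inv"] or m["user"], m["inv"] is not None

def detect(log, findtime=600, maxretry=3):
    """Per source IP: failure count, names probed as nonexistent users (an
    enumeration signal) and when fail2ban-style window counting would ban it."""
    window = defaultdict(deque)
    report = defaultdict(lambda: {"failures": 0, "invalid_users": set(), "banned_at": None})
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, user, is_invalid = rec
        entry = report[ip]
        entry["failures"] += 1
        if is_invalid:
            entry["invalid_users"].add(user)
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop events outside the window
            q.popleft()
        if len(q) >= maxretry and entry["banned_at"] is None:  # maxretry hits within findtime
            entry["banned_at"] = ts
    return dict(report)
```

Feed it `open("/var/log/auth.log").read()` instead of `SAMPLE_LOG` to run it over a real log; a source with a large `invalid_users` set and no successful login is the enumeration case to alert on.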
#### Fail2ban Configuration
```ini
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
```
---
## 🔬 Technical Deep Dive
### 🎯 CVE-2018-15473 Exploitation Technical Details
#### Vulnerability Overview
- **CVE ID**: CVE-2018-15473
- **Affected Versions**: OpenSSH < 7.7, Cisco IOS, and others
- **Impact**: Username enumeration via timing attack
- **CVSS Score**: 5.3 (Medium)
#### Exploitation Methodology
1. **Timing Analysis**: Measure response times for valid vs invalid usernames
2. **Statistical Validation**: Use multiple samples to confirm timing differences
3. **Evasion Techniques**: Randomize delays to avoid detection
4. **Result Validation**: Cross-reference with common username patterns
```python
# Simplified timing attack pseudocode: try_authentication and
# analyze_timing_anomalies are placeholders, not runnable code
import time

def enumerate_users(target, usernames):
    timings = {}
    for user in usernames:
        start = time.time()
        try_authentication(target, user, "invalid_password")
        end = time.time()
        timings[user] = end - start
    # Analyze timing patterns
    return analyze_timing_anomalies(timings)
```
### 🔍 Anti-Detection Mechanisms
#### Stealth Mode Features
- **Jitter Introduction**: Random delays between 0.1-10 seconds
- **Connection Cycling**: Establish new connections periodically
- **Request Spacing**: Adaptive timing based on target responses
- **Error Handling**: Graceful handling of defensive measures
---
## 📊 Example Scan Results
### Network Discovery Output
```
╔══════════════════════════════════════════════════════════════════╗
║ NETWORK SCAN RESULTS ║
╠══════════════════════════════════════════════════════════════════╣
║ Network: 192.168.1.0/24 ║
║ Active Hosts: 12/254 ║
║ Scan Duration: 45.3 seconds ║
╚══════════════════════════════════════════════════════════════════╝
📡 DISCOVERED HOSTS:
┌─────────────────┬──────────────────┬─────────────────────────────┐
│ IP Address │ Hostname │ Response Time │
├─────────────────┼──────────────────┼─────────────────────────────┤
│ 192.168.1.1 │ gateway.local │ 1.2ms │
│ 192.168.1.50 │ server.local │ 2.1ms │
│ 192.168.1.100 │ workstation.local│ 0.8ms │
└─────────────────┴──────────────────┴─────────────────────────────┘
```
### SSH Vulnerability Report
```
╔══════════════════════════════════════════════════════════════════╗
║ SSH VULNERABILITY REPORT ║
║ Target: 192.168.1.50:22 ║
╠══════════════════════════════════════════════════════════════════╣
║ SSH Version: OpenSSH 7.4 ║
║ Risk Level: HIGH ║
║ Vulnerabilities: 3 Critical, 2 High, 1 Medium ║
╚══════════════════════════════════════════════════════════════════╝
🔴 CRITICAL VULNERABILITIES:
┌─────────────────┬────────────────────────────────────────────────┐
│ CVE-2018-15473 │ Username Enumeration via Timing Attack │
│ Status │ ✅ EXPLOITABLE - 3 valid users discovered │
│ Impact │ Information Disclosure, Attack Preparation │
│ Users Found │ admin, user, test │
└─────────────────┴────────────────────────────────────────────────┘
┌─────────────────┬────────────────────────────────────────────────┐
│ Brute Force │ Weak Authentication Configuration │
│ Status │ ✅ EXPLOITABLE - Password auth enabled │
│ Impact │ Unauthorized Access, Credential Compromise │
│ Attempts │ 45/50 tested, 1 credential found │
└─────────────────┴────────────────────────────────────────────────┘
💥 EXPLOITATION RESULTS:
╔══════════════════════════════════════════════════════════════════╗
║ ✅ Successfully compromised SSH service ║
║ 🔑 Credential: admin:password123 ║
║ 🎯 Access Level: Administrative ║
║ ⚠️ Recommend immediate credential change and hardening ║
╚══════════════════════════════════════════════════════════════════╝
```
---
## 🤝 Contributing
We welcome contributions from the security community! Please follow these guidelines:
### 🔄 Development Workflow
1. Fork the repository
2. Create a feature branch: `git checkout -b feature/new-exploit`
3. Commit changes: `git commit -am 'Add new SSH exploit'`
4. Push to branch: `git push origin feature/new-exploit`
5. Create a Pull Request
### 📝 Contribution Guidelines
- **Ethical Focus**: All contributions must be for educational/defensive purposes
- **Code Quality**: Follow Python PEP 8 standards
- **Documentation**: Include comprehensive documentation for new features
- **Testing**: Add unit tests for new exploitation modules
- **Security**: Include appropriate warnings and safeguards
### 🐛 Bug Reports
Please include:
- Python version and OS
- Complete error messages
- Steps to reproduce
- Expected vs actual behavior
---
## 📚 Resources and References
### 🔗 Security Resources
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
- [CVE Database](https://cve.mitre.org/)
- [SSH Security Best Practices](https://infosec.mozilla.org/guidelines/openssh)
### 📖 Related Projects
- [Nmap](https://nmap.org/) - Network discovery and security auditing
- [Hydra](https://github.com/vanhauser-thc/thc-hydra) - Password cracking tool
- [SSH-Audit](https://github.com/jtesta/ssh-audit) - SSH configuration auditing
### 🎓 Educational Content
- [Penetration Testing Methodology](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies)
- [SSH Protocol Deep Dive](https://tools.ietf.org/html/rfc4253)
- [Network Security Fundamentals](https://www.sans.org/white-papers/)
---
## ⚖️ License
This project is licensed under the **Educational Use License** - see the [LICENSE](LICENSE) file for details.
**Educational Use Only**: This software is intended solely for educational purposes and authorized security testing. Any malicious use is strictly prohibited and may result in criminal prosecution.
---
## 🙏 Acknowledgments
- **OpenSSH Team** for maintaining secure SSH implementations
- **Security Research Community** for responsible vulnerability disclosure
- **OWASP** for security testing methodologies
- **Python Community** for excellent networking libraries
---
<div align="center">
**⚠️ Remember: With great power comes great responsibility**
Use this tool ethically, legally, and responsibly.
[Report Issues](https://github.com/floriankostov/network_scanner/issues) • [Request Features](https://github.com/floriankostov/network_scanner/discussions) • [Security Contact](mailto:security@example.com)
</div>
File snapshot
[4.0K] /data/pocs/4e955af1b8b9160e2431cc6fda8afc7299122acb
├── [2.9K] config.py
├── [2.6K] LICENSE
├── [ 20K] README.md
├── [ 75] requirements.txt
└── [ 89K] scanner.py
0 directories, 5 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.