百度360必应搜狗淘宝本站头条
mqtt服务器xftp6mybatiscollectionkeyerrorc#var
当前位置:网站首页 > 热门文章 > 正文

CVE-2024-6387 漏洞检查工具(cve-2020-15778漏洞如何解决)

bigegpt 2025-05-05 14:12 4 浏览

工具说明
CVE-2024-6387_Check 是一款轻量高效的检测工具,专为识别存在 regreSSHion漏洞(CVE-2024-6387) 的OpenSSH服务器而设计。该脚本支持快速扫描IP地址、域名及CIDR网段,帮助用户发现潜在漏洞,确保基础设施安全。

功能特性

  • 快速扫描:支持批量检测IP、域名及CIDR网段的CVE-2024-6387漏洞
  • 横幅抓取:无需认证即可高效获取SSH服务标识信息
  • GraceTime检测:可选检测服务器是否通过LoginGraceTime设置缓解漏洞
  • IPv6支持:完整支持IPv6地址的直接扫描和域名解析扫描
  • 多线程加速:通过并发检查大幅缩短扫描时间
  • 详细报告:提供带表情符号标识的清晰扫描结果摘要
  • 端口检测:自动识别关闭端口并汇总无响应主机
  • 补丁版本过滤:自动排除已知已修复版本,避免误报
  • DNS解析:支持IP地址反向解析为域名显示
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import socket
import argparse
import ipaddress
import threading
import time
from queue import Queue
from concurrent.futures import ThreadPoolExecutor

VERSION = "0.8"

BLUE = "\033[94m"
GREEN = "\033[92m"
RED = "\033[91m"
ORANGE = "\033[33m"
ENDC = "\033[0m"

progress_lock = threading.Lock()
progress_counter = 0
total_hosts = 0

def display_banner():
    banner = rf"""
{BLUE}
                                      _________ _________ ___ ___ .__
_______   ____   ___________   ____  /   _____//   _____//   |   \|__| ____   ____
\_  __ \_/ __ \ / ___\_  __ \_/ __ \ \_____  \ \_____  \/    ~    \  |/  _ \ /    \
 |  | \/\  ___// /_/  >  | \/\  ___/ /        \/        \    Y    /  (  <_> )   |  \
 |__|    \___  >___  /|__|    \___  >_______  /_______  /\___|_  /|__|\____/|___|  /
             \/_____/             \/        \/        \/       \/                \/
    CVE-2024-6387 Vulnerability Checker
    v{VERSION} / Alex Hagenah / @xaitax / ah@primepage.de
{ENDC}
"""
    print(banner)

def resolve_hostname(hostname):
    try:
        addr_info = socket.getaddrinfo(hostname, None)
        addresses = [addr[4][0] for addr in addr_info]
        return addresses
    except socket.gaierror:
        print(f" [-] Could not resolve hostname: {hostname}")
        return []

def create_socket(ip, port, timeout):
    try:
        family = socket.AF_INET6 if ':' in ip else socket.AF_INET
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect((ip, port))
        return sock
    except Exception:
        return None

def get_ssh_banner(sock, use_help_request):
    try:
        banner = sock.recv(1024).decode(errors='ignore').strip()
        if banner or not use_help_request:
            return banner
        help_string = "HELP\n"
        sock.sendall(help_string.encode())
        banner = sock.recv(1024).decode(errors='ignore').strip()
        return banner
    except Exception as e:
        return str(e)
    finally:
        sock.close()

def check_vulnerability(ip, port, timeout, grace_time_check, use_help_request, dns_resolve, result_queue):
    global progress_counter

    sshsock = create_socket(ip, port, timeout)
    if not sshsock:
        result_queue.put((ip, port, 'closed', "Port closed", ip))
        with progress_lock:
            progress_counter += 1
        return

    banner = get_ssh_banner(sshsock, use_help_request)
    if "SSH-2.0" not in banner:
        result_queue.put(
            (ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}", ip))
        with progress_lock:
            progress_counter += 1
        return

    if "SSH-2.0-OpenSSH" not in banner:
        result_queue.put((ip, port, 'unknown', f"(banner: {banner})", ip))
        with progress_lock:
            progress_counter += 1
        return

    hostname = resolve_ip(ip) if dns_resolve else None

    vulnerable_versions = [
        'SSH-2.0-OpenSSH_1',
        'SSH-2.0-OpenSSH_2',
        'SSH-2.0-OpenSSH_3',
        'SSH-2.0-OpenSSH_4.0',
        'SSH-2.0-OpenSSH_4.1',
        'SSH-2.0-OpenSSH_4.2',
        'SSH-2.0-OpenSSH_4.3',
        'SSH-2.0-OpenSSH_4.4',
        'SSH-2.0-OpenSSH_8.5',
        'SSH-2.0-OpenSSH_8.6',
        'SSH-2.0-OpenSSH_8.7',
        'SSH-2.0-OpenSSH_8.8',
        'SSH-2.0-OpenSSH_8.9',
        'SSH-2.0-OpenSSH_9.0',
        'SSH-2.0-OpenSSH_9.1',
        'SSH-2.0-OpenSSH_9.2',
        'SSH-2.0-OpenSSH_9.3',
        'SSH-2.0-OpenSSH_9.4',
        'SSH-2.0-OpenSSH_9.5',
        'SSH-2.0-OpenSSH_9.6',
        'SSH-2.0-OpenSSH_9.7'
    ]

    patched_versions = [
        'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
        'SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
        'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
        'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4',
        'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5',
        'SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
        'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
        'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3',
        'SSH-2.0-OpenSSH_9.7p1 Debian-7',
        'SSH-2.0-OpenSSH_9.6 FreeBSD-20240701',
        'SSH-2.0-OpenSSH_9.7 FreeBSD-20240701'
    ]

    if any(version in banner for version in vulnerable_versions) and banner not in patched_versions:
        if grace_time_check:
            sshsock = create_socket(ip, port, timeout)
            starttime = time.time()
            banner_throw_away = sshsock.recv(1024).decode(errors='ignore').strip()
            sshsock.settimeout(grace_time_check - (time.time() - starttime) + 4)
            socket_timed_out = 0
            try:
                msg = sshsock.recv(1024).decode(errors='ignore').strip()
            except socket.timeout:
                socket_timed_out = 1
            time_elapsed = time.time() - starttime
            if sshsock:
                if socket_timed_out == 0:
                    result_queue.put((ip, port, 'vulnerable', f"(running {banner}) vulnerable and LoginGraceTime remediation not done (Session was closed by server at {time_elapsed:.1f} seconds)", hostname))
                else:
                    result_queue.put((ip, port, 'likely_not_vulnerable', f"(running {banner} False negative possible depending on LoginGraceTime)", hostname))
                sshsock.close()
            else:
                result_queue.put((ip, port, 'vulnerable', f"(running {banner})", hostname))
        else:
            result_queue.put((ip, port, 'vulnerable', f"(running {banner})", hostname))
    else:
        result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})", hostname))

    with progress_lock:
        progress_counter += 1

def process_ip_list(ip_list_file):
    ips = []

    try:
        with open(ip_list_file, 'r') as file:
            for target in file:
                if '/' in target:
                    try:
                        network = ipaddress.ip_network(target.strip(), strict=False)
                        ips.extend([str(ip) for ip in network.hosts()])
                    except ValueError as e:
                        print(f" [-] Invalid CIDR notation {target} {e}")
                else:
                    ips.append(target)
    except IOError:
        print(f" [-] Could not read file: {ip_list_file}")
    return [ip.strip() for ip in ips]

def resolve_ip(ip):
    try:
        hostname = socket.gethostbyaddr(ip)
        return hostname[0]
    except (socket.herror, socket.gaierror):
        return None

def main():
    global total_hosts
    display_banner()

    parser = argparse.ArgumentParser(
        description="Check if servers are running a vulnerable version of OpenSSH (CVE-2024-6387).")
    parser.add_argument(
        "targets", nargs='*', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
    parser.add_argument("-p", "--ports", type=str, default="22",
                        help="Comma-separated list of port numbers to check (default: 22).")
    parser.add_argument("-t", "--timeout", type=float, default=1.0,
                        help="Connection timeout in seconds (default: 1 second).")
    parser.add_argument("-l", "--list", help="File containing a list of IP addresses to check.")
    parser.add_argument("-g", "--grace-time-check", nargs='?', const=120, type=int,
                        help="Time in seconds to wait after identifying the version to check for LoginGraceTime mitigation (default: 120 seconds).")
    parser.add_argument("-d", "--dns-resolve", action='store_true',
                    help="Resolve and display hostnames for IP addresses.")
    parser.add_argument("-u", "--use-help-request", action='store_true',
                        help="Enable sending a HELP request if the initial SSH banner retrieval fails.")

    args = parser.parse_args()
    targets = args.targets
    ports = [int(p) for p in args.ports.split(',')]
    timeout = args.timeout
    grace_time_check = args.grace_time_check
    use_help_request = args.use_help_request

    ips = set()

    if args.list:
        ips.update(process_ip_list(args.list))

    for target in targets:
        try:
            with open(target, 'r') as file:
                ips.update(file.readlines())
        except IOError:
            if '/' in target:
                try:
                    network = ipaddress.ip_network(target.strip(), strict=False)
                    ips.update([str(ip) for ip in network.hosts()])
                except ValueError:
                    print(f" [-] Invalid CIDR notation: {target}")
            else:
                resolved_ips = resolve_hostname(target)
                if resolved_ips:
                    ips.update(resolved_ips)
                else:
                    ips.add(target.strip())

    result_queue = Queue()

    ips = list(ips)
    total_hosts = len(ips)

    max_workers = 100

    with ThreadPoolExecutor(max_workers=max_workers) as executor:
        futures = [executor.submit(check_vulnerability, ip.strip(), port, timeout, grace_time_check, use_help_request, args.dns_resolve, result_queue)
                for ip in ips for port in ports]

        while any(future.running() for future in futures):
            with progress_lock:
                print(f"\rProgress: {progress_counter}/{total_hosts * len(ports)} checks performed", end="")
            time.sleep(1)

    for future in futures:
        future.result()

    print(f"\rProgress: {progress_counter}/{total_hosts * len(ports)} checks performed")

    closed_ports = 0
    unknown = []
    not_vulnerable = []
    likely_not_vulnerable = []
    vulnerable = []

    while not result_queue.empty():
        ip, port, status, message, hostname = result_queue.get()
        display_ip = f"{ip} ({hostname})" if hostname else ip
        if status == 'closed':
            closed_ports += 1
        elif status == 'unknown':
            unknown.append((display_ip, port, message))
        elif status == 'vulnerable':
            vulnerable.append((display_ip, port, message))
        elif status == 'not_vulnerable':
            not_vulnerable.append((display_ip, port, message))
        elif status == 'likely_not_vulnerable':
            likely_not_vulnerable.append((display_ip, port, message))
        else:
            print(f" [!] Server at {display_ip} is {message}")

    print(f"\n Servers not vulnerable: {len(not_vulnerable)}")
    for ip, port, msg in not_vulnerable:
        print(f"   [+] Server at {GREEN}{ip}{ENDC} {msg}")
    if grace_time_check:
        print(f"\n Servers likely not vulnerable (possible LoginGraceTime remediation): {len(likely_not_vulnerable)}")
        for ip, port, msg in likely_not_vulnerable:
            print(f"   [+] Server at {GREEN}{ip}{ENDC} {msg}")
    print(f"\n Servers likely vulnerable: {len(vulnerable)}")
    for ip, port, msg in vulnerable:
        print(f"   [+] Server at {RED}{ip}{ENDC} {msg}")
    print(f"\n Servers with unknown SSH version: {len(unknown)}")
    for ip, port, msg in unknown:
        print(f"   [+] Server at {ORANGE}{ip}{ENDC} {msg}")
    print(f"\n Servers with port(s) closed: {closed_ports}")
    print(f"\n Total scanned hosts: {total_hosts}")
    print(f" Total port checks performed: {progress_counter}")

if __name__ == "__main__":
    main()

使用指南

python CVE-2024-6387_Check.py <目标> [--ports 端口] [--timeout 超时] [--list 文件] [--grace-time-check [秒数]] [--dns-resolve] [--use-help-request]

参数说明

  • <目标>:IP地址/域名/含IP列表的文件路径/CIDR网段
  • --timeout 超时:设置连接超时秒数(默认:1秒)
  • --list 文件:指定待检测IP地址列表文件
  • --ports 端口:指定检测端口列表(默认:22)
  • --use-help-request:当SSH横幅获取失败时启用HELP请求
  • --grace-time-check [秒数]:版本识别后检测LoginGraceTime缓解措施的等待时间(默认120秒)
  • --dns-resolve:启用IP地址反向域名解析

命令行参数

  • <targets>:IP 地址、域名、包含 IP 地址的文件路径或 CIDR 网络范围。
  • --timeout TIMEOUT:设置连接超时时间(秒)(默认值:1 秒)。
  • --list FILE:包含要检查的 IP 地址列表的文件。
  • --ports PORTS:指定要检查的端口号的逗号分隔列表(默认值:22)。
  • --use-help-request:如果初始 SSH 横幅检索失败,则启用发送 HELP 请求。
  • --grace-time-check [SECONDS]:确定版本后检查缓解措施的等待时间(秒LoginGraceTime)(默认值:120 秒)。
  • --dns-resolve:解析并显示 IP 地址的主机名。

示例

单一IP

python CVE-2024-6387_Check.py 192.168.1.1

来自文件的 IP

python CVE-2024-6387_Check.py -l ip_list.txt

多个 IP 和域名

python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2

CIDR 范围

python CVE-2024-6387_Check.py 192.168.1.0/24

具有多个端口

python CVE-2024-6387_Check.py 192.168.1.1 example.com --ports 22,2222

检查 LoginGraceTime 缓解措施

python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check

使用自定义时间检查 LoginGraceTime 缓解措施

python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check 150

启用帮助请求

python CVE-2024-6387_Check.py 192.168.1.1 --use-help-request

启用 DNS/主机名解析

python CVE-2024-6387_Check.py 192.168.1.1 --dns-resolve

相关推荐

得物可观测平台架构升级:基于GreptimeDB的全新监控体系实践

一、摘要在前端可观测分析场景中,需要实时观测并处理多地、多环境的运行情况,以保障Web应用和移动端的可用性与性能。传统方案往往依赖代理Agent→消息队列→流计算引擎→OLAP存储...

warm-flow新春版:网关直连和流程图重构

本期主要解决了网关直连和流程图重构,可以自此之后可支持各种复杂的网关混合、多网关直连使用。-新增Ruoyi-Vue-Plus优秀开源集成案例更新日志[feat]导入、导出和保存等新增json格式支持...

扣子空间体验报告

在数字化时代,智能工具的应用正不断拓展到我们工作和生活的各个角落。从任务规划到项目执行,再到任务管理,作者深入探讨了这款工具在不同场景下的表现和潜力。通过具体的应用实例,文章展示了扣子空间如何帮助用户...

spider-flow:开源的可视化方式定义爬虫方案

spider-flow简介spider-flow是一个爬虫平台,以可视化推拽方式定义爬取流程,无需代码即可实现一个爬虫服务。spider-flow特性支持css选择器、正则提取支持JSON/XML格式...

solon-flow 你好世界!

solon-flow是一个基础级的流处理引擎(可用于业务规则、决策处理、计算编排、流程审批等......)。提供有“开放式”驱动定制支持,像jdbc有mysql或pgsql等驱动,可...

新一代开源爬虫平台:SpiderFlow

SpiderFlow:新一代爬虫平台,以图形化方式定义爬虫流程,不写代码即可完成爬虫。-精选真开源,释放新价值。概览Spider-Flow是一个开源的、面向所有用户的Web端爬虫构建平台,它使用Ja...

通过 SQL 训练机器学习模型的引擎

关注薪资待遇的同学应该知道,机器学习相关的岗位工资普遍偏高啊。同时随着各种通用机器学习框架的出现,机器学习的门槛也在逐渐降低,训练一个简单的机器学习模型变得不那么难。但是不得不承认对于一些数据相关的工...

鼠须管输入法rime for Mac

鼠须管输入法forMac是一款十分新颖的跨平台输入法软件,全名是中州韵输入法引擎,鼠须管输入法mac版不仅仅是一个输入法,而是一个输入法算法框架。Rime的基础架构十分精良,一套算法支持了拼音、...

Go语言 1.20 版本正式发布:新版详细介绍

Go1.20简介最新的Go版本1.20在Go1.19发布六个月后发布。它的大部分更改都在工具链、运行时和库的实现中。一如既往,该版本保持了Go1的兼容性承诺。我们期望几乎所...

iOS 10平台SpriteKit新特性之Tile Maps(上)

简介苹果公司在WWDC2016大会上向人们展示了一大批新的好东西。其中之一就是SpriteKitTileEditor。这款工具易于上手,而且看起来速度特别快。在本教程中,你将了解关于TileE...

程序员简历例句—范例Java、Python、C++模板

个人简介通用简介:有良好的代码风格,通过添加注释提高代码可读性,注重代码质量,研读过XXX,XXX等多个开源项目源码从而学习增强代码的健壮性与扩展性。具备良好的代码编程习惯及文档编写能力,参与多个高...

Telerik UI for iOS Q3 2015正式发布

近日,TelerikUIforiOS正式发布了Q32015。新版本新增对XCode7、Swift2.0和iOS9的支持,同时还新增了对数轴、不连续的日期时间轴等;改进TKDataPoin...

ios使用ijkplayer+nginx进行视频直播

上两节,我们讲到使用nginx和ngixn的rtmp模块搭建直播的服务器,接着我们讲解了在Android使用ijkplayer来作为我们的视频直播播放器,整个过程中,需要注意的就是ijlplayer编...

IOS技术分享|iOS快速生成开发文档(一)

前言对于开发人员而言,文档的作用不言而喻。文档不仅可以提高软件开发效率,还能便于以后的软件开发、使用和维护。本文主要讲述Objective-C快速生成开发文档工具appledoc。简介apple...

macOS下配置VS Code C++开发环境

本文介绍在苹果macOS操作系统下,配置VisualStudioCode的C/C++开发环境的过程,本环境使用Clang/LLVM编译器和调试器。一、前置条件本文默认前置条件是,您的开发设备已...

一周热门
最近发表
标签列表