Nmap script to detect Debian OpenSSL Random Number Generator Weakness
June 13th, 2010 by webstersprodigy

This relies on HD’s keys, which can be found at http://digitaloffense.net/tools/debian-openssl/
-- Script metadata. The description string is the short summary of what this
-- script checks for.
description = [[
Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
]]
---
-- @output
-- 22/ssh open ssh
-- |_ ssh_debian_weak: The following keys are vulnerable: 2048 RSA 1024 RSA
--
-- NOTE(review): the sample above is illustrative only. The action function in
-- this file returns the matching keys as algorithm followed by bit length,
-- without the introductory sentence shown here.
--
-- SSH Weak Debian Key Script
-- rev 1.0 (2010-02-07)
-- roughly based on ssh_debian_weak.nasl by Tenable
-- written by hand
author = "Rich Lundeen <mopey@webstersprodigy.net>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- NOTE(review): these look like site-specific category names rather than
-- Nmap's stock categories, so selecting scripts by a stock category will
-- presumably not pick this one up -- confirm against the local setup.
categories = {"websters", "nessus", "act_gather_info"}
-- The action reads nmap.registry.sshhostkey, so ssh-hostkey is listed as a
-- dependency in order to have collected the host keys first.
dependencies = {"ssh-hostkey"}
require("shortport")
require("ssh1")
require("ssh2")
require("nessus/nessus_conf")
-- Run against port 22 and against any port whose detected service is "ssh".
local ssh_ports, ssh_services = { 22 }, { "ssh" }
portrule = shortport.port_or_service(ssh_ports, ssh_services)
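--- Compare each host key gathered by ssh-hostkey with the Debian weak-key lists.
-- For every key stored in nmap.registry.sshhostkey[host.ip], the hex
-- fingerprint is searched for in the list file
-- <basedir>nselib/nessus/data/debian_weak_ssl/<algorithm>_<bits>.
-- A key whose algorithm/size has no list file is skipped, so an empty result
-- means "no match in the installed lists", not "key verified as strong".
-- @param host Nmap host table; only host.ip is read.
-- @param port Nmap port table (unused).
-- @return String naming each matching key as "<ALGORITHM> <bits>", joined with
--         ", "; nil when nothing matched or no host keys were recorded.
action = function(host, port)
  -- ssh-hostkey may not have run, or may have stored nothing for this host.
  local registry = nmap.registry.sshhostkey
  local keys = registry and registry[host.ip]
  if keys == nil then
    return
  end

  local list_dir = nessus_conf.nessus_conf["basedir"] ..
    "nselib/nessus/data/debian_weak_ssl/"
  local weak = {}

  for _, key in ipairs(keys) do
    local algo = type(key.algorithm) == "string" and key.algorithm:lower()

    -- The algorithm name becomes part of a file name; accept only plain
    -- alphanumeric names so a malformed registry entry cannot alter the path.
    if algo and algo:find("^%w+$") then
      -- fingerprint_hex yields "<bits> aa:bb:... (<ALGO>)"; strip the colons
      -- and keep only the middle, hex-digest field.
      local printable = (string.gsub(
        ssh1.fingerprint_hex(key.fingerprint, key.algorithm, key.bits),
        ":", ""))
      local digest = printable:match("^%S+%s(%S+)%s%S+")

      -- A missing list file (io.open returns nil) means this key type or
      -- size is simply not covered; skip it instead of raising an error.
      local list = digest and io.open(list_dir .. algo .. "_" ..
        tostring(key.bits), "r")
      if list then
        --TODO eventually a binary search would be nicer than a linear scan
        for entry in list:lines() do
          -- Plain-text find: the digest is data, not a Lua pattern.
          if string.find(entry, digest, 1, true) then
            weak[#weak + 1] = key.algorithm .. " " .. tostring(key.bits)
            break -- report each host key once, even if listed repeatedly
          end
        end
        list:close()
      end
    end
  end

  if #weak > 0 then
    return table.concat(weak, ", ")
  end
end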