
ssh_version: Various improvements#21393

Open
g0tmi1k wants to merge 5 commits intorapid7:masterfrom
g0tmi1k:ssh_version

Conversation

@g0tmi1k
Contributor

@g0tmi1k g0tmi1k commented Apr 29, 2026

This PR aims to do:

  • Fix a bug with report_vuln as they were merging/overwriting
  • Add report_host when host up, service down
  • Update module metadata

Before

$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf > use ssh_version

Matching Modules
================

   #  Name                                       Disclosure Date  Rank    Check  Description
   -  ----                                       ---------------  ----    -----  -----------
   0  auxiliary/fuzzers/ssh/ssh_version_15       .                normal  No     SSH 1.5 Version Fuzzer
   1  auxiliary/fuzzers/ssh/ssh_version_2        .                normal  No     SSH 2.0 Version Fuzzer
   2  auxiliary/fuzzers/ssh/ssh_version_corrupt  .                normal  No     SSH Version Corruption
   3  auxiliary/scanner/ssh/ssh_version          .                normal  No     SSH Version Scanner


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/ssh/ssh_version

msf > use 3
msf auxiliary(scanner/ssh/ssh_version) > options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXTENDED_CHECKS  true             yes       Check for cryptographic issues
   RHOSTS           10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT            22               yes       The target port
   THREADS          1                yes       The number of concurrent threads (max one per host)
   TIMEOUT          30               yes       Timeout for the SSH probe


View the full module info with the info, or info -d command.
msf auxiliary(scanner/ssh/ssh_version) > run
[*] 10.0.0.10 - Key Fingerprint: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
[*] 10.0.0.10 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[+] 10.0.0.10 - Key Exchange (kex) diffie-hellman-group-exchange-sha1 is deprecated and should not be used.
[+] 10.0.0.10 - Key Exchange (kex) diffie-hellman-group1-sha1 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-md5 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-ripemd160 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-sha1-96 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-md5-96 is deprecated and should not be used.
[+] 10.0.0.10 - Encryption aes128-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption 3des-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption blowfish-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption cast128-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption arcfour128 is deprecated and should not be used.
[+] 10.0.0.10 - Encryption arcfour256 is deprecated and should not be used.
[+] 10.0.0.10 - Encryption arcfour is deprecated and should not be used.
[+] 10.0.0.10 - Encryption aes192-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption aes256-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption rijndael-cbc@lysator.liu.se is deprecated and should not be used.
[*] 10.0.0.10 - Server Information and Encryption
=================================

  Type                     Value                                 Note
  ----                     -----                                 ----
  encryption.compression   none
  encryption.compression   zlib@openssh.com
  encryption.encryption    aes128-cbc                            Deprecated
  encryption.encryption    3des-cbc                              Deprecated
  encryption.encryption    blowfish-cbc                          Deprecated
  encryption.encryption    cast128-cbc                           Deprecated
  encryption.encryption    arcfour128                            Deprecated
  encryption.encryption    arcfour256                            Deprecated
  encryption.encryption    arcfour                               Deprecated
  encryption.encryption    aes192-cbc                            Deprecated
  encryption.encryption    aes256-cbc                            Deprecated
  encryption.encryption    rijndael-cbc@lysator.liu.se           Deprecated
  encryption.encryption    aes128-ctr
  encryption.encryption    aes192-ctr
  encryption.encryption    aes256-ctr
  encryption.hmac          hmac-md5                              Deprecated
  encryption.hmac          hmac-sha1
  encryption.hmac          umac-64@openssh.com
  encryption.hmac          hmac-ripemd160                        Deprecated
  encryption.hmac          hmac-ripemd160@openssh.com
  encryption.hmac          hmac-sha1-96                          Deprecated
  encryption.hmac          hmac-md5-96                           Deprecated
  encryption.host_key      ssh-rsa
  encryption.host_key      ssh-dss
  encryption.key_exchange  diffie-hellman-group-exchange-sha256
  encryption.key_exchange  diffie-hellman-group-exchange-sha1    Deprecated
  encryption.key_exchange  diffie-hellman-group14-sha1
  encryption.key_exchange  diffie-hellman-group1-sha1            Deprecated
  fingerprint_db           ssh.banner
  openssh.comment          Debian-8ubuntu1
  os.cpe23                 cpe:/o:canonical:ubuntu_linux:8.04
  os.family                Linux
  os.product               Linux
  os.vendor                Ubuntu
  os.version               8.04
  service.cpe23            cpe:/a:openbsd:openssh:4.7p1
  service.family           OpenSSH
  service.product          OpenSSH
  service.protocol         ssh
  service.vendor           OpenBSD
  service.version          4.7p1

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      0      0      0

msf auxiliary(scanner/ssh/ssh_version) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux               8.04   server

msf auxiliary(scanner/ssh/ssh_version) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}

msf auxiliary(scanner/ssh/ssh_version) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                 References
---------                ----       -------       --------  ----                 ----------
2026-04-29 14:37:25 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Version Scanner  https://datatracker.ietf.org/doc/html/draft-ietf-curdle-ssh-kex-sha2-20#page-16,https://github.com/net-ssh/net-ssh?tab=readme
                                                                                 -ov-file#message-authentication-code-algorithms,https://github.com/net-ssh/net-ssh?tab=readme-ov-file#encryption-algorithms-c
                                                                                 iphers,CVE-2008-5161,https://datatracker.ietf.org/doc/html/rfc8758#name-iana-considerations

msf auxiliary(scanner/ssh/ssh_version) >

After

msf auxiliary(scanner/ssh/ssh_version) > reload
[*] Reloading module...
msf auxiliary(scanner/ssh/ssh_version) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/ssh/ssh_version) > run
[*] 10.0.0.10 - Key Fingerprint: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
[*] 10.0.0.10 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[+] 10.0.0.10 - Key Exchange (kex) diffie-hellman-group-exchange-sha1 is deprecated and should not be used.
[+] 10.0.0.10 - Key Exchange (kex) diffie-hellman-group1-sha1 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-md5 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-ripemd160 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-sha1-96 is deprecated and should not be used.
[+] 10.0.0.10 - HMAC hmac-md5-96 is deprecated and should not be used.
[+] 10.0.0.10 - Encryption aes128-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption 3des-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption blowfish-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption cast128-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption arcfour128 is deprecated and should not be used.
[+] 10.0.0.10 - Encryption arcfour256 is deprecated and should not be used.
[+] 10.0.0.10 - Encryption arcfour is deprecated and should not be used.
[+] 10.0.0.10 - Encryption aes192-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption aes256-cbc is deprecated and should not be used.
[+] 10.0.0.10 - Encryption rijndael-cbc@lysator.liu.se is deprecated and should not be used.
[*] 10.0.0.10 - Server Information and Encryption
=================================

  Type                     Value                                 Note
  ----                     -----                                 ----
  encryption.compression   none
  encryption.compression   zlib@openssh.com
  encryption.encryption    aes128-cbc                            Deprecated
  encryption.encryption    3des-cbc                              Deprecated
  encryption.encryption    blowfish-cbc                          Deprecated
  encryption.encryption    cast128-cbc                           Deprecated
  encryption.encryption    arcfour128                            Deprecated
  encryption.encryption    arcfour256                            Deprecated
  encryption.encryption    arcfour                               Deprecated
  encryption.encryption    aes192-cbc                            Deprecated
  encryption.encryption    aes256-cbc                            Deprecated
  encryption.encryption    rijndael-cbc@lysator.liu.se           Deprecated
  encryption.encryption    aes128-ctr
  encryption.encryption    aes192-ctr
  encryption.encryption    aes256-ctr
  encryption.hmac          hmac-md5                              Deprecated
  encryption.hmac          hmac-sha1
  encryption.hmac          umac-64@openssh.com
  encryption.hmac          hmac-ripemd160                        Deprecated
  encryption.hmac          hmac-ripemd160@openssh.com
  encryption.hmac          hmac-sha1-96                          Deprecated
  encryption.hmac          hmac-md5-96                           Deprecated
  encryption.host_key      ssh-rsa
  encryption.host_key      ssh-dss
  encryption.key_exchange  diffie-hellman-group-exchange-sha256
  encryption.key_exchange  diffie-hellman-group-exchange-sha1    Deprecated
  encryption.key_exchange  diffie-hellman-group14-sha1
  encryption.key_exchange  diffie-hellman-group1-sha1            Deprecated
  fingerprint_db           ssh.banner
  openssh.comment          Debian-8ubuntu1
  os.cpe23                 cpe:/o:canonical:ubuntu_linux:8.04
  os.family                Linux
  os.product               Linux
  os.vendor                Ubuntu
  os.version               8.04
  service.cpe23            cpe:/a:openbsd:openssh:4.7p1
  service.family           OpenSSH
  service.product          OpenSSH
  service.protocol         ssh
  service.vendor           OpenBSD
  service.version          4.7p1

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssh/ssh_version) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         3      0      0      0

msf auxiliary(scanner/ssh/ssh_version) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Linux    Ubuntu     8.04   server

msf auxiliary(scanner/ssh/ssh_version) > services
Services
========

host       port  proto  name  state  info                                   resource  parents
----       ----  -----  ----  -----  ----                                   --------  -------
10.0.0.10  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1  {}

msf auxiliary(scanner/ssh/ssh_version) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                                                                References
---------                ----       -------       --------  ----                                                                ----------
2026-04-29 14:38:38 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Version and Algorithm Scanner: SSH Weak HMAC Algorithm          https://github.com/net-ssh/net-ssh?tab=readme-ov-file#message-authentication-c
                                                                                                                                ode-algorithms
2026-04-29 14:38:38 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Version and Algorithm Scanner: SSH Weak Encryption Cipher       https://github.com/net-ssh/net-ssh?tab=readme-ov-file#encryption-algorithms-ci
                                                                                                                                phers,CVE-2008-5161,https://datatracker.ietf.org/doc/html/rfc8758#name-iana-co
                                                                                                                                nsiderations
2026-04-29 14:38:38 UTC  10.0.0.10  ssh (22/tcp)  {}        SSH Version and Algorithm Scanner: SSH Weak Key Exchange Algorithm  https://datatracker.ietf.org/doc/html/draft-ietf-curdle-ssh-kex-sha2-20#page-1
                                                                                                                                6

msf auxiliary(scanner/ssh/ssh_version) >
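
A worked model of the report_vuln merging bug shown in the Before/After output, as an added example that is not part of this PR or of Metasploit's own code. It assumes a simplified vuln store keyed by [host, port, name] that unions references on a repeat report (which is what the Before output, one vuln with five references, indicates), reuses the deprecated-algorithm lists, finding names and references from the output above, and the names VulnStore, weak_algorithms and report are hypothetical.

```ruby
# Added example (not code from this PR or from Metasploit). Assumption: the vuln
# store keys records by [host, port, name] and unions refs on a repeat report.
DEPRECATED = {
  'kex'  => %w[diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1],
  'hmac' => %w[hmac-md5 hmac-ripemd160 hmac-sha1-96 hmac-md5-96],
  'enc'  => %w[aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256
               arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se]
}.freeze
FINDING = { # per-category name suffix and references, as in the "After" output
  'kex'  => ['SSH Weak Key Exchange Algorithm', %w[https://datatracker.ietf.org/doc/html/draft-ietf-curdle-ssh-kex-sha2-20#page-16]],
  'hmac' => ['SSH Weak HMAC Algorithm', %w[https://github.com/net-ssh/net-ssh?tab=readme-ov-file#message-authentication-code-algorithms]],
  'enc'  => ['SSH Weak Encryption Cipher', %w[https://github.com/net-ssh/net-ssh?tab=readme-ov-file#encryption-algorithms-ciphers
                                              CVE-2008-5161 https://datatracker.ietf.org/doc/html/rfc8758#name-iana-considerations]]
}.freeze
# Constructed input: the algorithm lists the scanned server offered (from the PR's table).
OFFERED = {
  'kex'  => %w[diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1
               diffie-hellman-group14-sha1 diffie-hellman-group1-sha1],
  'hmac' => %w[hmac-md5 hmac-sha1 umac-64@openssh.com hmac-ripemd160
               hmac-ripemd160@openssh.com hmac-sha1-96 hmac-md5-96],
  'enc'  => %w[aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour
               aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr]
}.freeze
# Simplified vuln store: one record per [host, port, name]; refs and info are unioned.
class VulnStore
  attr_reader :records
  def initialize; @records = {}; end
  def report_vuln(host:, port:, name:, refs:, info:)
    rec = (@records[[host, port, name]] ||= { refs: [], info: [] })
    rec[:refs] |= refs
    rec[:info] |= [info]
  end
end
# Intersect each offered list with the deprecated one; drop categories with no hit.
def weak_algorithms(offered)
  offered.to_h { |cat, list| [cat, list & DEPRECATED[cat]] }.reject { |_, v| v.empty? }
end
# Report one vuln per weak category. With distinct_names: false every category is
# reported under one shared name (old behaviour), so the store merges all three.
def report(store, host, port, offered, distinct_names:)
  weak_algorithms(offered).each do |cat, algs|
    suffix, refs = FINDING[cat]
    name = distinct_names ? "SSH Version and Algorithm Scanner: #{suffix}" : 'SSH Version Scanner'
    store.report_vuln(host: host, port: port, name: name, refs: refs, info: algs.join(','))
  end
  store.records
end
puts "before: #{report(VulnStore.new, '10.0.0.10', 22, OFFERED, distinct_names: false).size} vuln(s)"
puts "after:  #{report(VulnStore.new, '10.0.0.10', 22, OFFERED, distinct_names: true).size} vuln(s)"
```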

@g0tmi1k g0tmi1k changed the title ssh_version: ssh_version: Improve report_* Apr 29, 2026
@g0tmi1k g0tmi1k force-pushed the ssh_version branch 3 times, most recently from fca982e to e6e49a2 on April 30, 2026 11:57
@g0tmi1k g0tmi1k changed the title ssh_version: Improve report_* ssh_version: Various improvements May 4, 2026
