Over the past couple of weeks, I've been working on enhancing the operating system detection logic in the TrustKeeper Scan Engine.
Having the capability to detect a target's operating system can be very useful. Whether you're performing a simple asset identification scan or doing an in-depth review, this information helps you make more informed decisions.
In this blog post, I'll be talking about a technique that you can use to fingerprint a server's operating system version using just its OpenSSH banner. I'll also share some analysis I did using this technique and leveraging some publicly available scan data from the Critical.IO project that was released earlier this year.
Anatomy of an Ubuntu OpenSSH Banner
If you've ever been curious enough to connect with netcat to an Ubuntu system that is running SSH, you will have seen something like this:
~ $ nc 192.168.101.139 22
Now let's take a look at the individual components that make up the banner:
Each element has a specific meaning and tells us more about the server:
- ProtoVersion – The SSH protocol version that should be used when connecting to this server. These days, 2.0 is pretty standard.
- OpenSSHVersion – This indicates what version of OpenSSH is installed on this server. This is typically bumped any time a new major operating system version is released, to coincide with the most stable version of OpenSSH at the time.
- PortableVersion – OpenSSH produces two variants: a "clean" version (minimal, for OpenBSD) and a "portable" version (more compatible, for other platforms). The portable version indicates which revision of the portable release the server has installed.
- SSHComment – This is not called out above, but it is the equivalent of the combination of the build version and patch version shown above. Basically, anything after the space in the OpenSSH version string is the optional SSH comment. This varies significantly between operating system type and packaging provider and is usually the most useful place for getting OS hints.
- BuildVersion – This is the build version that is specific to Debian ("deb")-style packaging. This style of build version is seen in both Debian and Ubuntu operating systems. It's common to see a major operating system release use one to three of these build versions over its life span.
- PatchVersion – This is the patch version of the deb package, and it is specific to Ubuntu-based systems. It describes the iterative package revisions involved in making small tweaks to the package, and is commonly used to address bugs and security issues. There can be many of these revisions within both major and minor releases of the operating system.
Translate Banner Elements to Ubuntu Versions
If you were to attempt to translate the above banner to a specific Ubuntu version at a glance, it would be very difficult, because the versions we see in the banner do not appear to have any correlation to the Ubuntu version. In the above example, my target is running Ubuntu 12.04, but none of the banner elements tell us this explicitly.
However, with some very basic research we can find the following Launchpad entry, which describes that this specific OpenSSH version, build version and patch version were built specifically for Ubuntu 12.04 (Precise Pangolin). These three elements effectively make a unique key that we can use to determine an Ubuntu version.
This technique was described in a July 2010 blog post by Worawit (sleepya), which includes examples that go beyond just Ubuntu. Today, we're going to talk about just Ubuntu, but it's important to note that a similar process could be performed for other operating systems that provide consistent SSH comments in their package releases.
Analyzing a Big List of OpenSSH Banners
The next step was to find a big list of OpenSSH banners and get started on translating SSH banners to Ubuntu versions.
Luckily, I came across HD Moore's Critical.IO project, which had nearly a million SSH banners from Internet-wide scans performed back in March. You can download the latest port 22 dataset from this location.
The data is in JSON format, which makes it very easy to parse. I used Ruby's JSON library to parse each entry, extract its banner and produce a histogram of which banners were the most common. I excluded any banners that did not contain the string SSH, assuming they were either not running a stock banner or not running SSH at all.
Of the 936,727 SSH banners in the resulting list, I identified 136,918 (15 percent) that appeared to be Ubuntu related. Within that subset, there were 118 unique Ubuntu SSH banners.
I took these 118 unique banners and performed the translation technique above to produce mapping logic that can turn an Ubuntu SSH banner into its respective OS version. Because the scan data that I used was from an Internet-wide scan, this gave me a strong sense that we've got a really good sample of Ubuntu SSH banners, providing solid coverage the next time we need to translate an arbitrary banner to its respective Ubuntu version.
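To make the two steps above concrete, here is an added Ruby example (mine, not the TrustKeeper code or the Critical.IO tooling) that splits a banner into the elements described in the anatomy section, builds the banner histogram over newline-delimited JSON records, and translates each Ubuntu-style banner to a release through a lookup table keyed on OpenSSH version, portable version and build version. The JSON records, their "banner" field name and the IP addresses are constructed for the example, not taken from the dataset; the two lookup entries are illustrative and, in real use, each key is confirmed against its Launchpad package record as the post describes.

```ruby
require 'json'

# Shape of a stock Debian/Ubuntu OpenSSH banner, e.g.
#   SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
#   SSH-<proto>-OpenSSH_<openssh>p<portable> <comment>
BANNER_RE = /\ASSH-(?<proto>[\d.]+)-OpenSSH_(?<openssh>\d+\.\d+(?:\.\d+)?)(?:p(?<portable>\d+))?(?:\s+(?<comment>\S.*))?\z/

# Ubuntu SSH comment: <tag>-<build>ubuntu<patch>, e.g. Debian-5ubuntu1.4
UBUNTU_COMMENT_RE = /\A[A-Za-z]+-(?<build>\d+)ubuntu(?<patch>\d+(?:\.\d+)*)/

# Split a banner into its elements; returns nil for anything that is not
# an OpenSSH banner, and leaves build/patch nil for non-Ubuntu comments.
def parse_banner(banner)
  m = BANNER_RE.match(banner.to_s.strip)
  return nil unless m
  parts = { proto: m[:proto], openssh: m[:openssh], portable: m[:portable],
            comment: m[:comment], build: nil, patch: nil }
  if m[:comment] && (c = UBUNTU_COMMENT_RE.match(m[:comment]))
    parts[:build] = c[:build]
    parts[:patch] = c[:patch]
  end
  parts
end

# [openssh, portable, build] => Ubuntu release. Illustrative entries only;
# every key in a production table is verified against Launchpad.
UBUNTU_MAP = {
  ['5.9', '1', '5'] => '12.04',
  ['6.6', '1', '2'] => '14.04',
}.freeze

def ubuntu_version(parts)
  return nil unless parts && parts[:build]
  UBUNTU_MAP[[parts[:openssh], parts[:portable], parts[:build]]]
end

# Constructed sample of newline-delimited JSON scan records. The "banner"
# field name is an assumption about the dataset layout.
SAMPLE_RECORDS = <<~JSON
  {"ip":"192.0.2.10","port":22,"banner":"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4"}
  {"ip":"192.0.2.11","port":22,"banner":"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1"}
  {"ip":"192.0.2.12","port":22,"banner":"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1"}
  {"ip":"192.0.2.13","port":22,"banner":"SSH-2.0-OpenSSH_5.3"}
  {"ip":"192.0.2.14","port":22,"banner":"220 mail ESMTP"}
  {"ip":"192.0.2.15","port":22,"banner":"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2"}
JSON

# Count each distinct banner, dropping records whose banner lacks "SSH"
# (the same filter the post applies before building its histogram).
def banner_histogram(ndjson)
  counts = Hash.new(0)
  ndjson.each_line do |line|
    line = line.strip
    next if line.empty?
    banner = JSON.parse(line)['banner'].to_s
    next unless banner.include?('SSH')
    counts[banner] += 1
  end
  counts
end

# Collapse the banner histogram into Ubuntu releases. Banners with an
# Ubuntu-style comment that the table does not know go to 'unknown';
# banners without one are not Ubuntu and are skipped.
def ubuntu_summary(histogram)
  summary = Hash.new(0)
  histogram.each do |banner, n|
    parts = parse_banner(banner)
    next unless parts && parts[:build]
    summary[ubuntu_version(parts) || 'unknown'] += n
  end
  summary
end

if __FILE__ == $PROGRAM_NAME
  hist = banner_histogram(SAMPLE_RECORDS)
  hist.sort_by { |_, n| -n }.each { |b, n| puts format('%6d  %s', n, b) }
  puts ubuntu_summary(hist).inspect
end
```

The 'unknown' bucket is the useful signal when running this over a real dataset: each banner that lands there is a new OpenSSH/build pair that needs its own Launchpad lookup before the table covers it, which is exactly the manual step the post performed for its 118 unique banners.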
Ubuntu Systems w/ SSH Running on the Internet
Lastly, I took my mapping logic and put it to work so I could see what versions of Ubuntu were being used on the Internet during this time period.
What's important to remember about end-of-life software is that it no longer receives security updates, which is why keeping software updated is an important tenet of PCI DSS. The results of my analysis show that a little over one third of all Ubuntu systems running publicly available SSH services are potentially vulnerable to any vulnerability released after the end-of-life date of their installed software.
If you're ever curious whether an Ubuntu version is end of life, you can check the Ubuntu releases page.
So, as you can see, this process is relatively easy to do, and it helps us understand more about a given target, which is always good.
You can perform this process ad hoc on a penetration test and get a real sense of what operating system is installed on the target, which narrows down the subset of software that could be installed on it. In particular, this process gives us clues as to whether the operating system has patches available for specific vulnerabilities.
During the course of this research, I reached out to the erratasec team, who performed a more recent Internet scan of SSH systems back in mid-September. I'm still awaiting their reply, but I hope to update this post with their data set if and when I can get my hands on it.
Additionally, I recently added this updated translation logic to the operating system fingerprinting code within the TrustKeeper scan engine. We're still tuning and tweaking a couple of things, but I expect that these updates will go live within the next couple of weeks.