Over the past couple of weeks, I've been working on enhancing the operating system detection logic in the TrustKeeper Scan Engine.
Having the capability to detect a target's operating system can be very useful. Whether you're performing a simple asset identification scan or doing an in-depth review, this information helps you make more informed decisions.
In this blog post, I'll be talking about a technique that you can use to fingerprint a server operating system version using just its OpenSSH banner. I'll also share some analysis I did using this technique and some publicly available scan data from the Critical.IO project that was released earlier this year.
Anatomy of an Ubuntu OpenSSH Banner
If you've ever been curious enough to connect with netcat to an Ubuntu system that is running SSH, you would have seen something like this:
~ $ nc 192.168.101.139 22
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
Now let's take a look at the individual components that make up the banner:
Each element has a specific meaning and tells us more about the server:
Translate Banner Elements to Ubuntu Versions
If you were to attempt to translate the above banner to a specific Ubuntu version at a glance, it would be very difficult, because the versions we're seeing in the banner do not appear to have any correlation to the Ubuntu version. In the above example, my target is running Ubuntu 12.04, but none of the banner elements tell us this explicitly.
However, with some very basic research we can find the following Launchpad entry, which shows that this specific OpenSSH version, build version and patch version were built specifically for Ubuntu 12.04 (Precise Pangolin). These three elements effectively make a unique key that we can use to determine an Ubuntu version.
This technique was described in a July 2010 blog post by Worawit (sleepya), which includes examples that go beyond just Ubuntu. Today, we're going to talk about just Ubuntu, but it's important to note that a similar process could be performed for other operating systems that provide consistent SSH comments in their package releases.
Analyzing a big list of OpenSSH Banners
The next step was to find a big list of OpenSSH banners and get started on translating SSH banners to Ubuntu versions.
Luckily, I came across HD Moore's Critical.IO project, which had nearly a million SSH banners from Internet-wide scans performed back in March. You can download the latest port22 dataset from this location.
The format of this data is JSON, which makes it very easy to parse. I used Ruby's JSON library to parse each entry, extract its related banner and produce a histogram of which banners were the most common. I excluded any banners that did not contain the string SSH, assuming they were not running a stock banner or they were not running SSH at all.
Of the 936,727 SSH banners in the resulting list, I identified 136,918 (15 percent) that appeared to be Ubuntu related. Within that subset, there were 118 unique Ubuntu SSH banners.
I took these 118 unique banners and performed the translation technique above to produce mapping logic that can turn an Ubuntu SSH banner into its respective OS version. Because the scan data that I used was from an Internet-wide scan, this gave me a strong sense that we've got a really good sample of Ubuntu SSH banners to provide solid coverage the next time we need to translate an arbitrary banner to its respective Ubuntu version.
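The histogram and translation steps described above, as an added Ruby example (not the author's script or the TrustKeeper logic). The `banner` field name, the sample records and the way the build and patch versions are split out of the banner are assumptions; only the 5.9p1 / 5ubuntu1 to 12.04 mapping comes from this post, and the lookup here ignores the patch version.

```ruby
require 'json'

# Constructed sample records. The "banner" field name is an assumption,
# not the real Critical.IO schema.
SAMPLE_LINES = [
  '{"ip":"192.0.2.10","banner":"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1\r\n"}',
  '{"ip":"192.0.2.11","banner":"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1\r\n"}',
  '{"ip":"192.0.2.12","banner":"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"}',
  '{"ip":"192.0.2.13","banner":"SSH-2.0-OpenSSH_5.3\r\n"}',
  '{"ip":"192.0.2.14","banner":"HTTP/1.1 400 Bad Request\r\n"}'
].freeze

# [OpenSSH version, build version] => Ubuntu release. The first entry is the
# one from this post; the second is added from Launchpad's package history.
UBUNTU_RELEASES = {
  %w[5.9p1 5ubuntu1] => '12.04 (Precise Pangolin)',
  %w[5.3p1 3ubuntu7] => '10.04 (Lucid Lynx)'
}.freeze

# Captures: OpenSSH version, build version, optional patch version.
UBUNTU_BANNER =
  /\ASSH-[\d.]+-OpenSSH_(\S+) (?:Debian|Ubuntu)-(\d+ubuntu\d+)(?:\.(\d+))?/

# Keep only banners containing "SSH", as the post does.
def ssh_banners(lines)
  lines.map { |line| JSON.parse(line)['banner'].to_s.strip }
       .select { |banner| banner.include?('SSH') }
end

# Banner => count pairs, most common first.
def histogram(banners)
  counts = banners.each_with_object(Hash.new(0)) { |b, h| h[b] += 1 }
  counts.sort_by { |_, n| -n }
end

def parse_ubuntu_banner(banner)
  m = UBUNTU_BANNER.match(banner)
  m && { openssh: m[1], build: m[2], patch: m[3] }
end

# nil for non-Ubuntu banners, 'unknown' for Ubuntu banners not in the table.
def ubuntu_release(banner)
  parts = parse_ubuntu_banner(banner)
  parts && UBUNTU_RELEASES.fetch(parts.values_at(:openssh, :build), 'unknown')
end

histogram(ssh_banners(SAMPLE_LINES)).each do |banner, count|
  puts format('%2d  %-42s %s', count, banner, ubuntu_release(banner) || '-')
end
```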
Ubuntu Systems w/ SSH Running on the Internet
Lastly, I took my mapping logic and put it to work so I could see what versions of Ubuntu were being used on the Internet during this time period.
One of the things I noticed about the translated data set was that 34 percent of all the fingerprinted versions were end-of-life versions of Ubuntu.
What's important to remember about end-of-life software is that it no longer receives security updates, which is why updating software is an important tenet of PCI DSS. The results of my analysis show that a little over one third of all Ubuntu systems running publicly available SSH services are potentially vulnerable to any vulnerability released after the end-of-life date of their installed software.
If you're ever curious whether an Ubuntu version is end of life, you can check the Ubuntu releases page.
Wrapping Up
So as you can see, this process is relatively easy to do, and it helps us understand more about a given target, which is always good.
You can perform this process ad hoc on a penetration test and get a real sense for what operating system is installed on the target, which affects the subset of software that could be installed on it. In particular, this process gives us clues as to whether the operating system has available patches for specific vulnerabilities.
During the process of performing this research, I did reach out to the erratasec team, who performed a more recent Internet scan of SSH systems back in mid-September. I'm still awaiting their reply, but I hope to update this post with their data set if and when I can get my hands on it.
Additionally, I recently added this updated translation logic into the operating system fingerprinting code within the TrustKeeper scan engine. We're still tuning and tweaking a couple of things, but I expect that these updates will go live within the next couple of weeks.