CVE-2024-6387 漏洞检查工具(cve-2016-2183漏洞验证)
yuyutoo 2025-06-15 20:17 1 浏览 0 评论
工具说明
CVE-2024-6387_Check 是一款轻量高效的检测工具,专为识别存在 regreSSHion漏洞(CVE-2024-6387) 的OpenSSH服务器而设计。该脚本支持快速扫描IP地址、域名及CIDR网段,帮助用户发现潜在漏洞,确保基础设施安全。
功能特性
- 快速扫描:支持批量检测IP、域名及CIDR网段的CVE-2024-6387漏洞
- 横幅抓取:无需认证即可高效获取SSH服务标识信息
- GraceTime检测:可选检测服务器是否通过LoginGraceTime设置缓解漏洞
- IPv6支持:完整支持IPv6地址的直接扫描和域名解析扫描
- 多线程加速:通过并发检查大幅缩短扫描时间
- 详细报告:提供带表情符号标识的清晰扫描结果摘要
- 端口检测:自动识别关闭端口并汇总无响应主机
- 补丁版本过滤:自动排除已知已修复版本,避免误报
- DNS解析:支持IP地址反向解析为域名显示
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import socket
import argparse
import ipaddress
import threading
import time
from queue import Queue
from concurrent.futures import ThreadPoolExecutor
VERSION = "0.8"
BLUE = "\033[94m"
GREEN = "\033[92m"
RED = "\033[91m"
ORANGE = "\033[33m"
ENDC = "\033[0m"
progress_lock = threading.Lock()
progress_counter = 0
total_hosts = 0
def display_banner():
banner = rf"""
{BLUE}
_________ _________ ___ ___ .__
_______ ____ ___________ ____ / _____// _____// | \|__| ____ ____
\_ __ \_/ __ \ / ___\_ __ \_/ __ \ \_____ \ \_____ \/ ~ \ |/ _ \ / \
| | \/\ ___// /_/ > | \/\ ___/ / \/ \ Y / ( <_> ) | \
|__| \___ >___ /|__| \___ >_______ /_______ /\___|_ /|__|\____/|___| /
\/_____/ \/ \/ \/ \/ \/
CVE-2024-6387 Vulnerability Checker
v{VERSION} / Alex Hagenah / @xaitax / ah@primepage.de
{ENDC}
"""
print(banner)
def resolve_hostname(hostname):
try:
addr_info = socket.getaddrinfo(hostname, None)
addresses = [addr[4][0] for addr in addr_info]
return addresses
except socket.gaierror:
print(f" [-] Could not resolve hostname: {hostname}")
return []
def create_socket(ip, port, timeout):
try:
family = socket.AF_INET6 if ':' in ip else socket.AF_INET
sock = socket.socket(family, socket.SOCK_STREAM)
sock.settimeout(timeout)
sock.connect((ip, port))
return sock
except Exception:
return None
def get_ssh_banner(sock, use_help_request):
try:
banner = sock.recv(1024).decode(errors='ignore').strip()
if banner or not use_help_request:
return banner
help_string = "HELP\n"
sock.sendall(help_string.encode())
banner = sock.recv(1024).decode(errors='ignore').strip()
return banner
except Exception as e:
return str(e)
finally:
sock.close()
def check_vulnerability(ip, port, timeout, grace_time_check, use_help_request, dns_resolve, result_queue):
global progress_counter
sshsock = create_socket(ip, port, timeout)
if not sshsock:
result_queue.put((ip, port, 'closed', "Port closed", ip))
with progress_lock:
progress_counter += 1
return
banner = get_ssh_banner(sshsock, use_help_request)
if "SSH-2.0" not in banner:
result_queue.put(
(ip, port, 'failed', f"Failed to retrieve SSH banner: {banner}", ip))
with progress_lock:
progress_counter += 1
return
if "SSH-2.0-OpenSSH" not in banner:
result_queue.put((ip, port, 'unknown', f"(banner: {banner})", ip))
with progress_lock:
progress_counter += 1
return
hostname = resolve_ip(ip) if dns_resolve else None
vulnerable_versions = [
'SSH-2.0-OpenSSH_1',
'SSH-2.0-OpenSSH_2',
'SSH-2.0-OpenSSH_3',
'SSH-2.0-OpenSSH_4.0',
'SSH-2.0-OpenSSH_4.1',
'SSH-2.0-OpenSSH_4.2',
'SSH-2.0-OpenSSH_4.3',
'SSH-2.0-OpenSSH_4.4',
'SSH-2.0-OpenSSH_8.5',
'SSH-2.0-OpenSSH_8.6',
'SSH-2.0-OpenSSH_8.7',
'SSH-2.0-OpenSSH_8.8',
'SSH-2.0-OpenSSH_8.9',
'SSH-2.0-OpenSSH_9.0',
'SSH-2.0-OpenSSH_9.1',
'SSH-2.0-OpenSSH_9.2',
'SSH-2.0-OpenSSH_9.3',
'SSH-2.0-OpenSSH_9.4',
'SSH-2.0-OpenSSH_9.5',
'SSH-2.0-OpenSSH_9.6',
'SSH-2.0-OpenSSH_9.7'
]
patched_versions = [
'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
'SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4',
'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5',
'SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3',
'SSH-2.0-OpenSSH_9.7p1 Debian-7',
'SSH-2.0-OpenSSH_9.6 FreeBSD-20240701',
'SSH-2.0-OpenSSH_9.7 FreeBSD-20240701'
]
if any(version in banner for version in vulnerable_versions) and banner not in patched_versions:
if grace_time_check:
sshsock = create_socket(ip, port, timeout)
starttime = time.time()
banner_throw_away = sshsock.recv(1024).decode(errors='ignore').strip()
sshsock.settimeout(grace_time_check - (time.time() - starttime) + 4)
socket_timed_out = 0
try:
msg = sshsock.recv(1024).decode(errors='ignore').strip()
except socket.timeout:
socket_timed_out = 1
time_elapsed = time.time() - starttime
if sshsock:
if socket_timed_out == 0:
result_queue.put((ip, port, 'vulnerable', f"(running {banner}) vulnerable and LoginGraceTime remediation not done (Session was closed by server at {time_elapsed:.1f} seconds)", hostname))
else:
result_queue.put((ip, port, 'likely_not_vulnerable', f"(running {banner} False negative possible depending on LoginGraceTime)", hostname))
sshsock.close()
else:
result_queue.put((ip, port, 'vulnerable', f"(running {banner})", hostname))
else:
result_queue.put((ip, port, 'vulnerable', f"(running {banner})", hostname))
else:
result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})", hostname))
with progress_lock:
progress_counter += 1
def process_ip_list(ip_list_file):
ips = []
try:
with open(ip_list_file, 'r') as file:
for target in file:
if '/' in target:
try:
network = ipaddress.ip_network(target.strip(), strict=False)
ips.extend([str(ip) for ip in network.hosts()])
except ValueError as e:
print(f" [-] Invalid CIDR notation {target} {e}")
else:
ips.append(target)
except IOError:
print(f" [-] Could not read file: {ip_list_file}")
return [ip.strip() for ip in ips]
def resolve_ip(ip):
try:
hostname = socket.gethostbyaddr(ip)
return hostname[0]
except (socket.herror, socket.gaierror):
return None
def main():
global total_hosts
display_banner()
parser = argparse.ArgumentParser(
description="Check if servers are running a vulnerable version of OpenSSH (CVE-2024-6387).")
parser.add_argument(
"targets", nargs='*', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
parser.add_argument("-p", "--ports", type=str, default="22",
help="Comma-separated list of port numbers to check (default: 22).")
parser.add_argument("-t", "--timeout", type=float, default=1.0,
help="Connection timeout in seconds (default: 1 second).")
parser.add_argument("-l", "--list", help="File containing a list of IP addresses to check.")
parser.add_argument("-g", "--grace-time-check", nargs='?', const=120, type=int,
help="Time in seconds to wait after identifying the version to check for LoginGraceTime mitigation (default: 120 seconds).")
parser.add_argument("-d", "--dns-resolve", action='store_true',
help="Resolve and display hostnames for IP addresses.")
parser.add_argument("-u", "--use-help-request", action='store_true',
help="Enable sending a HELP request if the initial SSH banner retrieval fails.")
args = parser.parse_args()
targets = args.targets
ports = [int(p) for p in args.ports.split(',')]
timeout = args.timeout
grace_time_check = args.grace_time_check
use_help_request = args.use_help_request
ips = set()
if args.list:
ips.update(process_ip_list(args.list))
for target in targets:
try:
with open(target, 'r') as file:
ips.update(file.readlines())
except IOError:
if '/' in target:
try:
network = ipaddress.ip_network(target.strip(), strict=False)
ips.update([str(ip) for ip in network.hosts()])
except ValueError:
print(f" [-] Invalid CIDR notation: {target}")
else:
resolved_ips = resolve_hostname(target)
if resolved_ips:
ips.update(resolved_ips)
else:
ips.add(target.strip())
result_queue = Queue()
ips = list(ips)
total_hosts = len(ips)
max_workers = 100
with ThreadPoolExecutor(max_workers=max_workers) as executor:
futures = [executor.submit(check_vulnerability, ip.strip(), port, timeout, grace_time_check, use_help_request, args.dns_resolve, result_queue)
for ip in ips for port in ports]
while any(future.running() for future in futures):
with progress_lock:
print(f"\rProgress: {progress_counter}/{total_hosts * len(ports)} checks performed", end="")
time.sleep(1)
for future in futures:
future.result()
print(f"\rProgress: {progress_counter}/{total_hosts * len(ports)} checks performed")
closed_ports = 0
unknown = []
not_vulnerable = []
likely_not_vulnerable = []
vulnerable = []
while not result_queue.empty():
ip, port, status, message, hostname = result_queue.get()
display_ip = f"{ip} ({hostname})" if hostname else ip
if status == 'closed':
closed_ports += 1
elif status == 'unknown':
unknown.append((display_ip, port, message))
elif status == 'vulnerable':
vulnerable.append((display_ip, port, message))
elif status == 'not_vulnerable':
not_vulnerable.append((display_ip, port, message))
elif status == 'likely_not_vulnerable':
likely_not_vulnerable.append((display_ip, port, message))
else:
print(f" [!] Server at {display_ip} is {message}")
print(f"\n Servers not vulnerable: {len(not_vulnerable)}")
for ip, port, msg in not_vulnerable:
print(f" [+] Server at {GREEN}{ip}{ENDC} {msg}")
if grace_time_check:
print(f"\n Servers likely not vulnerable (possible LoginGraceTime remediation): {len(likely_not_vulnerable)}")
for ip, port, msg in likely_not_vulnerable:
print(f" [+] Server at {GREEN}{ip}{ENDC} {msg}")
print(f"\n Servers likely vulnerable: {len(vulnerable)}")
for ip, port, msg in vulnerable:
print(f" [+] Server at {RED}{ip}{ENDC} {msg}")
print(f"\n Servers with unknown SSH version: {len(unknown)}")
for ip, port, msg in unknown:
print(f" [+] Server at {ORANGE}{ip}{ENDC} {msg}")
print(f"\n Servers with port(s) closed: {closed_ports}")
print(f"\n Total scanned hosts: {total_hosts}")
print(f" Total port checks performed: {progress_counter}")
if __name__ == "__main__":
main()使用指南
python CVE-2024-6387_Check.py <目标> [--ports 端口] [--timeout 超时] [--list 文件] [--grace-time-check [秒数]] [--dns-resolve] [--use-help-request]参数说明
- <目标>:IP地址/域名/含IP列表的文件路径/CIDR网段
- --timeout 超时:设置连接超时秒数(默认:1秒)
- --list 文件:指定待检测IP地址列表文件
- --ports 端口:指定检测端口列表(默认:22)
- --use-help-request:当SSH横幅获取失败时启用HELP请求
- --grace-time-check [秒数]:版本识别后检测LoginGraceTime缓解措施的等待时间(默认120秒)
- --dns-resolve:启用IP地址反向域名解析
命令行参数
- <targets>:IP 地址、域名、包含 IP 地址的文件路径或 CIDR 网络范围。
- --timeout TIMEOUT:设置连接超时时间(秒)(默认值:1 秒)。
- --list FILE:包含要检查的 IP 地址列表的文件。
- --ports PORTS:指定要检查的端口号的逗号分隔列表(默认值:22)。
- --use-help-request:如果初始 SSH 横幅检索失败,则启用发送 HELP 请求。
- --grace-time-check [SECONDS]:确定版本后检查缓解措施的等待时间(秒LoginGraceTime)(默认值:120 秒)。
- --dns-resolve:解析并显示 IP 地址的主机名。
示例
单一IP
python CVE-2024-6387_Check.py 192.168.1.1来自文件的 IP
python CVE-2024-6387_Check.py -l ip_list.txt多个 IP 和域名
python CVE-2024-6387_Check.py 192.168.1.1 example.com 192.168.1.2CIDR 范围
python CVE-2024-6387_Check.py 192.168.1.0/24具有多个端口
python CVE-2024-6387_Check.py 192.168.1.1 example.com --ports 22,2222检查 LoginGraceTime 缓解措施
python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check使用自定义时间检查 LoginGraceTime 缓解措施
python CVE-2024-6387_Check.py 192.168.1.1 --grace-time-check 150启用帮助请求
python CVE-2024-6387_Check.py 192.168.1.1 --use-help-request启用 DNS/主机名解析
python CVE-2024-6387_Check.py 192.168.1.1 --dns-resolve相关推荐
- Python操作Word文档神器:python-docx库从入门到精通
-
Python操作Word文档神器:python-docx库从入门到精通动动小手,点击关注...
- Python 函数调用从入门到精通:超详细定义解析与实战指南 附案例
-
一、函数基础:定义与调用的核心逻辑定义:函数是将重复或相关的代码块封装成可复用的单元,通过函数名和参数实现特定功能。它是Python模块化编程的基础,能提高代码复用性和可读性。定义语法:...
- 等这么长时间Python背记手册终于来了,入门到精通(视频400集)
-
本文毫无套路!真诚分享!前言:无论是学习任何一门语言,基础知识一定要扎实,基础功非常的重要,找一个有丰富编程经验的老师或者师兄带着你会少走很多弯路,你的进步速度也会快很多,无论我们学习的目的是什么,...
- 图解Python编程:从入门到精通系列教程(附全套速查表)
-
引言本系列教程展开讲解Python编程语言,Python是一门开源免费、通用型的脚本编程语言,它上手简单,功能强大,它也是互联网最热门的编程语言之一。Python生态丰富,库(模块)极其丰富,这使...
- Python入门教程(非常详细)从零基础入门到精通,看完这一篇就够
-
本书是Python经典实例解析,采用基于实例的方法编写,每个实例都会解决具体的问题和难题。主要内容有:数字、字符串和元组,语句与语法,函数定义,列表、集、字典,用户输入和输出等内置数据结构,类和对象,...
- Python函数全解析:从入门到精通,一文搞定!
-
1.为什么要用函数?函数的作用:封装代码,提高复用性,减少重复,提高可读性。...
- Python中的单例模式:从入门到精通
-
Python中的单例模式:从入门到精通引言单例模式是一种常用的软件设计模式,它保证了一个类只有一个实例,并提供一个全局访问点。这种模式通常用于那些需要频繁创建和销毁的对象,比如日志对象、线程池、缓存等...
- 【Python王者归来】手把手教你,Python从入门到精通!
-
用800个程序实例、5万行代码手把手教你,Python从入门到精通!...
- Python从零基础入门到精通:一个月就够了
-
如果想从零基础到入门,能够全职学习(自学),那么一个月足够了。...
- Python 从入门到精通:一个月就够了
-
要知道,一个月是一段很长的时间。如果每天坚持用6-7小时来做一件事,你会有意想不到的收获。作为初学者,第一个月的月目标应该是这样的:熟悉基本概念(变量,条件,列表,循环,函数)练习超过30个编...
- Python零基础到精通,这8个入门技巧让你少走弯路,7天速通编程!
-
Python学习就像玩积木,从最基础的块开始,一步步搭建出复杂的作品。我记得刚开始学Python时也是一头雾水,走了不少弯路。现在回头看,其实掌握几个核心概念,就能快速入门这门编程语言。来聊聊怎么用最...
- 神仙级python入门教程(非常详细),从0到精通,从看这篇开始!
-
python入门虽然简单,很多新手依然卡在基础安装阶段,大部分教程对一些基础内容都是一带而过,好多新手朋友,对一些基础知识常常一知半解,需要在网上查询很久。...
- Python类从入门到精通,一篇就够!
-
一、Python类是什么?大家在生活中应该都见过汽车吧,每一辆真实存在、能在路上跑的汽车,都可以看作是一个“对象”。那这些汽车是怎么生产出来的呢?其实,在生产之前,汽车公司都会先设计一个详细的蓝图...
- 学习Python从入门到精通:30天足够了,这才是python基础的天花板
-
当年2w买的全套python教程用不着了,现在送给有缘人,不要钱,一个月教你从入门到精通1、本套视频共487集,本套视频共分4季...
- 30天Python 入门到精通(3天学会python)
-
以下是一个为期30天的Python入门到精通学习课程,专为零基础新手设计。课程从基础语法开始,逐步深入到面向对象编程、数据处理,最后实现运行简单的大语言模型(如基于HuggingFace...
欢迎 你 发表评论:
- 一周热门
- 最近发表
- 标签列表
-
- mybatis plus (70)
- scheduledtask (71)
- css滚动条 (60)
- java学生成绩管理系统 (59)
- 结构体数组 (69)
- databasemetadata (64)
- javastatic (68)
- jsp实用教程 (53)
- fontawesome (57)
- widget开发 (57)
- vb net教程 (62)
- hibernate 教程 (63)
- case语句 (57)
- svn连接 (74)
- directoryindex (69)
- session timeout (58)
- textbox换行 (67)
- extension_dir (64)
- linearlayout (58)
- vba高级教程 (75)
- iframe用法 (58)
- sqlparameter (59)
- trim函数 (59)
- flex布局 (63)
- contextloaderlistener (56)