Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

SSH Known Hosts

By kannthu

Low
Vidoc logoVidoc Module
#config#exposure#ssh
Description

What is the "SSH Known Hosts?" module?

The "SSH Known Hosts" module is designed to detect misconfigurations related to the SSH known_hosts file. It targets systems that use SSH for remote access and checks for potential vulnerabilities or exposure.

This module has a low severity level, indicating that the detected issues may not pose a significant threat but should still be addressed to ensure the security of the SSH configuration.

This module was authored by geeknik.

Impact

If misconfigurations or vulnerabilities are found in the SSH known_hosts file, it could potentially lead to unauthorized access or man-in-the-middle attacks. Attackers may be able to intercept SSH connections or impersonate legitimate hosts, compromising the confidentiality and integrity of the communication.

How does the module work?

The "SSH Known Hosts" module performs HTTP requests to specific paths, namely "/.ssh/known_hosts" and "/.ssh/known_hosts.old". It then applies matching conditions to determine if any misconfigurations or vulnerabilities exist.

The module uses two types of matchers:

- Word Matcher: It checks if the known_hosts file contains specific SSH key types, such as "ssh-dss", "ssh-ed25519", "ssh-rsa", or "ecdsa-sha2-nistp256". If any of these key types are found, it indicates the presence of potential vulnerabilities. - Status Matcher: It verifies if the HTTP response status is 200, indicating a successful request. This condition ensures that the known_hosts file is accessible and can be analyzed for potential issues.

By combining these matchers using the "and" condition, the module determines if the SSH known_hosts file is misconfigured or vulnerable.

It is important to note that this module is just one test case within the Vidoc platform, which utilizes multiple modules to perform comprehensive scanning and analysis.

For more information, you can refer to the SSH Known Hosts reference.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/.ssh/known_hosts/.ssh/known_hosts.ol...
Matching conditions
word: ssh-dss, ssh-ed25519, ssh-rsa, ecdsa-sha...and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability