Finding CVE-2018-10933 affected hosts with masscan

Libssh 0.6.0 and later are affected by CVE-2018-10933, an authentication bypass in the server side of the library (fixed in 0.7.6 and 0.8.4). Mitigating the threat is easy, since the libssh team has published patched versions, but finding the affected hosts probably isn't, if you haven't done a good job of documenting your servers or if you simply don't manage them.

Some people have relied on the Shodan search engine to discover these hosts, and some have written Python scripts that do banner grabbing.

All these methods work, but they have their cons: Shodan may not cover all the hosts you're interested in, and of course Shodan shouldn't have access to your internal network; and some of the scripts are so slow on large ranges that they are ineffective in practice.

My choice and solution is masscan, which has tons of good configuration options. Masscan is a very fast port scanner that also happens to be able to grab banners from SSH servers (and other services, of course), which is what you need in order to report the affected hosts: the libssh version is right there in the SSH identification string.

Below I've attached my configuration file, which you can run with e.g. ./masscan -c config.conf.

In the config I of course assume that you're running your SSH servers on port 22.

To define the range you wish to scan you can use either CIDR blocks or ranges of IP addresses. If you are an internet service provider you probably have lots of blocks, so you can list them separated by commas.

If you wish to scan everything in your AS number, you either already know the ranges you need to scan, or you can query a whois server (e.g. whois.radb.net) for routes originating from that AS and grep out the ranges you seek.

The rest of the scan should be quite fast even with a huge number of addresses, and you can grep the result file for libssh banners with affected versions. Keep in mind that the banner only tells you what the server reports: a distribution that backports the fix without bumping the version string will still show up, so treat the list as candidates to verify, not as confirmed vulnerable hosts.

When you have the list you know which hosts need action, if you didn't know before. If masscan doesn't accept these options, you probably have a too old version of masscan in your repos and you should compile it from source.
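The two grep-and-glue steps above, building the range list from whois output and picking the affected hosts out of masscan's grepable output, as an added example (this is not code from the original post). It assumes RADB-style whois output with route: objects, and masscan grepable lines of the form Host: <ip> () followed by the port and banner fields; the sample texts and IP addresses below are constructed for the demonstration. The affected-version logic treats 0.6.x as affected (no fixed release in that branch), 0.7.x as affected below 0.7.6 and 0.8.x as affected below 0.8.4.

```python
import re

# Constructed sample of what "whois -h whois.radb.net -- '-i origin AS64496'"
# returns: route objects for the prefixes announced by that AS.
WHOIS_SAMPLE = """\
route:          192.0.2.0/24
descr:          Example ISP block 1
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
descr:          Example ISP block 2
origin:         AS64496
source:         RADB
"""

# Constructed sample in the shape of masscan's grepable output with banners.
# Both libssh banner spellings ("libssh_0.7.4" and "libssh-0.6.3") occur in the wild.
SCAN_SAMPLE = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//SSH-2.0-libssh_0.7.4/
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//SSH-2.0-libssh_0.7.6/
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh//SSH-2.0-OpenSSH_7.4/
Host: 192.0.2.13 ()\tPorts: 22/open/tcp//ssh//SSH-2.0-libssh-0.6.3/
Host: 192.0.2.14 ()\tPorts: 22/open/tcp//ssh//SSH-2.0-libssh_0.8.4/
Host: 192.0.2.15 ()\tPorts: 22/open/tcp//ssh//SSH-2.0-libssh_0.8.3/
Host: 198.51.100.7 ()\tPorts: 22/open/tcp///////
"""

ROUTE_RE = re.compile(r"^route:\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})", re.MULTILINE)
HOST_RE = re.compile(r"Host:\s+(\d{1,3}(?:\.\d{1,3}){3})")
BANNER_RE = re.compile(r"SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")


def ranges_from_whois(text):
    """Extract IPv4 route: prefixes from whois output and join them with commas,
    which is the form the 'range =' line of the masscan config expects."""
    prefixes = []
    for m in ROUTE_RE.finditer(text):
        if m.group(1) not in prefixes:  # dedupe, keep whois order
            prefixes.append(m.group(1))
    return ",".join(prefixes)


def is_affected(version):
    """CVE-2018-10933: libssh 0.6.0 and later, fixed in 0.7.6 and 0.8.4."""
    if version < (0, 6, 0):
        return False
    if version < (0, 7, 0):
        return True  # 0.6.x never got a fixed release
    if version < (0, 8, 0):
        return version < (0, 7, 6)
    if version < (0, 9, 0):
        return version < (0, 8, 4)
    return False  # 0.9 and later shipped after the fix


def affected_hosts(grepable_text):
    """Return [(ip, version)] for every line whose banner is an affected libssh.
    Lines without a Host: field or without a libssh banner are skipped."""
    hits = []
    for line in grepable_text.splitlines():
        host = HOST_RE.search(line)
        banner = BANNER_RE.search(line)
        if not host or not banner:
            continue
        version = tuple(int(x) for x in banner.groups())
        if is_affected(version):
            hits.append((host.group(1), "%d.%d.%d" % version))
    return hits


if __name__ == "__main__":
    print("range = " + ranges_from_whois(WHOIS_SAMPLE))
    for ip, ver in affected_hosts(SCAN_SAMPLE):
        print("%s libssh %s (banner match, verify before reporting)" % (ip, ver))
```

Pipe the real files in instead of the samples (the whois output into ranges_from_whois, scan.csv into affected_hosts) and you get the range line for the config and the candidate list in one go. The version check is on the banner string only, which is exactly why the output says "verify": a backported fix does not change what the banner reports.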

#SCAN
#banners are what carry the libssh version string
banners = true
rate = 250
output-format = grepable
output-filename = scan.csv
output-status = all
ports = 22
#CIDR blocks or a-b ranges, comma separated
range = 
#comment out source-port or delete
#if you don't understand why I used source-port
#read masscan documentation/manpage
#(short version: masscan uses its own TCP stack, so the kernel would
#RST the connections before the banner arrives; with a fixed source port
#you can drop that traffic from the kernel's view with
#iptables -A INPUT -p tcp --dport 61000 -j DROP)
source-port = 61000
connection-timeout = 60
retries = 5
