Knowledge Base

Ask A Question



Locating libssh to triage CVE-2018-10933

Looking through Nexpose for libssh server banners I haven't seen the banners being fingerprinted. I've done initial triage with SQL reports Via SSH banners but I was curious if anyone else has already written a solid libssh fingerprint that I can borrow to write a basic vulnerability check? My Initial libssh banner report: ``` WITH asset_ips AS ( SELECT asset_id, ip_address, type FROM dim_asset_ip_address dips ), asset_addresses AS ( SELECT da.asset_id, (SELECT array_to_string(array_agg(ip_address), ',') FROM asset_ips WHERE asset_id = da.asset_id AND type = 'IPv4') AS ipv4s, (SELECT array_to_string(array_agg(ip_address), ',') FROM asset_ips WHERE asset_id = da.asset_id AND type = 'IPv6') AS ipv6s, (SELECT array_to_string(array_agg(mac_address), ',') FROM dim_asset_mac_address WHERE asset_id = da.asset_id) AS macs FROM dim_asset da JOIN asset_ips USING (asset_id) ), asset_names AS ( SELECT asset_id, array_to_string(array_agg(host_name), ',') AS names FROM dim_asset_host_name GROUP BY asset_id ), banners AS ( SELECT da.asset_id AS asset_id, dasc.port AS port, AS ds_name, ' [' || || ': ' || array_to_string(array_agg(dasc.value),', ')::text || ']' AS banner_info FROM dim_asset da JOIN dim_asset_service_configuration dasc USING (asset_id) JOIN dim_service ds USING (service_id) GROUP BY da.asset_id, da.ip_address, dasc.port,, ) SELECT da.ip_address AS "Asset IP Address", an.names AS "Asset Names", csv( AS "Sites", banners.port, banners.ds_name, csv(banners.banner_info) AS "Banner Info" FROM dim_asset da LEFT OUTER JOIN asset_addresses aa USING (asset_id) LEFT OUTER JOIN asset_names an USING (asset_id) JOIN banners using (asset_id) JOIN dim_site_asset using (asset_id) JOIN dim_site ds USING (site_id) WHERE banners.banner_info ilike '%libssh%' GROUP BY da.ip_address, da.ip_address,, banners.port, banners.ds_name, an.names, ORDER BY da.ip_address, banners.port ```

Posted by BrianWGray 4 months ago