Share
## https://sploitus.com/exploit?id=FD2E0EBA-ED84-5304-8862-84BCDEB2F288
# SSH Terrapin Attack Vulnerability Scanner (CVE-2023-48795)

A comprehensive, educational tool for detecting SSH servers vulnerable to the Terrapin attack (CVE-2023-48795). This scanner accurately identifies vulnerable configurations by analyzing cipher suites, SSH versions, and strict key exchange (strict KEX) support.

## ๐Ÿ“‹ Table of Contents

- [Overview](#overview)
- [What is the Terrapin Attack?](#what-is-the-terrapin-attack)
- [Features](#features)
- [Installation](#installation)
- [Usage](#usage)
- [Examples](#examples)
- [Understanding Results](#understanding-results)
- [Mitigation](#mitigation)
- [Technical Details](#technical-details)
- [Disclaimer](#disclaimer)
- [References](#references)

## Overview

The Terrapin attack (CVE-2023-48795) is a vulnerability in the SSH protocol that allows attackers to downgrade the security of the connection by manipulating sequence numbers during the handshake process. This scanner helps administrators identify vulnerable SSH servers and take appropriate action.

**โš ๏ธ IMPORTANT**: This tool is for educational purposes and authorized testing only. Only scan systems you own or have explicit permission to test.

## What is the Terrapin Attack?

The Terrapin attack exploits the SSH handshake process by:
- Manipulating sequence numbers during the key exchange
- Truncating the negotiation phase
- Forcing the use of weaker cryptographic algorithms (like ChaCha20-Poly1305)
- Potentially bypassing security controls

### Affected Versions
- OpenSSH versions before 9.6
- Other SSH implementations without strict KEX patches

## Features

โœ… **Accurate Detection**: Identifies true vulnerability based on cipher support AND strict KEX status  
โœ… **No False Positives**: Differentiates between banner acceptance (normal) and actual vulnerability  
โœ… **Version Detection**: Extracts SSH version to determine strict KEX support  
โœ… **Detailed Analysis**: Shows which ciphers and MAC algorithms are present  
โœ… **Clear Recommendations**: Provides actionable mitigation steps  
โœ… **Multiple Input Formats**: Accepts IPs, hostnames, URLs, and custom ports  
โœ… **Educational Mode**: Banner behavior testing for learning purposes  

## Installation

### Prerequisites
- Python 3.6 or higher
- No additional dependencies required (uses only standard library)

### Download
```bash
# Clone or download the script
wget https://your-repo/terrapin_scanner.py
chmod +x terrapin_scanner.py
```
Usage
Basic Syntax
```bash
python terrapin_scanner.py -u  [options]
```
Command Line Arguments
Argument	Description	Required
-u, --url	Target URL, IP, or hostname	Yes
-p, --port	SSH port (default: 22)	No
--test-banner	Test banner acceptance behavior	No
-v, --verbose	Enable verbose output	No
--timeout	Connection timeout in seconds (default: 5)	No
Input Formats
The scanner accepts multiple formats for specifying targets:

```bash
# IP address
python terrapin_scanner.py -u 192.168.1.100

# Hostname
python terrapin_scanner.py -u localhost

# With port in URL
python terrapin_scanner.py -u 192.168.1.100:2222

# URL format
python terrapin_scanner.py -u ssh://192.168.1.100

# Separate port parameter
python terrapin_scanner.py -u 192.168.1.100 -p 2222
```
Examples
Basic Scan
```bash
$ python terrapin_scanner.py -u 192.168.0.102

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘     SSH Terrapin Attack Vulnerability Scanner (CVE-2023-48795)   โ•‘
โ•‘     Accurate detection | Educational & authorized testing only  โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Target URL: 192.168.0.102
[*] Resolved to: 192.168.0.102:22
[*] Testing SSH server: 192.168.0.102:22
[+] Server banner: SSH-2.0-OpenSSH_8.4p1 Debian-5

======================================================================
 TERRAPIN VULNERABILITY SCAN RESULTS (CVE-2023-48795)
======================================================================

๐Ÿ“ Target: 192.168.0.102:22
๐Ÿ–ฅ๏ธ  Server Software: OpenSSH_8.4p1 Debian-5
๐Ÿ“ฆ SSH Version: 8.4

๐Ÿ” Vulnerability Analysis:
   โœ… No ChaCha20-Poly1305 cipher detected - Terrapin attack not possible

๐Ÿ“Š Detailed Analysis:
   โ€ข ChaCha20-Poly1305: โœ— Not present
   โ€ข CBC Mode Ciphers: โœ— Not present
   โ€ข Weak MAC Algorithms: โœ— Not present
   โ€ข Strict KEX: โœ— Not detected

๐Ÿ”’ Vulnerability Status:
   โœ…โœ…โœ… NOT vulnerable to Terrapin attack โœ…โœ…โœ…

๐Ÿ’ก Recommendations:
   1. โœ… Server appears secure against Terrapin attack
   2. โœ“ Continue regular security updates and monitoring

======================================================================

โœ… Server is secure against Terrapin attack
Scan with Banner Test (Educational)
bash
python terrapin_scanner.py -u localhost --test-banner
Scan Specific Port
bash
python terrapin_scanner.py -u 192.168.1.100 -p 2222
Verbose Output
bash
python terrapin_scanner.py -u localhost -v
Understanding Results
Vulnerability Status Indicators
Status	Meaning
โœ…โœ…โœ… NOT vulnerable	Server is secure against Terrapin attack
โŒโŒโŒ VULNERABLE	Server is vulnerable - update immediately
๐ŸŸก Partially protected	Has vulnerable ciphers but strict KEX provides protection
Analysis Components
ChaCha20-Poly1305: Primary cipher used in Terrapin attacks

CBC Mode Ciphers: Can be used in downgrade attacks

Weak MAC Algorithms: Indicate outdated configuration

Strict KEX: Modern protection against sequence number manipulation

What Results Mean
NOT Vulnerable
No ChaCha20-Poly1305 cipher detected, OR

ChaCha20-Poly1305 present but strict KEX protects

VULNERABLE
ChaCha20-Poly1305 cipher present AND

No strict KEX protection (OpenSSH < 9.6 or unpatched)
```
Mitigation
If your server is found vulnerable:

1. Update OpenSSH
```bash
# Ubuntu/Debian
sudo apt update
sudo apt upgrade openssh-server
```
```bash
# RHEL/CentOS
sudo yum update openssh-server

# Check version after update
ssh -V
2. Apply Patches
bash
# For OpenSSH 9.6+ (strict KEX included)
# Check if patches are available for your distribution
3. Configuration Hardening
Edit /etc/ssh/sshd_config:

bash
# Enable strict key exchange
StrictModes yes
# Or for newer versions
StrictKEX yes

# Disable vulnerable ciphers (temporary workaround)
Ciphers -chacha20-poly1305@openssh.com

# Restart SSH service
sudo systemctl restart sshd
```
4. Verify Mitigation
```bash
# Rescan after applying fixes
python terrapin_scanner.py -u localhost
```
Technical Details
How Detection Works
Banner Exchange: Connects to SSH server and retrieves version banner

Cipher Analysis: Scans for vulnerable cipher suites (ChaCha20-Poly1305, CBC modes)

Version Detection: Extracts OpenSSH version to determine strict KEX support

Vulnerability Assessment: Combines findings to determine actual risk

Vulnerability Criteria
A server is considered vulnerable if:

Supports chacha20-poly1305@openssh.com cipher AND

Lacks strict key exchange protection (OpenSSH < 9.6 or unpatched)

Why Not Just Banner Acceptance?
Banner acceptance is normal SSH behavior:

SSH servers accept any client version string

The real attack manipulates sequence numbers, not banners

Testing banner acceptance alone would cause false positives

Disclaimer
โš ๏ธ IMPORTANT LEGAL NOTICE

This tool is provided for educational and security testing purposes only. By using this software, you agree to:

Only scan systems you own or have explicit written permission to test

Not use this tool for malicious purposes or unauthorized access

Comply with all applicable laws and regulations

Accept full responsibility for your actions

The authors are not responsible for any misuse or damage caused by this tool.

References
Terrapin Attack Official Website

CVE-2023-48795 Details

OpenSSH Security Advisory

RFC 4253 - SSH Transport Layer Protocol

License
This project is for educational purposes. Use responsibly.