## https://sploitus.com/exploit?id=FD2E0EBA-ED84-5304-8862-84BCDEB2F288
# SSH Terrapin Attack Vulnerability Scanner (CVE-2023-48795)
A comprehensive, educational tool for detecting SSH servers vulnerable to the Terrapin attack (CVE-2023-48795). This scanner accurately identifies vulnerable configurations by analyzing cipher suites, SSH versions, and strict key exchange (strict KEX) support.
## ๐ Table of Contents
- [Overview](#overview)
- [What is the Terrapin Attack?](#what-is-the-terrapin-attack)
- [Features](#features)
- [Installation](#installation)
- [Usage](#usage)
- [Examples](#examples)
- [Understanding Results](#understanding-results)
- [Mitigation](#mitigation)
- [Technical Details](#technical-details)
- [Disclaimer](#disclaimer)
- [References](#references)
## Overview
The Terrapin attack (CVE-2023-48795) is a vulnerability in the SSH protocol that allows attackers to downgrade the security of the connection by manipulating sequence numbers during the handshake process. This scanner helps administrators identify vulnerable SSH servers and take appropriate action.
**โ ๏ธ IMPORTANT**: This tool is for educational purposes and authorized testing only. Only scan systems you own or have explicit permission to test.
## What is the Terrapin Attack?
The Terrapin attack exploits the SSH handshake process by:
- Manipulating sequence numbers during the key exchange
- Truncating the negotiation phase
- Forcing the use of weaker cryptographic algorithms (like ChaCha20-Poly1305)
- Potentially bypassing security controls
### Affected Versions
- OpenSSH versions before 9.6
- Other SSH implementations without strict KEX patches
## Features
โ **Accurate Detection**: Identifies true vulnerability based on cipher support AND strict KEX status
โ **No False Positives**: Differentiates between banner acceptance (normal) and actual vulnerability
โ **Version Detection**: Extracts SSH version to determine strict KEX support
โ **Detailed Analysis**: Shows which ciphers and MAC algorithms are present
โ **Clear Recommendations**: Provides actionable mitigation steps
โ **Multiple Input Formats**: Accepts IPs, hostnames, URLs, and custom ports
โ **Educational Mode**: Banner behavior testing for learning purposes
## Installation
### Prerequisites
- Python 3.6 or higher
- No additional dependencies required (uses only standard library)
### Download
```bash
# Clone or download the script
wget https://your-repo/terrapin_scanner.py
chmod +x terrapin_scanner.py
```
Usage
Basic Syntax
```bash
python terrapin_scanner.py -u [options]
```
Command Line Arguments
Argument Description Required
-u, --url Target URL, IP, or hostname Yes
-p, --port SSH port (default: 22) No
--test-banner Test banner acceptance behavior No
-v, --verbose Enable verbose output No
--timeout Connection timeout in seconds (default: 5) No
Input Formats
The scanner accepts multiple formats for specifying targets:
```bash
# IP address
python terrapin_scanner.py -u 192.168.1.100
# Hostname
python terrapin_scanner.py -u localhost
# With port in URL
python terrapin_scanner.py -u 192.168.1.100:2222
# URL format
python terrapin_scanner.py -u ssh://192.168.1.100
# Separate port parameter
python terrapin_scanner.py -u 192.168.1.100 -p 2222
```
Examples
Basic Scan
```bash
$ python terrapin_scanner.py -u 192.168.0.102
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ SSH Terrapin Attack Vulnerability Scanner (CVE-2023-48795) โ
โ Accurate detection | Educational & authorized testing only โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Target URL: 192.168.0.102
[*] Resolved to: 192.168.0.102:22
[*] Testing SSH server: 192.168.0.102:22
[+] Server banner: SSH-2.0-OpenSSH_8.4p1 Debian-5
======================================================================
TERRAPIN VULNERABILITY SCAN RESULTS (CVE-2023-48795)
======================================================================
๐ Target: 192.168.0.102:22
๐ฅ๏ธ Server Software: OpenSSH_8.4p1 Debian-5
๐ฆ SSH Version: 8.4
๐ Vulnerability Analysis:
โ No ChaCha20-Poly1305 cipher detected - Terrapin attack not possible
๐ Detailed Analysis:
โข ChaCha20-Poly1305: โ Not present
โข CBC Mode Ciphers: โ Not present
โข Weak MAC Algorithms: โ Not present
โข Strict KEX: โ Not detected
๐ Vulnerability Status:
โ โ โ NOT vulnerable to Terrapin attack โ โ โ
๐ก Recommendations:
1. โ Server appears secure against Terrapin attack
2. โ Continue regular security updates and monitoring
======================================================================
โ Server is secure against Terrapin attack
Scan with Banner Test (Educational)
bash
python terrapin_scanner.py -u localhost --test-banner
Scan Specific Port
bash
python terrapin_scanner.py -u 192.168.1.100 -p 2222
Verbose Output
bash
python terrapin_scanner.py -u localhost -v
Understanding Results
Vulnerability Status Indicators
Status Meaning
โ โ โ NOT vulnerable Server is secure against Terrapin attack
โโโ VULNERABLE Server is vulnerable - update immediately
๐ก Partially protected Has vulnerable ciphers but strict KEX provides protection
Analysis Components
ChaCha20-Poly1305: Primary cipher used in Terrapin attacks
CBC Mode Ciphers: Can be used in downgrade attacks
Weak MAC Algorithms: Indicate outdated configuration
Strict KEX: Modern protection against sequence number manipulation
What Results Mean
NOT Vulnerable
No ChaCha20-Poly1305 cipher detected, OR
ChaCha20-Poly1305 present but strict KEX protects
VULNERABLE
ChaCha20-Poly1305 cipher present AND
No strict KEX protection (OpenSSH < 9.6 or unpatched)
```
Mitigation
If your server is found vulnerable:
1. Update OpenSSH
```bash
# Ubuntu/Debian
sudo apt update
sudo apt upgrade openssh-server
```
```bash
# RHEL/CentOS
sudo yum update openssh-server
# Check version after update
ssh -V
2. Apply Patches
bash
# For OpenSSH 9.6+ (strict KEX included)
# Check if patches are available for your distribution
3. Configuration Hardening
Edit /etc/ssh/sshd_config:
bash
# Enable strict key exchange
StrictModes yes
# Or for newer versions
StrictKEX yes
# Disable vulnerable ciphers (temporary workaround)
Ciphers -chacha20-poly1305@openssh.com
# Restart SSH service
sudo systemctl restart sshd
```
4. Verify Mitigation
```bash
# Rescan after applying fixes
python terrapin_scanner.py -u localhost
```
Technical Details
How Detection Works
Banner Exchange: Connects to SSH server and retrieves version banner
Cipher Analysis: Scans for vulnerable cipher suites (ChaCha20-Poly1305, CBC modes)
Version Detection: Extracts OpenSSH version to determine strict KEX support
Vulnerability Assessment: Combines findings to determine actual risk
Vulnerability Criteria
A server is considered vulnerable if:
Supports chacha20-poly1305@openssh.com cipher AND
Lacks strict key exchange protection (OpenSSH < 9.6 or unpatched)
Why Not Just Banner Acceptance?
Banner acceptance is normal SSH behavior:
SSH servers accept any client version string
The real attack manipulates sequence numbers, not banners
Testing banner acceptance alone would cause false positives
Disclaimer
โ ๏ธ IMPORTANT LEGAL NOTICE
This tool is provided for educational and security testing purposes only. By using this software, you agree to:
Only scan systems you own or have explicit written permission to test
Not use this tool for malicious purposes or unauthorized access
Comply with all applicable laws and regulations
Accept full responsibility for your actions
The authors are not responsible for any misuse or damage caused by this tool.
References
Terrapin Attack Official Website
CVE-2023-48795 Details
OpenSSH Security Advisory
RFC 4253 - SSH Transport Layer Protocol
License
This project is for educational purposes. Use responsibly.