
I just did a scan with nmap and it found an SSH service running (nothing wrong here). The problem is it identifies the service as OpenSSH 12.1, but when I looked on the website of OpenSSH they say the last release is 7.3.

Here is the command, in case it helps:

nmap -sS -A -p 22 xxx.xxx.xxx.xxx

Here is the output:

Starting Nmap 7.12SVN ( https://nmap.org ) at 2016-08-15 15:29 EDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.00026s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 12.1 (protocol 2.0)
| ssh-hostkey:
|   1024 xx (DSA)
|_  2048 xx (RSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32, Linux 2.6.32 - 2.6.35

Any idea?


2 Answers

5

Someone is being deliberately deceptive. Nmap's service fingerprints are written as regular expressions that match and capture portions of the banner. Here's an example for OpenSSH:

match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)\r?\n|i p/OpenSSH/ v/$2/ i/protocol $1/ cpe:/a:openbsd:openssh:$2/

So if someone created an SSH service that returned a banner like this:

SSH-2.0-OpenSSH-12.1

Then it would produce the output you see. OpenSSH itself does not allow this banner to be configured at runtime, so the person in question either changed the code before compiling or is running some other SSH daemon.

3
  • It's also possible he has a custom (poisoned?) version of nmap-service-probes in his installation. He could compare his copy to svn.nmap.org/nmap/nmap-service-probes to make sure. Commented Aug 15, 2016 at 20:07
  • @bonsaiviking Ok thanks, I will look further into it. It could make sense, because Nexpose is giving me info that the scan is on a Palo Alto Networks PA Firewall ... For my personal knowledge, where did you get this information? :) Commented Aug 15, 2016 at 20:09
  • I confirm the banner. Using telnet xx.xx.xx.xx 22 gives me the banner with the OpenSSH-12.1 Commented Aug 15, 2016 at 20:24
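To see concretely how that match line turns a banner into the VERSION column of the scan output, here is an added example (not from the answer above and not Nmap's own code). It parses the quoted nmap-service-probes match line, compiles its regular expression, and runs it over a few constructed SSH identification strings; the function names `parse_match_line`, `fingerprint` and `version_column` are my own, and the banners are made up for the demonstration.

```python
"""Reproduce how Nmap derives "OpenSSH 12.1 (protocol 2.0)" from a banner.

Added example, not code from the original post or from Nmap. Nmap itself
uses PCRE; Python's re module handles this particular pattern the same way.
"""
import re

# The match line quoted in the answer, in nmap-service-probes syntax:
#   match <service> m<delim><regex><delim><flags> <version fields...>
OPENSSH_MATCH = (
    r"match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)\r?\n|i "
    r"p/OpenSSH/ v/$2/ i/protocol $1/ cpe:/a:openbsd:openssh:$2/"
)

# The delimiter after 'm' is any character that does not occur in the regex,
# so a lazy match up to its next occurrence recovers the regex body.
_MATCH_LINE = re.compile(
    r"^(?:soft)?match\s+(?P<service>\S+)\s+"
    r"m(?P<delim>.)(?P<regex>.*?)(?P=delim)(?P<flags>[is]*)\s*(?P<rest>.*)$"
)

# Version fields: p/product/ v/version/ i/info/ ... cpe:/.../ with $N templates.
_FIELD = re.compile(r"(p|v|i|h|o|d|cpe:)(.)(.*?)\2")
_FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
                "h": "hostname", "o": "ostype", "d": "devicetype", "cpe:": "cpe"}


def parse_match_line(line):
    """Split a match line into (service, compiled regex, [(field, template)])."""
    m = _MATCH_LINE.match(line)
    if m is None:
        raise ValueError("not a match line: %r" % line)
    flags = 0
    if "i" in m["flags"]:
        flags |= re.IGNORECASE
    if "s" in m["flags"]:
        flags |= re.DOTALL
    fields = [(key, tmpl) for key, _delim, tmpl in _FIELD.findall(m["rest"])]
    return m["service"], re.compile(m["regex"], flags), fields


def fingerprint(banner, line=OPENSSH_MATCH):
    """Apply one match line to a banner; return the filled-in fields or None.

    Only the $N capture references are expanded here (Nmap also supports
    $P() and $SUBST(), which this match line does not use).
    """
    service, regex, fields = parse_match_line(line)
    hit = regex.search(banner)
    if hit is None:
        return None

    def expand(template):
        return re.sub(r"\$(\d+)",
                      lambda g: hit.group(int(g.group(1))) or "", template)

    result = {"service": service}
    for key, template in fields:
        result[_FIELD_NAMES.get(key, key)] = expand(template)
    return result


def version_column(fp):
    """Render the fields the way Nmap prints its VERSION column."""
    return "%s %s (%s)" % (fp["product"], fp["version"], fp["info"])


if __name__ == "__main__":
    # Constructed banners: a spoofed one like the question's, a genuine-looking
    # OpenSSH one, and one from a different daemon that must not match.
    for banner in ("SSH-2.0-OpenSSH-12.1\r\n",
                   "SSH-2.0-OpenSSH_7.3\r\n",
                   "SSH-2.0-dropbear_2016.74\r\n"):
        fp = fingerprint(banner)
        print(repr(banner), "->", version_column(fp) if fp else "no match")
```

Two things worth noting from running it: the fingerprint is nothing but string capture, so whatever follows `OpenSSH[_-]` in the banner is printed as the version with no sanity check against real release numbers, and the pattern requires the terminating newline that RFC 4253 mandates for the identification string, so a banner without it does not match at all. Grabbing the banner directly (as the comment above does with telnet) and diffing your local nmap-service-probes against upstream are the two checks that separate a spoofed banner from a tampered fingerprint file.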
1

I'm pretty sure Palo Alto is doing this intentionally. Every instance of OpenSSH 12.1 that I have seen was on a Palo Alto PA firewall. I think they're doing this so that a scanning tool will not show vulnerabilities in their SSH.

Some of those firewalls were at least 4 or 5 years old, and if they are actually running OpenSSH and haven't been patched, those have to be vulnerable. These firewalls may run in networks without their packages updated for years. So they could have chosen this version number so that it would remain the latest for decades to come.

I'd suggest trying all the PoCs for OpenSSH in the last one decade to see how it holds up then.

2
  • In comments above, the OP confirms that the target is a Palo Alto Networks PA Firewall. But your speculation for why the version number is different needs support, else this is a pretty serious accusation. They might simply have their own version. – schroeder Commented May 13, 2020 at 13:32
  • @schroeder - While they could indeed have their own version of SSH, it would not be OpenSSH. That would be a contradiction in definition. Commented May 13, 2020 at 21:44
