If you would like to expand this, Recog is available under an open source license and should be suitable for converting these matches into a NSE script: https://github.com/rapid7/recog/blob/master/xml/ssh_banners.xml

@hdm I am just starting to look at this again. Out of curiosity were the majority of Debian/FreeBSD/Ubuntu banners in the Recog repo pulled from my repo? It would save me some time verifying the same OS versions, consequently only updating banners I do not have from Recog. Thank you.

Hi @richlamdev! The Recog SSH banners have been around for a long time and we try to update them every few months or so (or as new things come up that aren't detected). I don't think any were pulled directly from your repository, but I did skim it a few times while doing updates to make sure we didn't miss anything. The ambiguous banners tend to be the hard part and we compare against various public data (our scans, sonar stuff previously, any public banner listings, etc) to figure out what the best single match assertion should be. You can find a full history on the SSH work at: https://github.com/rapid7/recog/commits/master/xml/ssh_banners.xml

EDIT: Looks I ran across your repo when working on this changeset and used it as a TODO list (but not limited to your work) in rapid7/recog#245.

A good starting point for diffing could be pulling the <example> elements out of the recog side and building a list of those that don't match your dataset. I'm happy to help with any scripting to figure out the gap too.

Hi @hdm! Sorry for the slow reply. I've already begun some light work on bringing in the recog banners - at least the ones I do not already have. I found a few blunders in my script and fixed them. Latest is already pushed to my repo @ https://github.com/richlamdev/ssh-default-banners. Once I have all the banners in from the Recog project I'll re-submit them here for PR/merge. It'll take some time for me to get all the banners in, as I can only dedicate a bit of time toward this each day. Thank you for the offer of help, I may take you up on that if I get stuck and/or review some of my work later. I'm open to any feedback/improvements. Lua is not my forte. Cheers!

@hdm Would you be able to provide some information for the following? Please and thank you.

1. From lines 9-69 and 1597-2126 from https://github.com/rapid7/recog/blob/master/xml/ssh_banners.xml is it safe to assume those are non OpenSSH banners? (given the lack of ^OpenSSH regex)

2. Do the non OpenSSH banners have a prefix such as "SSH-2.0-" (or "SSH-1.99-")? This may be moot, but I think would be good to know, for knowledge sake. I do not have a lot of experience with non OpenSSH OS/SSH banners.

Cheers!

The Recog banners ignore the protocol version (SSH-XX-) from the prefix. For 1, those are definitely not OpenSSH banners, and would look like the following on the network: SSH-2.0-RomSShell_4.62 and SSH-1.99-Cisco-1.25.

@hdm Perhaps I could use a hand with entering some of these banners. Lua pattern matching is not ideal - at least compared to PCRE. I fiddled a bit with the Lpeg module, but didn't make it very far. Also, I'm not sure if you're aware of a better method than a huge if/then/elseif statement for all the misc banners.

Due to having a large number of the Debian/Ubuntu/Raspbian/FreeBSD banners I was able to take advantage that by using lookup tables instead of if/then/else.

The latest changes are on my own repo: https://github.com/richlamdev/ssh-default-banners

When you have a chance, let me know what you think. Thanks!

My lua isn't very good, but it might be easier to maintain this as a large dictionary mapping of match patterns and match outcomes, then cycle through these instead of doing the if/then/else sequence.

Ah, got it! I don't know enough to have a good recommendation then. Maybe one of the devs can chime in?

Latest updates pushed today, without the misc banners. Any devs have a chance to review/comment? Would love to have any feedback for improvement. Thank you.

1