SSH Secure Shell 3.0.0 Vulnerability Scanner
时间:2007-02-17 来源:PHP爱好者
  
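  The following tool checks a host for the vulnerable SSH Secure Shell version 3.0.0, which allows attackers to log in to an account without a valid password when the account's password is shorter than two characters. The script reads the SSH banner of the host you name and then audits a shadow file on the local system, flagging every account whose password field is two characters or fewer. It must be run as superuser so that it can read that file.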
  
  For more information about this vulnerability, please see our previous post:
  SSH Secure Shell 3.0.0 Allows Passwordless Logons
  
  Tool:
  #!/usr/bin/perl
  #
  # A local SSH 3.0.0 vulnerability scanner for the
  # SSH Short Password Login Vulnerability
  #
  # Note: You must have superuser access on the system to scan it.
  #
  # usage: ./ssh3.pl [options] <host>
  # Optional: -e turn off error
  # -h specify a different /etc/shadow file
  # (Options must come before host name)
  #
  # Written by hypoclear [email protected] - http://hypoclear.cjb.net
  #
  # This and all of my programs fall under my disclaimer, which
  # can be found at: http://hypoclear.cjb.net/hypodisclaim.txt
  
  use IO::Socket; use Getopt::Std;
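  # Command-line handling. Getopt::Std stores -h <file> in $opt_h and the
  # -e flag in $opt_e (package globals).
  our ($opt_h, $opt_e);
  getopts('h:e');

  die "\nusage: $0 <host>\n\tOptional: -e turn off error\n\t\t  -h specify a different /etc/shadow file\n\n"
      unless @ARGV > 0;
  $opt_h = "/etc/shadow" unless defined $opt_h;

  # Read up to 100 bytes of the SSH banner from port 22 of the named host.
  # $message stays empty when the connection or the read fails.
  my $out     = bannerGrab($ARGV[0], 22);
  my $message = '';
  sysread $out, $message, 100;
  close $out;

  # The dots are escaped so only a literal "3.0.0" in the banner matches.
  # -e overrides the banner check and audits the shadow file regardless.
  if (($message =~ /3\.0\.0/) || (defined $opt_e))
  {   print "Running SSH 3.0.0, checking for vulnerabilities...\n\n";

      # Three-argument open: the file name given with -h is never
      # interpreted as an open mode or a command.
      open(my $shadow, '<', $opt_h)
          or die "Cannot open $opt_h! ($!)\nNote: You must have superuser access to run this script.\n\n";

      my $vulnFlag = 0;
      my $line_no  = 0;
      while (my $entry = <$shadow>)
      {   $line_no++;
          chomp $entry;

          # Field 1 is the account name, field 2 the password field.
          my ($name, $field) = split /:/, $entry, 3;
          next unless defined $field;       # blank or malformed line
          $name  =~ s/\s//g;
          $field =~ s/\s//g;

          # A password field of two characters or fewer is what this check
          # looks for. That covers empty fields and short placeholder values
          # such as "*" or "!!". Only the account name and line number are
          # printed, never the password field itself.
          if (length($field) <= 2)
          {   print "$name\t(line $line_no) may be vulnerable!\n";
              $vulnFlag = 1;
          }
      }
      close($shadow);

      print "No accounts appear to be vulnerable.\n" unless $vulnFlag;
  }
  else
  {   print "You are not running SSH 3.0.0.\n";
      die "If you feel that this is an error run with the -e option.\n";
  }
  print "\n";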
  
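  # bannerGrab(HOST, PORT)
  #
  # Opens an IPv4 TCP connection to HOST:PORT and returns the socket handle
  # so the caller can read the service banner from it and close it.
  #
  # A handle is always returned. When name resolution or the connection
  # fails, a warning is printed and the returned handle is unconnected, so a
  # later read on it fails instead of the script aborting here.
  sub bannerGrab
  {   my ($target, $port) = @_;

      # Lexical handle instead of the global bareword OUT.
      socket(my $sock, PF_INET, SOCK_STREAM, scalar getprotobyname('tcp'))
          or warn "$!\n";

      # Scalar-context gethostbyname yields the packed address, or undef
      # when the name does not resolve.
      my $addr = gethostbyname($target);
      unless (defined $addr)
      {   warn "cannot connect to $target\n";
          return $sock;
      }

      # Report a refused or unreachable connection instead of ignoring it.
      connect($sock, sockaddr_in($port, $addr))
          or warn "cannot connect to $target: $!\n";
      return $sock;
  }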










