Home

Awesome

Passive SSH

Passive SSH logo

Passive SSH is an open source framework composed of a scanner and server to store and lookup the SSH keys and fingerprints per host (IPv4/IPv6/onion).

The key materials along fingerprints and hosts are stored in a fast-lookup database. The system provides an historical view of SSH keys seen but also common key materials reused on different IP addresses.

Related paper for this work: Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence.

Features

Server Requirements

Scanner Requirements

Install

./install.sh

Tor proxy

The ssh scanner can be used with a Tor proxy to scan a host or an hidden service.

Don't forget to install the Tor proxy if you want to scan Tor hidden services: sudo apt-get install tor -y

Running

Launch the redis and the tornado server:

./LAUNCH -l

Manual scan

A SSH scanner is included to scan small networks or internal infrastructure.

. ./PSSHENV/bin/activate
cd bin/

# Scan a host
./ssh_scan.py -t <host: 10.0.0.12>

# Scan a network range
./ssh_scan.py -r <network range: 10.0.0.0/8>

API

An API is available to query the Passive SSH server.

By default, the tornado server for Passive SSH is running on port 8500.

curl http://localhost:8500/banners

Endpoints

/stats

Return server staticstics:

/banners

Return all banners ordered by scores

/banner/hosts/<banner>

Get hosts by banner:

/keys/types

Return the list of all keys types

/host/ssh/<host>

Return host SSH metadata:

/host/history/<host>

Return the SSH history of an host

/fingerprints

Return all fingerprints ordered by scores

/fingerprint/all/<fingerprint>

Get hosts by fingerprint:

/fingerprint/type/<key_type>/<fingerprint>

Get hosts by type of key and fingerprint:

/hasshs

Return all hasshs ordered by scores

/hassh/hosts/<hassh>

Get hosts by hassh:

Existing Passive SSH database

License

The software is free software/open source released under the GNU Affero General Public License version 3.

Citation

If you want to cite this work, you can cite it as follows: Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence

@article{dulaunoy2022active,
  title={Active and Passive Collection of SSH key material for cyber threat intelligence},
  author={Dulaunoy, Alexandre and Huynen, Jean-Louis and Thirion, Aurelien},
  journal={Digital Threats: Research and Practice (DTRAP)},
  volume={3},
  number={3},
  pages={1--5},
  year={2022},
  publisher={ACM New York, NY}
}