Awesome
Passive SSH
Passive SSH is an open source framework composed of a scanner and server to store and lookup the SSH keys and fingerprints per host (IPv4/IPv6/onion).
The key materials along fingerprints and hosts are stored in a fast-lookup database. The system provides an historical view of SSH keys seen but also common key materials reused on different IP addresses.
Related paper for this work: Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence.
Features
- A simple SSH scanner
- A server storing key materials in a Redis database
- A simple ReST API to lookup by SSH fingerprints (including hassh or host (IPv4, IPv6 or onion addresses)
- Statistics of SSH banners and SSH fingerprints
Server Requirements
- Python >= 3.6
- Redis >5.0
- tornado
Scanner Requirements
- Python >= 3.6
- D4 paramiko
- pysocks (required to scan Tor hidden services)
Install
./install.sh
- Install Redis and all pythons requirements.
- All Python 3 code will be installed in a virtualenv (PSSHENV).
Tor proxy
The ssh scanner can be used with a Tor proxy to scan a host or an hidden service.
Don't forget to install the Tor proxy if you want to scan Tor hidden services: sudo apt-get install tor -y
Running
Launch the redis and the tornado server:
./LAUNCH -l
Manual scan
A SSH scanner is included to scan small networks or internal infrastructure.
. ./PSSHENV/bin/activate
cd bin/
# Scan a host
./ssh_scan.py -t <host: 10.0.0.12>
# Scan a network range
./ssh_scan.py -r <network range: 10.0.0.0/8>
API
An API is available to query the Passive SSH server.
By default, the tornado server for Passive SSH is running on port 8500.
curl http://localhost:8500/banners
Endpoints
/stats
Return server staticstics:
- number of SSH banners
- number of scanned hosts:
- ip
- onion
- number of fingerprints by type
/banners
Return all banners ordered by scores
/banner/hosts/<banner>
Get hosts by banner:
- banner
- list of hosts
/keys/types
Return the list of all keys types
/host/ssh/<host>
Return host SSH metadata:
- first seen
- last seen
- ports
- list of banners
- list of fingerprints
/host/history/<host>
Return the SSH history of an host
/fingerprints
Return all fingerprints ordered by scores
/fingerprint/all/<fingerprint>
Get hosts by fingerprint:
- first seen
- last seen
- key type
- key base64
- fingerprint
- list of hosts
/fingerprint/type/<key_type>/<fingerprint>
Get hosts by type of key and fingerprint:
- first seen
- last seen
- key type
- key base64
- fingerprint
- list of hosts
/hasshs
Return all hasshs ordered by scores
/hassh/hosts/<hassh>
Get hosts by hassh:
- hassh
- list of hosts
- kexinit
Existing Passive SSH database
- CIRCL Passive SSH - access can be requested if you are a CSIRT member of FIRST.org, TF-CSIRT, CNW network or vetted security researchers.
License
The software is free software/open source released under the GNU Affero General Public License version 3.
Citation
If you want to cite this work, you can cite it as follows: Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence
@article{dulaunoy2022active,
title={Active and Passive Collection of SSH key material for cyber threat intelligence},
author={Dulaunoy, Alexandre and Huynen, Jean-Louis and Thirion, Aurelien},
journal={Digital Threats: Research and Practice (DTRAP)},
volume={3},
number={3},
pages={1--5},
year={2022},
publisher={ACM New York, NY}
}