/passive-ssh

A Passive SSH back-end and scanner.

Primary LanguagePythonGNU Affero General Public License v3.0AGPL-3.0

Passive SSH

Passive SSH logo

Passive SSH is an open source framework composed of a scanner and server to store and lookup the SSH keys and fingerprints per host (IPv4/IPv6/onion).

The key materials along fingerprints and hosts are stored in a fast-lookup database. The system provides an historical view of SSH keys seen but also common key materials reused on different IP addresses.

Related paper for this work: Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence.

Features

  • A simple SSH scanner
  • A server storing key materials in a Redis database
  • A simple ReST API to lookup by SSH fingerprints (including hassh or host (IPv4, IPv6 or onion addresses)
  • Statistics of SSH banners and SSH fingerprints

Server Requirements

  • Python >= 3.6
  • Redis >5.0
  • tornado

Scanner Requirements

  • Python >= 3.6
  • D4 paramiko
  • pysocks (required to scan Tor hidden services)

Install

./install.sh
  • Install Redis and all pythons requirements.
  • All Python 3 code will be installed in a virtualenv (PSSHENV).

Tor proxy

The ssh scanner can be used with a Tor proxy to scan a host or an hidden service.

Don't forget to install the Tor proxy if you want to scan Tor hidden services: sudo apt-get install tor -y

Running

Launch the redis and the tornado server:

./LAUNCH -l

Manual scan

A SSH scanner is included to scan small networks or internal infrastructure.

. ./PSSHENV/bin/activate
cd bin/

# Scan a host
./ssh_scan.py -t <host: 10.0.0.12>

# Scan a network range
./ssh_scan.py -r <network range: 10.0.0.0/8>

API

An API is available to query the Passive SSH server.

By default, the tornado server for Passive SSH is running on port 8500.

curl http://localhost:8500/banners

Endpoints

/stats

Return server staticstics:

  • number of SSH banners
  • number of scanned hosts:
    • ip
    • onion
  • number of fingerprints by type

/banners

Return all banners ordered by scores

/banner/hosts/<banner>

Get hosts by banner:

  • banner
  • list of hosts

/keys/types

Return the list of all keys types

/host/ssh/<host>

Return host SSH metadata:

  • first seen
  • last seen
  • ports
  • list of banners
  • list of fingerprints

/host/history/<host>

Return the SSH history of an host

/fingerprints

Return all fingerprints ordered by scores

/fingerprint/all/<fingerprint>

Get hosts by fingerprint:

  • first seen
  • last seen
  • key type
  • key base64
  • fingerprint
  • list of hosts

/fingerprint/type/<key_type>/<fingerprint>

Get hosts by type of key and fingerprint:

  • first seen
  • last seen
  • key type
  • key base64
  • fingerprint
  • list of hosts

/hasshs

Return all hasshs ordered by scores

/hassh/hosts/<hassh>

Get hosts by hassh:

  • hassh
  • list of hosts
  • kexinit

Existing Passive SSH database

License

The software is free software/open source released under the GNU Affero General Public License version 3.

Citation

If you want to cite this work, you can cite it as follows: Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence

@article{dulaunoy2022active,
  title={Active and Passive Collection of SSH key material for cyber threat intelligence},
  author={Dulaunoy, Alexandre and Huynen, Jean-Louis and Thirion, Aurelien},
  journal={Digital Threats: Research and Practice (DTRAP)},
  volume={3},
  number={3},
  pages={1--5},
  year={2022},
  publisher={ACM New York, NY}
}