1. Introduction
CSIRTs operate passive DNS (draft-dulaunoy-dnsop-passive-dns-cof-07, ) and passive SSL (dulaunoy_alexandre_passive_2015, ) databases to support incident response. These historical data foster infrastructure attribution and threat intelligence at large. In this field note, we describe a passive SSH (pssh, ) the we developed and discuss how it constitutes a worthy addition to the CSIRTS’ toolbox.
SSH, and especially OpenSSH implementation, is the main tool for remote management as it offers secure channels for accessing servers’ shell, moving data, and tunneling other protocols. As OpenSSH is present on a lot of servers, MacOS and recent Windows computer, as well as IoT devices it makes it very appealing for attackers as vector of attack and means of command and control (see FriztFrog
(fritzfrog, ) for instance).2. Fingerprinting SSH protocol
The SSH protocol(rfc4253, ) provides a significant number of fingerprints to track similar infrastructures as it uses public-key cryptography to authenticate clients and server. In the frame of infrastructure fingerprinting, the host-key, that is the key used to authenticate a server to clients is a first data point one can collect. The common use-case is that servers provide a host-key to the clients that is persistent between client connections. This ceremony follows a Trust On First Sight model: the server presents the host-key to the client that, on the first connection, is prompted to decided whether to trust the key or not. Once trusted, host-keys are stored in a cache on the client side against which presented host-keys will be checked on subsequent connections. Server host-keys are therefore persistent, they are usually generated when setting up ssh and left untouched afterwards.
Whereas SSH1 only provides algorithm negotiation between the client and the server for bulk encryption, SSH2 introduces the negotiation for the host-key, message authentication, hash function, session key exchange and data compression. These are others data point usable for fingerprinting SSH endpoints.
Salesforce also created HASSH, a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations (see (hasshblog, ) and (hasshcode, )).
Fingerprinting SSH servers requires to initiate a TCP three-way handshake with the server and read the first SSH protocol message (see Figure 1111This image is a modified version of one found at https://github.com/salesforce/hassh and will be replaced with original content for the final version).

3. Passive SSH Design and Implementation
We developed a tool to fingerprint SSH servers on the Internet222Available here https://github.com/D4-project/passive-ssh/blob/main/bin/ssh_scan.py. The tool is developed in python and uses paramiko333https://www.paramiko.org/ which is an implementation of SSH2 in python to interact with SSH servers.
The data points collected for fingerprinting each servers are the following:
-
the remote server’s banner that consists of:
-
server version / idstring,
-
supported key exchange algorithms,
-
supported encryption algorithms,
-
supported mac algorithms,
-
supported compression algorithms,
-
server language.
-
-
the remote server keys MD5 fingerprint, base64 representation, and name;
-
the remote server IP;
-
eventually we compute the remote server’s hassh.
In order to store these SSH servers fingerprints, we developed the tool that is the main focus of this paper: Passive SSH444Available athttps://github.com/D4-project/passive-ssh
. The tool is written in python 3 (released as open source project), persistence is achieve using a redis-compatible back-end
555Redis is a key/value in-memory back-end that allows for high read/write throughputs, see https://redis.io/. Redis is used to allow fast-lookup from numerous applications which require low-latency response.. Passive SSH provides a REST API to push data into the datastore and to retrieve signatures.4. Statistics
CIRCL operates a passive SSH instance accessible to FIRST, TF-CSIRT, CNW members, and vetted researchers. This instance includes an internet-wide scan of SSH available on IPv4 and TCP port 22.
Banners | 99.474 |
---|---|
IPv4 addresses | 10.301.105 |
Tor Onion addresses | 92 |
ssh-ed25519 | 5.271.642 |
ssh-rsa | 7.291.675 |
ssh-dss | 1.530.867 |
ecdsa-sha2-nistp256 | 5.078.182 |
ecdsa-sha2-nistp521 | 42.679 |
ecdsa-sha2-nistp384 | 5.843 |
5. Use-Cases
SSH banners are still very uniform over a large number of scanned IP hosts. This provides a nifty way to cluster groups of hosts depending of their SSH implementation installed especially the outliers.
5.1. Tracking attackers’ infrastructure
A Passive SSH service allows to readily answer valuable questions:
-
Is this host key new to my environment?
-
What server presented this key before?
-
Did this server already presented this key?
-
When was the last time a specific host key was seen in use?
-
How many host key were presented by a single IPv4 address?
To make the most of passive SSH, we are currently working on a module for MISP(wagner2016misp, ) that will allow to automatically enrich MISP events with these new data points. Discovering attack infrastructure, as described in Attribution of Advanced Persistent Treats(steffens2020advanced, ), can be performed by using the fingerprints and hassh in Passive SSH. In addition, key renewal in SSH is less frequent than TLS which then allows to keep pivoting information for a longer period.
5.2. Finding vulnerable equipments
In the same manner as Gasser et al. (gasser_deeper_2014, ), a passive SSH database can be used to identify equipments accessible on the Internet running vulnerable software or using weak cryptographic material. The former is readily accessible by interrogating Passive SSH’s banner endpoint for vulnerable banners but the latter requires more efforts as some computations may be required to identify weak cryptographic material and leak keys. For this purpose, we plan on interfacing another project of ours, snake-oil-crypto 666https://github.com/D4-project/snake-oil-crypto to discover weak key materials.
5.3. Uncloacking tor
Deanonymizing tor hidden services through SSH server fingerprinting is a strategy that has two main limitations: (1) each hidden service is usually kept on separate onion addresses. This separation of concern prevent leaking the ties between services, and (2) if a SSH service is also running to administer the machine from the Internet, its access may be controlled by other layers that prevents it to be directly accessible (e.g. the use of a Bastion host, foreign ports, or port-knocking strategies).
We scanned SSH service on port 22 and 2222 on 8194 onion addresses known to be alive in our AIL framework (mokaddem2018ail, ) onion list and found 92 SSH service. Crossing onion SSH servers with publicly available SSH service on the Internet, we found 9 of those 92 onions have a corresponding SSH fingerprint in our passive SSH database.
6. Future work
Our passive SSH implementation shows a significant source of network fingerprints to discover vulnerable infrastructure, adversary network infrastructure or weak cryptographic materials. We could improve scanning strategies such as BGP networks announces (IPv6 network addresses) or certificate transparency logs(laurie2014certificate, )
to come across recently exposed network and IoT devices with ephemeral SSH access. SSH banners include various information which could increase the granularity of the fingerprints. Improving high-speed SSH handshake identification by using the Passive SSH database to train a neural network model.
7. Acknowledgments
We would like to thank the anonymous reviewers for their useful comments and
suggestions.

References
- [1] CIRCL team. Passive SSH, 12 2020.
- [2] Alexandre Dulaunoy, Aaron Kaplan, Paul A. Vixie, and Henry Stern. Passive DNS - Common Output Format. Internet-Draft draft-dulaunoy-dnsop-passive-dns-cof-07, Internet Engineering Task Force, June 2020. Work in Progress.
- [3] Alexandre Dulaunoy and Eireann Leverett. Passive ssl passive - Detection and Reconnaissance Techniques, to Find, Track, and Attribute Vulnerable Devices.
- [4] Oliver Gasser, Ralph Holz, and Georg Carle. A deeper understanding of SSH: Results from internet-wide scans. In 2014 IEEE Network Operations and Management Symposium (NOMS), pages 1–9. IEEE.
- [5] Guardicore. Fritzfrog: A new generation of peer-to-peer botnets, 08 2020.
- [6] Ben Laurie. Certificate transparency. Communications of the ACM, 57(10):40–46, 2014.
- [7] Sami Mokaddem, Gérard Wagener, and Alexandre Dulaunoy. Ail-the design and implementation of an analysis information leak framework. In 2018 IEEE International Conference on Big Data (Big Data), pages 5049–5057. IEEE, 2018.
- [8] Ben Reardon. Open sourcing hassh a profiling method for ssh clients and servers, 09 2018.
- [9] Salesforce. ”hassh” - a profiling method for ssh clients and servers.
- [10] Timo Steffens. Advanced persistent threats. In Attribution of Advanced Persistent Threats, pages 3–21. Springer, 2020.
- [11] Cynthia Wagner, Alexandre Dulaunoy, Gérard Wagener, and Andras Iklody. Misp: The design and implementation of a collaborative threat intelligence sharing platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, pages 49–56. ACM, 2016.
- [12] T. Ylonen and Ed. C. Lonvick. The secure shell (ssh) transport layer protocol. RFC 4253, RFC Editor, 10 2006.