Active and Passive Collection of SSH key material for cyber threat intelligence

by   Alexandre Dulaunoy, et al.

This paper describes a system for storing historical forensic artefacts collected from SSH connections. This system exposes a REST API in a similar fashion as passive DNS databases, malware hash registries, and SSL notaries with the goal of supporting incident investigations and monitoring of infrastructure.



page 2


MALOnt: An Ontology for Malware Threat Intelligence

Malware threat intelligence uncovers deep information about malware, thr...

Passive ans Active Observation: Experimetal Design Issues in Big Data

Data can be collected in scientific studies via a controlled experiment ...

Passive ans Active Observation: Experimental Design Issues in Big Data

Data can be collected in scientific studies via a controlled experiment ...

Passive and Active Observation: Experimental Design Issues in Big Data

Data can be collected in scientific studies via a controlled experiment ...

Passive Haptic Rehearsal for Accelerated Piano Skill Acquisition

Passive haptic learning (PHL) uses vibrotactile stimulation to train pia...

Hint Orchestration Using ACL2's Simplifier

This paper describes a strategy for providing hints during an ACL2 proof...

Finding Cryptocurrency Attack Indicators Using Temporal Logic and Darkweb Data

With the recent prevalence of darkweb/deepweb (D2web) sites specializing...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

CSIRTs operate passive DNS (draft-dulaunoy-dnsop-passive-dns-cof-07, ) and passive SSL (dulaunoy_alexandre_passive_2015, ) databases to support incident response. These historical data foster infrastructure attribution and threat intelligence at large. In this field note, we describe a passive SSH (pssh, ) the we developed and discuss how it constitutes a worthy addition to the CSIRTS’ toolbox.

SSH, and especially OpenSSH implementation, is the main tool for remote management as it offers secure channels for accessing servers’ shell, moving data, and tunneling other protocols. As OpenSSH is present on a lot of servers, MacOS and recent Windows computer, as well as IoT devices it makes it very appealing for attackers as vector of attack and means of command and control (see FriztFrog

(fritzfrog, ) for instance).

2. Fingerprinting SSH protocol

The SSH protocol(rfc4253, ) provides a significant number of fingerprints to track similar infrastructures as it uses public-key cryptography to authenticate clients and server. In the frame of infrastructure fingerprinting, the host-key, that is the key used to authenticate a server to clients is a first data point one can collect. The common use-case is that servers provide a host-key to the clients that is persistent between client connections. This ceremony follows a Trust On First Sight model: the server presents the host-key to the client that, on the first connection, is prompted to decided whether to trust the key or not. Once trusted, host-keys are stored in a cache on the client side against which presented host-keys will be checked on subsequent connections. Server host-keys are therefore persistent, they are usually generated when setting up ssh and left untouched afterwards.

Whereas SSH1 only provides algorithm negotiation between the client and the server for bulk encryption, SSH2 introduces the negotiation for the host-key, message authentication, hash function, session key exchange and data compression. These are others data point usable for fingerprinting SSH endpoints.

Salesforce also created HASSH, a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations (see (hasshblog, ) and (hasshcode, )).

Fingerprinting SSH servers requires to initiate a TCP three-way handshake with the server and read the first SSH protocol message (see Figure  1111This image is a modified version of one found at and will be replaced with original content for the final version).

Figure 1. Fingerprinting SSH first packets

3. Passive SSH Design and Implementation

We developed a tool to fingerprint SSH servers on the Internet222Available here The tool is developed in python and uses paramiko333 which is an implementation of SSH2 in python to interact with SSH servers.

The data points collected for fingerprinting each servers are the following:

  • the remote server’s banner that consists of:

    • server version / idstring,

    • supported key exchange algorithms,

    • supported encryption algorithms,

    • supported mac algorithms,

    • supported compression algorithms,

    • server language.

  • the remote server keys MD5 fingerprint, base64 representation, and name;

  • the remote server IP;

  • eventually we compute the remote server’s hassh.

In order to store these SSH servers fingerprints, we developed the tool that is the main focus of this paper: Passive SSH444Available at

. The tool is written in python 3 (released as open source project), persistence is achieve using a redis-compatible back-end

555Redis is a key/value in-memory back-end that allows for high read/write throughputs, see Redis is used to allow fast-lookup from numerous applications which require low-latency response.. Passive SSH provides a REST API to push data into the datastore and to retrieve signatures.

4. Statistics

CIRCL operates a passive SSH instance accessible to FIRST, TF-CSIRT, CNW members, and vetted researchers. This instance includes an internet-wide scan of SSH available on IPv4 and TCP port 22.

Banners 99.474
IPv4 addresses 10.301.105
Tor Onion addresses 92
Table 1. IPv4 addresses with SSH enabled
ssh-ed25519 5.271.642
ssh-rsa 7.291.675
ssh-dss 1.530.867
ecdsa-sha2-nistp256 5.078.182
ecdsa-sha2-nistp521 42.679
ecdsa-sha2-nistp384 5.843
Table 2. SSH key types seen on SSH enabled IPv4 addresses

5. Use-Cases

SSH banners are still very uniform over a large number of scanned IP hosts. This provides a nifty way to cluster groups of hosts depending of their SSH implementation installed especially the outliers.

5.1. Tracking attackers’ infrastructure

A Passive SSH service allows to readily answer valuable questions:

  • Is this host key new to my environment?

  • What server presented this key before?

  • Did this server already presented this key?

  • When was the last time a specific host key was seen in use?

  • How many host key were presented by a single IPv4 address?

To make the most of passive SSH, we are currently working on a module for MISP(wagner2016misp, ) that will allow to automatically enrich MISP events with these new data points. Discovering attack infrastructure, as described in Attribution of Advanced Persistent Treats(steffens2020advanced, ), can be performed by using the fingerprints and hassh in Passive SSH. In addition, key renewal in SSH is less frequent than TLS which then allows to keep pivoting information for a longer period.

5.2. Finding vulnerable equipments

In the same manner as Gasser et al. (gasser_deeper_2014, ), a passive SSH database can be used to identify equipments accessible on the Internet running vulnerable software or using weak cryptographic material. The former is readily accessible by interrogating Passive SSH’s banner endpoint for vulnerable banners but the latter requires more efforts as some computations may be required to identify weak cryptographic material and leak keys. For this purpose, we plan on interfacing another project of ours, snake-oil-crypto 666 to discover weak key materials.

5.3. Uncloacking tor

Deanonymizing tor hidden services through SSH server fingerprinting is a strategy that has two main limitations: (1) each hidden service is usually kept on separate onion addresses. This separation of concern prevent leaking the ties between services, and (2) if a SSH service is also running to administer the machine from the Internet, its access may be controlled by other layers that prevents it to be directly accessible (e.g. the use of a Bastion host, foreign ports, or port-knocking strategies).

We scanned SSH service on port 22 and 2222 on 8194 onion addresses known to be alive in our AIL framework (mokaddem2018ail, ) onion list and found 92 SSH service. Crossing onion SSH servers with publicly available SSH service on the Internet, we found 9 of those 92 onions have a corresponding SSH fingerprint in our passive SSH database.

6. Future work

Our passive SSH implementation shows a significant source of network fingerprints to discover vulnerable infrastructure, adversary network infrastructure or weak cryptographic materials. We could improve scanning strategies such as BGP networks announces (IPv6 network addresses) or certificate transparency logs(laurie2014certificate, )

to come across recently exposed network and IoT devices with ephemeral SSH access. SSH banners include various information which could increase the granularity of the fingerprints. Improving high-speed SSH handshake identification by using the Passive SSH database to train a neural network model.

7. Acknowledgments

We would like to thank the anonymous reviewers for their useful comments and suggestions.


  • [1] CIRCL team. Passive SSH, 12 2020.
  • [2] Alexandre Dulaunoy, Aaron Kaplan, Paul A. Vixie, and Henry Stern. Passive DNS - Common Output Format. Internet-Draft draft-dulaunoy-dnsop-passive-dns-cof-07, Internet Engineering Task Force, June 2020. Work in Progress.
  • [3] Alexandre Dulaunoy and Eireann Leverett. Passive ssl passive - Detection and Reconnaissance Techniques, to Find, Track, and Attribute Vulnerable Devices.
  • [4] Oliver Gasser, Ralph Holz, and Georg Carle. A deeper understanding of SSH: Results from internet-wide scans. In 2014 IEEE Network Operations and Management Symposium (NOMS), pages 1–9. IEEE.
  • [5] Guardicore. Fritzfrog: A new generation of peer-to-peer botnets, 08 2020.
  • [6] Ben Laurie. Certificate transparency. Communications of the ACM, 57(10):40–46, 2014.
  • [7] Sami Mokaddem, Gérard Wagener, and Alexandre Dulaunoy. Ail-the design and implementation of an analysis information leak framework. In 2018 IEEE International Conference on Big Data (Big Data), pages 5049–5057. IEEE, 2018.
  • [8] Ben Reardon. Open sourcing hassh a profiling method for ssh clients and servers, 09 2018.
  • [9] Salesforce. ”hassh” - a profiling method for ssh clients and servers.
  • [10] Timo Steffens. Advanced persistent threats. In Attribution of Advanced Persistent Threats, pages 3–21. Springer, 2020.
  • [11] Cynthia Wagner, Alexandre Dulaunoy, Gérard Wagener, and Andras Iklody. Misp: The design and implementation of a collaborative threat intelligence sharing platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, pages 49–56. ACM, 2016.
  • [12] T. Ylonen and Ed. C. Lonvick. The secure shell (ssh) transport layer protocol. RFC 4253, RFC Editor, 10 2006.