HASSH – Profiling Method for SSH Clients and Servers

HASSH is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.


Some of the uses of this tool are:

  • Use in highly controlled, well-understood environments, where any fingerprint outside of a known-good set is alertable.
  • Detect, control and investigate brute-force or credential-stuffing password attempts at a higher level of granularity than source IP, which may be affected by NAT or botnet-like behaviour.
  • Detect covert exfiltration of data within the components of the Client algorithm sets: a specially coded SSH Client can send data outbound from a trusted to a less trusted environment within a series of SSH_MSG_KEXINIT packets.
  • Use in conjunction with other contextual indicators, for example to detect network discovery and lateral movement attempts by unusual hassh values such as those produced by Paramiko, PowerShell, Ruby, Meterpreter or Empire.
  • Share malicious hassh values as Indicators of Compromise.
  • Create an additional level of Client application control; for example, block all Clients outside an approved known set of hassh values from connecting to an SSH server.
  • Contribute to non-repudiation in a forensic context, at a higher level of abstraction than source IP, which may be affected by NAT or where multiple source IPs are used.
  • Detect deceptive applications, e.g. a hasshServer value known to belong to the Cowrie / Kippo SSH honeypot, which claims to be a common OpenSSH server in its Server String.
  • Detect devices having a hassh known to belong to IoT embedded systems. Examples include cameras, microphones, keyloggers and wiretaps that could easily be hidden from view while communicating quietly over encrypted channels back to a control server.
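The following Python is an added example written for this page, not code from the HASSH project. It shows how the fingerprint is derived: the unencrypted SSH_MSG_KEXINIT payload is parsed into its ten name-lists (field order per RFC 4253, section 7.1), and the hassh string is built by joining the key-exchange, encryption, MAC and compression lists with ";" (commas inside each list), using the client_to_server lists for a client (hassh) and the server_to_client lists for a server (hasshServer); the MD5 of that string is the fingerprint. The sample KEXINIT values, the all-zero cookie and the allowlist are constructed for the example and do not represent any real implementation.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
NAME_LIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Constructed sample client KEXINIT (values chosen for this example only).
SAMPLE_CLIENT = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
}


def build_kexinit(fields: dict) -> bytes:
    """Encode a KEXINIT payload: message byte, 16-byte cookie, ten name-lists
    (uint32 length + comma-separated names), first_kex_packet_follows, reserved.
    Only used here to construct sample input; a real sensor reads it off the wire."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # constructed cookie: all zeros
    for name in NAME_LIST_FIELDS:
        value = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(value)) + value
    out += b"\x00"               # first_kex_packet_follows = false
    out += struct.pack(">I", 0)  # reserved
    return out


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into its name-lists, refusing truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # skip message byte and cookie
    fields = {}
    for name in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    if len(payload) - pos < 5:  # boolean + reserved uint32 must follow
        raise ValueError("truncated KEXINIT trailer")
    return fields


def hassh_string(fields: dict, role: str = "client") -> str:
    """Join the four fingerprinted name-lists with ';' (',' inside each list).
    'client' uses the client_to_server lists (hassh), 'server' the
    server_to_client lists (hasshServer)."""
    direction = "client_to_server" if role == "client" else "server_to_client"
    parts = [
        fields["kex_algorithms"],
        fields["encryption_algorithms_" + direction],
        fields["mac_algorithms_" + direction],
        fields["compression_algorithms_" + direction],
    ]
    return ";".join(",".join(p) for p in parts)


def hassh(fields: dict, role: str = "client") -> str:
    """MD5 hex digest of the hassh string: the shareable fingerprint."""
    return hashlib.md5(hassh_string(fields, role).encode("ascii")).hexdigest()


def fingerprint_payload(payload: bytes, role: str = "client") -> str:
    """Fingerprint a raw KEXINIT payload as captured from the network."""
    return hassh(parse_kexinit(payload), role)


def is_allowed(fingerprint: str, allowlist: set) -> bool:
    """Allowlist check for the controlled-environment use case: anything not
    in the known-good set is alertable."""
    return fingerprint in allowlist


if __name__ == "__main__":
    payload = build_kexinit(SAMPLE_CLIENT)
    fp = fingerprint_payload(payload, "client")
    print("hassh string:", hassh_string(SAMPLE_CLIENT))
    print("hassh:", fp)
    print("allowed:", is_allowed(fp, {fp}))
```

Because the fingerprint covers only the algorithm lists and not the cookie or the Server String, a client that changes its banner but keeps its algorithm preferences keeps the same hassh, which is what makes the deceptive-application and allowlist use cases above work.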

This tool will be useful if you plan to blacklist certain attacking hashes; it may also allow a user to lock down the system and prevent unauthorised users from logging in to the server. Users should test the program to understand how it will integrate with their environment. You can read more and download this tool here: https://github.com/salesforce/hassh