#ssh #fingerprinting #security

hassh

A SSH fingerprinting library written in Rust

1 unstable release

0.1.0 Jan 5, 2021

#12 in #fingerprinting

BSD-3-Clause and LGPL-2.1-or-later

34KB
623 lines

hassh - A SSH fingerprinting library written in Rust

License: BSD 3-Clause License crates.io Build Status Documentation

This crate enables a consumer to fingerprint the Key Exchange portion of a SSH handshake. It can hash SSH handshakes over IPv4 and IPv6. It heavily depends on the ssh-parser project from Rusticata.

"HASSH" is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.

See the original HASSH project for more information.

Example

Example of fingerprinting a packet capture file:

use hassh::pcap;

for hassh in pcap::open("test.pcap")? {
    println!("{:x}", hassh.client_hash());
}

Example of fingerprinting a live capture:

use hassh::live;

for hassh in live::capture("en0")? {
    println!("{:x}", hassh.server_hash());
}

See the hassh example for more information.

$ cargo run --example hassh -- -i en0

[+] Client SSH_MSG_KEXINIT detected
    [ 192.168.1.8:57278 -> 192.168.1.31:22 ]
        [-] Identification String: SSH-2.0-OpenSSH_8.1
        [-] hassh: ec7378c1a92f5a8dde7e8b7a1ddf33d1
        [-] hassh Algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com,zlib

[+] Server SSH_MSG_KEXINIT detected
    [ 192.168.1.31:22 -> 192.168.1.8:57278 ]
        [-] Identification String: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
        [-] hasshServer: 3ccd1778a76049721c71ad7d2bf62bbc
        [-] hasshServer Algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com

C API binding

This crate C API binding, you could to specify the capi feature at compile time to generate the header file.

cargo build --features capi

Reference

Credits:

hassh and hasshServer were conceived and developed by Ben Reardon (@benreardon) within the Detection Cloud Team at Salesforce, with inspiration and contributions from Adel Karimi (@0x4d31) and the JA3 crew crew:John B. Althouse , Jeff Atkinson and Josh Atkins

Dependencies

~2.8–5.5MB
~101K SLoC