Skip to content
/ hassh-utils Public

hassh-utils: Nmap NSE Script and Docker image for HASSH - the SSH client/server fingerprinting method (https://github.com/salesforce/hassh)

License

BSD-3-Clause license
56 stars 14 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0x4D31/hassh-utils

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
hasshdb
hasshdb
 
 
ssh-hassh.nse
ssh-hassh.nse
 
 

Repository files navigation

hassh-utils

Docker

You can get the dockerized version of hassh.py from my Docker repository: https://hub.docker.com/r/0x4d31/hassh/

docker pull 0x4d31/hassh

Nmap NSE Script

ssh-hassh NSE script reports hasshServer (i.e. SSH Server Fingerprint) and hasshServerAlgorithms for the target SSH server. The resulting hassh is compared to a list of known hasshServer values to attempt to fingerprint it.

Basic usage:

nmap --script ssh-hassh.nse -p 22  192.168.10.136

Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-30 20:45 PDT
Nmap scan report for mikrotik.planethacker.net (192.168.10.136)
Host is up (0.0063s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hassh:
|   Server Identification String: SSH-2.0-ROSSSH
|   hasshServer: 592ac2fb1645c3dc26ede0a59cd46957
|_  hasshServer Guess: SSH-2.0-ROSSSH (100%)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

A database file can be specified. See Nmap Documentation for more info on how Nmap handles custom data files. Generally, placing databases in /usr/share/nmap/nselib/data/ will work:

nmap --script ssh-hassh.nse --script-args database=hasshd 192.168.10.136

Database lookups can be skipped using the skip_hasshdb script argument:

nmap --script ssh-hassh.nse --script-args skip_hasshdb 192.168.10.136

The client's identification string can also be specified if you want to use something besides the default value of SSH-2.0-Nmap-SSH-HASSH. Note: this must be formatted correctly; SSH-VERSION-STRING:

nmap --script ssh-hassh.nse --script-args client_string=SSH-2.0-asdf -p 22 192.168.10.136

Increasing the verbosity with -v by will display the algorithms:

nmap --script ssh-hassh.nse -p 22 --open -Pn 192.168.10.136 -oX test.xml -v

...snip...

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hassh:
|   Server Identification String: SSH-2.0-ROSSSH
|   hasshServer: 592ac2fb1645c3dc26ede0a59cd46957
|   hasshServer Guess: SSH-2.0-ROSSSH (100%)
|_  hasshServer Algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc;hmac-sha1,hmac-md5;none

...snip...

Increasing the verbosity higher with -vv will list the algorithms:

nmap --script ssh-hassh.nse -p 22 --open -Pn 192.168.10.136 -oX test.xml -vv

...snip...

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
| ssh-hassh:
|   Server Identification String: SSH-2.0-ROSSSH
|   hasshServer: 592ac2fb1645c3dc26ede0a59cd46957
|   hasshServer Guess: SSH-2.0-ROSSSH (100%)
|   kex_algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
|   encryption_algorithms: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc
|   mac_algorithms: hmac-sha1,hmac-md5
|   compression_algorithms: none
|_  server_host_key_algorithms: ssh-dss,ssh-rsa

...snip...

About

hassh-utils: Nmap NSE Script and Docker image for HASSH - the SSH client/server fingerprinting method (https://github.com/salesforce/hassh)

Topics

docker ssh nmap threat-hunting fingerprinting nmap-scripts hassh

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

56 stars

Watchers

5 watching

Forks

14 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages