HASSH - A Network Fingerprinting Standard Which Can Be Used To Identify Specific Client And Server SSH Implementations

"HASSH" is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.

What can HASSH help with:
  • Use in highly controlled, well understood environments, where any fingerprints outside of a known good set are alertable.
  • It is possible to detect, control and investigate brute force or credential-stuffing password attempts at a higher level of granularity than IP Source, which may be impacted by NAT or botnet-like behaviour. The hassh will be a feature of the specific Client software implementation being used, even if the IP is NATed such that it is shared by many other SSH clients.
  • Detect covert exfiltration of data within the components of the Client algorithm sets. In this case, a specially coded SSH Client can send data outbound from a trusted to a less trusted environment within a series of SSH_MSG_KEXINIT packets. In a scenario similar to the better-known exfiltration via DNS, data could be sent as a series of attempted, but incomplete and unlogged, connections to an SSH server controlled by bad actors who can then record, decode and reconstitute these pieces of data into their original form. Until now such attempts, much less the contents of the clear-text packets, are not logged even by mature packet analyzers or on endpoint systems. Detection of this style of exfiltration can now be performed easily by using anomaly detection or alerting on SSH Clients with multiple different hassh values.
  • Use in conjunction with other contextual indicators, for example to detect network discovery and lateral movement attempts by unusual hassh such as those used by Paramiko, Powershell, Ruby, Meterpreter, Empire.
  • Share malicious hassh as Indicators of Compromise.
  • Create an additional level of Client application control, for example one could block all Clients from connecting to an SSH server that are outside of an approved known set of hassh values.
  • Contribute to Non Repudiation in a Forensic context, at a higher level of abstraction than IP Source, which may be impacted by NAT, or where multiple IP Sources are used.
  • Detect Deceptive Applications. E.g. a hasshServer value known to belong to the Cowrie/Kippo SSH honeypot server installation, which is purporting to be a common OpenSSH server in the Server String.
  • Detect devices having a hassh known to belong to IoT embedded systems. Examples may include cameras, mics, keyloggers and wiretaps that could easily be hidden from view and communicate quietly over encrypted channels back to a control server.

How does HASSH work:
"hassh" and "hasshServer" are MD5 hashes constructed from a specific set of algorithms that are supported by various SSH Client and Server Applications. These algorithms are exchanged after the initial TCP three-way handshake as clear-text packets known as "SSH_MSG_KEXINIT" messages, and are an integral part of the setup of the final encrypted SSH channel. The existence and ordering of these algorithms is unique enough that it can be used as a fingerprint to help identify the underlying Client and Server application or unique implementation, regardless of higher level ostensible identifiers such as "Client" or "Server" strings.
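
The construction described above, as an added example (not code from the hassh project): a bounds-checked parser for the ten SSH_MSG_KEXINIT name-lists laid out in RFC 4253 section 7.1, and the MD5 over the key exchange, encryption, MAC and compression lists joined with ";". The helper names and the sample algorithm lists are constructed for illustration.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # message number assigned in RFC 4253
# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1)
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Return the name-lists as raw strings, algorithm order preserved."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip the message byte and the 16-byte cookie
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("name-list runs past end of payload")
        out[name] = payload[off:off + n].decode("latin-1")
        off += n
    return out

def hassh(payload: bytes, server: bool = False) -> str:
    """hassh: client KEXINIT, client-to-server lists.
    hasshServer (server=True): server KEXINIT, server-to-client lists."""
    f = parse_kexinit(payload)
    d = "s2c" if server else "c2s"
    s = ";".join((f["kex"], f["enc_" + d], f["mac_" + d], f["comp_" + d]))
    return hashlib.md5(s.encode("latin-1")).hexdigest()

def build_kexinit(lists) -> bytes:
    """Constructed sample input: zero cookie, ten name-lists, trailer."""
    body = b"".join(struct.pack(">I", len(x)) + x.encode() for x in lists)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed algorithm lists, not taken from any real client
SAMPLE = ["curve25519-sha256,diffie-hellman-group14-sha256", "ssh-ed25519",
          "aes128-ctr,aes256-ctr", "aes256-ctr", "hmac-sha2-256",
          "hmac-sha2-512", "none,zlib", "none", "", ""]

if __name__ == "__main__":
    pkt = build_kexinit(SAMPLE)
    print("hassh      ", hassh(pkt))
    print("hasshServer", hassh(pkt, server=True))
```

Because the lists are hashed as sent, two clients offering the same algorithms in a different order produce different fingerprints.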


Credits:
hassh and hasshServer were conceived and developed by Ben Reardon (@benreardon) within the Detection Cloud Team at Salesforce, with inspiration and contributions from Adel Karimi (@0x4d31) and the JA3 crew: John B. Althouse, Jeff Atkinson and Josh Atkins.