Nmap Development mailing list archives
SSH Survey Results
From: doug () hcsw org
Date: Thu, 15 Jun 2006 04:03:49 -0700
Hi nmap-dev!

One of the projects I elected to take on for this Google Summer of Code is a large SSH scan against random hosts on the internet in order to refine and update Nmap's SSH version detection. SSH is becoming more and more common of a protocol and is rarely filtered to the extent many services are (SMB, telnet, etc.), so performing version detection (-sV) on remote SSH ports is often the fastest and most reliable remote device profiling method. I know when I'm doing a quick survey of my internal network (what IP is that box using again?) I usually look at the MAC OUI vendor if I'm on the same Ethernet or the SSH version otherwise. The SSH protocol is short and simple, but don't let that sway you: the information from it can be quite useful!

So, ladies and gentlemen, I'm pleased to announce the results of the SoC 2006 SSH scan!

Nearly 8000 open port 22s were discovered. Of them, about 98.7% had running SSH daemons. The fact that 1.3% of the open ports were not in fact SSH daemons, to me, underscores the importance of performing Nmap's version detection. When you assume an open port 22 is SSH you may be wrong more than once every hundred times!
Without further ado, here are the results of the scan broken down into categories:

(("OpenSSH" 4936)
 ("Debian/OpenSSH" 808)
 ("FreeBSD/OpenSSH" 545)
 ("Cisco" 284)
 ("SCS SSH" 258)
 ("SCS SSH (non-commercial)" 150)
 ("dropbear" 98)
 ("Ubuntu/OpenSSH" 58)
 ("SunSSH/OpenSSH" 58)
 ("RomCliSecure" 50)
 ("HUAWEI-VRP" 35)
 ("Akamai" 30)
 ("xxxxxxx Fortinet VPN/firewall sshd" 28)
 ("NetScreen" 26)
 ("libssh" 19)
 ("VRP" 19)
 ("lancom" 19)
 ("Mikrotik/OpenSSH" 18)
 ("NetBSD/OpenSSH" 17)
 ("Rad SFTP" 12)
 ("RemotelyAnywhere/OpenSSH" 10)
 ("FortiSSH" 9)
 ("WinSSHD/libssh" 7)
 ("X Cisco VPN Concentrator SSHd" 5)
 ("Mocana SSH" 5)
 ("F-Secure" 4)
 ("Dlink SSH" 3)
 ("mpSSH" 3)
 ("F-Secure winNT" 3)
 ("VShell win32/unix" 3)
 ("WeOnlyDo" 2)
 ("GlobalScape/libssh" 2)
 ("lshd" 2)
 ("Radware" 2)
 ("FreSSH" 2)
 ("IPSSH" 2)
 ("cryptlib" 2)
 ("miniBSD/OpenSSH" 1)
 ("WeOnlyDo" 1)
 ("AOS SSH" 1)
 ("RedlineNetworks/OpenSSH" 1)
 ("F-Secure dss-only" 1)
 ("SSH Compatible Server" 1)
 ("Neteyes" 1)
 ("DigiSSH" 1)
 ("Tru64 SSH" 1)
 ("Tasman router sshd" 1))

As was previously expected, OpenSSH is *by far* the most popular SSH server currently in use on the internet. How about a breakdown of its versions?
(("3.9p1" 897)
 ("3.6.1p2" 844)
 ("3.8.1p1 Debian-8.sarge.4" 484)
 ("3.7.1p2" 358)
 ("3.5p1" 355)
 ("3.1p1" 349)
 ("4.2" 303)
 ("4.1" 273)
 ("3.5p1 FreeBSD-20030924" 224)
 ("4.3" 209)
 ("3.4p1" 204)
 ("3.8.1p1" 193)
 ("4.0" 174)
 ("3.6p1" 150)
 ("3.8.1p1 FreeBSD-20040419" 135)
 ("3.7.1p2 Debian 1:3.7.1p2-1.2" 113)
 ("3.4p1 Debian 1:3.4p1-1.woody.3" 88)
 ("4.2p1 FreeBSD-20050903" 81)
 ("3.7.1p1" 78)
 ("3.8p1" 76)
 ("3.6.1p1+CAN-2004-0175" 61)
 ("2.9p2" 44)
 ("3.6.1" 40)
 ("4.2p1 Debian-8" 33)
 ("3.0.2p1" 32)
 ("2.3.0p1" 29)
 ("4.1p1 Debian-7ubuntu4.1" 25)
 ("3.8.1p1 FreeBSD-20060123" 25)
 ("2.5.2p2" 24)
 ("3.6.1p1 FreeBSD-20030924" 23)
 ("2.9.9p2" 22)
 ("4.2p1 Debian-5" 22)
 ("3.4p1 FreeBSD-20020702" 19)
 ("1.2" 19)
 ("2.3.0_Mikrotik_v2.9" 18)
 ("3.9.0p1" 17)
 ("3.5p1 FreeBSD-20030201" 16)
 ("3.8" 13)
 ("3.4" 13)
 ("3.2.3p1" 13)
 ("4.2p1 Debian-7ubuntu3" 12)
 ("3.5" 12)
 ("3.4p1+CAN-2004-0175" 11)
 ("3.7p1" 10)
 ("4.2p1 Debian-7" 10))

And finally, what about the protocol versions in use?

(("1.99" 4262)
 ("2.0" 2912)
 ("1.5" 382))

After processing this data as carefully as possible, I proceeded to use the data to enhance the SSH match lines in the nmap-service-probes file. I added 29 new SSH match lines, bringing us up to 76, as well as refining and updating numerous others. Probably the most useful modification is the refined OpenSSH match lines. We now should get more detailed and accurate service-detection operating system and device type guesses based on SSH.

Also, numerous new match lines have been added, giving Nmap's version detection the capability of recognising SSH daemons such as, to name a few,

* HUAWEI VRP routers
* Fortinet VPN/firewalls
* FreSSH
* DLink routers sshd
* RemotelyAnywhere
* etc

Finally, I took the time to reorganise and refine some of the match lines. For instance, it might not be obvious to everybody that mpSSH is, in fact, Hewlett Packard's Integrated Lights Out SSH daemon.

I'm attaching a patch to Nmap 4.10's nmap-service-probes file.

Enjoy!

Doug
Attachment: nmap-service-probes.ssh-survey.patch
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
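The tallies above come from parsing each server's SSH identification string. The following is an added example, not code from Doug's post or from Nmap: a small Python parser for the RFC 4253 identification string ("SSH-protoversion-softwareversion SP comments") that rejects responses which are not SSH at all (the 1.3% case the post describes), sorts banners into survey-style categories and counts protocol and OpenSSH versions. The classification rules are constructed here to mirror a few of the survey's categories and are not taken from nmap-service-probes; the sample banners are constructed too.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# The comments field is optional, and some old servers send only LF.
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
MAX_BANNER_LINE = 253  # RFC 4253: 255 characters including the trailing CR LF


@dataclass(frozen=True)
class SshBanner:
    proto: str      # "1.5", "1.99" or "2.0"
    software: str   # e.g. "OpenSSH_3.9p1"
    comments: str   # e.g. "Debian-8.sarge.4", or "" when absent


def parse_banner(raw: bytes) -> Optional[SshBanner]:
    """Return the parsed identification string, or None when no line of the
    response is an SSH banner (an open port 22 that is not running SSH)."""
    # RFC 4253 lets a server send other lines before the version string, and
    # tells clients to ignore lines that do not start with "SSH-".
    for line in raw.decode("ascii", errors="replace").splitlines():
        if len(line) > MAX_BANNER_LINE:
            continue  # oversized line: not a well-formed banner
        m = BANNER_RE.match(line)
        if m:
            return SshBanner(m["proto"], m["software"], m["comments"] or "")
    return None


# Constructed classification rules (hypothetical, not Nmap's match lines), applied
# to "<software> <comments>". First match wins, so the distribution-specific
# OpenSSH rules must come before the generic OpenSSH rule.
CATEGORY_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^OpenSSH_\S+ Debian-\S*ubuntu", re.IGNORECASE), "Ubuntu/OpenSSH"),
    (re.compile(r"^OpenSSH_\S+ Debian"), "Debian/OpenSSH"),
    (re.compile(r"^OpenSSH_\S+ FreeBSD"), "FreeBSD/OpenSSH"),
    (re.compile(r"^OpenSSH_\S*_Mikrotik"), "Mikrotik/OpenSSH"),
    (re.compile(r"^OpenSSH_"), "OpenSSH"),
    (re.compile(r"^Sun_SSH_"), "SunSSH/OpenSSH"),
    (re.compile(r"^Cisco-"), "Cisco"),
    (re.compile(r"^dropbear"), "dropbear"),
]


def classify(banner: SshBanner) -> Tuple[str, str]:
    """Map a banner to a (category, version) pair in the style of the survey tallies."""
    text = f"{banner.software} {banner.comments}".strip()
    category = "unknown"
    for rule, name in CATEGORY_RULES:
        if rule.search(text):
            category = name
            break
    # The version is whatever follows the product name, comments included,
    # e.g. "3.8.1p1 Debian-8.sarge.4" rather than just "3.8.1p1".
    version = re.sub(r"^(OpenSSH_|Sun_SSH_|Cisco-|dropbear_)", "", text)
    return category, version


def summarize(responses: List[bytes]) -> Dict[str, object]:
    """Tally categories, OpenSSH versions and protocol versions, and count the
    responses on port 22 that were not SSH banners at all."""
    categories: Counter = Counter()
    openssh_versions: Counter = Counter()
    protocols: Counter = Counter()
    not_ssh = 0
    for raw in responses:
        banner = parse_banner(raw)
        if banner is None:
            not_ssh += 1
            continue
        category, version = classify(banner)
        categories[category] += 1
        protocols[banner.proto] += 1
        if banner.software.startswith("OpenSSH_"):
            openssh_versions[version] += 1
    return {"categories": categories, "openssh_versions": openssh_versions,
            "protocols": protocols, "not_ssh": not_ssh}


# Constructed sample responses, including two non-SSH services answering on port 22
# and one server that sends a greeting line before its banner.
SAMPLE_RESPONSES = [
    b"SSH-1.99-OpenSSH_3.9p1\r\n",
    b"SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4\r\n",
    b"SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.1\r\n",
    b"SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924\r\n",
    b"SSH-2.0-OpenSSH_2.3.0_Mikrotik_v2.9\r\n",
    b"SSH-1.99-Cisco-1.25\r\n",
    b"SSH-2.0-dropbear_0.47\r\n",
    b"SSH-1.5-OpenSSH_2.3.0p1\n",
    b"Welcome to host.example.test\r\nSSH-2.0-OpenSSH_4.3\r\n",
    b"HTTP/1.0 400 Bad Request\r\n\r\n",
    b"220 mail.example.test ESMTP ready\r\n",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RESPONSES).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Running the script over the constructed sample prints the per-category and per-protocol counts plus `not_ssh 2`; feeding it real port-22 responses would reproduce the kind of tally in the post, with the caveat that a banner is self-reported and can be edited by the operator, so these counts describe what servers claim, not what they run.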
Current thread:
- SSH Survey Results doug (Jun 15)
- Re: SSH Survey Results Joshua D. Abraham (Jun 15)
- Re: SSH Survey Results Fyodor (Jun 23)