Nmap Development mailing list archives

SSH Survey Results


From: doug () hcsw org
Date: Thu, 15 Jun 2006 04:03:49 -0700

Hi nmap-dev!

One of the projects I elected to take on for this Google Summer
of Code is a large SSH scan against random hosts on the internet in
order to refine and update Nmap's SSH version detection.

SSH is becoming a more and more common protocol and is rarely
filtered to the extent many services are (SMB, telnet, etc.), so
performing version detection (-sV) on remote SSH ports is often
the fastest and most reliable remote device profiling method.

I know when I'm doing a quick survey of my internal network
(what IP is that box using again?) I usually look at the
MAC OUI vendor if I'm on the same ethernet or the SSH version
otherwise. The SSH protocol is short and simple but don't let that
sway you: the information from it can be quite useful!

So, ladies and gentlemen, I'm pleased to announce the results
of the SoC 2006 SSH scan!

Nearly 8000 open port 22s were discovered. Of them, about 98.7%
had running SSH daemons. The fact that 1.3% of the open ports
were not in fact SSH daemons, to me, underscores the importance
of performing Nmap's version detection. When you assume an open
port 22 is SSH you may be wrong more than once every hundred
times!

Without further ado, here are the results of the scan broken
down into categories:

(("OpenSSH" 4936)
 ("Debian/OpenSSH" 808)
 ("FreeBSD/OpenSSH" 545)
 ("Cisco" 284)
 ("SCS SSH" 258)
 ("SCS SSH (non-commercial)" 150)
 ("dropbear" 98)
 ("Ubuntu/OpenSSH" 58)
 ("SunSSH/OpenSSH" 58)
 ("RomCliSecure" 50)
 ("HUAWEI-VRP" 35)
 ("Akamai" 30)
 ("xxxxxxx Fortinet VPN/firewall sshd" 28)
 ("NetScreen" 26)
 ("libssh" 19)
 ("VRP" 19)
 ("lancom" 19)
 ("Mikrotik/OpenSSH" 18)
 ("NetBSD/OpenSSH" 17)
 ("Rad SFTP" 12)
 ("RemotelyAnywhere/OpenSSH" 10)
 ("FortiSSH" 9)
 ("WinSSHD/libssh" 7)
 ("X Cisco VPN Concentrator SSHd" 5)
 ("Mocana SSH" 5)
 ("F-Secure" 4)
 ("Dlink SSH" 3)
 ("mpSSH" 3)
 ("F-Secure winNT" 3)
 ("VShell win32/unix" 3)
 ("WeOnlyDo" 2)
 ("GlobalScape/libssh" 2)
 ("lshd" 2)
 ("Radware" 2)
 ("FreSSH" 2)
 ("IPSSH" 2)
 ("cryptlib" 2)
 ("miniBSD/OpenSSH" 1)
 ("WeOnlyDo" 1)
 ("AOS SSH" 1)
 ("RedlineNetworks/OpenSSH" 1)
 ("F-Secure dss-only" 1)
 ("SSH Compatible Server" 1)
 ("Neteyes" 1)
 ("DigiSSH" 1)
 ("Tru64 SSH" 1)
 ("Tasman router sshd" 1))

As was previously expected, OpenSSH is *by far* the most popular SSH
server currently in use on the internet. How about a breakdown of its
versions?

(("3.9p1" 897)
 ("3.6.1p2" 844)
 ("3.8.1p1 Debian-8.sarge.4" 484)
 ("3.7.1p2" 358)
 ("3.5p1" 355)
 ("3.1p1" 349)
 ("4.2" 303)
 ("4.1" 273)
 ("3.5p1 FreeBSD-20030924" 224)
 ("4.3" 209)
 ("3.4p1" 204)
 ("3.8.1p1" 193)
 ("4.0" 174)
 ("3.6p1" 150)
 ("3.8.1p1 FreeBSD-20040419" 135)
 ("3.7.1p2 Debian 1:3.7.1p2-1.2" 113)
 ("3.4p1 Debian 1:3.4p1-1.woody.3" 88)
 ("4.2p1 FreeBSD-20050903" 81)
 ("3.7.1p1" 78)
 ("3.8p1" 76)
 ("3.6.1p1+CAN-2004-0175" 61)
 ("2.9p2" 44)
 ("3.6.1" 40)
 ("4.2p1 Debian-8" 33)
 ("3.0.2p1" 32)
 ("2.3.0p1" 29)
 ("4.1p1 Debian-7ubuntu4.1" 25)
 ("3.8.1p1 FreeBSD-20060123" 25)
 ("2.5.2p2" 24)
 ("3.6.1p1 FreeBSD-20030924" 23)
 ("2.9.9p2" 22)
 ("4.2p1 Debian-5" 22)
 ("3.4p1 FreeBSD-20020702" 19)
 ("1.2" 19)
 ("2.3.0_Mikrotik_v2.9" 18)
 ("3.9.0p1" 17)
 ("3.5p1 FreeBSD-20030201" 16)
 ("3.8" 13)
 ("3.4" 13)
 ("3.2.3p1" 13)
 ("4.2p1 Debian-7ubuntu3" 12)
 ("3.5" 12)
 ("3.4p1+CAN-2004-0175" 11)
 ("3.7p1" 10)
 ("4.2p1 Debian-7" 10))


And finally, what about the protocol versions in use?

(("1.99" 4262)
 ("2.0" 2912)
 ("1.5" 382))


After processing this data as carefully as possible, I proceeded to
use the data to enhance the SSH match lines in the nmap-service-probes
file. I added 29 new SSH match lines bringing us up to 76 as well
as refining and updating numerous others.

Probably the most useful modification is the refined OpenSSH match
lines. We now should get more detailed and accurate service-detection
operating system and device type guesses based on SSH.

Also, numerous new match lines have been added, giving Nmap's
version detection the capability of recognising SSH daemons such
as, to name a few,

 * HUAWEI VRP routers
 * Fortinet VPN/firewalls
 * FreSSH
 * DLink routers sshd
 * RemotelyAnywhere
 * etc

Finally, I took the time to reorganise and refine some of the match
lines. For instance, it might not be obvious to everybody that
mpSSH is, in fact, Hewlett Packard's Integrated Lights Out SSH
daemon.

I'm attaching a patch to Nmap 4.10's nmap-service-probes file.

Enjoy!

Doug

Attachment: nmap-service-probes.ssh-survey.patch
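To make concrete what the survey is measuring, here is an added example (not code from the post, not the nmap-service-probes patch, and not Nmap's own matching engine) of a miniature SSH version detector. It reads the first line a port-22 listener sends, applies a handful of illustrative match rules written in the spirit of nmap-service-probes "match ssh" lines (simplified patterns, not the real file's), derives product, version, protocol version and an OS hint, and then aggregates the results the way the post's breakdowns do. The banners, product names, OS-hint table and rule patterns below are all constructed or assumed for the example. It also makes two points from the post explicit: a response that does not start with "SSH-" is counted as "open port 22 but not SSH", and a protocol version of "1.99" means the server will negotiate either SSH-1 or SSH-2 (RFC 4253 section 4.2), while "1.5" means SSH-1 only.

```python
import re
from collections import Counter

# Constructed sample first-lines from port 22 (not data from the survey).
# An SSH server must send "SSH-protoversion-softwareversion [comments]"
# as its identification string (RFC 4253 sec. 4.2); Nmap's NULL probe just
# connects and reads, which is exactly what this example simulates.
SAMPLE_BANNERS = [
    b"SSH-1.99-OpenSSH_3.9p1\r\n",
    b"SSH-1.99-OpenSSH_3.8.1p1 Debian-8.sarge.4\r\n",
    b"SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903\r\n",
    b"SSH-1.99-OpenSSH_2.3.0_Mikrotik_v2.9\r\n",
    b"SSH-2.0-dropbear_0.47\r\n",
    b"SSH-1.5-Cisco-1.25\r\n",
    b"220 mail.example.test ESMTP ready\r\n",   # something else on tcp/22
    b"",                                         # accepts the connect, says nothing
]

# Illustrative match rules (assumed for this example), ordered most specific
# first like nmap-service-probes; the last one is a catch-all "softmatch".
MATCH_RULES = [
    ("OpenSSH", re.compile(r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\S+)(?: (?P<tag>.+))?$")),
    ("dropbear sshd", re.compile(r"^SSH-(?P<proto>[\d.]+)-dropbear_(?P<ver>[\d.]+)$")),
    ("Cisco SSH", re.compile(r"^SSH-(?P<proto>[\d.]+)-Cisco-(?P<ver>[\d.]+)$")),
    ("unknown SSH", re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<ver>\S+)")),
]

# OS hints from the vendor tag packagers append after the OpenSSH version
# (assumed table; the real nmap-service-probes carries many more).
TAG_TO_OS = {"Debian": "Linux (Debian)", "Ubuntu": "Linux (Ubuntu)", "FreeBSD": "FreeBSD"}


def protocol_support(proto: str) -> set:
    """Protocol majors the server will negotiate: '1.99' means both 1.x and
    2.0, '2.0' means SSH-2 only, '1.x' means the obsolete SSH-1 only."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".")[0])}


def identify(raw: bytes) -> dict:
    """Version-detect one port-22 response; fields loosely mirror Nmap's
    service / product / version / extrainfo / ostype."""
    line = raw.decode("ascii", errors="replace").split("\n", 1)[0].rstrip("\r")
    result = {"service": "unknown", "product": None, "version": None,
              "protocol": None, "supports": set(), "os": None, "banner": line}
    if not line.startswith("SSH-"):
        return result          # open 22/tcp that is not an SSH daemon
    result["service"] = "ssh"
    for product, rx in MATCH_RULES:
        m = rx.match(line)
        if not m:
            continue
        result.update(product=product, version=m.group("ver"),
                      protocol=m.group("proto"),
                      supports=protocol_support(m.group("proto")))
        tag = m.groupdict().get("tag")
        if product == "OpenSSH":
            if tag:
                result["os"] = TAG_TO_OS.get(re.split(r"[- ]", tag)[0])
            elif "Mikrotik" in m.group("ver"):
                result["os"] = "MikroTik RouterOS"
        elif product == "Cisco SSH":
            result["os"] = "Cisco IOS"
        break
    return result


def survey(banners) -> dict:
    """Aggregate like the post's breakdowns: per-product and per-protocol
    counts, the non-SSH share, and which hosts only speak SSH-1."""
    products, protocols, not_ssh, ssh1_only = Counter(), Counter(), 0, []
    for raw in banners:
        r = identify(raw)
        if r["service"] != "ssh":
            not_ssh += 1
            continue
        products[r["product"]] += 1
        protocols[r["protocol"]] += 1
        if r["supports"] == {1}:
            ssh1_only.append(r["banner"])
    return {"products": products, "protocols": protocols,
            "not_ssh": not_ssh, "ssh1_only": ssh1_only}


if __name__ == "__main__":
    s = survey(SAMPLE_BANNERS)
    for product, n in s["products"].most_common():
        print(f"{n:4d}  {product}")
    print("protocol versions:", dict(s["protocols"]))
    print("open 22/tcp but not SSH:", s["not_ssh"])
    print("SSH-1 only (obsolete protocol):", s["ssh1_only"])
```

The banner is self-reported and trivially spoofable, so treat the output as a profiling hint, not proof; that is also why the catch-all rule only records "unknown SSH" rather than guessing further.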
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
