Fingerprinting tooling used for SSH compromisation attempts

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

9 Citations (Scopus)
31 Downloads (Pure)


In SSH brute forcing attacks, adversaries try a lot of different username and password combinations in order to compromise a system. As such activities are easily recognizable in log files, sophisticated adversaries distribute brute forcing attacks over a large number of origins. Effectively finding such distributed campaigns proves however to be a difficult problem. In practice, when adversaries would spread out brute-forcing over multiple sources, they would likely reuse the same kind of software across all of these origins to simplify their operation and reduce cost. This means if we are able to identify the tooling used in these attempts, we could cluster similar tool usage into likely collaborating hosts and thus campaigns. In this paper, we demonstrate that it is possible to utilize cipher suites and SSH version strings to generate a unique fingerprint for a brute-forcing tool used by the attacker. Based on a study using a large honeynet with over 4,500 hosts, which received approximately 35 million compromisation attempts over the period of one month, we are able to identify 49 tools from the collected data, which correspond to off-the-shelf tools, as well as custom implementations. The method is also able to fingerprint individual versions of tools, and by revealing mismatches between advertised and actually implemented features detect hosts that spoof identifying information. Based on the generated fingerprints, we are able to correlate login credentials to distinguish distributed campaigns. We uncovered specific adversarial behaviors, tactics and procedures, frequently exhibiting clear timing patterns and tight coordination.

Original languageEnglish
Title of host publicationRAID 2019 Proceedings
Subtitle of host publication22nd International Symposium on Research in Attacks, Intrusions and Defenses
PublisherUSENIX Association
Number of pages11
ISBN (Electronic)978-193913307-6
Publication statusPublished - 2019
Event22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019 - Beijing, China
Duration: 23 Sep 201925 Sep 2019


Conference22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019

Cite this