SSHamble is an open-source tool for testing the security of SSH services - Computer Networks

It’s designed to dig into the less-tested parts of the SSH protocol (the pre-authentication state, the post-session state, and unusual transitions between states) rather than just the “normal” paths of password and key authentication.


_________________________________________


Why it is useful:

* SSH is very widely used on every major OS, tons of appliances, embedded devices, cloud services etc.

* Because of its ubiquity, misconfigurations or subtle protocol implementation bugs can have large impact.

* The article points out that many devices use non-mainstream SSH implementations or older libraries (not only the popular OpenSSH), which may have weaker controls or untested behaviours.

* SSHamble can scan targets (ranges of IPs / hostnames) for SSH services and test them against a variety of checks: pre-auth state transitions, “half-auth” states, unusual channel or subsystem behaviours.

* Many devices (especially less common SSH server software in appliances) still have serious flaws:
e.g., authentication bypass, shells without proper login, etc.

* Even a major project like OpenSSH has shipped regressions (the article cites bugs in its Windows builds), meaning even “trusted” software can slip.

* Some SSH servers do not rate limit public key authentication attempts. Since the protocol lets a client ask whether a key is authorized before presenting any signature, this allows brute-force testing of candidate public keys without holding the private keys.

* State transitions in the SSH protocol (the way the server takes a client from “connected” → “authenticated” → “channel opened” and so on) are complex, and many implementations still make subtle mistakes there. This opens up odd attack surfaces.

* Post-session authentication:
Some devices accept a weak or empty SSH-level authentication (for example the “none” method), open a session, and only then run their own login prompt inside the shell. If that in-shell login is skipped, escapable, or incorrectly handled, the attacker gets a shell without ever authenticating at the protocol level. That’s dangerous.

* Audit all SSH implementations:
not just OpenSSH, but the embedded ones in network devices, IoT, routers, switches etc. They may be “weaker” implementations. E.g., Realtek routers, Panasonic ethernet switches, Ruckus access points.

* Ensure your SSH servers are configured securely:
e.g., disable unnecessary features (forwarding, tunnels, X11), enforce strict authentication, and implement rate limiting or lockouts for invalid auth attempts (including public key attempts, not only passwords).
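To make the last point concrete, here is a small audit of an OpenSSH sshd_config against those hardening points. This is an added example and not code from the page or from SSHamble. It parses the file the way sshd does (lines starting with “#” are comments, keywords are case-insensitive, and the first occurrence of a keyword wins), compares each setting, or its OpenSSH default when the keyword is absent, with a recommended value, and reports directives inside a “Match” block separately because they only apply conditionally. The recommended values are this example’s own policy (an assumption to tune per environment), and the sample config is constructed for the example.

```python
"""Audit an OpenSSH sshd_config against a small hardening policy (added example)."""
import re

# OpenSSH defaults as documented in sshd_config(5), used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "maxauthtries": "6",
}

# Policy of this example (assumption): keyword -> (acceptable values, reason).
WANT = {
    "permitrootlogin": ({"no"}, "root should not log in over SSH at all"),
    "passwordauthentication": ({"no"}, "passwords are brute-forceable; use keys"),
    "permitemptypasswords": ({"no"}, "empty passwords must never be accepted"),
    "pubkeyauthentication": ({"yes"}, "keys are the expected auth method"),
    "allowtcpforwarding": ({"no"}, "unneeded feature unless this is a jump host"),
    "x11forwarding": ({"no"}, "unneeded feature, extra attack surface"),
    "permittunnel": ({"no"}, "unneeded feature, extra attack surface"),
}
# In OpenSSH every offered key that is not authorized counts as a failure, so a low
# MaxAuthTries also bounds signature-less public key queries per connection.
MAX_AUTH_TRIES = 4  # policy value (assumption)


def parse_sshd_config(text):
    """Return ({keyword: first value}, count of directives inside Match blocks)."""
    settings, in_match, conditional = {}, False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True        # everything after a Match line is conditional
            continue
        if in_match:
            conditional += 1
            continue
        settings.setdefault(keyword, value)  # sshd keeps the first occurrence
    return settings, conditional


def audit(text):
    """Return (findings, conditional) where each finding is (keyword, value, source, reason)."""
    settings, conditional = parse_sshd_config(text)
    findings = []
    for keyword, (ok_values, reason) in WANT.items():
        value = settings.get(keyword, DEFAULTS[keyword]).lower()
        source = "set" if keyword in settings else "default"
        if value not in ok_values:
            findings.append((keyword, value, source, reason))
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        source = "set" if "maxauthtries" in settings else "default"
        findings.append(("maxauthtries", str(tries), source,
                         "too many auth attempts per connection, pubkey queries included"))
    return findings, conditional


# Constructed sample config for the example; the second PermitRootLogin is ignored
# because the first occurrence wins, exactly as sshd behaves.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding no
MaxAuthTries 10
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    found, cond = audit(SAMPLE_CONFIG)
    for keyword, value, source, reason in found:
        print(f"{keyword}={value} ({source}): {reason}")
    print(f"{cond} directive(s) inside Match blocks were not evaluated")
```

Run it against the live file with `audit(open("/etc/ssh/sshd_config").read())`, but note that `sshd -T` prints the effective configuration (including Match evaluation for a given connection) and is the authoritative check; this script only covers a handful of keywords.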


_________________________________________

The research found things like:

- Authentication bypasses in SSH services.

- Information leakage (e.g., server responses that let an attacker learn valid usernames, or confirm that a given public key is authorized without holding its private key)

- “Post-session authentication” on a number of devices (the server opens the session first and only afterwards asks for a login inside the shell, so protocol-level authentication was never properly done)


_________________________________________

It supports commands and modes like:

- scan to enumerate SSH capabilities and exposures

- analyze to take results and categorize them

- “pubkey-hunt” mode:
offer many public keys and see which ones the server reports as authorized (the protocol lets a client ask this without presenting a signature, so no private key is needed).

- A raw interactive mode for the “post-session but pre-execution” state:
meaning a session channel has been opened but no shell or exec request has been sent yet, before the protections that normally apply at that point kick in. This lets us test forwarding, signal sending, and other channel requests directly.
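The “pubkey-hunt” mode and the key-related information leak above both rest on one detail of RFC 4252: a client may send SSH_MSG_USERAUTH_REQUEST with the “publickey” method and the signature flag set to FALSE, and the server must answer SSH_MSG_USERAUTH_PK_OK (60) if that key would be accepted, or SSH_MSG_USERAUTH_FAILURE (51) otherwise. The following is an added example, not SSHamble’s code, that builds and parses that message on the wire and drives it against a simulated server with and without a query limit; the server, user, key blobs and the “max_queries” limit are constructed for the example and are not a real sshd.

```python
"""RFC 4252 public key query (signature-less USERAUTH_REQUEST) against a toy server.
Added example; the server side is a deliberately minimal simulation, not real sshd."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PK_OK = 60
DISCONNECTED = -1  # not a protocol value; marks a closed connection in the simulation


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Parse one RFC 4251 string at 'off'; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def build_publickey_query(user: str, key_alg: bytes, key_blob: bytes) -> bytes:
    """USERAUTH_REQUEST, method 'publickey', boolean FALSE = query only, no signature."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                      # FALSE: no signature follows
            + ssh_string(key_alg)
            + ssh_string(key_blob))


def parse_userauth_request(msg: bytes) -> dict:
    """Decode the fields a server reads before deciding how to answer."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    req = {"user": user.decode(), "service": service.decode(), "method": method.decode()}
    if method == b"publickey":
        req["has_signature"] = msg[off] != 0
        off += 1
        req["key_alg"], off = read_string(msg, off)
        req["key_blob"], off = read_string(msg, off)
    return req


class SimulatedServer:
    """Toy responder: authorized key blobs per user and a query counter.
    max_queries models the per-connection limit the page says some servers lack (0 = none)."""

    def __init__(self, authorized: dict, max_queries: int = 0):
        self.authorized = authorized      # {user: {key_blob, ...}}  (constructed)
        self.max_queries = max_queries
        self.queries = 0

    def handle(self, msg: bytes) -> int:
        req = parse_userauth_request(msg)
        if req["method"] != "publickey" or req["has_signature"]:
            return SSH_MSG_USERAUTH_FAILURE   # signed requests are out of scope here
        self.queries += 1
        if self.max_queries and self.queries > self.max_queries:
            return DISCONNECTED               # a limiting server drops the client
        if req["key_blob"] in self.authorized.get(req["user"], set()):
            return SSH_MSG_USERAUTH_PK_OK     # reveals "this key is authorized"
        return SSH_MSG_USERAUTH_FAILURE


def hunt(server: SimulatedServer, user: str, candidates) -> list:
    """Offer each candidate (alg, blob) with a signature-less query; return accepted blobs."""
    found = []
    for alg, blob in candidates:
        reply = server.handle(build_publickey_query(user, alg, blob))
        if reply == DISCONNECTED:
            break
        if reply == SSH_MSG_USERAUTH_PK_OK:
            found.append(blob)
    return found


if __name__ == "__main__":
    # Constructed key blobs; real ones would be the decoded base64 of authorized_keys entries.
    candidates = [(b"ssh-ed25519", b"blob-B"), (b"ssh-ed25519", b"blob-A")]
    open_server = SimulatedServer({"admin": {b"blob-A"}})
    print("unlimited server leaks:", hunt(open_server, "admin", candidates))
    limited = SimulatedServer({"admin": {b"blob-A"}}, max_queries=1)
    print("limiting server leaks:", hunt(limited, "admin", candidates))
```

The point of the two runs at the bottom is the difference a limit makes: against the unlimited server the hunt confirms the authorized key after two queries and could continue through an arbitrarily large list, while the limiting server disconnects after its budget is spent and reveals nothing.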


_________________________________________

Project source code available on Github:

https://github.com/runZeroInc/sshamble

Project Official Website

https://www.runzero.com/sshamble/

Enjoy #linux





Well, that was exciting. See you in the next one!