SSHamble: Unexpected exposures in the Secure Shell

|
Updated

The Secure Shell (SSH) protocol has survived as an internet-facing management protocol for almost 30 years. Over the decades it has transformed from a single patented codebase to a multitude of implementations available on nearly every operating system and network-connected device.

What we did #

runZero conducted a deep dive into the SSH ecosystem and identified vulnerabilities across a wide range of implementations. During the research process, we developed an open-source tool, called SSHamble, that can be used to identify vulnerable implementations and extend our research. We presented this work at the Black Hat USA 2024 and DEF CON 32.

Why this research matters #

SSH is the most commonly exposed remote administration protocol outside of HTTP and is critical to the security of most organizations. This work highlights unexpected exposures in common and lesser-known SSH implementations.

Examples of attacks include:

  • Unauthenticated remote access due to unexpected state transitions
    • Remote command execution in post-session login implementations

    • Information leaks through unlimited high-speed authentication requests

    SSHamble, our open-source research tool, can be used to reproduce these attacks and adapt this research to new techniques. The SSHamble interactive shell provides raw access to SSH requests in the post-session (but pre-execution) environment, enabling simple testing of environment control, signal processing, port forwarding, and much more.

    Get access to SSHamble #

    Interested in doing your own SSH research or building upon runZero's? You can get SSHamble and use it for your own security testing. 

    Level up your knowledge of SSH and SSHamble with this special episode of runZero Hour, our monthly deep dive series with the runZero Research Team. 

      Written by HD Moore

      HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

      More about HD Moore

      Written by Rob King

      Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

      More about Rob King
      Subscribe Now

      Get the latest news and expert insights delivered in your inbox.

      Welcome to the club! Your subscription to our newsletter is successful.


      Related Articles

      runZero Insights
      Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats
      China's Typhoon cyber attacks are evolving, but runZero helps you stay one step ahead with unmatched visibility and proactive defense.
      runZero Insights
      Ensure compliance with DORA’s ICT risk framework using runZero
      Learn how to uncover unmanaged and unknown assets— including IT, OT, and IoT— to meet DORA's hidden risk requirements using runZero.
      Life at runZero
      Employee Spotlight: Doug Markiewicz
      Doug Markiewicz is a strategic Customer Success Engineer with a passion for solving complex cybersecurity problems. Learn more about his journey as...
      runZero Insights
      Evolving from IT to IoT: Flax Typhoon preyed on the lesser knowns
      A look at Flax Typhoon's latest operations, and how runZero’s unknown and IoT asset visibility can help calm the storm for security teams.

      See Results in Minutes

      Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

      © Copyright 2024 runZero, Inc. All Rights Reserved