SSH Auditor - The Best Way To Scan For Weak Ssh Passwords On Your Network

The Best Way To Scan For Weak Ssh Passwords On Your Network

ssh-auditor will automatically:
  • Re-check all known hosts as new credentials are added. It will only check the new credentials.
  • Queue a full credential scan on any new host discovered.
  • Queue a full credential scan on any known host whose ssh version or key fingerprint changes.
  • Attempt command execution as well as attempt to tunnel a TCP connection.
  • Re-check each credential using a per credential scan_interval - default 14 days.
It's designed so that you can run ssh-auditor discover + ssh-auditor scan from cron every hour to to perform a constant audit.


Earlier demo showing all of the features

Demo showing improved log output


$ brew install go # or however you want to install the go compiler
$ go get github.com/ncsa/ssh-auditor

or Build from a git clone
$ go build

Build a static binary including sqlite
$ make static

Ensure you can use enough file descriptors
$ ulimit -n 4096

Create initial database and discover ssh servers
$ ./ssh-auditor discover -p 22 -p 2222

Add credential pairs to check
$ ./ssh-auditor addcredential root root
$ ./ssh-auditor addcredential admin admin
$ ./ssh-auditor addcredential guest guest --scan-interval 1 #check this once per day

Try credentials against discovered hosts in a batch of 20000
$ ./ssh-auditor scan

Output a report on what credentials worked
$ ./ssh-auditor vuln

RE-Check credentials that worked
$ ./ssh-auditor rescan

Output a report on duplicate key usage
$ ./ssh-auditor dupes

Report query.
This query that ssh-auditor vuln runs is
hc.hostport, hc.user, hc.password, hc.result, hc.last_tested, h.version
host_creds hc, hosts h
h.hostport = hc.hostport
and result!='' order by last_tested asc

Disqus Comments