147 entries in 0.116s
Framedragger: asciilifeform: but cross-checking makes sense, say if you do
ssh-keyscan for a small randomized sample, nothing bad can come out of it. let me know if you want scriptz
Framedragger: asciilifeform: but have you considered that there are fewer implementations for
ssh (and the better part of the
ssh servers in the wild run openssh), and more implementations for all kinds of broken pgp? so it may simply be less likely to spot a badly generated
ssh key.
☟︎ Framedragger: would still be curious to write/find a tool which detects low hanging fruit for EC
ssh host keys / keys with shitty parameters
Framedragger: mircea_popescu: if you mean "nobody smart", then that's one thing, but if you mean in terms of actual numbers, then i'd probably have to disagree. shitloads of ecdsa
ssh host public keys anyway (stats and breakdown to be published at some point in teh future)
Framedragger: asciilifeform: openpgp'd
ssh keys (thanks jurov for PGPy hack):
http://95.85.10.71:8000/all/openpgp/ - 13 bz2 archives, each of which contains directory with 800k-900k files (one file per key, assumption was that this'd be easiest for bulk import)
Framedragger: asciilifeform: yeah so i'll prolly end up dumping 10M
ssh keys on phuctor's ass, via its web interface. i wonder if phuctor can handle parallel requests, to a point :P i won't be an asshole about it.
☟︎ Framedragger: look i just came back from an awesome mountain hike, can't even move my legs, but have just enough energy to re-use someone else's precious hacky code to test the
ssh-rsa db entries
Framedragger: asciilifeform: do you think it's a sensible idea to try and convert
ssh public keys into rfc4880, and then submit them to phuctor (possibly in bulk)? or is that something i should leave to you?
Framedragger: asciilifeform: gotcha. i have thing which converts
ssh pubkey format to e,N,IP. i'll probably have a thing which generates rfc4880 (inserting ip address as comment field, say) from e,N,IP. thanks!
Framedragger: asciilifeform: ah wait lol: i'd be parsing
ssh rsa keys, not pgp keys - different format - though also base64 etc. i'll check!
Framedragger: i guess right now i'm more curious to see general statistics / trends, e.g. distribution of
ssh server versions per given geo region / AS etc., not that it may be too useful, but just genuinely curious
Framedragger: the latter would be quite useful - i may spin up some simple analysis thingie which shows info for those
ssh keys, and it'd be nice to be able to link to corresponding phuctor entries
Framedragger: (i used one vps at a time (switched due to abuse complaints and so that i'd be sure there's no filtering / results are not biased) for the "which IPs out of all IPv4 are alive behind :22" scan, and i then used 13 cheap VPSes for the actual
ssh key extraction out of the 20.8M alive candidates. if curious re cost: will get the bill for the 13 VPSes later, but it was basically 11 hours of scanning, 2.99eur / mo. per VPS, hourly billing, so
Framedragger: this is what i've been able to extract (timeout for
ssh server to provide
ssh keys: 7.0 seconds), but now that i better understand the nuances of this particular undertaking, re-scanning / re-extraction would be much easier. in particular, doable in 36 hours for under 2 euros of cost (and doable in shorter amount of time for more euros and more concentrated work). which means that costs are absolutely negligible, unless you want to keep
Framedragger: asciilifeform: mircea_popescu: i'd like to interrupt this joyful occasion of copulation of you two by noting that
ssh-rsa keys of all of ipv4 are now ready for phuctoring and further analysis; they are in the format of e,N,ipaddress. there's 10.6M of them, out of 20.8M something-listening-on-port-22 hosts. rejoice!
Framedragger: * 20.8M of 22-port-open
ssh servers after deduplication
☟︎ Framedragger: ..sooo, ~21.1M
ssh hosts with port 22 open in ipv4 space. i expected more, but a time will come for a re-scan, and i finally got around to 'streamlining' the process, and vc's idontcareaboutscans policy helped here, so re-scan will be a piece of cake.
Framedragger: someone also tried spidering
ssh keys from .onion hosts, and then matching them with
ssh keys of ipv4 space; i want to re-try that, too
Framedragger: (gun resume and finish ipv4 open
ssh port scans tonight with vc's node (vc: it's randomized ip range scan and only 30 kpackets/s, before you ask), and then deploy ~10 vps nodes for
ssh key extraction, feeding port-22-open-list from the former into the latter.)
Framedragger: hehe yeah,
ssh keys, welcome to idiotland i guess
Framedragger: vc: re.
https://box.cock.li/ - do you tolerate responsible and low-bandwidth netscans (TCP SYN and/or
ssh-keyscan (which doesn't attempt any
ssh auth)) perchance?
Framedragger: now i'll try scaleway / online.net and i don't use them for anything else so i'm fine with being banned. they said OK to my "responsible academic scanning" query. doesn't mean they'll follow through. but i'll just keep scanning / doing
ssh extraction there, and rsyncing often, so that if/when i get eventually banned this wouldn't be a problem.
Framedragger: (again, general ipv4 mapping is no prob, it's the more particular
ssh key extraction that is slow and very hax0ry apparently)
Framedragger: canyoubelieveit, i used *
ssh*!!11 it's..super effective
Framedragger: oh mein gott, the language of these "abuse complaints"... your Server/Customer with the IP: [...] has attacked one of our servers/partners. The attackers used the method/service: *
ssh*
Framedragger: they'd look like "31.204.153.252:22
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u4"
Framedragger: asciilifeform et al.: a couple of representative
ssh host key samples (e,N,ip_address) - two /8's - pipeline was masscan (sort of nmap+zmap with custom tcp stack) ->
ssh-keyscan (manually parallelized) -> custom conversion into CSV
☟︎ Framedragger:
http://btcbase.org/log/2016-05-22#1470431 << hmh actually not sure now. it doesn't seem that the email addy in the
ssh host's pubkey is sent to client. yet you're right in that the email addy is included (in e.g. /etc/
ssh/ssh_host_rsa_key.pub). will check (
ssh-keyscan explicitly doesn't give/relay it though)
☝︎ Framedragger: i guess i'll give the results in that format for those 95k
ssh hosts (actual number of keys will be lower, i can see that some of those hosts are providing clients a nil set of encryption mechanisms, etc etc
Framedragger: mircea_popescu: asciilifeform: in regards to
ssh key spidering, it's best then to produce output in the form of e,N,comment - is that right? (where comment in this case would be the ip addr)
Framedragger: i'm now running the reliable but slower
ssh-keyscan on the 95k
ssh-running IPs just to get a decent sample. will later revisit wtf zmap is doing
Framedragger: ..hrm. zmap finished scanning sixteen /8's (so a sixteenth of ipv4 space, minus reserved blocks), but in those blocks there were two known servers running openssh which was picked up by
ssh-keyscan. they weren't picked up by zmap. if the thing is unreliable then it's worthless (it still found > 95k of
ssh servers though, but...)
☟︎ Framedragger: mircea_popescu: to get list of machines listening on port 22 using zmap on amazon aws micro instance with 100 mbps pipe, it takes approx 9-10 minutes per /16. note, only what's listening on port 22, but
ssh-keyscan should then plough through pretty quickly. will later run more tests, i'll leave a single instance to scan some /16s to then feed into
ssh-keyscan
Framedragger: i'm considering running zmap on high-throughput server to quickly get all internet-connected machines in ipv4 space, and then feeding that into
ssh-keyscan. may be more efficient. also need to get some disposable ip addresses or something, cause according to internet my coupla server IPs will soon be added to some shitlist
Framedragger: mircea_popescu: with timeout per host set to 5sec (default) and unaltered parallel scanning setting (
ssh-keyscan does parallel stuff pretty well but it may not be best for scanning huge numbers of hosts; case in point: default version for ubuntu 14.04 terminates if a single remote host closes conn prematurely - needed to patch this..), it took ~65 minutes (i've started logging timestamps afterwards but this is prob quite accurate). this
Framedragger: mircea_popescu: (got 2768
ssh-rsa keys on a test run on a populated /16... this will be fun.)
Framedragger: so, like, presumably, one would want keys of
ssh servers that are behind *all* routable public ipv4 addresses?
Framedragger:
ssh-keyscan nicely gives all keys presented by server, usually includes ecdsa
Framedragger: anyway.
ssh server key spider. *considers setup*
Framedragger: i suppose i should search logs for previous discussions? unless anyone wants to give a more particular summary? spider as many keys from as many hosts running
ssh as possible?
Framedragger: "also, anyone want to run a
ssh server key spider ?" << heh, k, i'm up for this, might as well be useful while i brood
☟︎