CyberChef HASSH Fingerprinting

Category: Security Operations: HASSH Client & Server Fingerprint

HASSH SSH Fingerprinting Network Security Detection

What is HASSH?

HASSH is a network fingerprinting method developed by Salesforce security researchers to identify SSH clients and servers based on their algorithm negotiation behavior. The name "HASSH" is a play on "hash" and "SSH", reflecting its core mechanism: creating MD5 hashes of specific SSH handshake parameters.

When an SSH connection is established, the client and server exchange messages listing their supported cryptographic algorithms. HASSH captures these algorithm lists from the Key Exchange Init messages and creates a unique fingerprint. This fingerprint can identify specific SSH client or server software, versions, and implementations, even when connections are encrypted.

Key Concept: HASSH doesn't break SSH encryption or compromise security. Instead, it analyzes publicly visible handshake metadata to create fingerprints that can identify SSH software. This is valuable for threat detection, anomaly detection, and network monitoring.

How HASSH Works

HASSH generates fingerprints by concatenating specific fields from the SSH Key Exchange Init (KEXINIT) message and computing an MD5 hash:

Extract the Client/Server Key Exchange Init message from SSH handshake
Concatenate four specific algorithm lists in order, separated by semicolons
Compute MD5 hash of the concatenated string
The resulting hash is the HASSH fingerprint

The Four Algorithm Lists

Component	Description	Example Values
Key Exchange Algorithms	Methods for exchanging keys	diffie-hellman-group14-sha256, ecdh-sha2-nistp256
Encryption Algorithms	Symmetric ciphers for data encryption	aes128-ctr, aes256-gcm@openssh.com
MAC Algorithms	Message Authentication Codes	hmac-sha2-256, hmac-sha1
Compression Algorithms	Compression methods	none, zlib@openssh.com

HASSH String Formation

Format: kex_algs;enc_algs;mac_algs;comp_algs

Example HASSH String:
diffie-hellman-group14-sha256,ecdh-sha2-nistp256;aes128-ctr,aes256-ctr;hmac-sha2-256,hmac-sha1;none,zlib@openssh.com

MD5 Hash (HASSH Fingerprint):
92674389fa1e47a27ddd8d9b63ecd42b

HASSH Client Fingerprint

The HASSH Client Fingerprint identifies the SSH client software. Different SSH clients (OpenSSH, PuTTY, WinSCP, etc.) advertise different algorithm preferences in different orders, creating unique fingerprints.

Common SSH Clients and Their Fingerprints

SSH Client	Version	HASSH Fingerprint
OpenSSH	7.4	92674389fa1e47a27ddd8d9b63ecd42b
PuTTY	0.70	9f7b9f7b5e3d9b2e0e3e9b7f5e3d9b2e
WinSCP	5.15	a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
Paramiko	2.7.2	9f71a5d8c5d9b6e9f0e0b3c7a8d6e5f4

Note: The fingerprints above are examples. Actual fingerprints vary by version and configuration. Maintain an up-to-date database of known fingerprints for accurate identification.

Use Cases for Client Fingerprints

Anomaly Detection: Identify unusual SSH clients on your network
Policy Enforcement: Detect unauthorized SSH clients
Threat Hunting: Identify known malicious SSH clients or backdoors
Asset Inventory: Track which SSH clients are in use
Investigation: Correlate SSH client usage during incident response

HASSH Server Fingerprint

The HASSH Server Fingerprint identifies the SSH server software. This helps detect rogue SSH servers, identify honeypots, or inventory SSH server software across an organization.

Common SSH Servers and Their Fingerprints

SSH Server	Version	HASSH Fingerprint
OpenSSH	7.4	b12d2871a1189eff20364cf5333619ee
Dropbear	2019.78	c3e5f3e5b7d9a6f8e1c4b5a7d9e6f8a1
libssh	0.9.4	d4f8e6a1c9b7e5f3a2d8c6e9b1f4a7d5
AsyncSSH	2.7.0	e9f3b1d6c8a5e7f4b2d9c1e8a6f5b3d7

Use Cases for Server Fingerprints

Rogue Server Detection: Identify unauthorized SSH servers on the network
Honeypot Identification: Detect SSH honeypots by their unique fingerprints
Server Inventory: Track SSH server software versions
Vulnerability Management: Identify servers running vulnerable SSH implementations
Compliance Monitoring: Ensure only approved SSH server software is deployed

Using HASSH in CyberChef

CyberChef provides two operations for HASSH fingerprinting:

HASSH Client Fingerprint

Generates a HASSH fingerprint from SSH Client Key Exchange Init message data.

Input:

SSH_MSG_KEXINIT packet from client

Output:

MD5 hash identifying the client

HASSH Server Fingerprint

Generates a HASSH fingerprint from SSH Server Key Exchange Init message data.

Input:

SSH_MSG_KEXINIT packet from server

Output:

MD5 hash identifying the server

Steps to Generate HASSH Fingerprints:

Capture SSH traffic using Wireshark, tcpdump, or similar tool
Extract the SSH Key Exchange Init (KEXINIT) packets
Copy the hex dump of the client or server KEXINIT packet
Paste into CyberChef input
Add "HASSH Client Fingerprint" or "HASSH Server Fingerprint" operation
View the resulting fingerprint hash
Compare against known fingerprint databases

Input: SSH Client KEXINIT Packet (Hex)

140000016b... (truncated for display)

HASSH Algorithm String:

curve25519-sha256,ecdh-sha2-nistp256;aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256,hmac-sha2-512;none

HASSH Fingerprint (MD5):

92674389fa1e47a27ddd8d9b63ecd42b

This fingerprint identifies OpenSSH 7.4 client.

Practical Applications

Security Operations Center (SOC)

Integrate HASSH fingerprinting into SIEM systems to:

Alert on first-seen SSH clients or servers
Detect malware using SSH for C2 communications
Identify lateral movement using unusual SSH clients
Track SSH brute-force attempts by client type

Threat Intelligence

Build databases of HASSH fingerprints associated with:

Known malware families
Threat actor tools and infrastructure
Compromised devices and botnets
Legitimate software for baseline comparison

Incident Response

During investigations:

Identify what SSH clients were used by attackers
Correlate SSH activity across multiple systems
Determine if rogue SSH servers were deployed
Timeline attacker SSH tool usage

Network Monitoring

Continuous monitoring for:

Unexpected SSH client/server software
Policy violations (unauthorized SSH tools)
IoT devices with embedded SSH servers
Shadow IT SSH deployments

HASSH in Network Traffic Analysis

Capturing KEXINIT Packets

Using Wireshark to capture SSH handshake:

# Capture filter for SSH traffic
tcp port 22

# Display filter for SSH KEXINIT messages
ssh.message_code == 20

# Steps:
1. Start packet capture on interface
2. Initiate SSH connection
3. Filter for SSH KEXINIT (message type 20)
4. Right-click packet → Copy → ...as Hex Dump
5. Paste into CyberChef

Automated Fingerprinting

Many security tools now include HASSH fingerprinting:

Zeek (Bro): SSH analysis scripts with HASSH logging
Suricata: IDS rules extracting HASSH fingerprints
NetworkMiner: Parses HASSH from PCAP files
Elastic Stack: Packetbeat with SSH HASSH module

Limitations and Considerations

Fingerprint Stability

HASSH fingerprints can change when:

Software is updated to different versions
Configuration changes modify algorithm preferences
Custom builds alter default algorithm lists
Users manually configure specific algorithms

Hash Collisions

While MD5 collisions are theoretically possible, they're unlikely in practice for HASSH. Different software versions typically have distinct algorithm preferences.

Encrypted Traffic

HASSH works on encrypted SSH connections because it analyzes the unencrypted handshake. However, traffic must be intercepted during connection establishment.

Custom Implementations

Attackers aware of HASSH fingerprinting might:

Modify SSH clients to mimic legitimate software
Use common SSH clients to blend in
Randomize algorithm orders to evade detection

Defense in Depth: HASSH is one tool in a comprehensive security strategy. Combine it with other detection methods like behavioral analysis, authentication monitoring, and anomaly detection for robust security.

HASSH Databases and Resources

Public HASSH Databases

Salesforce HASSH: Original project with example fingerprints
GitHub Repositories: Community-maintained fingerprint lists
Threat Intelligence Feeds: Commercial feeds with malware HASSH data

Building Your Own Database

For custom fingerprint databases:

Inventory all authorized SSH clients and servers
Generate HASSH fingerprints for each
Document versions and configurations
Update as software is upgraded
Share findings with security community

CyberChef Recipe Ideas

Here are some useful recipe combinations involving HASSH fingerprinting:

PCAP Analysis: Extract SSH packets → HASSH Client/Server Fingerprint
Bulk Processing: Split packets → HASSH Fingerprint → Unique (identify distinct clients)
Threat Hunting: HASSH Fingerprint → Find / Replace → Compare with known bad list
Reporting: HASSH Fingerprint → To Table (create fingerprint inventory)
Format Conversion: From Hex → HASSH Fingerprint (process hex dumps)

Best Practices

For Security Monitoring

Maintain baseline of normal HASSH fingerprints in your environment
Alert on first-seen fingerprints for investigation
Correlate HASSH with other SSH metadata (usernames, IPs, times)
Regularly update your fingerprint database
Investigate anomalies promptly

For Incident Response

Extract HASSH from network captures during investigations
Compare against known attacker tool fingerprints
Search for matching fingerprints across your environment
Document new fingerprints discovered during incidents
Share IOCs including HASSH with security community

For Defense

Don't rely solely on HASSH - attackers can evade it
Combine with authentication monitoring and behavioral analysis
Enforce SSH key management policies
Use multi-factor authentication for SSH access
Monitor SSH traffic at network perimeter

← Back to Operations Guide