{"id":33245386,"url":"https://d4-project.github.io/passive-ssh/","last_synced_at":"2026-03-29T21:00:42.895Z","repository":{"id":56270319,"uuid":"311714670","full_name":"D4-project/passive-ssh","owner":"D4-project","description":"A Passive SSH back-end and scanner.","archived":false,"fork":false,"pushed_at":"2025-06-18T08:23:13.000Z","size":2639,"stargazers_count":104,"open_issues_count":1,"forks_count":11,"subscribers_count":14,"default_branch":"main","last_synced_at":"2026-01-27T05:49:27.873Z","etag":null,"topics":["hassh","passive-ssh","passive-ssh-server","ssh","ssh-scanner","threat-intelligence"],"latest_commit_sha":null,"homepage":"https://d4-project.github.io/passive-ssh/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/D4-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-11-10T16:12:33.000Z","updated_at":"2025-09-13T04:26:21.000Z","dependencies_parsed_at":"2024-11-06T03:33:07.914Z","dependency_job_id":"9d306a0c-53ff-4fa0-8d99-84beb4dbca17","html_url":"https://github.com/D4-project/passive-ssh","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/D4-project/passive-ssh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D4-project%2Fpassive-ssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D4-project%2Fpassive-ssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D4-project%2Fpassive-ssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D4-project%2Fpassive-ssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/D4-project","download_url":"https://codeload.github.com/D4-project/passive-ssh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D4-project%2Fpassive-ssh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31164979,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-29T18:55:37.765Z","status":"ssl_error","status_checked_at":"2026-03-29T18:55:04.089Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hassh","passive-ssh","passive-ssh-server","ssh","ssh-scanner","threat-intelligence"],"created_at":"2025-11-16T21:00:32.225Z","updated_at":"2026-03-29T21:00:42.888Z","avatar_url":"https://github.com/D4-project.png","language":"Python","readme":"# Passive SSH\n\n![Passive SSH logo](https://raw.githubusercontent.com/D4-project/passive-ssh/main/doc/logo/passivessh.png)\n\nPassive SSH is an open source framework composed of a scanner and server to store and lookup the SSH keys and fingerprints per host (IPv4/IPv6/onion).\n\nThe key materials along fingerprints and hosts are stored in a fast-lookup database. The system provides an historical view of SSH keys seen but also\ncommon key materials reused on different IP addresses.\n\nRelated paper for this work: [Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence](https://dl.acm.org/doi/full/10.1145/3491262).\n\n# Features\n\n- A simple SSH scanner\n- A server storing key materials in a Redis database\n- A simple ReST API to lookup by SSH fingerprints (including [hassh](https://github.com/salesforce/hassh) or host (IPv4, IPv6 or onion addresses)\n- Statistics of SSH banners and SSH fingerprints\n\n\n## Server Requirements\n\n- Python \u003e= 3.6\n- Redis \u003e5.0\n- tornado\n\n## Scanner Requirements\n\n- Python \u003e= 3.6\n- [D4 paramiko](https://github.com/D4-project/paramiko.git)\n- pysocks (required to scan Tor hidden services)\n\n## Install\n\n~~~~\n./install.sh\n~~~~\n\n- Install Redis and all pythons requirements.\n- All Python 3 code will be installed in a virtualenv (PSSHENV).\n\n### Tor proxy\n\nThe ssh scanner can be used with a Tor proxy to scan a host or an hidden service.\n\nDon't forget to install the Tor proxy if you want to scan Tor hidden services: `sudo apt-get install tor -y`\n\n## Running\n\nLaunch the redis and the tornado server:\n\n~~~~\n./LAUNCH -l\n~~~~\n\n### Manual scan\n\nA SSH scanner is included to scan small networks or internal infrastructure.\n\n~~~~\n. ./PSSHENV/bin/activate\ncd bin/\n\n# Scan a host\n./ssh_scan.py -t \u003chost: 10.0.0.12\u003e\n\n# Scan a network range\n./ssh_scan.py -r \u003cnetwork range: 10.0.0.0/8\u003e\n~~~~\n\n## API\n\nAn API is available to query the Passive SSH server.\n\nBy default, the tornado server for Passive SSH is running on port 8500.\n\n~~~~\ncurl http://localhost:8500/banners\n~~~~\n\n### Endpoints\n####  `/stats`\nReturn server staticstics:\n  - number of SSH banners\n  - number of scanned hosts:\n      - ip\n      - onion\n  - number of fingerprints by type\n\n#### `/banners`\nReturn all banners ordered by scores\n\n#### `/banner/hosts/\u003cbanner\u003e`\nGet hosts by banner:\n  - banner\n  - list of hosts\n\n#### `/keys/types`\nReturn the list of all keys types\n\n#### `/host/ssh/\u003chost\u003e`\nReturn host SSH metadata:\n  - first seen\n  - last seen\n  - ports\n  - list of banners\n  - list of fingerprints\n\n#### `/host/history/\u003chost\u003e`\nReturn the SSH history of an host\n\n#### `/fingerprints`\nReturn all fingerprints ordered by scores\n\n#### `/fingerprint/all/\u003cfingerprint\u003e`\nGet hosts by fingerprint:\n  - first seen\n  - last seen\n  - key type\n  - key base64\n  - fingerprint\n  - list of hosts\n\n#### `/fingerprint/type/\u003ckey_type\u003e/\u003cfingerprint\u003e`\nGet hosts by type of key and fingerprint:\n  - first seen\n  - last seen\n  - key type\n  - key base64\n  - fingerprint\n  - list of hosts\n\n#### `/hasshs`\nReturn all [hasshs](https://github.com/salesforce/hassh) ordered by scores\n\n#### `/hassh/hosts/\u003chassh\u003e`\nGet hosts by [hassh](https://github.com/salesforce/hassh):\n  - hassh\n  - list of hosts\n  - kexinit\n# Existing Passive SSH database\n\n- CIRCL Passive SSH - [access can be requested](https://www.circl.lu/contact/) if you are a CSIRT member of [FIRST.org](https://www.first.org/), [TF-CSIRT](https://www.trusted-introducer.org/), [CNW network](https://www.enisa.europa.eu/topics/csirts-in-europe/csirts-network) or vetted security researchers.\n\n# License\n\nThe software is free software/open source released under the GNU Affero General Public License version 3.\n\n# Citation\n\nIf you want to cite this work, you can cite it as follows: [Active and Passive Collection of SSH Key Material for Cyber Threat Intelligence](https://dl.acm.org/doi/full/10.1145/3491262)\n\n~~~\n@article{dulaunoy2022active,\n  title={Active and Passive Collection of SSH key material for cyber threat intelligence},\n  author={Dulaunoy, Alexandre and Huynen, Jean-Louis and Thirion, Aurelien},\n  journal={Digital Threats: Research and Practice (DTRAP)},\n  volume={3},\n  number={3},\n  pages={1--5},\n  year={2022},\n  publisher={ACM New York, NY}\n}\n~~~\n","funding_links":[],"categories":["Blue Team"],"sub_categories":["Threat Hunting"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/d4-project.github.io%2Fpassive-ssh%2F","html_url":"https://awesome.ecosyste.ms/projects/d4-project.github.io%2Fpassive-ssh%2F","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/d4-project.github.io%2Fpassive-ssh%2F/lists"}