Large scale SSH port mapping
by Javantea
June 9, 2008
INTRODUCTION
Doing a bit of preliminary analysis, I found out that I could cheaply port scan a single port on every machine on the internet. To what end? Since I wrote a research virus that exploits weak passwords on SSH, it makes sense to know what servers exist and how likely an SSH attack would succeed against the network as a whole. Though I don't plan to unleash this attack, and I don't expect that my virus adds to the already widespread SSH brute-force attacks currently underway by malicious entities, I would definitely like to research and release data on who is using SSH. Since port scanning is quite easy, I started my server on the task. Note that I'm not releasing a tarball at this time, since the software to do this is short enough to print in the Usage section.
You might notice that my data is quite lacking. The final data count is 317 /16 networks mapped. My original plan was to work right through the numbers in random order, but my server went down without a good reason, so I backed off, assuming that this much data was probably enough. I plan to finish the data at some point. It should only take a few months and a few hundred dollars that I'm already spending on hosting.
Thanks to the unwitting victims-- err test subjects of this portscan:
216.0.*.* XO Communications
64.0.*.* XO Communications
64.4.*.* MS Hotmail, etc
64.5.*.* PREFERRED COMMUNICATIONS, INC, etc
64.6.*.* Infobahn Outfitters, Inc., etc
...
77.0.*.* Telefonica Deutschland GmbH, etc
And many many more.
DATA
Calculation for the cost of a large-scale port scan, counting outbound traffic only (assume no RST, SYN-ACK, or ICMP comes back):

TCP SYN packet on the wire: 58 bytes
One /8: 2^24 addresses * 58 bytes = 973,078,528 bytes = 928 MiB
All of IPv4: 2^32 addresses * 58 bytes = 249,108,103,168 bytes = 232 GiB (about 249 GB in decimal units)

This is a lower bound: every open port answers with a SYN-ACK and every closed port with a RST, so a real run also receives traffic, and the RST nmap sends back for each SYN-ACK adds to the outbound total.

SSH port 22 state by /16 network. Open means the address answered with a SYN-ACK, closed means it answered with a RST; the other addresses in each /16 gave no usable reply (nmap reports those as filtered).

Network         Open   Closed
216.0.*.*       2900     3726
64.0.*.*        1243    16857
64.1.*.*        1230     2493
64.2.*.*        1148     1724
64.3.*.*        1663     2387
64.4.*.*         378     2304
64.5.*.*         782     1799
64.6.*.*         728     1695
64.7.*.*         631     5008
64.8.*.*        1790     2309
64.9.*.*         462     1935
64.10.*.*          0      104
64.11.*.*          0       15
64.12.*.*       1515      912
64.13.*.*      14065     1498
64.14.*.*       1122     3347
64.15.*.*       2766     3707
64.16.*.*       1261     4319
64.17.*.*       2383     3248
64.18.*.*       3282     2709
64.19.*.*       2878     6389
64.20.*.*       2174     6130
64.21.*.*       4411     2220
64.22.*.*       5644     5417
64.23.*.*       2552      274
64.24.*.*        227     1250
64.25.*.*       1348     2333
64.26.*.*       4787     2837
64.27.*.*       2942     3476
64.28.*.*       2320     1524
64.29.*.*        543     2380
64.30.*.*        402     2400
64.31.*.*        172     1758
64.32.*.*       2673     9034
64.33.*.*       9993     2620
64.34.*.*       7485     7580
64.35.*.*         74      578
64.36.*.*          0        0
64.37.*.*       1372     3467
64.38.*.*       4472     5024
64.39.*.*        835     1814
64.40.*.*       4554     4871
64.41.*.*       3318     1495
64.42.*.*        722     3946
64.43.*.*         13       29
64.44.*.*         16       60
64.45.*.*        394     3530
64.46.*.*       4256     4352
64.47.*.*        402     1473
77.0.*.*          38      209
77.1.*.*          20      181
77.2.*.*          22      114
77.3.*.*          40      180
77.4.*.*          44      479
77.5.*.*          11      107
77.6.*.*          24      234
77.7.*.*          29      405
77.8.*.*          22      443
77.9.*.*          20      274
77.10.*.*         24      261
77.11.*.*         27      407
77.12.*.*         31      360
77.13.*.*          0        0
77.14.*.*          0        0
77.15.*.*          0        0
77.16.*.*          0        0
77.17.*.*          0        0
77.18.*.*          0        0
77.19.*.*          0        0
77.20.*.*         19      360
77.21.*.*          0        0
77.22.*.*          0        0
77.23.*.*          0        0
77.24.*.*          0        0
77.25.*.*          0        0
77.26.*.*          0        0
77.27.*.*          7      260
77.28.*.*         97     2115
77.29.*.*         82     2358
77.30.*.*        101     1823
77.31.*.*        142     2015
77.32.*.*          0        2
77.33.*.*          3        4
77.34.*.*         69     1287
77.35.*.*        135     1936
77.36.*.*         34      190
77.37.*.*       1966      572
77.38.*.*        167      675
77.39.*.*        123      838
77.40.*.*        148     3316
77.41.*.*        120     2228
77.42.*.*       8336      563
77.43.*.*        356     1247
77.44.*.*        373     2541
77.45.*.*        388     4484
77.46.*.*        159     9236
77.47.*.*        234     4597
77.48.*.*       2279     2377
77.49.*.*        521     1859
77.50.*.*         23      181
77.51.*.*        997     5460
77.52.*.*         31      244
77.53.*.*         30      534
77.54.*.*        136     2431
77.55.*.*          0        0
77.56.*.*        214     4066
77.57.*.*        268     8065
77.58.*.*         37     1329
77.59.*.*        116    25817
77.60.*.*        269     2093
77.61.*.*        258     2235
77.62.*.*         59      526
77.63.*.*         66      573
77.64.*.*         62      958
77.65.*.*         60      160
77.66.*.*        273     2684
77.67.*.*       1063      560
77.68.*.*        176      647
77.69.*.*        526     1449
77.70.*.*        238     1025
77.71.*.*         55    15503
77.72.*.*        855     2472
77.73.*.*        545     2721
77.74.*.*       1192     3367
77.75.*.*       1180     1421
77.76.*.*        580     1419
77.77.*.*        208     1004
77.78.*.*        777     1181
77.79.*.*       1369     4168
77.80.*.*          0        0
77.81.*.*         54     3174
77.82.*.*         60      786
77.83.*.*         20       34
77.84.*.*         38      495
77.85.*.*        229     4884
77.86.*.*         89     2244
77.87.*.*        653      979
77.88.*.*        123     1243
77.89.*.*         81      642
77.90.*.*       1473      505
77.91.*.*       2517     1187
77.92.*.*       4149     4134
77.93.*.*       2948    10819
77.94.*.*        705     2791
77.95.*.*        511      959
77.96.*.*         33     1678
77.97.*.*         34     1585
77.98.*.*         27     1270
77.99.*.*         44     1312
77.100.*.*        38     1111
77.101.*.*        52     1465
77.102.*.*        38     1341
77.103.*.*        61     1592
77.104.*.*      1044     4795
77.105.*.*       290     3523
77.106.*.*       361     3021
77.107.*.*        70     1539
77.108.*.*      2387     2366
77.109.*.*       169     1514
77.110.*.*       166      736
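The cost calculation above counts only the SYN probes going out. The following is an added example (my code, not part of the original post) that generalizes it to any IPv4 prefix and adds what the post leaves out: the replies that open and closed ports send back, the RST nmap sends for every SYN-ACK, and the wall-clock time at a fixed probe rate. The 58-byte SYN is the post's figure; the 58-byte SYN-ACK and 54-byte RST are my assumptions for a SYN carrying only an MSS option, and the function names (addresses_in_prefix, outbound_bytes, scan_budget) are mine.

```python
"""Traffic budget for a single-port TCP SYN scan of an IPv4 prefix.

Added example, not code from the original post. Frame sizes are
assumptions: 58 bytes for nmap's SYN (14 Ethernet + 20 IP + 24 TCP with an
MSS option, the figure the post uses), 58 bytes for the SYN-ACK an open
port returns, and 54 bytes for a bare RST from either side.
"""

SYN_BYTES = 58      # our probe, one per target address (from the post)
SYNACK_BYTES = 58   # assumed reply from an open port
RST_BYTES = 54      # assumed: a closed port replies RST; we RST each SYN-ACK

MIB = 1024 * 1024
GIB = MIB * 1024


def addresses_in_prefix(prefix_len: int) -> int:
    """Number of IPv4 addresses in a /prefix_len (no exclusions)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return 1 << (32 - prefix_len)


def outbound_bytes(prefix_len: int, probe_bytes: int = SYN_BYTES) -> int:
    """Bytes we transmit if every address gets exactly one SYN probe
    (the post's 'no RST, SYN-ACK, or ICMP return' case)."""
    return addresses_in_prefix(prefix_len) * probe_bytes


def scan_budget(prefix_len: int, open_frac: float, closed_frac: float,
                pps: float) -> dict:
    """Fuller budget: outbound probes plus our RSTs, expected inbound
    replies, and wall-clock time at a fixed probe rate of pps packets/s.

    open_frac / closed_frac are the fractions of addresses expected to
    answer SYN-ACK / RST; the rest are assumed silent (filtered)."""
    if not (0 <= open_frac and 0 <= closed_frac and open_frac + closed_frac <= 1):
        raise ValueError("fractions must be non-negative and sum to <= 1")
    if pps <= 0:
        raise ValueError("pps must be positive")
    n = addresses_in_prefix(prefix_len)
    out = n * SYN_BYTES + n * open_frac * RST_BYTES      # we RST each SYN-ACK
    inbound = n * open_frac * SYNACK_BYTES + n * closed_frac * RST_BYTES
    seconds = n / pps
    return {
        "addresses": n,
        "outbound_bytes": int(out),
        "inbound_bytes": int(inbound),
        "seconds": seconds,
        "days": seconds / 86400,
    }


if __name__ == "__main__":
    # The two figures from the post: one SYN to every address in a /8 and
    # in the whole IPv4 space, outbound probes only.
    print(f"/8 : {outbound_bytes(8) / MIB:.0f} MiB")
    print(f"/0 : {outbound_bytes(0) / GIB:.0f} GiB")
    # A fuller budget at 1,000 probes/s using the density the post measured
    # (roughly 0.75% open); the 1% closed fraction is an assumed value.
    b = scan_budget(0, open_frac=0.0075, closed_frac=0.01, pps=1000)
    print(f"/0 at 1 kpps: {b['outbound_bytes'] / GIB:.0f} GiB out, "
          f"{b['inbound_bytes'] / GIB:.1f} GiB in, {b['days']:.0f} days")
```

The time figure is the part worth attention: at 1,000 probes per second the whole address space takes about 50 days, which is where the post's "a few months" comes from once retries and backoff are added. Raising the rate shrinks the schedule but also makes the scan far easier to spot and block.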
Usage
Instead of a package with tools and sample output, I decided to give you the script here. It writes one nmap XML file per /16, which can easily be grepped or parsed for statistics such as those above. It requires root because the SYN scan (-sS) builds raw packets: nmap sends only a SYN and answers any SYN-ACK with a RST, so the three-way handshake never completes and the connection never reaches sshd. Nothing shows up in sshd's logs, though a firewall or IDS that logs SYNs will still see the probe. -P0 (spelled -Pn in newer nmap) skips host discovery so every address is probed. The -n is common sense: without it nmap does a reverse lookup of every IP address and puts the name in the XML file, which costs a ton of network traffic and wasted time. Note that a lot of disk space is required to store the XML files, but once you have each IP and whether its port is open, closed or filtered, you can delete them.
#!/bin/sh
# netscan3.sh
# by Javantea
# Feel free to copy with no license.
# SYN-scans TCP port 22 on every /16 of one /8 (default 64/8) and writes
# one nmap XML file per /16 into data2/.
classA=64
if [ "$1" != "" ]; then
    classA=$1
fi
mkdir -p data2
date
for i in $(seq 0 255); do
    # -sS SYN scan (needs root), -p 22 only, -P0 no host discovery
    # (-Pn in newer nmap), -n no reverse DNS, -oX XML output.
    # The target is quoted so the shell cannot expand *.* as a filename glob.
    sudo nmap -sS -p 22 -P0 -n -oX "data2/ssh_$classA.$i.star2.xml" "$classA.$i.*.*" >>g.txt
    echo -n "$classA.$i.*.*: "
    date
done
ANALYSIS
The number of open SSH ports is impressive. It suggests a large population of Unix-like (Linux and BSD) hosts, although an open port 22 on its own does not identify the operating system. If every network were as dense as those scanned and each address counted as one machine, then 0.75% of all addresses (the open-port total divided by the 317 x 65,536 addresses scanned, extrapolated to all 2^32) would be SSH servers, about 32,388,900 of them. That is not a machine count: one server can answer on many addresses, so whole blocks or single addresses may belong to a server reached at a different IP, and NAT can hide many machines behind one address. Looking at the SSH version banner, TCP/IP options and other fingerprints (nmap -sV and -O, for example) would give a better estimate of how many actual servers exist.
CONCLUSION
I am convinced that a well-maintained public list of all ports open on all machines in use is a positive security tool. Port scanning every machine on the internet all the time is currently too costly but if done by a consortium of vendors and interested third parties it could be done cheaply. Currently products and services exist to do this internally privately and without great consequence, but I don't know of any public port scanning project.
Companies are responsible for the security of their customers and security audits are a check and balance to ensure that basic security requirements are met. If a trained professional can get into your machines, you should guess that non-professionals are smart enough as well. In fact, it's more likely to find your SSH servers rooted by malicious entities than security professionals these days.
If you are interested in port mapping SSH, feel free to contact me.