Digital Threats: Research and Practice | 2021

Active and Passive Collection of SSH key Material for Cyber Threat Intelligence

 
 
 

Abstract


Fingerprinting, tracing and tracking SSH network activities is a key functionality in network forensics and incident response. Over the past years, Passive DNS and Passive SSL have been a cornerstone of efficient incident handling at CIRCL. SSH connectivity is used to manage a wide range of devices, from IoT devices to network equipment and even critical devices. The goal of Passive SSH is to provide a fast-lookup database with the history of all the SSH keys seen per IPv4/IPv6 address on the global Internet. We developed an open source software toolkit to gather, analyse and store SSH key material and to provide access to members of the CSIRT community.

DOI 10.1145/3491262
Language English
Journal Digital Threats: Research and Practice
