SSHamble is a research tool for SSH implementations that includes:
- Interesting attacks against authentication
- Post-session authentication attacks
- Pre-authentication state transitions
- Authentication timing analysis
- Post-session enumeration
This project is a work-in-progress and likely to change quickly.
You can reach our team via research[Ξ±π½]
Binaries are available from the releases page.
To build SSHamble from source, ensure that you have a recent version of Go (1.22.6+) installed.
You can use Go to install a binary into the bin directory in your GOPATH.
If you are using macOS, you may run into errors at runtime unless you disable CGO before building:
$ export CGO_ENABLED=0
$ go install
To build from source locally:
$ git clone
$ cd sshamble
$ go build -o sshamble
$ ./sshamble -h
To enable experimental badkeys support, run the generator first:
$ git clone
$ cd sshamble
$ go generate ./...
$ go build -o sshamble
$ ./sshamble -h
$ ./sshamble -h
An exploration tool for (in)secure shell services.
Start a network scan using:
$ ./sshamble scan -o results.json
Analyze the results using:
$ ./sshamble analyze -o results-directory results.json
Usage:
  sshamble [command]
Available Commands:
  analyze     Analyzes a scan JSON output file and buckets results
  help        Help about any command
  scan        Enumerates a set of targets for SSH capabilities and exposures
Flags:
  -h, --help   help for sshamble
Use "sshamble [command] --help" for more information about a command.
$ ./sshamble scan -h
Enumerates a set of targets for SSH capabilities and exposures
Usage:
  sshamble scan [-p 22] [-u root,admin] [-o scan.json] [-l scan.log] [--log-level trace] ... [flags]
Flags:
--categories string The list of categories to include. (default "bypass,gssapi,keyboard,password,pubkey,userenum,vuln")
--checks string The list of checks to run. Non-default ("userenum-none-timing,userenum-password-timing,userenum-pubkey-timing") (default "gssapi-any,keyboard-any,keyboard-empty,keyboard-null,keyboard-user,password-any,password-change-empty,password-change-null,password-empty,password-null,password-user,pubkey-any,pubkey-bulkhalf,pubkey-hunt,pubkey-user,skip-auth,skip-auth-method-empty,skip-auth-method-null,skip-auth-none,skip-auth-pubkeyany,skip-auth-success,skip-ssh-userauth,vuln-generic-env,vuln-gogs-env,vuln-ruckus-password-escape,vuln-softserve-env,vuln-tcp-forward")
--client-version string The client version string to send (default "OpenSSH_9.8p1")
--config string config file (default is $HOME/.sshamble.json)
-h, --help help for scan
-i, --input-targets string The optional file to read targets from
-I, --interact string Open an interactive shell for the 'first', 'all', or 'none' sessions (default "none")
--interact-auto string A comma-separated set of commands to run in the interactive session (default "pty,shell")
-l, --log string The file to write logs to (default is stderr) (default "-")
-L, --log-level string The log level to write (trace,debug,info,warn,error) (default "info")
-m, --max-connections uint The maximum number of concurrent connections (default 5000)
-o, --output string The destination file for JSON output (default "stdout")
--password string An optional password to try for authentication
--password-file string An optional file with clear-text passwords to try for authentication
-p, --ports string The list of ports to check when not specified with the target (comma-separated) (default "22")
--pprof string Start a Go pprof debug listener on the provided port
--private-key string The optional file containing a private key for authentication
--private-key-passphrase string The optional passphrase for a private key file
--pubkey-bulk-limit uint The number of pubkey half-auths to test for max attempts (default 10)
--pubkey-hunt-conn-limit uint The number of public keys to test in each connection (default 250000)
--pubkey-hunt-file string The optional file containing public keys to hunt
--retries uint The retry count for subsequent failed connections after an initial success (default 2)
--timeout uint The number of seconds to wait for a target to respond (default 5)
--userenum-max-per-session-count uint The maximum number of authentication attempts per session (default 1023)
--userenum-test-count uint The number of tests to apply during username enumeration (default 2500)
-u, --users string The list of usernames to test on each target (comma-separated) (default "root")