SpiderLabs Blog

Fingerprinting Ubuntu OS Versions using OpenSSH

Over the past couple of weeks, I've been working on enhancing the operating system detection logic in the TrustKeeper Scan Engine.

Having the capability to detect a target's operating system can be very useful. Whether you're performing a simple asset identification scan or doing an in-depth review, this information helps you make more informed decisions.

In this blog post, I'll be talking about a technique that you can use to fingerprint a server's operating system version using just its OpenSSH banner. I'll also share some analysis I did using this technique, leveraging some publicly available scan data from the Critical.IO project that was released earlier this year.


Anatomy of an Ubuntu OpenSSH Banner

If you've ever been curious enough to connect with netcat to port 22 of an Ubuntu system that is running SSH, you will have seen something like this:

~ $ nc 22
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1

Now let's take a look at the individual components that make up the banner. Our example, "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1", breaks down into a protocol version of 2.0, an OpenSSH version of 5.9, portable release 1, Debian build version 5 and Ubuntu patch version 1.1. Each element has a specific meaning and tells us more about the server:

  • Proto Version – The SSH protocol version that should be used when connecting to this server. These days, 2.0 is pretty standard.
  • OpenSSH Version – This indicates what version of OpenSSH is installed on this server. Distributions typically rev this whenever a new major operating system version is released, to coincide with the most stable version of OpenSSH at the time.
  • Portable Version – OpenSSH is released in two variants: the native OpenBSD release and the "portable" release that is built for other platforms, Linux included. The "p" suffix indicates which revision of the portable release the server has installed; "5.9p1" is the first portable release of OpenSSH 5.9.
  • SSH Comment – This is not called out separately above, but it is the combination of the build version and patch version. Basically, anything after the space in the OpenSSH version string is the optional SSH comment. This varies significantly between operating system type and packaging provider, and is usually the most useful place for getting OS hints.
  • Build Version – This is the build (package revision) number that is specific to Debian ("deb")-style packaging. This style of build version is seen in both Debian and Ubuntu operating systems. It's common to see a major operating system release use one to three of these build versions over its life span.
  • Patch Version – This is the patch version of the deb package that is specific to Ubuntu-based systems. It describes the iterative package revisions involved in making small tweaks to the package, and is commonly bumped to address bugs and security issues. There can be many of these revisions within both major and minor releases of the operating system.

Translate Banner Elements to Ubuntu Versions

If you were to attempt to translate the above banner to a specific Ubuntu version at a glance, it would be very difficult, because the versions we're seeing in the banner do not appear to have any correlation to the Ubuntu version. In the above example, my target is running Ubuntu 12.04, but none of the banner elements tell us this explicitly.

However, with some very basic research we can find the Launchpad entry for the package, which shows that this specific OpenSSH version, build version and patch version were built specifically for Ubuntu 12.04 (Precise Pangolin). These three elements effectively make a unique key that we can use to determine an Ubuntu version.


This technique was described in a July 2010 blog post by Worawit (sleepya), which includes examples that go beyond just Ubuntu. Today, we're going to talk about just Ubuntu, but it's important to note that a similar process could be performed for other operating systems that provide consistent SSH comments in their package releases.

Analyzing a Big List of OpenSSH Banners

The next step was to find a big list of OpenSSH banners and get started on translating SSH banners to Ubuntu versions.

Luckily, I came across HD Moore's Critical.IO project, which had nearly a million SSH banners from Internet-wide scans performed back in March. You can download the latest port 22 dataset from this location.

The data is in JSON format, which makes it very easy to parse. I used Ruby's JSON library to parse each entry, extract its banner and produce a histogram of which banners were the most common. I excluded any banners that did not contain the string SSH, assuming those hosts were not running a stock banner or were not running SSH at all.

Of the 936,727 SSH banners in the resulting list, I identified 136,918 (15 percent) that appeared to be Ubuntu related. Within that subset, there were 118 unique Ubuntu SSH banners.

I took these 118 unique banners and performed the translation technique above to produce mapping logic that can turn an Ubuntu SSH banner into its respective OS version. Because the scan data I used came from an Internet-wide scan, this gave me a strong sense that we've got a really good sample of Ubuntu SSH banners, providing solid coverage the next time we need to translate an arbitrary banner to its respective Ubuntu version.

Ubuntu Systems with SSH Running on the Internet

Lastly, I took my mapping logic and put it to work so I could see what versions of Ubuntu were being used on the Internet during this time period.

One of the things I noticed about the translated data set was that 34 percent of all the fingerprinted versions were end-of-life versions of Ubuntu.

What's important to remember about end-of-life software is that it no longer receives security updates, which is why keeping software updated is an important tenet of PCI DSS. The results of my analysis show that a little over one third of all Ubuntu systems running publicly reachable SSH services are potentially exposed to any vulnerability disclosed after the end-of-life date of their installed release.

If you're ever curious whether an Ubuntu version is end of life, you can check the Ubuntu releases page.
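The whole procedure above (split a banner into the elements described in the banner anatomy section, key on them to get the Ubuntu release, then run that over a dump of scan records and count how many hosts are past end of life) written out as an added Ruby example. This is not the post's code or the TrustKeeper engine's; it is assembled here for illustration. Only the 5.9p1 Debian-5ubuntu1.x to Ubuntu 12.04 pair comes from the post: the other rows of the mapping table, the end-of-life dates, and the one-JSON-object-per-line record layout with a "banner" field are assumptions (the last one is a made-up layout, not the Critical.IO schema) and should be checked against Launchpad and the Ubuntu releases page before use. One simplification is labelled in the code: the lookup key uses the OpenSSH version, portable release and Debian build version but drops the Ubuntu patch version, since every "ubuntuN.M" revision of one package belongs to the same release.

```ruby
require 'json'
require 'date'

# Banner anatomy from the post: "SSH-<proto>-OpenSSH_<version>p<portable> <comment>"
BANNER_RE = /\ASSH-(?<proto>[\d.]+)-OpenSSH_(?<version>\d+(?:\.\d+)+)(?:p(?<portable>\d+))?(?: (?<comment>\S.*))?\z/
# deb-style comment: "<Distro>-<build>", with an "ubuntu<patch>" suffix on Ubuntu builds
COMMENT_RE = /\A(?<distro>Debian|Ubuntu)-(?<build>\d+)(?:ubuntu(?<patch>[\d.]+))?/

# Hand-assembled "<version>p<portable>-<build>" => Ubuntu release. Only the 12.04 row
# comes from the post; the rest are assumed here and should be checked against Launchpad.
UBUNTU_BY_KEY = {
  '4.7p1-8'   => '8.04',
  '5.3p1-3'   => '10.04',
  '5.9p1-5'   => '12.04',
  '6.6.1p1-2' => '14.04',
  '7.2p2-4'   => '16.04',
  '7.6p1-4'   => '18.04',
}.freeze

# End of standard support as assumed for this example; verify on the Ubuntu releases page.
UBUNTU_EOL = {
  '8.04'  => Date.new(2013, 5, 9),
  '10.04' => Date.new(2015, 4, 30),
  '12.04' => Date.new(2017, 4, 28),
  '14.04' => Date.new(2019, 4, 25),
  '16.04' => Date.new(2021, 4, 30),
}.freeze

# Split a banner into the elements described in the post; nil if it is not OpenSSH.
def parse_banner(line)
  m = BANNER_RE.match(line.to_s.strip)
  return nil unless m
  info = { proto: m[:proto], version: m[:version], portable: m[:portable], comment: m[:comment] }
  if m[:comment] && (c = COMMENT_RE.match(m[:comment]))
    info.merge!(distro: c[:distro], build: c[:build], patch: c[:patch])
  end
  info
end

# Map a banner to an Ubuntu release. The key drops the patch version on purpose: one release
# accumulates many "ubuntuN.M" revisions (5ubuntu1, 5ubuntu1.1, ...) that all belong to the
# same Ubuntu version. Banners with no "ubuntu" suffix are skipped, since an Ubuntu release
# that ships Debian's package unmodified cannot be told apart from Debian by the comment.
def classify_ubuntu(line)
  info = parse_banner(line)
  return nil unless info && info[:patch]
  key = "#{info[:version]}p#{info[:portable]}-#{info[:build]}"
  info.merge(key: key, release: UBUNTU_BY_KEY[key])
end

def eol?(release, as_of)
  eol = UBUNTU_EOL[release]
  !eol.nil? && as_of > eol
end

# Walk JSON-lines scan records (one object per line, banner under +field+), applying the
# same "must contain SSH" filter as the post, and count mapped and end-of-life hosts.
def summarize(json_lines, as_of:, field: 'banner')
  stats = { total: 0, ssh: 0, ubuntu: 0, mapped: 0, eol: 0, releases: Hash.new(0), unknown_keys: Hash.new(0) }
  json_lines.each do |raw|
    stats[:total] += 1
    rec = begin
      JSON.parse(raw)
    rescue JSON::ParserError
      next
    end
    next unless rec.is_a?(Hash)
    banner = rec[field].to_s
    next unless banner.include?('SSH')
    stats[:ssh] += 1
    u = classify_ubuntu(banner)
    next unless u
    stats[:ubuntu] += 1
    if u[:release]
      stats[:mapped] += 1
      stats[:releases][u[:release]] += 1
      stats[:eol] += 1 if eol?(u[:release], as_of)
    else
      stats[:unknown_keys][u[:key]] += 1   # unseen banner: look it up on Launchpad, extend the table
    end
  end
  stats
end

# Fraction of mapped Ubuntu hosts that were past end of life on the given date.
def eol_share(stats)
  stats[:mapped].zero? ? 0.0 : stats[:eol] / stats[:mapped].to_f
end

# Constructed records in a made-up layout; the real Critical.IO field names differ.
SAMPLE_JSON = [
  '{"ip":"192.0.2.1","banner":"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1"}',
  '{"ip":"192.0.2.2","banner":"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7"}',
  '{"ip":"192.0.2.3","banner":"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"}',
  '{"ip":"192.0.2.4","banner":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13"}',
  '{"ip":"192.0.2.5","banner":"SSH-2.0-OpenSSH_9.9p9 Ubuntu-1ubuntu1"}',
  '{"ip":"192.0.2.6","banner":"SSH-1.99-OpenSSH_4.7p1 Debian-8ubuntu1.2"}',
  '{"ip":"192.0.2.7","banner":"220 mail.example ESMTP"}',
  'not json at all',
].freeze
```

Running summarize(SAMPLE_JSON, as_of: Date.new(2018, 1, 1)) on the constructed records counts six SSH banners, five of them Ubuntu, four that map to a known release (three of those past end of life on that date) and one that lands in unknown_keys; the Debian 6.0p1 host is correctly left out because its comment carries no "ubuntu" suffix. The unknown_keys bucket is the one to watch when you run this over a real dump: each new key is a Launchpad lookup and a new row in the table, which is exactly the work the 118 unique banners in the post represent.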

Wrapping Up

So as you can see, this process is relatively easy to do, and it helps us understand more about a given target, which is always good.

You can perform this process ad hoc on a penetration test and get a real sense of what operating system is installed on the target, which narrows down the subset of software that could be installed on it. In particular, this process gives us clues as to whether the operating system has patches available for specific vulnerabilities. One caveat: Ubuntu backports security fixes without changing the upstream OpenSSH version, so the patch version ("1.1" in our example) is the element to compare against the relevant Ubuntu Security Notice, not the 5.9p1 upstream version. Another: the comment is optional. Debian- and Ubuntu-built sshd honours DebianBanner no in sshd_config, which suppresses it and leaves only the upstream version to go on.

During the process of performing this research, I reached out to the erratasec team, who performed a more recent Internet scan of SSH systems back in mid-September. I'm still awaiting their reply, but I hope to update this post with their data set if and when I can get my hands on it.

Additionally, I recently added this updated translation logic to the operating system fingerprinting code within the TrustKeeper scan engine. We're still tuning and tweaking a couple of things, but I expect these updates will go live within the next couple of weeks.
