sshprank tool: step by step guide


This article is about the sshprank tool, which is a fast scanner for a large number of SSH servers. The program searches for computers running SSH and tries to log in using the specified credentials, that is, it performs brute force. Another program is able to very quickly collect banners of a large number of SSH.

SSH is the most important service for connecting and executing commands on remote Linux computers. But SSH is also heavily used on FreeBSD computers, and even sometimes on Windows.

How to install sshprank

Install sshprank on Kali Linux

sudo apt install python3-pip

git clone

cd sshprank

sudo pip3 install -r docs/requirements.txt

./ -H

Install sshprank in BlackArch

The program is preinstalled in BlackArch.

sudo pacman -S sshprank

How to create a host list

The sshprank program does not directly support ranges, although a little later I will show how you can still specify subnets for scanning using sshprank. Therefore, for sshprank, you need to create a list of hosts.

So, I want to scan the range To list hosts, I run the following command:

echo -e 178.202.{0..255}.{0..255}"\n" | sed 's/ //'> hosts.txt

head -n 10 hosts.txt

Check that we have succeeded:

sshprank tool

How to start sshprank

In sshprank, hosts can be specified with the following options:

 -h <HOST: [PORTS]> - one port for hacking. You can specify multiple ports, in this
                          case, separate them with commas, i.e.: 22,2022,22222 (default port: 22)

  -l <FILE> - list of hosts for hacking. Format: <host> [: ports]. You can specify multiple ports,

                          in this case, separate them with commas (default port: 22)

That is, if we want to specify a single host, then this can be done using the -h option :

./ -h

You can also specify ports (otherwise, the default port is used for SSH service 22):

./ -h,2020,2021,2121

By default, the program does not display any information, it does not even show hacked hosts, logins, and passwords. To display this information, use the -v option :

./ -h -v

If the login and password are not specified, then “root” is used as the login, and “root” is used as the password.

How to specify login and password files in sshprank

To specify a username, password or dictionaries with them, the following options are used:

  -u <USER> - a single username (default: root)

  -U <FILE> - list of user names

  -p - one password (default: root)

  -P <FILE> - list of passwords

  -C <FILE> - list of combinations USER: PASSWORD

Tiny dictionaries come with the program:

lists /user.txt - usernames
lists /pws.txt - passwords

lists /combo.txt - user name and password combinations

But the dictionaries are very tiny, I would recommend using other, more suitable ones.

Run sshprank with respect to one host to select a username and password, for brute force the specified dictionaries will be used:

 ./ -h -U user.txt -P password.txt -v  

sshprank tool

sshprank result

If we had not used the -v option, then practically nothing would have been output. The -v option displays information about connection attempts, successfully selected accounts, as well as the reasons for the failure, for example:

[!] could not connect: - Could not connect (because the SSH service is not running, or the host is generally offline).

[!] login failure: (auth timeout) - authentication timeout - the most probable reason is an incorrect username or password.

[!] login failure: (auth failed) - the server clearly reported a failed login (incorrect username or password).

[!] login failure: (Pubkey auth) - failed to authenticate due to the fact that the login is performed using the public key.

Pay attention to the line with a green asterisk:

[*] found login: 

That is the login (root) and password (kali) for the service on port 22 on the host were found.

All successfully found logins and passwords are saved in the owned.txt file in the current working folder. The name and path to the file can be changed with the -o <FIL> option.

How to scan a large number of SSH

We can specify a list of hosts using the following option:

We can specify a list of hosts using the following option:

  -l <FILE> - list of hosts for hacking. Format: <host> [: ports]. You can specify multiple ports,

                          in this case, separate them with commas (default port: 22)

Launch Example:

./ -l hosts.txt -U lists /user.txt -P lists /password.txt -v

It is not possible to figure out sshprank output if multiple hosts are scanned. To constantly avoid manually checking the owned.txt file, you can use the following commands:

touch owned.tx

tail -f owned.txt

The first command will create the file if it does not already exist. And the second command will immediately display all changes in this file if they take place.

How to quickly collect SSH banners in a large network

To do this, use the -b option :

-b <FILE> - list of hosts for collecting sshd banners in
                          format: <host> [: ports]. Multiple ports may be

                          separated by commas (default port: 22)

That is, with this option you can specify a list of hosts in the same format as the -l option. Only the operating mode will change - instead of brute-force banners will be collected.

Next, an example run, the results will be saved to the specified file:

./ -b hosts.txt > ssh_banners.txt

sshprank tool

You can monitor the contents of this file in the same way:

touch ssh_banners.txt

tail -f ssh_banners.txt

Banners can be used for various purposes. For example, you can find all Windows computers running the SSH service:

cat ssh_banners.txt | grep -i windows

On Windows servers, SMB and RDP service ports are often open, you can play with them.

To filter hosts running Windows:

cat ssh_banners.txt | grep -i windows | awk -F ':' '{print $ 1}'> windows_hosts.txt

Scan to SMB and NetBIOS :

sudo nmap -iL windows_hosts.txt -p 139,445 --open

Scan to open RDP ports :

sudo nmap -iL windows_hosts.txt -p 3389 -sU -sS --open

An example of obtaining information about RDP and the name of a Windows computer :

sudo nmap -p 3389 -sU -sS --script 'rdp- *'

To find computers running FreeBSD:

cat ssh_banners.txt | grep -i bsd

By banners, you can search for old versions of Linux distributions, specific versions of the SSH implementation that are known to be vulnerable, perform statistical analysis, and more.

Masscan Options

sshprank uses module Masscan, and also has the option -m, where you can pass options, are already in itself Masscan. A few examples:

Quick scan, then hack of ssh services found. Data for scanning is transmitted to masscan (-m '-p22,2022 --rate = 5000 --source-ip --range') :

sudo ./sshprank -m '-p22,2022 --rate = 5000 --source-ip --range'

That is, the ranges of IP addresses for scanning are specified in the masscan option  --range.

Generate a thousand random IPv4 addresses, then scan the ports at a speed of 1k p / s and try to crack the found sshd servers with the 'root: root' credentials:

sudo ./sshprank -m '-p22 --rate = 1000' -r 1000 -v

You can specify not only these but any Masscan options. 


sshprank comes in handy when your goal is SSH servers scattered across a large network or when you need to collect SSH banners over large ranges very quickly. For example, from the / 16 range (65536 IP addresses), you can collect SSH service banners in just a few minutes.

Post a Comment

Previous Post Next Post