Shaking Out Shells with SSHamble

Presented at DEF CON 33 (2025), Aug. 9, 2025, 3 p.m. (20 minutes).

Secure Shell (SSH) is finally fun again! After a wild two years, including a near-miss backdoor, clever cryptographic failures, unauthenticated remote code execution in OpenSSH, and piles of state machine bugs and authentication bypass issues, the security of SSH implementations has never been more relevant. This session is an extension of our 2024 work (Unexpected Exposures in the Secure Shell) and includes new research as well as big updates to our open source research and assessment tool, SSHamble.

References:

- [link](https://boehs.org/node/everything-i-know-about-the-xz-backdoor)
- [link](https://github.com/ssh-mitm/ssh-mitm)
- [link](https://ssh-comparison.quendi.de/comparison/hostkey.html)
- [link](https://words.filippo.io/ssh-whoami-filippo-io/)
- [link](https://github.com/badkeys/badkeys)
- Metasploit: ssh_identify_pubkeys (2012)
- regreSSHion: [link](https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt)
- Terrapin: [link](https://terrapin-attack.com/)
- [link](https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/)
- [link](http://thetarpit.org/2018/shithub-2018-06)
- [link](https://helda.helsinki.fi/server/api/core/bitstreams/471f0ffe-2626-4d12-8725-2147232d849f/content)
- [link](https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/)
- Kannisto, J., Harju, J. (2017). The Time Will Tell on You: Exploring Information Leaks in SSH Public Key Authentication. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. [link](https://doi.org/10.1007/978-3-319-64701-2_22)
- West, J.C., Moore, T. (2022). Longitudinal Study of Internet-Facing OpenSSH Update Patterns. In: Hohlfeld, O., Moura, G., Pelsser, C. (eds) Passive and Active Measurement. PAM 2022. Lecture Notes in Computer Science, vol 13210. Springer, Cham. [link](https://doi.org/10.1007/978-3-030-98785-5_30)
- Neef, S. (2022). Source & result datasets for "Oh SSH-it, what's my fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS" [Data set]. Zenodo. [link](https://doi.org/10.5281/zenodo.6993096)
- [link](https://www.openwall.com/lists/oss-security/2025/04/16/2)
- [link](https://platform.sh/blog/uncovered-and-patched-golang-vunerability/)
- [link](https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466)
- [link](https://badkeys.info/)
- [link](https://github.com/badkeys/badkeys)
- [link](https://github.com/runZeroInc/sshamble)
- [link](https://github.com/runZeroInc/excrypto)
- [link](https://www.runzero.com/blog/inside-out-attack-surface-management/)

Presenters:

  • HD Moore (hdm)
    Most recognized as the creator of Metasploit, HD's professional journey began with exploring telephone networks, developing exploits for the Department of Defense, and hacking into financial institution networks. When he's not working on runZero, he enjoys making weird Go projects, building janky electronics, running in circles, and playing single-player RPGs.
