Is that SSH client/server really what it says it is ? Now you can tell this and more - with HASSH! Looking for signals in the initialization of encrypted communication channels is not a new concept. There are many examples of fingerprinting both unencrypted and encrypted protocols such as TLS. However somewhat surprisingly, no open source scalable fingerprinting method has been developed for one of our most common and relied upon encrypted protocols SSH — an integral component of the internet. Enter, the HASSH. HASSH is a network fingerprinting standard invented within the Detection Cloud team at Salesforce. It can be used to help identify specific Client and Server SSH implementations. These fingerprints can be easily stored, searched and shared in the form of a standard string of summary text, a hassh for the Client and hasshServer for the Server. Gaining a greater insight into the observable nature of SSH clients and servers opens up a few really interesting possibilities. HASSH can highlight Deceptive implementations, Detect novel exfiltration attempts within the SSH negotiation packets themselves, baseline devices including IOT devices, make a passive assessment of patch levels of SSH servers and clients, and can easily detect anomalous SSH components in highly controlled well understood operational environments. Further to Detection uses, HASSH can also be built into the control pipeline as an active component.