
Add observable type HASSH

Open dumprop opened this issue 5 years ago • 2 comments

HASSH is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of a small MD5 fingerprint.

More info: https://github.com/salesforce/hassh

It may be used for identification of an attacker across IP addresses. Can it be helpful for yeti?

dumprop avatar Jan 29 '20 14:01 dumprop

Yes, very interesting! But where do you suggest we get the source data from?

tomchop avatar Jan 29 '20 21:01 tomchop

Currently I don't know of any HASSH feed, but they have 3 predefined values:

de30354b88bae4c2810426614e1b6976 Powershell Renci.SshNet.SshClient.0.0.1 (used by Empire exploit modules)

fafc45381bfde997b6305c4e1600f1bf Ruby/Net::SSH_5.0.2 x86_64-linux (used by Metasploit exploit modules)

b5752e36ba6c5979a575e43178908adf Python Paramiko_2.4.1 (used by Metasploit exploit modules)

I think it can be an observable object without any feed, such as a bitcoin wallet or MAC address. Maybe there will be a feed in the future :)

dumprop avatar Jan 31 '20 11:01 dumprop
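
Added example, not part of the thread and not code from Yeti or the HASSH project: how a client HASSH can be derived from an SSH_MSG_KEXINIT payload (MD5 over the client-to-server `kex;encryption;mac;compression` name-lists, per the HASSH specification linked above) and checked against the three values quoted in the last comment. The function names and the `SAMPLE` payload are constructed for illustration.

```python
import hashlib

SSH_MSG_KEXINIT = 20
# The three values quoted in the thread above.
KNOWN_HASSH = {
    "de30354b88bae4c2810426614e1b6976": "Powershell Renci.SshNet.SshClient.0.0.1",
    "fafc45381bfde997b6305c4e1600f1bf": "Ruby/Net::SSH_5.0.2 x86_64-linux",
    "b5752e36ba6c5979a575e43178908adf": "Python Paramiko_2.4.1",
}

def parse_kexinit(payload):
    """Return the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, 7.1)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset, lists = 17, []  # skip message type byte + 16-byte cookie
    for _ in range(10):
        # A short slice here also trips the overrun check below.
        length = int.from_bytes(payload[offset:offset + 4], "big")
        offset += 4
        if offset + length > len(payload):
            raise ValueError("name-list overruns payload")
        lists.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return lists

def hassh(payload):
    """Client HASSH: MD5 over kex;enc_c2s;mac_c2s;comp_c2s."""
    n = parse_kexinit(payload)
    return hashlib.md5(";".join((n[0], n[2], n[4], n[6])).encode()).hexdigest()

def classify(fingerprint):
    return KNOWN_HASSH.get(fingerprint.lower(), "unknown")

def build_kexinit(name_lists):
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie
    for name_list in name_lists:
        raw = name_list.encode("ascii")
        body += len(raw).to_bytes(4, "big") + raw
    return body + b"\x00" + (0).to_bytes(4, "big")

# Constructed sample payload, not a capture of any real client.
SAMPLE = build_kexinit([
    "curve25519-sha256,diffie-hellman-group14-sha256", "ssh-ed25519",
    "aes128-ctr,aes256-ctr", "aes128-ctr,aes256-ctr",
    "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""])

if __name__ == "__main__":
    print(hassh(SAMPLE), classify(hassh(SAMPLE)))
```

Because the fingerprint covers only the offered algorithm lists and their order, it stays the same when the client changes IP address, which is what makes it usable as a stand-alone observable without a feed.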