scanssh(1)                BSD General Commands Manual                scanssh(1)

NAME
     scanssh — scans the Internet for open proxies and SSH servers

SYNOPSIS
     scanssh [-VIERph] [-s scanners,...] [-n ports,...] [-u socks hosts,...]
             [-e excludefile] addresses...

DESCRIPTION
     ScanSSH scans the given addresses and networks for running services.  It
     mainly allows the detection of open proxies and Internet services.  For
     known services, ScanSSH queries their version number and displays the
     results in a list.

     The addresses can be specified either as an IPv4 address or as a
     CIDR-like IP prefix, ipaddress/masklength.  Ports can be appended by
     adding a colon at the end of the address specification.

     Additionally, the following two commands can be prefixed to the address:

     random(n[,seed])/  The random command selects random addresses from the
                        address range specified.  The arguments are as
                        follows: n is the number of addresses to randomly
                        create in the given network and seed is a seed for
                        the pseudo random number generator.

     split(s,e)/        The split command is used to split the address range
                        into several unique components.  This can be used to
                        scan from several hosts in parallel.  The arguments
                        are as follows: e specifies the number of hosts
                        scanning in parallel and s is the number of the host
                        this particular scan runs on.

     The options are as follows:

     -V              Causes scanssh to print its version number.

     -I              Does not send an SSH identification string.

     -E              Exit the program if the file containing the addresses
                     for exclusion cannot be found.

     -R              If addresses are generated at random, this flag causes
                     the program to ignore excluded addresses from the
                     exclude file.  The default behaviour is to always
                     exclude addresses.

     -p              Specifies that ScanSSH should operate as a proxy
                     detector.  This flag sets the default modes and default
                     scanners to detect open proxies.

     -h              Displays the usage of the program.

     -n ports,...    Specifies the port numbers to scan.  Ports are separated
                     by commas.  Each specified scanner is run for each port
                     in this list.  The default is 22.

     -u socks hosts,...
                     A list of comma separated host:port pairs of SOCKS
                     proxies that scanssh should use to scan through.

     -s scanners     Specifies a number of scanners that should be executed
                     for each open port.  Multiple scanners are separated by
                     commas.  The following scanners are currently supported:

                     ssh           Finds versions for SSH, Web and SMTP
                                   servers.

                     socks5        Detects if a SOCKS V5 proxy is running on
                                   the port.

                     socks4        Detects if a SOCKS V4 proxy is running on
                                   the port.

                     http-proxy    Detects an HTTP get proxy.

                     http-connect  Detects an HTTP connect proxy.

                     telnet-proxy  Detects telnet based proxy servers.

     -e excludefile  Specifies the file that contains the addresses to be
                     excluded from the scan.  The syntax is the same as for
                     the addresses on the command line.

     The output from scanssh contains only IP addresses.  However, the IP
     addresses can be converted to names with the logresolve(8) tool included
     in the Apache webserver.

EXAMPLES
     The following command scans the class C network 10.0.0.0 - 10.0.0.255 for
     open proxies:

           scanssh -p 10.0.0.0/24

     The next command scans for ssh servers on port 22 only:

           scanssh -n 22 -s ssh 192.168.0.0/16

     The following command can be used in a parallel scan.  Two hosts scan the
     specified networks randomly, where this is the first host:

           scanssh 'random(0,rsd)/split(1,2)/(192.168.0.0/16 10.1.0.0/24):22,80'

BUGS
     At the moment, scanssh leaves a one line entry in the log file of the ssh
     server.  It is probably not possible to avoid that.
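
     Because each probe leaves a one line entry in the sshd log, a sweep is visible from the server side. The following is an added example, not part of scanssh or its manual, that flags a source address probing several servers within a short window. The OpenSSH message wording, the syslog line layout with a host field, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines collected from several hosts (documentation
# address ranges, not real traffic).
SAMPLE_LOG = """\
Jul 17 10:00:01 hostA sshd[101]: Did not receive identification string from 192.0.2.7
Jul 17 10:00:01 hostB sshd[311]: Did not receive identification string from 192.0.2.7
Jul 17 10:00:02 hostC sshd[520]: Connection closed by 192.0.2.7 port 40112 [preauth]
Jul 17 10:00:02 hostD sshd[77]: Did not receive identification string from 192.0.2.7 port 40113
Jul 17 10:03:10 hostA sshd[140]: Accepted publickey for alice from 198.51.100.4 port 50022 ssh2
Jul 17 11:15:00 hostB sshd[350]: Connection closed by 198.51.100.9 port 50100 [preauth]
"""

# Assumed wording: messages sshd writes when a client connects and leaves
# before authenticating (with or without sending an identification string).
PROBE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Did not receive identification string from|Connection closed by) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def find_sweeps(log_text, min_hosts=3, window=timedelta(seconds=60), year=2000):
    """Return {source_ip: sorted hosts} for every source that probed at
    least min_hosts distinct servers within one sliding time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = PROBE.match(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied explicitly.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["src"]].append((ts, m["host"]))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                sweeps[src] = sorted(hosts)
                break
    return sweeps

if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed {len(hosts)} hosts: {', '.join(hosts)}")
```

     A single unauthenticated disconnect, such as the 198.51.100.9 line in the sample, stays below the threshold and is not reported.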

BSD                              July 17, 2000                              BSD