SSH Hunter

Identify, track, and respond to SSH credential use and abuse

SSH Hunter comprises a powerful set of tools to identify SSH key issues and track key usage across your Linux systems by leveraging Sandfly's agentless architecture.

This feature gives you the ability to:

  • Track keys across all your systems.
  • See which users can access your systems.
  • Discover when keys were first and last seen, key types, and key locations.
  • Visualize how keys, users, and host access are distributed.
  • Group keys into security zones for auditing and alerting purposes.
  • Find anomalies such as duplicate keys or users with new keys unexpectedly added.
  • Rapidly respond to incidents involving compromised SSH credentials.
  • Search for new keys, old keys, banned keys, and much more.

SSH can be a serious cause of compromise on Linux because SSH key use is rarely monitored. SSH Hunter puts you in control of this critical data.
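To make the "duplicate keys" and "new keys unexpectedly added" checks above concrete, the following is an added example that is not part of Sandfly or this documentation: it fingerprints keys from authorized_keys files collected across hosts and users, then reports keys shared between accounts and keys absent from an earlier scan. All host names, user names and key material are constructed.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def make_ed25519_line(seed, comment):
    # Constructed, syntactically valid ssh-ed25519 line; the 32-byte "public key" is
    # just a hash of the seed, not a real key pair.
    pub = hashlib.sha256(b"demo-key-%d" % seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

def fingerprint(b64_blob):
    # OpenSSH-style fingerprint: SHA-256 of the decoded key blob, base64 without padding.
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    # Yield (key_type, fingerprint, comment); skips blank lines and '#' comments and
    # tolerates a leading options field such as from="..." by locating the key-type token.
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield fields[idx], fingerprint(fields[idx + 1]), " ".join(fields[idx + 2:])

def build_inventory(snapshot):
    # snapshot: {host: {user: authorized_keys text}} -> {fingerprint: {(host, user), ...}}
    inv = defaultdict(set)
    for host, users in snapshot.items():
        for user, text in users.items():
            for _type, fp, _comment in parse_authorized_keys(text):
                inv[fp].add((host, user))
    return dict(inv)

def shared_keys(inv):
    # Same key authorised for more than one (host, user) pair: the "duplicate key" anomaly.
    return {fp: sorted(p) for fp, p in inv.items() if len(p) > 1}

def new_keys(previous, current):
    # Fingerprints absent from the earlier scan: the "new key unexpectedly added" anomaly.
    return {fp: sorted(p) for fp, p in current.items() if fp not in previous}

# Constructed scan data: two hosts, a shared key for alice, and a key that appears for root later.
ALICE, BOB, ROGUE = (make_ed25519_line(1, "alice@laptop"),
                     make_ed25519_line(2, "bob@laptop"),
                     make_ed25519_line(3, "unknown"))
SCAN_BEFORE = {"web1": {"alice": ALICE, "root": "# no keys\n"},
               "db1": {"alice": ALICE, "bob": 'from="10.0.0.5" ' + BOB}}
SCAN_AFTER = {"web1": {"alice": ALICE, "root": ROGUE + "\n"},
              "db1": {"alice": ALICE, "bob": 'from="10.0.0.5" ' + BOB}}
```

Running `shared_keys(build_inventory(SCAN_AFTER))` and `new_keys(build_inventory(SCAN_BEFORE), build_inventory(SCAN_AFTER))` flags alice's key on both hosts and the key newly added to root on web1.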

In the sidebar, SSH Hunter consists of the following sub-sections:

  • Security Zones - Provides the ability to group hosts by applying host and key policies to form zones.
  • Key Investigation - Provides investigative data focused on the SSH keys themselves.
  • User Investigation - Provides investigative data focused on the use of SSH keys by users.
  • Hosts Investigation - Provides investigative data focused on the use of SSH keys on hosts.
  • Tag Workbench - Provides the ability to efficiently select and tag SSH keys in bulk.

Note: SSH Hunter needs recon_user_list_all enabled

This set of tools needs the recon_user_list_all sandfly to be enabled. Without that sandfly, scans will not collect all of the data necessary for full SSH Hunter functionality.

Expanding the SSH Hunter option in the sidebar will display all of the available sub-sections that can be accessed with a click.

SSH Hunter Menu