sshfinder is a fast, reliable tool for discovering open SSH services
across one or many targets. It scans for open TCP ports and then confirms
which of them actually speak SSH — running both stages concurrently for
speed.
- Multiple targets — scan many IPs, hostnames, and CIDR networks
(e.g.
10.0.0.0/24) in a single run, or load them from a file. - Parallel scanning — ports are probed concurrently and hosts are scanned in parallel, making large scans dramatically faster.
- Two scan back-ends:
connect— portable TCP connect scan, no privileges required (default).syn— half-open SYN scan via Scapy (faster, requires root).
- Reliable SSH validation — reads the SSH identification banner (RFC 4253) by default, with optional full Paramiko handshake validation.
- SSH security audit (
--audit) — turns discovery into attack-surface intelligence for pentesters: enumerates accepted authentication methods (flagging password auth), lists offered KEX/cipher/MAC/host-key algorithms and flags weak/deprecated ones, detects Terrapin (CVE-2023-48795), and correlates shared host keys across targets to reveal cloned or load-balanced infrastructure. - Zero required dependencies — the default connect scan and banner validation run on the Python standard library alone.
- Pipelined identification — the service behind each open port is
identified (and audited) the instant the port is found, in parallel with the
rest of the port sweep. SSH services are confirmed without waiting for the
whole scan to finish, and every open port is labelled
[SSH]/[not ssh]so an open port is never mistaken for an SSH one. - Live, per-socket discovery — open ports and confirmed SSH services are
printed the moment they are found, as
host:port, so it is always clear which result belongs to which target when scanning many hosts. - Live progress & robust Ctrl+C — a real-time progress indicator shows the scan is working. Ctrl+C is honoured even on Windows (where an unbounded thread wait normally swallows it): the first press stops gracefully and returns partial results, a second forces an immediate exit.
- Clear host status — distinguishes open, closed, and filtered ports, so a firewalled or unreachable host is reported as such instead of looking like a hang.
- Machine-readable output — human-friendly text or
--json, optionally written to a file.
git clone https://github.com/kabiri-labs/sshfinder.git
cd sshfinder
# Installs paramiko (recommended: enables the full --audit deep checks and
# --validate paramiko):
pip install -r requirements.txt
# Optional, only for half-open SYN scans (needs root):
pip install scapy>=2.5The core connect scan, banner validation and the dependency-free parts of
--audit (algorithm inventory, weak-crypto flags, Terrapin) work without any
third-party packages; paramiko unlocks host-key fingerprints, auth-method
enumeration and shared-key correlation.
Requires Python 3.9+.
python sshfinder.py [targets ...] [options]| Option | Description |
|---|---|
targets |
One or more IPs, hostnames, or CIDR networks. |
-iL, --target-file FILE |
Read targets from a file (one per line, # comments allowed). |
-p, --ports SPEC |
Ports to scan, e.g. 22,80,1000-2000 (default: 1-65535). |
--scan-method {auto,connect,syn} |
Scan back-end (default: auto). |
--validate {banner,paramiko,none} |
SSH validation strategy (default: banner). |
--audit |
Audit each SSH service (algorithms, host key, auth methods, Terrapin, shared-key correlation). |
-t, --timeout SECONDS |
Per-connection timeout (default: 2.0). |
-w, --workers N |
Concurrent probes per host (default: 200). |
--host-concurrency N |
Hosts scanned in parallel (default: 16). |
-r, --retries N |
Retries for timed-out probes (default: 0). |
--json |
Emit results as JSON. |
-o, --output FILE |
Write results to a file instead of stdout. |
--no-progress |
Disable the live progress indicator. |
-v |
Verbose (debug) logging. |
-q, --quiet |
Suppress progress and informational logging. |
Note on slow scans. Scanning the full
1-65535range against a firewalled or unreachable host is inherently slow: every filtered port must wait out the timeout. The progress indicator shows it is still working, and Ctrl+C stops it promptly. To go faster, narrow the ports (e.g.-p 22,2222), lower the timeout (-t 1), or raise concurrency (-w).
auto selects the SYN scan when running as root with Scapy installed,
and otherwise falls back to the privilege-free connect scan.
Scan a single host on the common SSH ports:
python sshfinder.py 192.168.1.1 -p 22,2222Scan an entire subnet and emit JSON:
python sshfinder.py 10.0.0.0/24 -p 22,2222 --json -o results.jsonScan many targets from a file with a fast SYN scan (as root):
sudo python sshfinder.py -iL targets.txt --scan-method synStrictly validate SSH with a full handshake:
python sshfinder.py example.com -p 22 --validate paramikoAudit the SSH attack surface across a subnet (auth methods, weak crypto, Terrapin, shared host keys):
python sshfinder.py 10.0.0.0/24 -p 22,2222 --auditExample audit output:
=== 10.0.0.5 ===
open: 10.0.0.5:22
SSH 10.0.0.5:22 (SSH-2.0-OpenSSH_7.4)
host key: ssh-ed25519 SHA256:T/ZM4jOL4amTsO5K3AaCdg2...
auth: publickey, password [!] password auth enabled
[!] Terrapin (CVE-2023-48795): VULNERABLE
[!] weak ciphers: aes128-cbc
Shared SSH host keys (possible shared/cloned hosts):
SHA256:T/ZM4jOL4amTsO5K3AaCdg2...
-> 10.0.0.5:22, 10.0.0.9:22
The algorithm inventory, weak-crypto flags and Terrapin check work with no
dependencies. Host key fingerprints, auth-method enumeration and shared-key
correlation use Paramiko (pip install paramiko).
pip install -r requirements-dev.txt
pytestOnly scan systems you own or are explicitly authorized to test. Unauthorized scanning may be illegal in your jurisdiction.