Address harvesting is the act of searching a compromised host for the names and addresses of other targets to attack, such as occurs when an email virus locates target addresses from users’ address lists or mail archives. We examine how host addresses harvested from Secure Shell (SSH) clients’ known hosts files can aid those attacking SSH servers. Each user’s known hosts file contains the names of every host previously accessed by its owner. Thus, when an attacker compromises a user’s password or identity key, the known hosts file can be used to identify those hosts on a network that are most likely to accept this compromised credential. Such attacks are not theoretical – a single attacker who targeted host authentication via SSH and employed known hosts address harvesting was able to gain access to a multitude of academic, commercial, and government systems. To show the value of known hosts files to such attackers, we present results of a study of known hosts files and...
Stuart E. Schechter, Jaeyeon Jung, Will Stockwell,