SSH Snake - Tanium Tech Talks #95
In January of 2024, the Linux / Unix world was rocked by a script that worms its way through insecure SSH trust relationships to map your environment. A team of two Tanium SMEs built the content you need to find and map your exposure, giving you the information necessary to remediate your environment.
In episode 95 of Tanium Tech Talks, host Ashley McGlone welcomes technical account manager Bart van Knijff and Tyler Schultz, director of endpoint security research, for a deep-dive conversation about the SSH-Snake tool, a script that uses harvested private keys and passwordless, key-based SSH access to map environments. Bart and Tyler discuss the tool’s implications and how Tanium’s solutions can help detect and mitigate its risks.
Key takeaways
Introduction to SSH-Snake: SSH-Snake is a Bash script that abuses key-based SSH trust: it harvests private keys on a host and reuses them to hop to other hosts, traversing networks and mapping environments without needing passwords, posing a significant security risk.
Importance of SSH configuration: SSH is widely used for system administration on Linux systems, but many organizations do not regularly review or audit their SSH configuration policies, leaving stale keys and unreviewed trust relationships that a tool like SSH-Snake can follow.
Script capabilities: SSH-Snake can find private keys and traverse networks using only these keys, without needing passwords, making it a powerful and dangerous tool.
Detecting SSH-Snake: Bart and Tyler developed Tanium content to help detect SSH-Snake in environments, including dashboards that show SSH servers and key hygiene.
Visualization and analysis: Using Tanium’s tools, users can export data and visualize SSH access paths in their network without running the SSH-Snake script, helping to identify potential risks.
Future enhancements: Future plans include packages to delete unauthorized keys and centralize key management to improve security and lifecycle management.
Accessing the tools: Cloud customers already have access to the relevant content, while on-premises customers need to update their Emerging Issues content set to use the tools.
Expanding Guardian content: Tanium is expanding its Guardian content to include risks from misconfigurations and other non-traditional vulnerabilities, providing broader security insights.
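The "Script capabilities" and "Visualization and analysis" takeaways above describe the two halves of the problem: SSH-Snake hops from a host using whatever private keys and destination hints it finds there, and defenders want the same access-path map without ever running the worm. The script below is an added example written for this page; it is not Tanium's content and not SSH-Snake itself. It walks a directory of home directories, inventories private keys, reads the destinations recorded in known_hosts and shell history, and prints the candidate "user -> destination via key" hops together with key-hygiene findings (group/world-readable keys, keys stored outside ~/.ssh, authorized_keys entries with no restriction options). Nothing is connected to. The sample tree it builds is constructed for the demo and contains header-only placeholder files, not real keys; the root directory argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Offline SSH trust-path inventory (added example; not Tanium content, not SSH-Snake).
# Given a root that holds home directories, list private keys, the destinations
# recorded beside them, and the hops a key-reusing worm would *try*. No ssh is run.

# Print every file under $1 whose first line is a PEM/OpenSSH private key header.
find_private_keys() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            "-----BEGIN "*"PRIVATE KEY-----") printf '%s\n' "$f" ;;
        esac
    done
}

# Print candidate destinations for one home directory: known_hosts names
# (hashed "|1|..." entries, comments and @cert-authority markers are skipped)
# and the target of "ssh ..." commands in shell history. Heuristic: the first
# argument containing "@", else the first argument not starting with "-"
# (options that take a value, e.g. "-p 2222 host", are not modelled).
list_destinations() {
    home="$1"
    {
        [ -f "$home/.ssh/known_hosts" ] && awk '$1 !~ /^[|#@]/ {
            n = split($1, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$home/.ssh/known_hosts"
        [ -f "$home/.bash_history" ] && awk '$1 == "ssh" {
            for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; next }
            for (i = 2; i <= NF; i++) if ($i !~ /^-/) { print $i; next } }' "$home/.bash_history"
    } | sort -u
}

# One line per (key, destination) pair under root $1: "user -> dest via keypath".
map_edges() {
    root="$1"
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        keys=$(find_private_keys "$home")
        [ -n "$keys" ] || continue
        list_destinations "$home" | while IFS= read -r dest; do
            printf '%s\n' "$keys" | while IFS= read -r k; do
                printf '%s -> %s via %s\n' "$user" "$dest" "${k#"$root"/}"
            done
        done
    done
}

# Hygiene findings under root $1: WEAK_PERMS (group/other bits set on a key),
# STRAY_KEY (key outside a .ssh directory), UNRESTRICTED_KEY (authorized_keys
# line that starts with a key type, i.e. carries no from=/command= options).
hygiene_findings() {
    root="$1"
    find_private_keys "$root" | while IFS= read -r k; do
        rel=${k#"$root"/}
        [ "$(ls -ld "$k" | cut -c5-10)" = "------" ] || printf 'WEAK_PERMS %s\n' "$rel"
        case "$k" in */.ssh/*) ;; *) printf 'STRAY_KEY %s\n' "$rel" ;; esac
    done
    for ak in "$root"/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        rel=${ak#"$root"/}
        awk -v f="$rel" '$1 ~ /^(ssh-|ecdsa-|sk-)/ { print "UNRESTRICTED_KEY " f " line " NR }' "$ak"
    done
}

# Constructed sample tree: two users, placeholder "keys" (header lines only).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/.ssh" "$root/bob/.ssh" "$root/bob/backup"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nDEMO\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$root/alice/.ssh/id_ed25519"
    chmod 600 "$root/alice/.ssh/id_ed25519"
    printf 'db01,10.0.0.5 ssh-ed25519 AAAADEMO\n|1|hashedhost|hash ssh-ed25519 AAAADEMO\n' \
        > "$root/alice/.ssh/known_hosts"
    printf 'ssh -p 2222 deploy@web01\nls\nssh db01\n' > "$root/alice/.bash_history"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nDEMO\n-----END RSA PRIVATE KEY-----\n' \
        > "$root/bob/backup/old_key.pem"
    chmod 644 "$root/bob/backup/old_key.pem"
    printf 'ssh-rsa AAAADEMO bob@laptop\nfrom="10.0.0.0/24",command="/usr/bin/rrsync /data" ssh-ed25519 AAAADEMO backup\n' \
        > "$root/bob/.ssh/authorized_keys"
    printf '%s\n' "$root"
}

# Stand-alone demo on the constructed tree.
demo_root=$(make_sample)
echo "# candidate hops (never attempted)"; map_edges "$demo_root"
echo "# hygiene findings"; hygiene_findings "$demo_root"
rm -rf "$demo_root"
```

Point `map_edges` and `hygiene_findings` at a copy of /home (or at /home itself on a test box) to get the same view for a real host; the edge list can be concatenated across hosts and fed to a graph tool, which is the export-and-visualize workflow described above, minus the worm. Keys that SSH-Snake would find but this script does not (agent-forwarded keys, keys named in ~/.ssh/config IdentityFile lines) are a known gap of the heuristic.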