By default ssh logs out ssh attempts , wether they’re successful or not , what it doesn’t do by default is log out the passwords they’ve tried. So i thought it would be a good idea to slightly modify ssh to log them passwords too. So here we go , you will need to quickly compile openssh , zlib and openssl Note you have to have build essentials gcc glibc-devel and others… Nothing to note up there other than: sed -e 's/struct passwd \* pw = authctxt->pw;/logit("Honey: Username: %s Password: %s", authctxt->user, password);\nstruct passwd \* pw = authctxt->pw;/' -i auth-passwd.c I am basically injecting a little call before the struct definition , check the code of if you wanna know more about it. logit() auth-passwd.c So that will compile zlib , openssl and openssh and will prefix it all to /opt/openssh2 You can start openssh as follows: /opt/openssh2/dist/sbin/sshd -f /opt/openssh2/dist/etc/sshd_config That should get the daemon going , and you can try a few fake attempts to login over ssh: After 10 hours , the results are quite interesting: First , countries that i got hits from: (Thanks to ) ipheatmap.azurewebsites.net Countries that sshed to my box "HR Pula""CN Wuchuan""KR Seoul""DE Frankfurt am Main""NL ""CN Shenzhen""RU Yekaterinburg""RU Nyagan""US Boydton""CN Kunshan""CN Hefei""TH Kamphaeng Phet""CN Beijing""HK Hong Kong""IL Tel Aviv""FR ""PL Inowrocław""PL Krakow""IT Giugliano in Campania""FR Paris""GB London""VN Hanoi""VN Hanoi""VN Hanoi""CN Zhengding""CN Dongyangshi""CN Qingdao""CN Bengbu""CN Shanghai""US Los Angeles""IN Bengaluru""KR Seoul""KR Bucheon-si""KR Yangsan"" ""JP ""CL ""FR ""JP Tokyo""US Buffalo""HK ""CN Lianyungang""CN Beijing""US Chicago""AR Villa Allende""US Piscataway""AL ""BR Recife""IT Soci""CO Bucaramanga""AR ""TR Ağrı""FR ""CA Montreal""MY Kuala Selangor""FR Ivry-sur-seine""FR " (Thanks to ) (you can curl it and jq it) ipinfo.io So now the most frequent passwords! 46 password43 12345636 123429 admin29 1234517 abc12316 root11 support10 test10 1239 ubnt9 fucker9 fake8 raspberry8 guest8 admin1237 password1237 default7 1234567896 user6 alpine6 123456786 1111115 wubao5 ubuntu5 raspberrypi5 manager5 git5 12345674 system4 operator4 mysql4 14 00000043 waldo3 tomcat3 postgres3 pi And the most used users were:(counting the attempts) 1689 root72 admin31 test24 postgres21 jenkins14 user13 mysql12 support12 fake11 nagios11 deploy10 oracle10 guest9 mother9 hadoop8 vagrant8 tomcat8 pi8 git7 ubuntu6 zabbix6 weblogic6 user16 debian6 backup5 prueba I’m gisting the full , so you can find look your fav password in there :) thing
