DarkSSH v4.0.0

1.1 Checker Mode

• Fast IP:Port scanning to find active SSH servers (scans lists of targets in parallel and supports large input files).
• Distinguish alive servers from dead ones using TCP-level and SSH-handshake probes.
• Identify genuine SSH protocol servers by verifying SSH banner and protocol compliance.
• Save a validated list of reachable and genuine SSH servers to an output file (append or replace modes available).
• Filter out inactive, unreachable, or timed-out hosts via configurable thresholds.

1.2 Cracker Mode

• Test username/password combinations against discovered SSH servers with configurable credential lists and permutations.
• Support for SSH public-key authentication tests including loading private keys and testing key-based logins.
• Save successful login credentials (username, password, key fingerprint, server details) to secure encrypted output files.
• Perform multi-threaded credential testing across many targets simultaneously with per-target rate limits.
• Resume capability that persists progress state periodically so interrupted jobs can continue from the last processed item without duplication.

2.1 Banner Analysis

• Check known honeypot signatures (Cowrie, Kippo, FakeSSH and other common honeypots) by matching banner fingerprints, default messages, and known constructs used by those projects.
• Detect suspicious or outdated OpenSSH versions by parsing banner version strings and comparing against known safe/recent version ranges.
• Analyze banner length and formatting: extremely short or unusually long banners are flagged, as are banners with misformatted version strings.
• Identify unusual or non-printable characters in the banner that may indicate emulation or fake implementations.
• Verify SSH protocol version indicators (e.g., SSH-2.0 or SSH-1.99) and flag mismatches or uncommon combinations used by honeypots.

2.2 Timing Analysis

• Measure server response times at multiple handshake stages (TCP SYN/ACK, SSH banner, key exchange handshake steps).
• Detect very fast responses (< 10ms) which often indicate emulated or scripted honeypots returning canned replies.
• Detect very slow responses (> 2s) which can indicate overloaded services, throttling, or network anomalies — also used as a heuristic in the scoring model.
• Analyze channel creation times (how long a server takes to open channels and respond to channel requests) for abnormal timing patterns.
• Record packet round-trip times during active probes and include variance/jitter in the timing profile.

2.3 Behavioral Analysis

• Enumerate supported authentication methods advertised by the server and compare to typical OpenSSH responses.
• Detect servers that advertise or accept SSH_AUTH_METHOD_NONE (no-auth) or other unusual authentication paths, which is a strong honeypot indicator.
• Identify servers that do not properly support public key authentication (missing or broken implementation) which is common in lightweight honeypots.
• Attempt safe, non-destructive execution of limited commands (whoami, uptime, uname) and analyze output for signs of emulation versus real system responses (output structure, timing, content consistency).
• Detect immediate root access or suspicious privilege indicators returned early in sessions (often a honeytrap behavior to entice attackers).

2.4 Cryptography & Algorithms Analysis

• Inspect Key Exchange (KEX) algorithms offered by the server and compare to modern secure lists.
• Flag usage of weak or legacy ciphers and algorithms such as 3DES, Blowfish, or Arcfour as potential insecure or emulated setups.
• Analyze server key sizes and types (RSA, ECDSA, ED25519) and check for abnormally small keys or inconsistent metadata.
• Specifically check for the presence of diffie-hellman-group1 or other deprecated groups and mark them as potential risk/honeypot evidence.

2.5 Operating System & Environment Analysis

• Collect innocuous environment information exposed via safe probes (e.g., /proc/cpuinfo where accessible through indirect means) to build a fingerprint of the host environment.
• Detect virtualization artifacts suggesting QEMU, VMware, VirtualBox, or KVM environments by analyzing reported CPU and device info patterns.
• Analyze user account listings or metadata (when safely obtainable) to detect unrealistic user counts or default honeypot accounts.
• Check uptime values for suspiciously low or high durations that do not match typical server behavior.
• Detect abnormal filesystem structures or placeholder filesystem metadata indicative of containerized/emulated filesystems.

2.6 Advanced Network Analysis

• Measure jitter across repeated probes and use that statistical profile when scoring host authenticity.
• Track bandwidth characteristics where possible and note sudden or artificial-looking stability in throughput as a potential honeypot sign.
• Estimate packet loss rate under controlled test conditions and include it in the network fingerprint.
• Analyze TCP retransmission rates and patterns for anomalies compared to normal production servers.
• Aggregate these network metrics into the overall anomaly detection model.

2.7 Scoring System

• Compute a comprehensive honeypot score by combining banner, timing, behavioral, crypto, OS/environment, and network signals.
• Confidence levels are reported: High (>0.7), Medium (>0.5), Low (≤0.5) with reasoned breakdowns of contributing factors.
• Produce a combined confidence score that weights signals according to empirically derived importance.
• Provide a detailed report explaining which heuristics and measurements resulted in the honeypot classification so operators can review the findings.

3.1 Thread Management

• Support for 4 to 512 concurrent threads configurable by the user or auto-tuned based on detected CPU core count.
• Automatic thread pool sizing and dynamic adjustment according to runtime load and CPU resources.
• Thread affinity optimization to bind threads to specific cores for reduced context-switching and cache locality.
• Safe lifecycle management for threads including clean startup, graceful shutdown, and watchdogs for hung workers.

3.2 Task Queue System

• High-performance ring buffer with 512K entry capacity for lock-free MPMC task queuing.
• Lock-free operations using atomic variables to minimize contention and improve throughput.
• Auto-resize strategies to expand queue capacity or apply backpressure when nearing capacity.\li>
• Priority-based scheduling to allow urgent tasks to be handled promptly without starving background work.

3.3 Thread Pool Management

• Worker threads with automatic load balancing across tasks and targets.
• Dedicated monitoring thread(s) for real-time observation of pool health and task distribution.
• Cleanup thread for periodic resource reclamation and handling of orphaned or failed tasks.
• Thread synchronization primitives including mutexes and spinlocks used judiciously to avoid deadlocks and minimize contention on hot paths.

4.1 Stealth Mode (Normal)

• Introduce randomized delays between 50ms and 300ms per connection attempt to reduce detectability by pattern-based IDS/IPS systems.
• Vary connection patterns (timing, ordering, target rotation) to avoid signature-based detection.
• Adjust timing heuristics dynamically based on network conditions to mimic normal traffic behavior.

4.2 Ultra-Stealth Mode (Advanced)

• Employ more complex connection and timing patterns designed to obfuscate automated fingerprinting systems.
• Apply micro-variations in timing (sub-millisecond adjustments where feasible) to break deterministic patterns.
• Use pattern-breaking randomization techniques to fragment observable sequences.
• Maintain lower average delays while intelligently spreading attempts to appear human-like and avoid bursts.

4.3 Anti-Block System

• Automatically detect when a server or network is blocking or rate-limiting requests and react accordingly.
• Implement exponential backoff for retries to avoid persistent rapid retries that would trigger blocks.
• Adapt delays based on measured response-time signals to reduce the chance of being classified as abusive traffic.
• Dynamically adjust connection parameters (timeouts, window sizes, proxy usage) to attempt alternative paths when blocking is detected.

4.4 Traffic Pattern Obfuscation

• Randomize timing patterns across multiple dimensions (inter-request, intra-session, per-target) to minimize recognizable signatures.
• Tweak TCP flags where applicable (e.g., toggling TCP_NODELAY) to create subtle variation in packetization behavior.
• Apply multi-layer encryption for stored logs and sensitive telemetry to reduce forensic disclosure and to control visibility of interaction fingerprints.
• Dynamically modify the depth or strength of logging/encryption for operational resilience when detection risk increases.

5.1 Proxy Support

• Full SOCKS5 proxy support with ability to set authentication and chained proxies.
• Proxy rotation to cycle through a provided list of proxies to distribute connection origin points.
• Retry mechanisms specifically for proxy failures with configurable retry counts and backoff strategies.
• Proxy health checking to avoid repeatedly using degraded or dead proxies.

5.2 DNS Caching

• Cache DNS resolution results to minimize repeated lookups and reduce latency.
• TTL for cache entries configurable (default 30 minutes) with safe eviction policies.
• Lock-free read access where possible with mutex protection on writes to ensure thread-safe operations.
• Automatic cache eviction policies to remove stale entries and control memory usage.

5.3 Connection Optimization

• Use TCP_NODELAY to reduce latency for small request/response interactions.
• Support TCP_FASTOPEN where available for faster initial handshakes.
• Utilize SO_KEEPALIVE to maintain long-lived connections when appropriate.
• Offer custom linger and socket options to tune connection teardown behavior.

5.4 Network Analysis

• Real-time latency monitoring and aggregation across multiple probes.
• Calculate jitter and packet loss statistics to feed into scoring and adaptive timeout decisions.
• Measure bandwidth and track throughput variability over time.
• Monitor TCP retransmission rates and other transport-layer metrics to identify degraded links.
• Compute a derived network stability score summarizing observed network health.

5.5 Adaptive Timeout

• Dynamically adjust connection and operation timeouts based on observed latency and jitter to reduce false timeouts and maximize throughput.
• Incorporate jitter into timeout calculations and smooth adjustments over time to avoid oscillation.
• Enforce configured minimum and maximum timeout bounds (1–60 seconds) to prevent extreme values.

6.1 Huge Pages Support

• Use 2MB huge pages for large allocations to reduce TLB pressure and improve throughput.
• Automatic fallback to normal allocations when huge pages are not available.
• Monitor memory pressure and adjust strategies accordingly.

6.2 Memory Alignment

• 128-byte cache line alignment for hot data structures to minimize false sharing and improve cache utilization.
• 4KB page alignment for page-friendly operations and mmap usage.
• Design optimal memory layouts for predictable access patterns.

6.3 Memory Recovery System

• Automatically detect memory pressure and trigger recovery strategies.
• Three-tier recovery strategies: Normal (light), Aggressive (reclaim more memory), Emergency (forceful trimming and cache drops).
• Use exponential backoff for repeated recovery attempts to avoid thrashing.
• Automatic invocation of malloc_trim and optional dropping of OS caches when critical.

6.4 Memory Pooling

• Pre-allocated memory block pools for frequently used buffers to avoid frequent allocations and fragmentation.
• Zero-copy operations where possible to reduce memory bandwidth.
• Memory reuse strategies to lower allocation/deallocation overhead.

6.5 Smart Allocation

• Use mmap for large files or buffers (>1MB) to optimize I/O and memory usage.
• aligned_alloc for cache-friendly alignment requirements.
• Lock critical large allocations in memory (>16MB) when necessary to prevent swapping.
• Provide madvise hints (MADV_SEQUENTIAL, MADV_WILLNEED) to the OS to optimize paging.

7.1 Checker Statistics

• Total checked servers, categorized counts: Good (valid), Bad (invalid), and Unreachable.
• Counts of timeouts and detected honeypots, with breakdowns by category.
• Error counts and mean response time (milliseconds) with min/max values reported.
• Packet loss rate, overall success rate, and TCP stability score for the checking subsystem.

7.2 Cracker Statistics

• Total number of attempts, successful logins captured, and failure counts with timestamps.\li>
• Attempts per second metric to measure brute-force throughput and throttling behavior.
• Bandwidth efficiency indicators and TCP success rate to evaluate network utilization for cracking operations.

7.3 Network Statistics

• Average latency (ms), jitter (ms), and measured bandwidth (Mbps) statistics.
• Network health score aggregated from multiple network signals.
• Connection stability metrics across the run.

7.4 System Statistics

• CPU usage percentage, RAM usage percentage, and active thread counts updated in real time.
• Memory pressure indicators and I/O throughput monitoring for the host system.

7.5 Progress Tracking

• Visual progress bar with precise percentage completion and elapsed time.
• Concurrent terminal display and UI updates to show live progress per task group.

8.1 Multi-Layer Encryption

• Double-layer AES-256-CBC encryption for sensitive artifacts such as credential storage and session logs.
• Use random keys per-layer and per-session where applicable to reduce correlation risk.
• Random IV generation for each encryption operation to guarantee semantic security.
• Protect sensitive logs and outputs with encryption at rest and in transit as needed.

8.2 Key Management

• Generate cryptographic keys using secure RNG (RAND_bytes or equivalent) and ephemeral key strategies where reasonable.
• Keep keys in protected in-memory structures and avoid persistent disk writes of plaintext keys.
• Use secure erasure patterns on memory when keys are retired to reduce leakage risk.

8.3 Secure Logging

• Encrypt logs containing sensitive data and compress them with ZSTD (level 3 default) to save space.
• Atomic write operations for log files to avoid corruption and partial writes.
• Thread-safe logging mechanisms to prevent race conditions in high-concurrency environments.

9.1 Large File Support

• Support for files up to 1TB with memory-mapped I/O for efficient large-file processing.
• Optimizations for sequential reads and chunk-based processing to minimize memory overhead.

9.2 File Formats

• Support a variety of input formats (plain lists, CSV, JSON-lines, etc.) and automatically detect format where possible.
• Full UTF-8 encoding support and robust handling of long line lengths (up to 1MB per line).

9.3 State Persistence

• Persist runtime state periodically so long-running jobs can resume from the latest saved checkpoint.
• Resume capabilities with checksum validation for integrity and encrypted state files to protect sensitive progress data.

10.1 Timeout Settings

• Connection timeout: configurable range 1–60 seconds (default 3s).
• Authentication timeout: default 6s.
• Banner read timeout: default 1s.
• Dynamic timeout adjustment based on observed network latency and jitter.

10.2 Retry Mechanism

• Configurable retry attempts (1–10, default 3) with adjustable delay (0–10000ms, default 200ms).
• Exponential backoff for persistent failures to reduce rate-limiting triggers.
• Smart retry policies that vary behavior by error class (network vs auth vs server error).

10.3 Thread Configuration

• User-configurable thread counts (4–512) with auto-tuning based on CPU core count and load.
• Priority scheduling options and thread affinity controls to optimize throughput and fairness.

10.4 Buffer Sizes

• Main buffer default 512KB, tunable by user.
• Network buffer default 128KB for socket I/O buffering.
• Ring buffer capacity 512K entries for task queuing; hash table sized to 16M entries by default for internal indexing.

11.1 CPU Optimization

• Cache line alignment (128 bytes) for hot data structures, SIMD-friendly memory operations, and cpu affinity tuning.

11.2 Memory Optimization

• Zero-copy operations, memory pooling, and lazy initialization patterns to reduce allocations and improve throughput.

11.3 Network Optimization

• Connection pooling, pipelining of network operations, and batching to amortize per-connection overhead.

11.4 I/O Optimization

• Non-blocking I/O, epoll-based event handling, buffered I/O, and direct I/O for large files where appropriate.

11.5 Algorithm Optimization

• Use FNV-1a for fast hashing, lock-free structures on hot paths, and O(1) operations where possible for critical lookups.

12.1 Error Detection

• Automatic detection and classification of error types with tracking and pattern analysis.

12.2 Recovery Strategies

• Automatic retry with exponential backoff, alternative path selection, and resource reallocation.

12.3 Crash Protection

• Signal handlers for SIGINT/SIGTERM/SIGQUIT, graceful shutdown, and state preservation before exit.

12.4 Data Integrity

• Checksum validation, atomic operations, and transaction-like behavior with rollback capabilities.

13.1 Banner Display

• Polished ASCII art banner, version, and creator information along with a short system summary.

13.2 Progress Display

• Graphic progress bars, real-time stats, and color-coded status updates refreshed every second.

13.3 Help System

• Comprehensive command help, usage examples, and explanations for each option and flag.

13.4 Logging Levels

• Support for INFO, WARNING, ERROR, CRITICAL, and ATTEMPT logging levels with filters.

14.1 JSON Logging

• JSON formatted logs for machine-readability and easy integration with log systems.

14.2 Bandwidth Monitoring

• Real-time measurement, enforcement, and shaping capabilities for bandwidth usage.

14.3 TCP Analysis

• Track TCP window sizes, retransmissions, and congestion signals to diagnose network problems.

14.4 Deep Detection

• ML-based behavioral and anomaly detection layered with advanced fingerprinting.

14.5 Priority Scheduling

• Prioritize tasks by latency sensitivity with fast-path execution for urgent work and fair scheduling for background tasks.

14.6 Auto-Optimization

• Self-tuning algorithms that adjust parameters automatically and continuously based on performance profiles.

15.1 Dead Server Filtering

• Pre-check mechanisms to identify and skip dead or permanently-down targets to save resources.

15.2 Adaptive Speed

• Automatically adjust operational speed, throttle when problems are detected, and accelerate under favorable conditions balancing speed and stability.

15.3 Precision Mode

• Precision timing modes using high-resolution timers for nanosecond measurements and double-precision calculations.

15.4 Crash Proof

• Crash protection, automatic recovery strategies, and state preservation to continue after failures.

16.1 Ring Buffer

• Lock-free MPMC ring buffer with power-of-two sizing, overflow/underflow handling, and contention tracking.

16.2 Hash Table

• Large hash table (16M entries), FNV-1a hashing, chaining for collisions, and per-bucket locking where necessary.

16.3 Cache Block

• Cache block metadata tracking, access counting, and lifecycle management tuned for memory pressure.

16.4 Task Structure

• Comprehensive task metadata including timing, network metrics, and embedded statistics for accurate monitoring and retries.\li>

17.1 Input Validation

• IP:Port format validation, type checking, and sanitization to prevent malformed input.

17.2 Network Validation

• Connectivity verification, protocol compliance, and response validation layers.

17.3 Authentication Validation

• Credential format checks, key file integrity validation, and confirmation of successful authentications.

18.1 SSH Protocol

• Full SSH-2.0 support with multiple authentication methods, channel management, and shell interactions where appropriate.\li>

18.2 Network Protocols

• IPv4 support, TCP-level optimizations, SOCKS5 proxy handling, and raw socket operations for advanced uses.

19.1 Color Coding

• Success: green, Error: red, Warning: yellow, Info: blue, Special: cosmic palette.

19.2 Real-Time Feedback

• Instant updates, progress indication, and fast status changes to keep users informed.

19.3 Clear Screen

• Organized, professional terminal UI with reduced clutter and clear rendering.

20.1 Platform Support

• Main target: Linux x86-64 with POSIX compliance and kernel feature usage where beneficial.

20.2 Library Dependencies

• Depends on libssh for SSH protocol handling, OpenSSL for crypto, zstd for compression, pthread for threading, and math/libc utilities.

20.3 Resource Management

• Careful management of file descriptors, sockets, memory, and CPU utilization to ensure stability under high load.