SSH: Secure Shell

encrypted layer 7 SSH

Introduction

This tutorial discusses the sshDecode plugin. SSH encrypts its payload, but the handshake that precedes the encrypted channel is sent in the clear: the version banners, the algorithm lists of the Key Exchange Init messages, the server host key and the key exchange messages themselves. sshDecode extracts these tokens, including the host key fingerprint and the HASSH hashes, which is a lot of material to work with when proceeding with Encrypted Traffic Mining.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow sshDecode txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do it now in another bash window; it keeps the workflow tidy:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: ssh_succ.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing SSH traffic!

sshDecode

Let’s look at the plugin configuration first (sshDecode, like every plugin name, is a t2_aliases shortcut that changes into the plugin’s source folder):

sshDecode

vi src/sshDecode.h

The flags control how the plugin detects SSH (by port or by content), how much of the handshake it decodes, which hash is used for the host key fingerprint and whether HASSH fingerprints are emitted. We leave everything at its default.

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define SSH_USE_PORT         0 // Count all packets to/from SSH_PORT as SSH
#define SSH_DECODE           2 // 0: Do not decode SSH handshake messages
                               // 1: Only decode SSH Key Exchange Init messages
                               // 2: Decode all SSH Exchange messages
#define SSH_FINGERPRINT      1 // Algorithm to use for the fingerprint (requires SSH_DECODE == 2)
                               // 0: no fingerprint, 1: MD5, 2: SHA256
#define SSH_ALGO             1 // Output chosen algorithms
#define SSH_LISTS            0 // Output lists of supported algorithms
#define SSH_HASSH            1 // Output HASSH fingerprint (hash and description)
#define SSH_HASSH_STR        0 // Also output HASSH fingerprint before hashing
#define SSH_HASSH_DLEN     512 // Max length for HASSH descriptions
#define SSH_HASSH_STR_LEN 1024 // Max length for uncompressed HASSH signatures

#define SSH_BUF_SIZE 512 // Buffer size for strings
#define SSH_HKT_SIZE  48 // Host Key Type

#define SSH_DEBUG      0 // Activate debug output

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define SSH_HASSH_NAME "hassh_fingerprints.tsv" // Name of the HASSH database

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Now run t2 on the supplied pcap. The -s option additionally writes a packet file (ssh_succ_packets.txt), which we will need later to look at the handshake payloads:

t2 -r ~/data/ssh_succ.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 78824
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: sshDecode, 0.8.14
    03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
[INF] sshDecode: 49 HASSH fingerprints loaded
Processing file: /home/wurst/data/ssh_succ.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1450627994.669582 sec (Sun 20 Dec 2015 16:13:14 GMT)
Dump stop : 1450628048.881344 sec (Sun 20 Dec 2015 16:14:08 GMT)
Total dump duration: 54.211762 sec
Finished processing. Elapsed time: 0.007356 sec
Finished unloading flow memory. Time: 0.008319 sec
Percentage completed: 100.00%
Number of processed packets: 625
Number of processed bytes: 88924 (88.92 K)
Number of raw bytes: 88924 (88.92 K)
Number of pad bytes: 340
Number of pcap bytes: 98948 (98.95 K)
Number of IPv4 packets: 542 [86.72%]
Number of IPv6 packets: 39 [6.24%]
Number of A packets: 470 [75.20%]
Number of B packets: 155 [24.80%]
Number of A bytes: 58218 (58.22 K) [65.47%]
Number of B bytes: 30706 (30.71 K) [34.53%]
Average A packet load: 123.87
Average B packet load: 198.10
--------------------------------------------------------------------------------
sshDecode: Aggregated sshStat=0x103b
sshDecode: Number of SSH flows: 8 [9.30%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.03
Number of LLC packets: 27 [4.32%]
Number of IGMP packets: 10 [1.60%]
Number of ICMPv6 packets: 18 [2.88%]
Number of TCP packets: 365 [58.40%]
Number of TCP bytes: 59122 (59.12 K) [66.49%]
Number of UDP packets: 166 [26.56%]
Number of UDP bytes: 22408 (22.41 K) [25.20%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 86
Number of processed A flows: 82 [95.35%]
Number of processed B flows: 4 [4.65%]
Number of request     flows: 82 [95.35%]
Number of reply       flows: 4 [4.65%]
Total   A/B    flow asymmetry: 0.91
Total req/rply flow asymmetry: 0.91
Number of processed   packets/flows: 7.27
Number of processed A packets/flows: 5.73
Number of processed B packets/flows: 38.75
Number of processed total packets/s: 11.53
Number of processed A+B   packets/s: 11.53
Number of processed A     packets/s: 8.67
Number of processed   B   packets/s: 2.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 1.59
Average full raw bandwidth: 13122 b/s (13.12 Kb/s)
Average full bandwidth : 12620 b/s (12.62 Kb/s)
Max number of flows in memory: 86 [0.03%]
Memory usage: 0.02 GB [0.02%]
Aggregated flowStat=0x0c0000000200c064
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] LLDP
[INF] SSDP/UPnP

So we have eight SSH flows, four connections with an A (client to server) and a B (server to client) flow each, and the aggregated sshStat 0x103b tells us that complete key exchanges were observed: Key Exchange Init, Diffie-Hellman Init and Reply and New Keys were all seen. tawk -V decodes the bit field:

tawk -V sshStat=0x103b

The sshStat column with value 0x103b is to be interpreted as follows:

   bit | sshStat | Description
   =============================================================================
     0 | 0x0001  | Flow contains SSH protocol
     1 | 0x0002  | Keeps track of who sent the SSH banner first
     3 | 0x0008  | Key Exchange Init message seen
     4 | 0x0010  | Diffie-Hellman Key Exchange Init message seen
     5 | 0x0020  | Diffie-Hellman Key Exchange Reply message seen
    12 | 0x1000  | New Keys message seen

Selecting the SSH flows shows who is talking: the A flows carry the client banner SSH-2.0-OpenSSH_7.1 (10.20.6.233), the B flows the server banner SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 (10.20.0.171, port 22). Note that the Diffie-Hellman bits of sshStat are set although sshKEX says ecdh-sha2-nistp256: the ECDH and curve25519 key exchanges reuse the message numbers of SSH_MSG_KEXDH_INIT and SSH_MSG_KEXDH_REPLY (30 and 31, RFC 5656), so from the message type alone the plugin can only label them generically; the actual method comes from the negotiated lists.

A few columns deserve a closer look. The server host key is ecdsa-sha2-nistp256 and its MD5 fingerprint (SSH_FINGERPRINT == 1; set it to 2 for SHA256) is e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70 in all four connections. A fingerprint that changes between connections to the same host is what a man-in-the-middle looks like on the wire; a stable one can be compared against the client’s known_hosts entry. The HASSH values are stable as well, de75d6191ba48aa3b1ea4577b1604dfb for the client and ce3c327f37ea2ec21f317fbc3fd1ea43 for the server, so the same two implementations are involved every time, while the sshCookie differs per connection, as a fresh random 16-byte KEXINIT cookie should.

The chosen-algorithm columns (sshKEX, sshSrvHKeyAlgo, sshEncCS/SC, sshMacCS/SC) should be read with care. RFC 4253 picks the first entry of the client’s list that the server also offers. Applied to the lists visible in the packet file below, that gives ecdsa-sha2-nistp256 for the host key, which is indeed the key type the server sends in its key exchange reply, and umac-64@openssh.com for the MAC, whereas the table reports ssh-rsa and hmac-md5, the server’s first preferences. Before concluding from such a column that a weak algorithm like hmac-md5 is in use, set SSH_LISTS to 1 and check the full lists, or look at the key exchange reply itself.

tawk 'bitsanyset($sshStat, 0x0001)' ~/results/ssh_succ_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  sshStat  sshVersion                               sshHostKeyType       sshFingerprint                                   sshCookie                         sshKEX              sshSrvHKeyAlgo  sshEncCS    sshEncSC    sshMacCS  sshMacSC  sshCompCS  sshCompSC  sshLangCS  sshLangSC  sshHassh                          sshHasshDesc
A     26       0x0400000000004000  1450628004.529458  1450628016.088016  11.558558  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37332    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          e97458497c02f134bcadf82e24888724  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb
B     26       0x0400000000004001  1450628004.529832  1450628016.087998  11.558166  1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37332    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  0cb234edd1fc4624fef696ed213c615b                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43
A     55       0x0400000000004000  1450628020.480513  1450628028.810340  8.329827   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37334    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          b46519eb5e83864a379628a9ce5dd9b6  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb
B     55       0x0400000000004001  1450628020.480748  1450628028.810304  8.329556   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37334    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  3f06443da53fc7bda8c79616b8b70455                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43
A     66       0x0400000000004000  1450628031.531563  1450628040.205273  8.673710   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37336    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          f8960a89ec0a725f247b17164cbb5639  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb
B     66       0x0400000000004001  1450628031.531825  1450628040.205236  8.673411   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37336    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  f05ae7bcdd283d561f2e588e3fd48f62                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43
A     76       0x0400000000004000  1450628041.583747  1450628047.913554  6.329807   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37338    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          d4538ff7ed01147ab232886ff6ae8c47  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb
B     76       0x0400000000004001  1450628041.583991  1450628047.913518  6.329527   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37338    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  eb2a508b905c141d31d4fd4182f2bc1d                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43
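Two of these checks, decoding sshStat and watching whether a server keeps presenting the same host key, are easy to automate over the flow file. The following script is an added example, not part of Tranalyzer or the sshDecode plugin. It works on a constructed, tab-separated excerpt of a flow file embedded in the script: flows 26 and 55 copy the rows above, flows 90 and 91 are invented to show a changed host key and a handshake that never reached New Keys. Because it only relies on column names from the header line, it can read the full ssh_succ_flows.txt as well.

```python
"""Audit sshDecode flow output: decode sshStat and track server host keys.

Added example; not part of Tranalyzer or the sshDecode plugin. SAMPLE_FLOWS is a
constructed, tab-separated excerpt of a T2 flow file reduced to the columns this
script needs: the rows for flows 26 and 55 copy the values shown on this page,
the rows for flows 90 and 91 are invented (changed host key, aborted handshake).
"""
import csv
import io

# Bit meanings as printed by "tawk -V sshStat" for this plugin version.
SSH_STAT_BITS = {
    0x0001: "SSH", 0x0002: "banner sent first", 0x0008: "KEX Init",
    0x0010: "DH KEX Init", 0x0020: "DH KEX Reply", 0x1000: "New Keys",
}
SSH, NEW_KEYS = 0x0001, 0x1000

SAMPLE_FLOWS = """\
%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\tsshStat\tsshVersion\tsshHostKeyType\tsshFingerprint\tsshHassh
A\t26\t10.20.6.233\t37332\t10.20.0.171\t22\t0x101b\t"SSH-2.0-OpenSSH_7.1"\t\t\tde75d6191ba48aa3b1ea4577b1604dfb
B\t26\t10.20.0.171\t22\t10.20.6.233\t37332\t0x1029\t"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"\tecdsa-sha2-nistp256\te6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70\tce3c327f37ea2ec21f317fbc3fd1ea43
A\t55\t10.20.6.233\t37334\t10.20.0.171\t22\t0x101b\t"SSH-2.0-OpenSSH_7.1"\t\t\tde75d6191ba48aa3b1ea4577b1604dfb
B\t55\t10.20.0.171\t22\t10.20.6.233\t37334\t0x1029\t"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"\tecdsa-sha2-nistp256\te6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70\tce3c327f37ea2ec21f317fbc3fd1ea43
A\t90\t10.20.6.233\t37340\t10.20.0.171\t22\t0x101b\t"SSH-2.0-OpenSSH_7.1"\t\t\tde75d6191ba48aa3b1ea4577b1604dfb
B\t90\t10.20.0.171\t22\t10.20.6.233\t37340\t0x1029\t"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"\tssh-rsa\t00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff\tce3c327f37ea2ec21f317fbc3fd1ea43
A\t91\t10.20.6.240\t40000\t10.20.0.171\t22\t0x000b\t"SSH-2.0-Go"\t\t\t0123456789abcdef0123456789abcdef
B\t91\t10.20.0.171\t22\t10.20.6.240\t40000\t0x0009\t"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"\t\t\tce3c327f37ea2ec21f317fbc3fd1ea43
"""


def decode_ssh_stat(value):
    """Expand an sshStat value into the names of its set bits, lowest bit first."""
    names = []
    for bit in range(value.bit_length()):
        mask = 1 << bit
        if value & mask:
            names.append(SSH_STAT_BITS.get(mask, "bit %d (not in the table above)" % bit))
    return names


def load_flows(text):
    """Read a T2 flow file (tab separated, header starts with '%dir') into dicts."""
    rows = csv.reader(io.StringIO(text), delimiter="\t")
    header = [h.lstrip("%") for h in next(rows)]
    flows = []
    for row in rows:
        if not row:
            continue
        f = dict(zip(header, row))
        f["flowInd"] = int(f["flowInd"])
        f["sshStat"] = int(f["sshStat"], 16)
        flows.append(f)
    return flows


def audit(flows):
    """Group host-key fingerprints per server; find handshakes that never reached New Keys."""
    host_keys = {}                       # server IP -> fingerprint -> [flowInd, ...]
    for f in flows:
        if f["sshFingerprint"]:          # only the server side presents a host key
            host_keys.setdefault(f["srcIP"], {}).setdefault(f["sshFingerprint"], []).append(f["flowInd"])
    by_ind = {}                          # flowInd -> both directions of the connection
    for f in flows:
        by_ind.setdefault(f["flowInd"], []).append(f)
    incomplete = sorted(ind for ind, rows in by_ind.items()
                        if any(r["sshStat"] & SSH for r in rows)
                        and not any(r["sshStat"] & NEW_KEYS for r in rows))
    changed = sorted(ip for ip, fps in host_keys.items() if len(fps) > 1)
    return {"host_keys": host_keys, "changed": changed, "incomplete": incomplete}


if __name__ == "__main__":
    print("sshStat 0x103b:", ", ".join(decode_ssh_stat(0x103b)))
    result = audit(load_flows(SAMPLE_FLOWS))
    for ip, fps in result["host_keys"].items():
        for fp, inds in fps.items():
            print(ip, fp, "flows", inds)
    print("servers with more than one host key:", result["changed"])
    print("handshakes without New Keys:", result["incomplete"])
```

The audit flags 10.20.0.171 only because the invented flow 90 carries a second fingerprint; on the real capture all four connections agree and the list stays empty. Scanners and password guessers usually show up in the incomplete list instead: an SSH bit without New Keys.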

The packet file (written because of -s) shows in l7Content the payload of every packet of the SSH flows. Up to the New Keys message this is plain text: the banners in packets 67 and 69, the Key Exchange Init lists of the client (packets 71 and 72, one message split over two TCP segments) and of the server (packet 73), the client’s ECDH Init in packet 76 and the server’s reply carrying the ecdsa-sha2-nistp256 host key in packet 77. sshStat grows packet by packet as the handshake progresses (0x0003 banner, 0x000b KEX Init, 0x001b DH Init, 0x101b New Keys); the server bundles its New Keys with the key exchange reply, which is why the B flow already shows 0x1029 at packet 77, while the client sends its own in packet 79. From there on everything is ciphertext, and only packet sizes and timing remain for Encrypted Traffic Mining.

tawk 'bitsanyset($sshStat, 0x0001)' ~/results/ssh_succ_packets.txt | tcol

%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP        dstIPCC  dstIPOrg         dstPort  l4Proto  sshStat  l7Content
67      26       0x0400000000004000  1450628004.530052  0.000192  0.000594      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x0003   SSH-2.0-OpenSSH_7.1\r\n
69      26       0x0400000000004001  1450628004.537638  0.007434  0.007806      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x0001   SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\r\n
70      26       0x0400000000004000  1450628004.537710  0.007658  0.008252      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x0003
71      26       0x0400000000004000  1450628004.538022  0.000312  0.008564      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x000b   ...4\n..tXI|..4....$..$....curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1....ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa....chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-s
72      26       0x0400000000004000  1450628004.538192  0.000170  0.008734      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x000b   ha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com,zlib....none,zlib@openssh.com,zlib.......................
73      26       0x0400000000004001  1450628004.538581  0.000943  0.008749      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x0009   ....\t...4...F$....!<a[....ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1...#ssh-rsa,ssh-dss,ecdsa-sha2-nistp256....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com....none,zlib@openssh.com......................
74      26       0x0400000000004000  1450628004.576643  0.038451  0.047185      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x000b
75      26       0x0400000000004001  1450628004.576877  0.038296  0.047045      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x0009
76      26       0x0400000000004000  1450628004.576893  0.000250  0.047435      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x001b   ...L.....A...[."..I.:."@W...?..k@..C).I.&...Q.z_9<..^...eZ...........Y...g......
77      26       0x0400000000004001  1450628004.579220  0.002343  0.049388      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x1029   ...$.....h....ecdsa-sha2-nistp256....nistp256...A.n...z....+4.3....H.A..b.!^._.8Rjl.n...TF..@.ZK....e0.i......^.m....A.y|....{.b.;.3f~S.Z9D.".\..0A-7.zn+%63.l..^....c.}..s..g...g........e....ecdsa-sha2-nistp256...J...!...[...J.....<....\r;B..!............!..2.yH.{.wVW...y..65.;..?...3dz..............\n...........
78      26       0x0400000000004000  1450628004.579253  0.002360  0.049795      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x001b
79      26       0x0400000000004000  1450628004.580089  0.000836  0.050631      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x101b   ....\n...........
80      26       0x0400000000004001  1450628004.617691  0.038471  0.087859      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x1029
...
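The plain-text part of the handshake shown above is all that the HASSH fingerprints (the SSH_HASSH flags in the configuration) and the chosen-algorithm columns are derived from, so both can be recomputed by hand. The following is an added example, not code from Tranalyzer or the sshDecode plugin: it serialises and parses SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1), computes hassh and hasshServer from the name-lists transcribed from packets 71 to 73 (the cookie is a constructed placeholder, not the one in the capture), negotiates the algorithms the RFC way and contrasts that with simply taking the server’s first preference. The parser bounds-checks every name-list length, which is the check you want before feeding it untrusted capture data.

```python
"""SSH_MSG_KEXINIT: build, parse, HASSH-fingerprint and negotiate (RFC 4253 s7.1).

Added example; not part of Tranalyzer or the sshDecode plugin. The name-lists
are transcribed from the l7Content of packets 71/72 (client, OpenSSH_7.1) and
73 (server, OpenSSH_6.0p1) shown above; the cookie is a constructed placeholder.
"""
import hashlib
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_cs", "enc_sc", "mac_cs", "mac_sc",
          "comp_cs", "comp_sc", "lang_cs", "lang_sc")


def _nl(s):
    """Comma-separated name-list -> tuple; the empty list is an empty tuple."""
    return tuple(s.split(",")) if s else ()


def _peer(kex, hostkey, enc, mac, comp):
    """Name-lists of a peer offering the same enc/mac/comp in both directions."""
    return {"kex": _nl(kex), "hostkey": _nl(hostkey), "enc_cs": _nl(enc),
            "enc_sc": _nl(enc), "mac_cs": _nl(mac), "mac_sc": _nl(mac),
            "comp_cs": _nl(comp), "comp_sc": _nl(comp), "lang_cs": (), "lang_sc": ()}


CLIENT = _peer(  # packets 71/72
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
    "ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa",
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
    "aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,"
    "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se",
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
    "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,"
    "hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,"
    "hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96",
    "none,zlib@openssh.com,zlib")

SERVER = _peer(  # packet 73
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256",
    "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,"
    "cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se",
    "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,"
    "hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96",
    "none,zlib@openssh.com")


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload (what follows the binary-packet length/padding header)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in FIELDS:
        s = ",".join(lists[f]).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: tuple}; every length is bounds-checked."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}                    # skip message type and 16-byte cookie
    for f in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated before name-list " + f)
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("name-list %s overruns the payload" % f)
        lists[f] = _nl(payload[pos:pos + n].decode("ascii"))
        pos += n
    return lists


def _hassh(lists, fields):
    return hashlib.md5(";".join(",".join(lists[f]) for f in fields).encode("ascii")).hexdigest()


def hassh(client):
    """Client HASSH = md5(kex;enc_cs;mac_cs;comp_cs); compare with sshHassh of the A flows."""
    return _hassh(client, ("kex", "enc_cs", "mac_cs", "comp_cs"))


def hassh_server(server):
    """hasshServer = md5(kex;enc_sc;mac_sc;comp_sc); compare with sshHassh of the B flows."""
    return _hassh(server, ("kex", "enc_sc", "mac_sc", "comp_sc"))


def negotiate(client, server):
    """RFC 4253: the first entry of the client's list that the server also offers wins."""
    chosen = {}
    for f in FIELDS[:8]:                   # language lists are not chosen this way
        pick = next((a for a in client[f] if a in server[f]), None)
        if pick is None:
            raise ValueError("no common algorithm for " + f)
        chosen[f] = pick
    return chosen


def server_preference(server):
    """What you get by taking the server's first entry of each list (not the RFC rule)."""
    return {f: server[f][0] for f in FIELDS[:8]}


WEAK_MARKERS = ("md5", "sha1", "arcfour", "-cbc", "group1-", "ssh-dss")


def weak_algorithms(chosen):
    """Heuristic: flag choices built on MD5, SHA-1 (incl. ssh-rsa signatures), RC4, CBC, DSA, DH group1."""
    return [(f, a) for f, a in chosen.items()
            if a == "ssh-rsa" or any(m in a for m in WEAK_MARKERS)]


if __name__ == "__main__":
    c, s = parse_kexinit(build_kexinit(CLIENT)), parse_kexinit(build_kexinit(SERVER))
    print("hassh      ", hassh(c), "hasshServer", hassh_server(s))
    print("RFC 4253   ", negotiate(c, s), weak_algorithms(negotiate(c, s)))
    print("server pref", server_preference(s), weak_algorithms(server_preference(s)))
```

If the lists are transcribed exactly, hassh() and hassh_server() should reproduce the sshHassh values of the flow file. The RFC 4253 negotiation returns ecdsa-sha2-nistp256 and umac-64@openssh.com, i.e. the host key type the server really sends in packet 77, while the server-preference view yields ssh-rsa and hmac-md5 and trips the weak-algorithm check; that is the difference to keep in mind when reading the chosen-algorithm columns.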

Conclusion

We left the defaults untouched, but make it a habit to reset the plugin configuration for the next tutorial anyway.

t2conf sshDecode --reset && t2build sshDecode

Have fun analyzing.