Dsniff/sshow

From aldeid
Jump to navigation Jump to search
You are here:
sshow

Description

sshow analyzes encrypted SSH-1 and SSH-2 traffic, identifying authentication attempts, the lengths of passwords entered in interactive sessions, and command line lengths.

The following advisory describes the attacks implemented by sshow in detail: http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

Installation

Sshow is part of the Dsniff suite. To install it, just issue:

$ sudo apt-get install dsniff

Usage

Syntax

sshow [-d] [-i interface | -p pcapfile] [expression]

Options

-d
Enable verbose debugging output.
-i interface
Specify the interface to listen on.
-p pcapfile
Process packets from the specified PCAP capture file instead of the network.
expression
Specify a tcpdump(8) filter expression to select traffic to sniff.

Examples

Video

{{#widget:YouTube|id=FVUemS5EIec}}

Live mode: show information in real time

# sshow -d -i eth1 "host 192.168.1.13" 
sshow: listening on eth1 [host 192.168.1.13]
- 192.168.1.16:54232 -> 192.168.1.13:22: ESTABLISHED
+ 192.168.1.16:54232 -> 192.168.1.13:22: SSH protocol 2
53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 35 70 31 20 44 65
62 69 61 6e 2d 36 2b 73 71 75 65 65 7a 65 31 0d 0a
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (825 to 832 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (761 to 768 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (1 to 8 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (129 to 136 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (121 to 128 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (697 to 704 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (0 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (25 to 32 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (25 to 32 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (41 to 48 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (41 to 48 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (121 to 128 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (41 to 48 bytes, 0.00 seconds)
+ 192.168.1.16:54232 -> 192.168.1.13:22: GUESS: Password authentication failed
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (121 to 128 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (41 to 48 bytes, 0.00 seconds)
+ 192.168.1.16:54232 -> 192.168.1.13:22: GUESS: Password authentication failed
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (121 to 128 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (9 to 16 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (105 to 112 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (25 to 32 bytes, 0.00 seconds)
+ 192.168.1.16:54232 -> 192.168.1.13:22: GUESS: Password authentication failed
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (425 to 432 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (89 to 96 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (121 to 128 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (73 to 80 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (25 to 32 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (25 to 32 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (25 to 32 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (9 to 16 bytes, 0.00 seconds)
- 192.168.1.16:54232 <- 192.168.1.13:22: DATA (137 to 144 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (9 to 16 bytes, 0.00 seconds)
- 192.168.1.16:54232 -> 192.168.1.13:22: DATA (41 to 48 bytes, 0.00 seconds)
+ 192.168.1.16:54232 -- 192.168.1.13:22: CLOSED

Offline mode: analyze a pcap file

[email protected]:~# sshow -d -p test.pcap | cut -d ":" -f 4 | sort | uniq -c
sshow: using test.pcap [tcp]
      1 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 39 0d 0a
      1  CLOSED
      1  DATA (0 bytes, 0.00 seconds)
      1  DATA (1009 to 1016 bytes, 0.00 seconds)
      1  DATA (105 to 112 bytes, 0.00 seconds)
      3  DATA (121 to 128 bytes, 0.00 seconds)
      1  DATA (129 to 136 bytes, 0.00 seconds)
      1  DATA (137 to 144 bytes, 0.00 seconds)
      1  DATA (1 to 8 bytes, 0.00 seconds)
     15  DATA (25 to 32 bytes, 0.00 seconds)
      4  DATA (41 to 48 bytes, 0.00 seconds)
      1  DATA (425 to 432 bytes, 0.00 seconds)
      1  DATA (441 to 448 bytes, 0.00 seconds)
      1  DATA (569 to 576 bytes, 0.00 seconds)
      1  DATA (57 to 64 bytes, 0.00 seconds)
      1  DATA (89 to 96 bytes, 0.00 seconds)
      1  DATA (961 to 968 bytes, 0.00 seconds)
      3  DATA (9 to 16 bytes, 0.00 seconds)
      1  ESTABLISHED
      2  GUESS
      1  SSH protocol 2

Comments

blog comments powered by Disqus