Sshkeydata

From aldeid

Description

Sshkeydata is a command-line SSH content analysis tool. It analyses keydata files created by chaosreader and can estimate the original commands typed during SSH sessions.

Here is the typical scenario: you have captured some SSH and some telnet sessions, originating from the same user, in tcpdump or snoop files. Sshkeydata compares details from the known telnet session with details from the unknown SSH session to estimate the commands typed. First, chaosreader is run on the dump files to generate keydata files; these contain keystroke delays and other details from the sessions. Then sshkeydata is run on the keydata files and produces estimates of the original commands within the SSH session.

Installation

$ cd ~/src/
$ wget http://downloads.sourceforge.net/project/chaosreader/sshkeydata/0.20/sshkeydata0.20
$ chmod +x sshkeydata0.20

Usage

./sshkeydata plaintext.keydata[...] ssh.keydata

Example

Sniff an SSH session and a telnet session

In this example, we show how sshkeydata estimates the keystrokes typed in an SSH session from two files, both created by chaosreader: a telnet keydata file and an SSH keydata file.

We need two capture files (tcpdump is used to save the pcap files):

  • Sniff an SSH session:
sudo tcpdump -nS -s1515 -i eth1 -w ssh.pcap
  • Sniff a telnet session:
sudo tcpdump -nS -s1515 -i eth1 -w telnet.pcap

Analyze ssh.pcap with Chaosreader

Once done, we run chaosreader against ssh.pcap:

$ ./chaosreader0.94 ssh.pcap
Chaosreader ver 0.94

Opening, ../ssh.pcap

Reading file contents,
 100% (20416/20416)
Reassembling packets,
 100% (136/136)

Creating files...
   Num  Session (host:port <=> host:port)              Service
  0001  192.168.1.18:58644,192.168.1.16:22             ssh

index.html created.

It will create a *.keydata file:

$ ll
total 44
drwxrwxr-x 2 pilou pilou 4096 août  12 17:17 ./
drwxrwxr-x 3 pilou pilou 4096 août  12 17:12 ../
-rw-rw-r-- 1 pilou pilou  323 août  12 17:17 getpost.html
-rw-rw-r-- 1 pilou pilou    0 août  12 17:17 httplog.text
-rw-rw-r-- 1 pilou pilou  304 août  12 17:17 image.html
-rw-rw-r-- 1 pilou pilou 1785 août  12 17:17 index.html
-rw-rw-r-- 1 pilou pilou  403 août  12 17:17 index.text
-rw-rw-r-- 1 pilou pilou 5434 août  12 17:17 session_0001.textSSH.html
-rw-rw-r-- 1 pilou pilou  564 août  12 17:17 session_0001.textSSH.keydata
-rwxr-xr-x 1 pilou pilou 5951 août  12 17:17 session_0001.textSSH.replay*

Analyze telnet.pcap with Chaosreader

Next, we use chaosreader to parse the telnet.pcap file and use the --keydata option:

$ ./chaosreader0.94 --keydata telnet.pcap
Chaosreader ver 0.94

Opening, ../telnet.pcap

Reading file contents,
 100% (14892/14892)
Reassembling packets,
 100% (167/167)

Creating files...
   Num  Session (host:port <=> host:port)              Service
  0001  192.168.1.18:46031,192.168.1.16:23             telnet

index.html created.

A second *.keydata file is created:

$ ll
total 56
drwxrwxr-x 2 pilou pilou 4096 août  12 17:18 ./
drwxrwxr-x 3 pilou pilou 4096 août  12 17:12 ../
-rw-rw-r-- 1 pilou pilou  323 août  12 17:18 getpost.html
-rw-rw-r-- 1 pilou pilou    0 août  12 17:18 httplog.text
-rw-rw-r-- 1 pilou pilou  304 août  12 17:18 image.html
-rw-rw-r-- 1 pilou pilou 1807 août  12 17:18 index.html
-rw-rw-r-- 1 pilou pilou  400 août  12 17:18 index.text
-rw-rw-r-- 1 pilou pilou 3802 août  12 17:18 session_0001.telnet.html
-rw-rw-r-- 1 pilou pilou 1059 août  12 17:18 session_0001.telnet.keydata
-rwxr-xr-x 1 pilou pilou 3557 août  12 17:18 session_0001.telnet.replay*
-rw-rw-r-- 1 pilou pilou 5434 août  12 17:17 session_0001.textSSH.html
-rw-rw-r-- 1 pilou pilou  564 août  12 17:17 session_0001.textSSH.keydata
-rwxr-xr-x 1 pilou pilou 5951 août  12 17:17 session_0001.textSSH.replay*

Use sshkeydata

Now, let's use sshkeydata to estimate the typed keystrokes. Following the usage line above, the plaintext (telnet) keydata files come first and the SSH keydata file is the last argument:

$ ./sshkeydata0.20 session_0001.telnet.keydata session_0001.telnet.keydata 

Analysis of Target Data,

Examining 1, keys 9, response 1, argv oopsoops
  1    0.709865    37.21  oopsoops
  2    3.242430     1.78  oopsoops

Examining 9, keys 11, response 1, argv pilou\n
  1    0.709865    37.21  pilou

Examining 10, keys 9, response 1, argv oopsoops\n
  1    0.709865    37.21  oopsoops
  2    3.133954     1.91  oopsoops

Examining 11, keys 5, response 1, argv cd /\n
  1    0.709865    37.21  cd /

Examining 12, keys 3, response 1, argv ls\n
  1    0.709865    37.21  ls

Examining 13, keys 6, response 1, argv cd ..\n
  1    0.709865    37.21  cd ..


Final Report,

Num       Score  Percent  Command
  1    0.709865    37.21  oopsoops
  9    0.709865    37.21  pilou
 10    0.709865    37.21  oopsoops
 11    0.709865    37.21  cd /
 12    0.709865    37.21  ls
 13    0.709865    37.21  cd ..
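To make the comparison sketched in the Description section concrete, here is an added toy example. It is not sshkeydata's code, does not reproduce the chaosreader keydata format or sshkeydata's real scoring function, and every delay value in it is constructed. Inter-keystroke delays of known commands from a plaintext session are scored against an observed delay sequence and ranked the way the Final Report above ranks candidates; a second function models the client-side mitigation of sending keystrokes on a fixed clock with chaff packets (a simplified take on the idea behind OpenSSH's ObscureKeystrokeTiming option; the real implementation differs).

```python
"""Toy keystroke-timing matcher (added illustration, not sshkeydata's code).

A plaintext telnet capture yields, for each command, the delays between its
keystrokes.  An encrypted SSH capture yields only packet timings.  Each known
command's delay profile is scored against the observed delays and the best
match is reported.  obscure_timing() models a client that hides the signal.
The keydata format and sshkeydata's scoring are NOT reproduced; all numbers
below are constructed.
"""

import math
from typing import Dict, List, Optional, Tuple

# Constructed profiles: seconds between successive keystrokes that a
# plaintext session might yield for the commands seen on this page.
KNOWN_PROFILES: Dict[str, List[float]] = {
    "ls":    [0.21],
    "cd /":  [0.18, 0.35, 0.22],
    "cd ..": [0.18, 0.33, 0.20, 0.12],
    "pilou": [0.25, 0.19, 0.23, 0.28],
}


def score(profile: List[float], observed: List[float]) -> float:
    """Similarity in (0, 1]: 1.0 means identical delays.

    A profile with a different keystroke count cannot be the same command, so
    it scores 0.  Otherwise the score decays exponentially with the mean
    absolute delay error, normalised by the profile's mean delay so that a
    slow typist and a fast typist are compared on the same footing.
    """
    if len(profile) != len(observed) or not profile:
        return 0.0
    scale = sum(profile) / len(profile)
    err = sum(abs(p - o) for p, o in zip(profile, observed)) / len(profile)
    return math.exp(-err / scale)


def rank(observed: List[float],
         profiles: Dict[str, List[float]] = KNOWN_PROFILES
         ) -> List[Tuple[str, float]]:
    """All candidates with a non-zero score, best first."""
    scored = [(cmd, score(prof, observed)) for cmd, prof in profiles.items()]
    return sorted((s for s in scored if s[1] > 0.0), key=lambda s: -s[1])


def best_guess(observed: List[float],
               profiles: Dict[str, List[float]] = KNOWN_PROFILES
               ) -> Optional[Tuple[str, float]]:
    """Top-ranked (command, score), or None when no candidate fits."""
    ranked = rank(observed, profiles)
    return ranked[0] if ranked else None


def obscure_timing(delays: List[float], interval: float = 0.02,
                   min_packets: int = 8) -> List[float]:
    """Model of a timing-obfuscating SSH client (assumption: a simplified
    version of the idea behind OpenSSH's ObscureKeystrokeTiming option).

    Every keystroke goes out on a fixed clock and chaff packets are appended
    up to a minimum count, so an observer sees neither the real delays nor
    the real keystroke count.
    """
    return [interval] * max(len(delays), min_packets)


if __name__ == "__main__":
    # Constructed observation: the user typed "pilou" with slight jitter.
    observed = [0.24, 0.21, 0.22, 0.30]
    print("Num  Score     Percent  Command")
    for num, (cmd, s) in enumerate(rank(observed), start=1):
        print(f"{num:>3}  {s:.6f}  {s * 100:6.2f}  {cmd}")
    print("with timing obfuscation:", best_guess(obscure_timing(observed)))
```

Run the block directly to print a report in the shape of the one above: the jittered "pilou" sequence scores far above the equal-length "cd .." profile, while "ls" and "cd /" are excluded outright by keystroke count. The obfuscated run returns None because a fixed-clock, chaff-padded sequence matches no profile, which is the point of keystroke timing obfuscation on the client side as a mitigation against this class of analysis.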
