Dumps the live traffic of an ssl-encrypted stream.
Project description
HOWTO:
------
works if scapy doesn't drop packets. using pcap instead of SOCK_RAW helps a lot now.
works better on interactive traffic with slow traffic.
Dumps one file by fd in outputs/
Attaching a process is quickier with --addr 0xb788aa98 as provided by abouchet.py
INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98
$ sudo python finder.py # try ssh, sshd and ssh-agent...
$ sudo python openssh.py `pgrep ssh`
$ sudo python openssh.py `pgrep ssh` --server # for sshd
$ sudo python openssl.py `pgrep ssh-agent` # dump RSA and DSA keys
and go and check outputs/ :
not so FAQ :
============
What does it do, really ?:
--------------------------
It dumps live AES keys from an openssh in aes128-ctr , and decrypts the traffic on the fly.
Working on adding all ciphers quickly. (aes_ctr is ok for all length, aes_cbc only half-duplex. )
It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).
How do it knows that the structures is valid ? :
------------------------------------------------
You add some constraints ( expectedValues ) on the fields. Pointers are also a good start.
Yeah, but you have to be root, so what's the use ? :
----------------------------------------------------
Monitoring ssh traffic on honeypots ?
Monitoring encrypted traffic on honeypots ?
Monitoring encrypted traffic on ... somewhere your are root ?
Where does the idea comes from ? :
-----------------------------------
use http://www.hsc.fr/ressources/breves/passe-partout.html.fr to get keys
use http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html
or http://www.rtfm.com/ssldump/ to read streams
use scapy, because it's fun ? but we need IP reassembly .
pynids could be more useful...
dsniff is now in python ?
flowgrep
use python.
What are the dependencies ? :
----------------------------
python-haystack (same author)
python-ptrace
scapy
python-pcap / python-xxxpcap ( recommended for perf issues )
paramiko (for ssh decryption) [ TODO, extract & kill dep. we only need Message and Packetizer ]
python-psutil
Conclusion :
------------
poc done.
Next, `pgrep firefox`.
Biblio
-------
Bringing volatility to Linux
http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html
Extracting truecrypt keys from memory
http://jessekornblum.com/tools/volatility/cryptoscan.py
python-ptrace ( hey, haypo again)
https://bitbucket.org/haypo/python-ptrace/wiki/Home
https://bitbucket.org/haypo/python-ptrace/wiki/Documentation
from ptrace.debugger.memory_mapping import readProcessMappings
openssl.py is passe-partout.py - OK - 04/03/2011
OpenSSH, testing ciphers
========================
Ciphers
Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers
are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
“blowfish-cbc”, and “cast128-cbc”. The default is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
force one :
ssh -c aes192-ctr log@host
firefox & NSS
=============
INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20 => sur la stack
INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
INFO:abouchet:processed 6465536 bytes
ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
## weird ....
4894720
------
works if scapy doesn't drop packets. using pcap instead of SOCK_RAW helps a lot now.
works better on interactive traffic with slow traffic.
Dumps one file by fd in outputs/
Attaching a process is quickier with --addr 0xb788aa98 as provided by abouchet.py
INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98
$ sudo python finder.py # try ssh, sshd and ssh-agent...
$ sudo python openssh.py `pgrep ssh`
$ sudo python openssh.py `pgrep ssh` --server # for sshd
$ sudo python openssl.py `pgrep ssh-agent` # dump RSA and DSA keys
and go and check outputs/ :
not so FAQ :
============
What does it do, really ?:
--------------------------
It dumps live AES keys from an openssh in aes128-ctr , and decrypts the traffic on the fly.
Working on adding all ciphers quickly. (aes_ctr is ok for all length, aes_cbc only half-duplex. )
It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).
How do it knows that the structures is valid ? :
------------------------------------------------
You add some constraints ( expectedValues ) on the fields. Pointers are also a good start.
Yeah, but you have to be root, so what's the use ? :
----------------------------------------------------
Monitoring ssh traffic on honeypots ?
Monitoring encrypted traffic on honeypots ?
Monitoring encrypted traffic on ... somewhere your are root ?
Where does the idea comes from ? :
-----------------------------------
use http://www.hsc.fr/ressources/breves/passe-partout.html.fr to get keys
use http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html
or http://www.rtfm.com/ssldump/ to read streams
use scapy, because it's fun ? but we need IP reassembly .
pynids could be more useful...
dsniff is now in python ?
flowgrep
use python.
What are the dependencies ? :
----------------------------
python-haystack (same author)
python-ptrace
scapy
python-pcap / python-xxxpcap ( recommended for perf issues )
paramiko (for ssh decryption) [ TODO, extract & kill dep. we only need Message and Packetizer ]
python-psutil
Conclusion :
------------
poc done.
Next, `pgrep firefox`.
Biblio
-------
Bringing volatility to Linux
http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html
Extracting truecrypt keys from memory
http://jessekornblum.com/tools/volatility/cryptoscan.py
python-ptrace ( hey, haypo again)
https://bitbucket.org/haypo/python-ptrace/wiki/Home
https://bitbucket.org/haypo/python-ptrace/wiki/Documentation
from ptrace.debugger.memory_mapping import readProcessMappings
openssl.py is passe-partout.py - OK - 04/03/2011
OpenSSH, testing ciphers
========================
Ciphers
Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers
are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
“blowfish-cbc”, and “cast128-cbc”. The default is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
force one :
ssh -c aes192-ctr log@host
firefox & NSS
=============
INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20 => sur la stack
INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
INFO:abouchet:processed 6465536 bytes
ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
## weird ....
4894720
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
sslsnoop-0.1.tar.gz
(236.1 kB
view hashes)
