
Dumps the live traffic of an ssl-encrypted stream.


HOWTO:
------
Works if scapy doesn't drop packets; using pcap instead of SOCK_RAW helps a lot now.
Works better on interactive sessions with slow traffic.
Dumps one file per fd in outputs/.
Attaching to a process is quicker with --addr 0xb788aa98, the address printed by abouchet.py:
INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98

$ sudo python finder.py # try ssh, sshd and ssh-agent...
$ sudo python openssh.py `pgrep ssh`
$ sudo python openssh.py `pgrep ssh` --server # for sshd
$ sudo python openssl.py `pgrep ssh-agent` # dump RSA and DSA keys

Then go and check outputs/ .


not so FAQ :
============

What does it do, really?
------------------------
It dumps live AES keys from an OpenSSH process using aes128-ctr, and decrypts the traffic on the fly.
Support for the other ciphers is being added (aes_ctr works for all key lengths; aes_cbc only half-duplex so far).

It can also dump DSA and RSA keys from ssh-agent or sshd (or other processes).

How does it know that a structure is valid?
-------------------------------------------
You add constraints (expectedValues) on the fields. Pointers are also a good start: a pointer field is only accepted if it points into one of the process's memory mappings.
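
As an added example (not sslsnoop or python-haystack code), here is the search described above in stand-alone form: a ctypes Structure gives the layout, expectedValues-style constraints filter the plain fields, and pointer fields must land inside a known mapping. The CipherCtx layout, its MAGIC tag, the memory image and the key are all constructed for the example; real OpenSSH structures are larger and are read through python-ptrace rather than from a dict. 32-bit pointers are used to match the addresses shown on this page.

```python
"""Constraint-driven search for a C struct in process memory (added example).

Not sslsnoop or python-haystack code.  The struct layout, the "process"
(a dict of base_address -> bytes) and the key are constructed here.
"""
import ctypes

MAGIC = 0xC1F4E7E3  # hypothetical tag field, stands in for any fixed known value


class CipherCtx(ctypes.Structure):
    """Hypothetical cipher context; not an OpenSSH or OpenSSL layout."""
    _pack_ = 1
    _fields_ = [
        ("magic", ctypes.c_uint32),     # must equal MAGIC
        ("key_len", ctypes.c_uint32),   # 16, 24 or 32: the AES key sizes
        ("key_ptr", ctypes.c_uint32),   # 32-bit pointer to key material
        ("block_sz", ctypes.c_uint32),  # 16 for AES
    ]


# expectedValues in the spirit of haystack: field -> accepted values.
EXPECTED = {"magic": (MAGIC,), "key_len": (16, 24, 32), "block_sz": (16,)}
# Fields that must point inside some mapping of the process.
POINTER_FIELDS = ("key_ptr",)

HEAP_BASE = 0xB7880000
KEY_BASE = 0x0804A000
KEY = bytes(range(0x10, 0x20))  # constructed 16-byte key


def raw(obj):
    """Bytes of a ctypes object as they would sit in memory."""
    return ctypes.string_at(ctypes.addressof(obj), ctypes.sizeof(obj))


def build_process():
    """Constructed memory image {base: bytes}: one real context, two decoys."""
    # Filler whose consecutive bytes differ by 37, so it can never spell MAGIC.
    heap = bytearray((i * 37) & 0xFF for i in range(0x1000))
    keyseg = bytearray((i * 37) & 0xFF for i in range(0x100))
    keyseg[0x40:0x50] = KEY
    heap[0xA98:0xAA8] = raw(CipherCtx(MAGIC, 16, KEY_BASE + 0x40, 16))  # the real one
    heap[0x200:0x210] = raw(CipherCtx(MAGIC, 16, 0x41414141, 16))       # pointer into nowhere
    heap[0x300:0x310] = raw(CipherCtx(MAGIC, 7, KEY_BASE + 0x40, 16))   # impossible key_len
    return {HEAP_BASE: bytes(heap), KEY_BASE: bytes(keyseg)}


def in_mapping(process, addr):
    return any(base <= addr < base + len(data) for base, data in process.items())


def read_memory(process, addr, length):
    for base, data in process.items():
        if base <= addr and addr + length <= base + len(data):
            return data[addr - base:addr - base + length]
    raise ValueError("0x%x: %d bytes not mapped" % (addr, length))


def find_instances(process, cls=CipherCtx, expected=EXPECTED,
                   pointer_fields=POINTER_FIELDS, align=4):
    """Return [(address, instance)] for every aligned offset satisfying all constraints."""
    size = ctypes.sizeof(cls)
    hits = []
    for base, data in process.items():
        for off in range(0, len(data) - size + 1, align):
            inst = cls.from_buffer_copy(data, off)
            if any(getattr(inst, f) not in ok for f, ok in expected.items()):
                continue
            if any(not in_mapping(process, getattr(inst, f)) for f in pointer_fields):
                continue
            hits.append((base + off, inst))
    return hits


def dump_keys(process):
    """Follow key_ptr of each accepted instance and return [(address, key_hex)]."""
    return [(addr, read_memory(process, ctx.key_ptr, ctx.key_len).hex())
            for addr, ctx in find_instances(process)]


if __name__ == "__main__":
    for addr, key in dump_keys(build_process()):
        print("found instance CipherCtx @ 0x%x key=%s" % (addr, key))
```

Only the instance at 0xb7880a98 survives: the decoy at 0xb7880200 has a valid header but its pointer is unmapped, and the one at 0xb7880300 fails the key_len constraint. On a live target the same loop runs over each rw mapping returned by readProcessMappings, and the pointer check against the mapping list is what keeps false positives down.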

Yeah, but you have to be root, so what's the use?
-------------------------------------------------
Monitoring ssh traffic on honeypots?
Monitoring encrypted traffic on honeypots?
Monitoring encrypted traffic on... somewhere you are root?


Where does the idea come from?
------------------------------
use passe-partout (http://www.hsc.fr/ressources/breves/passe-partout.html.fr) to get keys
use tshark/wireshark SSL decryption (http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html)
or ssldump (http://www.rtfm.com/ssldump/) to read streams
use scapy, because it's fun? But we need IP reassembly.
pynids could be more useful...
dsniff is now in python?
flowgrep
use python.


What are the dependencies?
--------------------------
python-haystack (same author)
python-ptrace
scapy
python-pcap / python-xxxpcap (recommended for performance)
paramiko (for ssh decryption) [TODO: extract and kill the dependency; we only need Message and Packetizer]
python-psutil
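
As an added example of the part of paramiko that the TODO above refers to, here is a stand-alone framing parser for the SSH binary packet (RFC 4253, section 6). It is not sslsnoop or paramiko code. It assumes the stream has already been decrypted with the recovered key and that the MAC after each packet has been stripped, which is why the constructed input carries none. The framing checks are also the cheapest way to tell whether a recovered key or counter is right: a mis-decrypted header yields a length or padding that cannot be valid.

```python
"""SSH binary packet framing, RFC 4253 section 6 (added example).

Not sslsnoop or paramiko code.  Each packet on the decrypted stream is
    uint32 packet_length | byte padding_length | payload | padding
followed by a MAC; the constructed input here is MAC-less, as if the
MAC bytes had already been removed.
"""
import struct

SSH_MSG_CHANNEL_DATA = 94
MAX_PACKET = 35000  # RFC 4253 6.1: receivers must accept packets up to this size


def frame(payload, block_size=16):
    """Encode one packet: padding >= 4 bytes, total length a multiple of block_size."""
    pad = block_size - ((5 + len(payload)) % block_size)
    if pad < 4:
        pad += block_size
    packet_length = 1 + len(payload) + pad
    return struct.pack(">IB", packet_length, pad) + payload + b"\x00" * pad


def channel_data(channel, data):
    """SSH_MSG_CHANNEL_DATA payload: byte 94, uint32 recipient channel, string data."""
    return struct.pack(">BII", SSH_MSG_CHANNEL_DATA, channel, len(data)) + data


def parse_stream(stream, block_size=16):
    """Split a decrypted, MAC-less stream into payloads; ValueError on bad framing."""
    payloads = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated header at offset %d" % pos)
        packet_length, pad = struct.unpack_from(">IB", stream, pos)
        # Any of these failing on the first block means the key or counter is wrong.
        if not 5 <= packet_length <= MAX_PACKET:
            raise ValueError("implausible packet_length %d at offset %d" % (packet_length, pos))
        if pad < 4 or pad >= packet_length:
            raise ValueError("bad padding_length %d at offset %d" % (pad, pos))
        if (4 + packet_length) % block_size:
            raise ValueError("packet at offset %d is not block aligned" % pos)
        end = pos + 4 + packet_length
        if end > len(stream):
            raise ValueError("truncated packet at offset %d" % pos)
        payloads.append(stream[pos + 5:end - pad])
        pos = end
    return payloads


def decode_channel_data(payload):
    """Return (channel, data) for a CHANNEL_DATA payload, else None."""
    if len(payload) < 9 or payload[0] != SSH_MSG_CHANNEL_DATA:
        return None
    _, channel, n = struct.unpack_from(">BII", payload)
    return channel, payload[9:9 + n]


def framing_ok(stream, block_size=16):
    """True if the whole stream parses as well-formed packets."""
    try:
        parse_stream(stream, block_size)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed two-packet session: a command and its echoed output.
    stream = frame(channel_data(0, b"ls -la\n")) + frame(channel_data(0, b"total 0\n"))
    for p in parse_stream(stream):
        print(decode_channel_data(p))
```

With a real capture the MAC length for the negotiated algorithm has to be skipped after each packet before the next header is read; the parser above deliberately stops at framing so it can be run on a dump without knowing the MAC key.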

Conclusion :
------------
PoC done.
Next, `pgrep firefox`.


Biblio
------

Bringing volatility to Linux
http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html

Extracting truecrypt keys from memory
http://jessekornblum.com/tools/volatility/cryptoscan.py

python-ptrace (hey, haypo again)
https://bitbucket.org/haypo/python-ptrace/wiki/Home
https://bitbucket.org/haypo/python-ptrace/wiki/Documentation

from ptrace.debugger.memory_mapping import readProcessMappings

openssl.py is passe-partout.py - OK - 04/03/2011

OpenSSH, testing ciphers
========================
Ciphers
Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers
are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
“blowfish-cbc”, and “cast128-cbc”. The default is:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour

To force one:

ssh -c aes192-ctr log@host



firefox & NSS
=============
INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20 => on the stack

INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
INFO:abouchet:processed 6465536 bytes
ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
## weird ....

4894720

Files for sslsnoop, version 0.1: sslsnoop-0.1.tar.gz (236.1 kB), source distribution.
