
Dumps the live traffic of an ssl-encrypted stream.

Project description

Works if scapy doesn't drop packets; using pcap instead of SOCK_RAW helps a lot now.
Works better on slow, interactive traffic.
Dumps one file per fd in outputs/
Attaching to a process is quicker with --addr 0xb788aa98, as provided by
INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98

$ sudo python # try ssh, sshd and ssh-agent...
$ sudo python `pgrep ssh`
$ sudo python `pgrep ssh` --server # for sshd
$ sudo python `pgrep ssh-agent` # dump RSA and DSA keys

then go and check outputs/ :

not so FAQ:

What does it do, really?:
It dumps live AES keys from an OpenSSH process using aes128-ctr and decrypts the traffic on the fly.
Working on adding all ciphers quickly. (aes_ctr is ok for all key lengths, aes_cbc only half-duplex.)

It can also dump DSA and RSA keys from ssh-agent or sshd (or others).

How does it know that the structures are valid?:
You add some constraints (expectedValues) on the fields. Pointers are also a good start.
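As an added illustration of that validation idea (not sslsnoop's or python-haystack's own code), the block below scans a constructed memory buffer for a hypothetical ctypes struct, accepts only instances whose fields match expectedValues-style constraints and whose pointer lands inside a known mapping, and then follows that pointer to read the key bytes; the struct layout, the tag value and the mapping at 0x85f00000 are all assumptions made up for the example.

```python
import ctypes

# Hypothetical struct standing in for the kind of cipher-context record
# sslsnoop looks for (not a real OpenSSH or haystack definition).
class CipherCtx(ctypes.Structure):
    _fields_ = [
        ("magic", ctypes.c_uint32),      # fixed tag (assumed value)
        ("key_len", ctypes.c_uint32),    # 16/24/32 for aes128/192/256
        ("block_len", ctypes.c_uint32),  # AES block size
        ("key_ptr", ctypes.c_uint32),    # 32-bit pointer into the heap
    ]

# expectedValues-style constraints: field -> allowed values
EXPECTED = {"magic": {0xC1FE}, "key_len": {16, 24, 32}, "block_len": {16}}

def is_valid(inst, mappings):
    """Field constraints first, then every pointer must land in a known mapping."""
    if any(getattr(inst, f) not in ok for f, ok in EXPECTED.items()):
        return False
    return any(start <= inst.key_ptr < end for start, end in mappings)

def scan(mem, base, mappings, align=4):
    """Return addresses of candidate instances inside one mapping (mem at base)."""
    size = ctypes.sizeof(CipherCtx)
    return [base + off
            for off in range(0, len(mem) - size + 1, align)
            if is_valid(CipherCtx.from_buffer_copy(mem, off), mappings)]

def extract_key(mem, base, addr):
    """Follow key_ptr of the instance at addr and return key_len bytes."""
    inst = CipherCtx.from_buffer_copy(mem, addr - base)
    off = inst.key_ptr - base
    return bytes(mem[off:off + inst.key_len])

# Constructed sample mapping: 256 bytes at an address quoted on this page.
BASE = 0x85F00000
MAPPINGS = [(BASE, BASE + 256)]

def build_sample():
    mem = bytearray(256)
    key = bytes(range(0x10, 0x20))                               # constructed key
    mem[192:208] = key
    mem[64:80] = bytes(CipherCtx(0xC1FE, 16, 16, BASE + 192))    # genuine instance
    mem[128:144] = bytes(CipherCtx(0xC1FE, 16, 16, 0))           # decoy: bad pointer
    mem[160:176] = bytes(CipherCtx(0xC1FE, 17, 16, BASE + 192))  # decoy: bad key_len
    return mem, key

if __name__ == "__main__":
    mem, _ = build_sample()
    for hit in scan(mem, BASE, MAPPINGS):
        print("found instance @ 0x%08x key=%s" % (hit, extract_key(mem, BASE, hit).hex()))
```

Only the instance at 0x85f00040 survives: the two decoys share the right tag but fail the pointer check and the key_len constraint respectively.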

Yeah, but you have to be root, so what's the use?:
Monitoring ssh traffic on honeypots?
Monitoring encrypted traffic on honeypots?
Monitoring encrypted traffic on ... somewhere you are root?

Where does the idea come from?:
use to get keys
or to read streams
use scapy, because it's fun? but we need IP reassembly.
pynids could be more useful...
dsniff is now in python?
use python.

What are the dependencies?:
python-haystack (same author)
python-pcap / python-xxxpcap (recommended for performance)
paramiko (for ssh decryption) [ TODO, extract & kill dep. we only need Message and Packetizer ]

Conclusion:
PoC done.
Next, `pgrep firefox`.


Bringing volatility to Linux

Extracting truecrypt keys from memory

python-ptrace (hey, haypo again)

from ptrace.debugger.memory_mapping import readProcessMappings is - OK - 04/03/2011

OpenSSH, testing ciphers
Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers
are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
“blowfish-cbc”, and “cast128-cbc”. The default is:


Force one:

ssh -c aes192-ctr log@host

firefox & NSS
INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20 => on the stack

INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
INFO:abouchet:processed 6465536 bytes
ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
## weird ....


Download files

Files for sslsnoop, version 0.2
sslsnoop-0.2.tar.gz (236.1 kB), file type: Source, Python version: None
