Dumps the live traffic of an ssl-encrypted stream.
Project description
HOWTO:
------
Works only if scapy doesn't drop packets. Using pcap instead of SOCK_RAW helps a lot now.
Works better on interactive, low-volume traffic.
Dumps one file per fd in outputs/
Attaching to a process is quicker with --addr 0xb788aa98, the address reported by abouchet.py:
INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98
$ mkdir outputs
You really have to. Please.
$ sudo sslsnoop # try ssh, sshd and ssh-agent... for various things
$ sudo sslsnoop-openssh `pgrep ssh` # dumps decrypted traffic in outputs/
$ sudo sslsnoop-openssl `pgrep ssh-agent` # dump RSA and DSA keys
Then go and check outputs/.
not so FAQ :
============
What does it do, really ?:
--------------------------
It dumps the live session keys from an OpenSSH process and decrypts the traffic on the fly.
Not all ciphers are implemented.
Working ciphers: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
Partially working ciphers (INBOUND only?!): aes128-cbc, aes192-cbc, aes256-cbc
Non-working ciphers: 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour128
It can also dump DSA and RSA keys from ssh-agent or sshd (or other processes).
How does it know that a structure is valid?:
--------------------------------------------
You add constraints (expectedValues) on the fields. Pointer fields are also a good start: a live pointer has to land inside a mapped region of the process.
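An added illustration of that constraint approach (written for this page, not python-haystack's API and not the real ctypes_openssh.session_state, which has many more fields): a four-field stand-in struct, a constructed 32-bit heap image, and a scanner that accepts a candidate only when every expectedValue holds and every pointer field lands inside the mapping. The names toy_session_state, Mapping, scan, extract_keys and the base address 0x08f00000 are assumptions made here.

```python
"""Constraint-based search for a session_state-like struct in a memory image.

Added illustration, not python-haystack's API: the struct layout, the image and the
scanner are all constructed here. 32-bit pointers, matching the addresses above.
"""
import ctypes

PTR = ctypes.c_uint32  # 32-bit target: 0xb788aa98 above is a 32-bit address


class toy_session_state(ctypes.Structure):
    """Stand-in for ctypes_openssh.session_state (the real one has many more fields)."""
    _fields_ = [
        ("block_size", ctypes.c_uint32),   # expectedValue: 8 or 16
        ("key_len", ctypes.c_uint32),      # expectedValue: 16, 24 or 32
        ("key", PTR),                      # must point inside the mapping
        ("iv", PTR),                       # must point inside the mapping
    ]


# expectedValues: a field's allowed values; a candidate failing any is rejected
EXPECTED_VALUES = {
    "block_size": (8, 16),
    "key_len": (16, 24, 32),
}
# pointer fields and the field giving how many bytes each must be able to address
POINTER_FIELDS = {"key": "key_len", "iv": "block_size"}


class Mapping:
    """One rw-p region of the target, as read through ptrace or /proc/pid/mem."""

    def __init__(self, base: int, data: bytes):
        self.base, self.data = base, data

    def contains(self, addr: int, size: int) -> bool:
        return self.base <= addr and addr + size <= self.base + len(self.data)

    def read(self, addr: int, size: int) -> bytes:
        off = addr - self.base
        return self.data[off:off + size]


def is_valid(inst: toy_session_state, mapping: Mapping) -> bool:
    for name, allowed in EXPECTED_VALUES.items():
        if getattr(inst, name) not in allowed:
            return False
    for name, size_field in POINTER_FIELDS.items():
        addr = getattr(inst, name)
        # a live pointer is aligned and lands in a mapped region; a scan restricted
        # to one mapping uses that mapping as the bound
        if addr % 4 or not mapping.contains(addr, getattr(inst, size_field)):
            return False
    return True


def scan(mapping: Mapping, align: int = 4) -> list:
    """Return the address of every aligned offset that parses as a valid struct."""
    size = ctypes.sizeof(toy_session_state)
    hits = []
    for off in range(0, len(mapping.data) - size + 1, align):
        inst = toy_session_state.from_buffer_copy(mapping.data, off)
        if is_valid(inst, mapping):
            hits.append(mapping.base + off)
    return hits


def extract_keys(mapping: Mapping, addr: int):
    """Follow the validated pointers to pull the key and IV out of the image."""
    inst = toy_session_state.from_buffer_copy(mapping.data, addr - mapping.base)
    return mapping.read(inst.key, inst.key_len), mapping.read(inst.iv, inst.block_size)


def build_image(base: int = 0x08F00000) -> Mapping:
    """Constructed 4 KiB heap image: key and IV blobs, one real struct at +0x300
    and a decoy at +0x400 whose key pointer leaves the mapping."""
    img = bytearray(b"\xa5" * 0x1000)
    key, iv = bytes(range(1, 17)), bytes(range(100, 116))
    img[0x100:0x110] = key
    img[0x200:0x210] = iv
    real = toy_session_state(16, 16, base + 0x100, base + 0x200)
    decoy = toy_session_state(16, 16, 0xDEAD0000, base + 0x200)
    img[0x300:0x310] = ctypes.string_at(ctypes.addressof(real), ctypes.sizeof(real))
    img[0x400:0x410] = ctypes.string_at(ctypes.addressof(decoy), ctypes.sizeof(decoy))
    return Mapping(base, bytes(img))


if __name__ == "__main__":
    m = build_image()
    for hit in scan(m):
        k, v = extract_keys(m, hit)
        print("found instance @ 0x%08x key=%s iv=%s" % (hit, k.hex(), v.hex()))
```

The decoy at +0x400 has the same expectedValues as the real struct and is rejected only by the pointer check, which is why pointers are "a good start": on a real heap the value constraints alone leave far too many candidates.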
Yeah, but you have to be root, so what's the use ? :
----------------------------------------------------
Monitoring ssh traffic on honeypots ?
Monitoring encrypted traffic on honeypots ?
Monitoring encrypted traffic on ... anywhere you are root?
Where does the idea come from?:
-------------------------------
use http://www.hsc.fr/ressources/breves/passe-partout.html.fr to get keys
use http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html
or http://www.rtfm.com/ssldump/ to read streams
use scapy, because it's fun? But we need IP reassembly.
pynids could be more useful...
dsniff is now in python?
flowgrep
use python.
What are the dependencies?:
---------------------------
python-haystack (same author)
python-ptrace
scapy
python-pcap / python-xxxpcap (recommended for performance)
paramiko (for SSH decryption) [TODO: extract and drop the dependency; only Message and Packetizer are needed]
python-psutil
Conclusion :
------------
PoC done.
Next, `pgrep firefox`.
Biblio
-------
Bringing volatility to Linux
http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html
Extracting truecrypt keys from memory
http://jessekornblum.com/tools/volatility/cryptoscan.py
python-ptrace (by haypo, again)
https://bitbucket.org/haypo/python-ptrace/wiki/Home
https://bitbucket.org/haypo/python-ptrace/wiki/Documentation
from ptrace.debugger.memory_mapping import readProcessMappings
openssl.py is passe-partout.py - OK - 04/03/2011
OpenSSH, testing ciphers
========================
Ciphers
Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers
are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
“blowfish-cbc”, and “cast128-cbc”. The default is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
To force one:
ssh -c aes192-ctr log@host
firefox & NSS
=============
INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20 => on the stack
INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
INFO:abouchet:processed 6465536 bytes
ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
## weird ....
4894720
Architecture
============
sslsnoop-openssh creates an OpenSSHLiveDecryptatator, which inherits from OpenSSHKeysFinder.
OpenSSHLiveDecryptatator:
* connects to or launches a network.Sniffer (scapy)
* OpenSSHKeysFinder calls haystack to fetch the session_state
- memory capture/ptrace is done in a subprocess
- the target process is no longer under ptrace once the decryptor runs
- keys are acquired
* SessionCiphers are created from the pickled values returned by haystack
- one for inbound traffic
- one for outbound traffic
* each SessionCipher is coupled with:
- a socket provided by a TCPStream (inbound and outbound TCP state)
- a paramiko Packetizer, which is an SSH protocol handler
* a cipher engine is used by the paramiko Packetizer to decrypt the data read from the TCPStream socket
* the Packetizer uses:
- the socket to read its data from the 'network'
- the cipher to decrypt the data
* an SSHStreamToFile is created for each stream and is given the packetizer and the overall context (cipher, socket)
- the SSHStreamToFile tries to write the packetizer's output to a file
* a Supervisor is created to handle traffic (select on the sockets)
- both SSHStreamToFile instances are given to the Supervisor with their respective sockets
TODO:
SSHStream uses the packets in its orderedQueue and the cipher to try to find a valid SSH packet
- algo 1: copy the original cipher state, decrypt the first block of packet [0];
if not valid, drop the packet and loop to the next one (for x packets);
if valid, switch to go-through mode and queue the current + all following packets' data to the socket
- algo 2: try to find a valid packet block by block / long by long;
if valid, switch to go-through mode and queue the current + all following packets' data to the socket
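An added example of algo 1 (written for this page, not sslsnoop's own code): given a cipher state (key, IV, counter) lifted from memory after the capture started, it decrypts the first block of each captured packet against a copy of that state, accepts the first one whose header passes the RFC 4253 framing checks, and then decrypts straight through in go-through mode. A keyed hash in counter mode (HMAC-SHA256 over iv || counter, truncated to 16 bytes) stands in for aes*-ctr so it runs on the standard library alone; the framing checks and the resync logic are the point. It assumes each captured element is one whole encrypted SSH packet with the MAC already removed; the keys, messages and all names (CtrCipher, valid_header, build_packet, resync, demo) are constructed here.

```python
"""Resynchronise a captured SSH stream with a cipher state lifted from memory.

Added example of 'algo 1' above, not sslsnoop's code. A keyed hash in counter
mode stands in for aes*-ctr so this runs on the standard library; the SSH
framing rules are those of RFC 4253 section 6.
"""
import hashlib
import hmac
import struct

BLOCK = 16          # aes*-ctr block size
MAX_PACKET = 35000  # RFC 4253: every implementation must accept packets this large


class CtrCipher:
    """Counter-mode stream cipher. Stand-in for AES-CTR: keystream block n is
    HMAC-SHA256(key, iv || n)[:16] instead of AES(key, iv + n)."""

    def __init__(self, key: bytes, iv: bytes, counter: int = 0):
        self.key, self.iv, self.counter = key, iv, counter

    def clone(self) -> "CtrCipher":
        # 'copy original cipher state': a failed trial must not advance the real one
        return CtrCipher(self.key, self.iv, self.counter)

    def crypt(self, data: bytes) -> bytes:
        assert len(data) % BLOCK == 0, "SSH encrypts whole blocks"
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            ks = hmac.new(self.key, self.iv + self.counter.to_bytes(8, "big"),
                          hashlib.sha256).digest()[:BLOCK]
            self.counter += 1
            out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
        return bytes(out)


def valid_header(block: bytes):
    """Check the first decrypted block for a sane SSH packet header.
    Returns (packet_length, padding_length) or None."""
    if len(block) < 5:
        return None
    packet_length, padding_length = struct.unpack(">IB", block[:5])
    if not 5 <= packet_length <= MAX_PACKET:
        return None
    if padding_length < 4 or padding_length >= packet_length:
        return None
    if (packet_length + 4) % BLOCK:      # length field + body must fill whole blocks
        return None
    return packet_length, padding_length


def build_packet(payload: bytes) -> bytes:
    """Frame a payload as an SSH binary packet (plaintext, no MAC). Real SSH
    uses random padding; zeros are used here."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:
        pad += BLOCK
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def resync(snapshot: CtrCipher, packets: list, max_tries: int = 32):
    """algo 1: for each captured packet, decrypt its first block with a copy of
    the snapshot; the first sane header marks where the snapshot lines up with
    the capture. Then go-through mode: decrypt from there onwards.
    Each element of `packets` is one encrypted SSH packet, MAC already removed.
    Returns (index of first decryptable packet, list of payloads)."""
    for i, pkt in enumerate(packets[:max_tries]):
        if valid_header(snapshot.clone().crypt(pkt[:BLOCK])) is None:
            continue                      # keystream offset does not match: drop it
        cipher = snapshot.clone()
        payloads = []
        for p in packets[i:]:
            first = cipher.crypt(p[:BLOCK])
            hdr = valid_header(first)
            if hdr is None:
                break                     # lost sync (dropped segment): stop, do not emit garbage
            packet_length, padding_length = hdr
            body = first + cipher.crypt(p[BLOCK:4 + packet_length])
            payloads.append(body[5:5 + packet_length - padding_length - 1])
        return i, payloads
    return None, []


def demo():
    """Constructed session: three packets sent, memory dumped after the first,
    capture holds all three. Keys are made up, not real session keys."""
    sender = CtrCipher(b"k" * 16, b"i" * 16)
    msgs = [b"\x5echannel data %d" % n for n in range(3)]   # 0x5e = SSH_MSG_CHANNEL_DATA
    wire, snapshot = [], None
    for n, m in enumerate(msgs):
        wire.append(sender.crypt(build_packet(m)))
        if n == 0:
            snapshot = sender.clone()     # cipher state as found in memory
    return resync(snapshot, wire)


if __name__ == "__main__":
    print(demo())
```

The header test is what makes the trial cheap: one block per candidate packet, and a wrong keystream offset yields a length field that fails the bounds or block-alignment checks with overwhelming probability. The same check in the go-through loop is how a dropped segment (the scapy packet-loss caveat above) is detected instead of producing garbage output.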
Download files
--------------
Source distribution: sslsnoop-0.5.tar.gz (129.3 kB)