Tuesday, June 19, 2007

A note on Privilege Separation

I love SSH.
A cool protocol to learn about and to analyze crypto protocols and implementations
as well as authentication issues. There are also a lot of implementations like
OpenSSH or FreeSSH, and SSH just asks for writing appropriate tools
to learn about certain attacks such as man-in-the-middle or fallback attacks.
From time to time certain features are added or discussed, such as hashing
the known_hosts file so attackers cannot use password symmetries to break into
related systems. What a protection!
Another protection often enabled is the so-called PrivSep feature, which lets
the SSH daemon handle risky tasks as an unprivileged user. Besides introducing
new difficulties (check the ChangeLogs), it also offers a direct way to locally sniff
whole SSH sessions as well as login/password tokens. This would probably also be
possible without PrivSep, but it is just trivial if it is enabled, because all user data passes
through system calls which match an exact pattern.

The original tool for x86 systems can be found here and the x86-64 port is available here.

The screenshots show an SSH session and how it is captured. Even ssh logins from the compromised machine to outside machines can be recorded (this applies recursively :) including whole login/password tokens, su, etc.

BTW, this may all sound like bashing, but it is not. Deep respect to the OpenSSH developers:
the code quality is good, and it is fun to read. The complexity is within the nature of such a product,
even though the number of additional processes and exec calls does not look right to me.
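A defender's counterpart to the scenario above, added here and not part of the original post or of the tool it links: since such a sniffer, like strace, has to ptrace-attach to sshd, a traced sshd shows a non-zero TracerPid in /proc/<pid>/status on Linux. The status excerpts in the block are constructed; on a Linux host the script scans the live /proc instead.

```python
# Added example, not the post's tool or OpenSSH code: flag sshd processes with a
# ptrace tracer attached. On Linux 2.6+, TracerPid in /proc/<pid>/status is non-zero
# while another process is attached, which a syscall-level sniffer (like strace) needs.
import os
import re
from contextlib import suppress
# Constructed status excerpts: untraced monitor, traced child (tracer 4242), bystander.
SAMPLE_PROCS = {
    1200: "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1200\nPPid:\t1\n"
          "TracerPid:\t0\nUid:\t0\t0\t0\t0\n",
    1205: "Name:\tsshd\nState:\tt (tracing stop)\nPid:\t1205\nPPid:\t1200\n"
          "TracerPid:\t4242\nUid:\t101\t101\t101\t101\n",
    1300: "Name:\tbash\nState:\tS (sleeping)\nPid:\t1300\nPPid:\t1\n"
          "TracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\n",
}

def parse_status(text):
    """Return the 'Key: value' fields of a /proc/<pid>/status body as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def traced_processes(procs, name_re=r"^sshd$"):
    """Return [(pid, name, tracer_pid, real_uid)] for matching processes under ptrace."""
    hits = []
    for pid, text in sorted(procs.items()):
        f = parse_status(text)
        if not re.match(name_re, f.get("Name", "")):
            continue
        tracer = int(f.get("TracerPid", "0"))
        if tracer:
            hits.append((pid, f["Name"], tracer, int(f.get("Uid", "0").split()[0])))
    return hits

def read_live_procs(proc_root="/proc"):
    """Collect the status text of every readable process (Linux only)."""
    procs = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            with suppress(OSError), open(os.path.join(proc_root, entry, "status")) as fh:
                procs[int(entry)] = fh.read()  # skip processes that exited meanwhile
    return procs

if __name__ == "__main__":
    procs = read_live_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, name, tracer, uid in traced_processes(procs):
        print(f"{name}[{pid}] (uid {uid}) is traced by pid {tracer}")
```

A hit on the unprivileged child (non-root uid) is exactly the position from which the session data described above can be read.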

5 comments:

Anonymous said…

Tools like strace/ltrace could be used for the same purpose :)

Icke said…

Indeed, but it's a bit of fumbling to puzzle all the one-byte reads together
into the appropriate command line, especially if you have a dozen sessions.
But true nevertheless :-)

dre said…

known_hosts file hashes can be viewed by guessing or inferring the hostnames with ssh-keygen -F hostname

Anonymous said…

It seems to be only for Linux 2.6.x.
Doesn't compile on OpenBSD.

Anonymous said…

The BSD ptrace API is different.