Tutorial: Secure Shell (SSH)

This tutorial discusses the sshDecode plugin. It extracts tokens from the cleartext part of the SSH handshake, including the hashes (HASSH fingerprints). Yes, the session itself is encrypted, but the handshake still reveals a lot, which helps when proceeding with Encrypted Traffic Mining.

Preparation

Before we start we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First, I recommend putting T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, as a precaution in case old plugins or files are lying around. If you want to keep them, copy them somewhere else first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow sshDecode txtSink
...
BUILD SUCCESSFUL

$

If you have not yet created separate data and results directories, do it now in another terminal window; it makes the workflow easier:

$ mkdir ~/data ~/results
$

Download the sample pcap here: ssh_succ.dmp, and save it into ~/data. Now you’re all set.

sshDecode

Let’s look at the plugin configuration first:

$ sshDecode
$ vi src/sshDecode.h

The header lets you configure how the plugin detects and decodes SSH and how the hashes are encoded. We leave everything at its defaults.

Now run t2 on the supplied pcap. The -s switch enables packet mode, so that a packet file is written next to the flow file; we will look at it later.

$ t2 -r ~/data/ssh_succ.dmp -w ~/results/ -s
t2 -r ~/data/ssh_succ.dmp -w ~/results/ -s
================================================================================
Tranalyzer 0.8.11 (Anteater), Tarantula. PID: 47439
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.11
    02: sshDecode, 0.8.11
    03: txtSink, 0.8.11
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406208 (406.21 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51196 (51.20 K)
[INF] sshDecode: 49 HASSH fingerprints loaded
Processing file: /home/wurst/data/ssh_succ.dmp
Link layer type: Ethernet [EN10MB/1]
Dump start: 1450627994.669582 sec (Sun 20 Dec 2015 16:13:14 GMT)
Dump stop : 1450628048.881344 sec (Sun 20 Dec 2015 16:14:08 GMT)
Total dump duration: 54.211762 sec
Finished processing. Elapsed time: 0.005777 sec
Finished unloading flow memory. Time: 0.006480 sec
Percentage completed: 100.00%
Number of processed packets: 625
Number of processed bytes: 88924 (88.92 K)
Number of raw bytes: 88924 (88.92 K)
Number of pad bytes: 340
Number of pcap bytes: 98948 (98.95 K)
Number of IPv4 packets: 542 [86.72%]
Number of IPv6 packets: 39 [6.24%]
Number of A packets: 470 [75.20%]
Number of B packets: 155 [24.80%]
Number of A bytes: 58218 (58.22 K) [65.47%]
Number of B bytes: 30706 (30.71 K) [34.53%]
Average A packet load: 123.87
Average B packet load: 198.10
--------------------------------------------------------------------------------
sshDecode: Aggregated sshStat=0x103b
sshDecode: Number of SSH flows: 8 [9.30%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, average: 3.03
Number of LLC packets: 27 [4.32%]
Number of GRE packets: 44 [7.04%]
Number of IGMP packets: 10 [1.60%]
Number of ICMPv6 packets: 18 [2.88%]
Number of TCP packets: 365 [58.40%]
Number of TCP bytes: 59122 (59.12 K) [66.49%]
Number of UDP packets: 166 [26.56%]
Number of UDP bytes: 22408 (22.41 K) [25.20%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 86
Number of processed A flows: 82 [95.35%]
Number of processed B flows: 4 [4.65%]
Number of request     flows: 82 [95.35%]
Number of reply       flows: 4 [4.65%]
Total   A/B    flow asymmetry: 0.91
Total req/rply flow asymmetry: 0.91
Number of processed   packets/flows: 7.27
Number of processed A packets/flows: 5.73
Number of processed B packets/flows: 38.75
Number of processed total packets/s: 11.53
Number of processed A+B   packets/s: 11.53
Number of processed A     packets/s: 8.67
Number of processed   B   packets/s: 2.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 1.59
Average full raw bandwidth: 13122 b/s (13.12 Kb/s)
Average full bandwidth : 12620 b/s (12.62 Kb/s)
Max number of flows in memory: 86 [0.03%]
Memory usage: 0.02 GB [0.02%]
Aggregated flowStat=0x0c0000000200c064
[INF] Ethernet flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] LLDP
[INF] SSDP/UPnP
$

So we have eight SSH flows, and the aggregated sshStat 0x103b tells us that a Diffie-Hellman key exchange is involved. tawk decodes the value for us:

$ tawk -V sshStat=0x103b

The sshStat column with value 0x103b is to be interpreted as follows:

   bit | sshStat | Description
   =============================================================================
     0 | 0x0001  | Flow contains SSH protocol
     1 | 0x0002  | Keeps track of who sent the SSH banner first
     3 | 0x0008  | Key Exchange Init message seen
     4 | 0x0010  | Diffie-Hellman Key Exchange Init message seen
     5 | 0x0020  | Diffie-Hellman Key Exchange Reply message seen
    12 | 0x1000  | New Keys message seen

If we select the SSH flows, we learn that OpenSSH 7.1 (the client, direction A) and OpenSSH 6.0p1 (the server, direction B) are involved.

$ cd ~/results
$ tawk 'bitsanyset($sshStat, 0x0001)' ssh_succ_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  sshStat  sshVersion                               sshHostKeyType       sshFingerprint                                   sshCookie                         sshKEX              sshSrvHKeyAlgo  sshEncCS    sshEncSC    sshMacCS  sshMacSC  sshCompCS  sshCompSC  sshLangCS  sshLangSC  sshHassh                          sshHasshDesc
A     26       0x0400000000004000  1450628004.529458  1450628016.088016  11.558558  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37332    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          e97458497c02f134bcadf82e24888724  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     26       0x0400000000004001  1450628004.529832  1450628016.087998  11.558166  1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37332    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  0cb234edd1fc4624fef696ed213c615b                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
A     55       0x0400000000004000  1450628020.480513  1450628028.810340  8.329827   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37334    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          b46519eb5e83864a379628a9ce5dd9b6  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     55       0x0400000000004001  1450628020.480748  1450628028.810304  8.329556   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37334    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  3f06443da53fc7bda8c79616b8b70455                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
A     66       0x0400000000004000  1450628031.531563  1450628040.205273  8.673710   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37336    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          f8960a89ec0a725f247b17164cbb5639  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     66       0x0400000000004001  1450628031.531825  1450628040.205236  8.673411   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37336    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  f05ae7bcdd283d561f2e588e3fd48f62                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
A     76       0x0400000000004000  1450628041.583747  1450628047.913554  6.329807   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800              10.20.6.233  04       "Private network"  37338    10.20.0.171  04       "Private network"  22       6        0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          d4538ff7ed01147ab232886ff6ae8c47  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     76       0x0400000000004001  1450628041.583991  1450628047.913518  6.329527   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800              10.20.0.171  04       "Private network"  22       10.20.6.233  04       "Private network"  37338    6        0x1029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  eb2a508b905c141d31d4fd4182f2bc1d                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
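To tie the sshStat table and the flow listing together, here is an added Python example (not part of Tranalyzer or this tutorial) that decodes sshStat values, joins the A and B flows of ssh_succ_flows.txt into connections, and groups the server host-key fingerprints per server IP. It assumes txtSink's tab-separated layout with a '%'-prefixed header and embeds a few constructed rows trimmed from the listing above.

```python
# Bit meanings exactly as printed by `tawk -V sshStat` above
SSH_STAT_BITS = {
    0x0001: "Flow contains SSH protocol",
    0x0002: "Keeps track of who sent the SSH banner first",
    0x0008: "Key Exchange Init message seen",
    0x0010: "Diffie-Hellman Key Exchange Init message seen",
    0x0020: "Diffie-Hellman Key Exchange Reply message seen",
    0x1000: "New Keys message seen",
}

def decode_ssh_stat(value):
    """Return the descriptions of every documented bit set in an sshStat value."""
    return [desc for bit, desc in SSH_STAT_BITS.items() if value & bit]

# Constructed sample rows trimmed from the flow listing above (tab-separated, '%' header)
SAMPLE_FLOWS = "\n".join([
    "%dir\tflowInd\tsrcIP\tdstIP\tsshStat\tsshVersion\tsshFingerprint\tsshHassh",
    'A\t26\t10.20.6.233\t10.20.0.171\t0x101b\t"SSH-2.0-OpenSSH_7.1"\t\tde75d6191ba48aa3b1ea4577b1604dfb',
    'B\t26\t10.20.0.171\t10.20.6.233\t0x1029\t"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"\t'
    "e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70\tce3c327f37ea2ec21f317fbc3fd1ea43",
    'A\t55\t10.20.6.233\t10.20.0.171\t0x101b\t"SSH-2.0-OpenSSH_7.1"\t\tde75d6191ba48aa3b1ea4577b1604dfb',
    'B\t55\t10.20.0.171\t10.20.6.233\t0x1029\t"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"\t'
    "e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70\tce3c327f37ea2ec21f317fbc3fd1ea43",
])

def parse_flows(text):
    """Parse a txtSink flow file into one dict per row, keyed by column name."""
    lines = [l for l in text.splitlines() if l]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, l.split("\t"))) for l in lines[1:]]

def pair_connections(rows):
    """Join the A (client->server) and B (server->client) flows by flowInd."""
    by_ind = {}
    for r in rows:
        by_ind.setdefault(r["flowInd"], {})[r["dir"]] = r
    conns = []
    for ind in sorted(by_ind, key=int):
        a, b = by_ind[ind].get("A"), by_ind[ind].get("B")
        if a is None or b is None:
            continue  # unidirectional flow: nothing to pair
        sa, sb = int(a["sshStat"], 16), int(b["sshStat"], 16)
        conns.append({
            "flowInd": ind, "server": b["srcIP"],
            "client_version": a["sshVersion"].strip('"'),
            "server_version": b["sshVersion"].strip('"'),
            "server_hostkey": b["sshFingerprint"], "client_hassh": a["sshHassh"],
            "aggregated_stat": sa | sb,               # the OR t2 prints in its summary
            "kex_completed": bool(sa & sb & 0x1000),  # New Keys seen in both directions
        })
    return conns

def hostkeys_per_server(conns):
    """Server IP -> set of host-key fingerprints; more than one per server warrants a look."""
    return {ip: {c["server_hostkey"] for c in conns if c["server"] == ip}
            for ip in {c["server"] for c in conns}}
```

Run it against the real ~/results/ssh_succ_flows.txt by passing the file contents to parse_flows; a server IP that maps to more than one fingerprint means its host key changed between connections.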

In the packet file, the l7Content column of the SSH packets shows the detailed content of each packet, e.g. the banners and the algorithm lists of the Key Exchange Init messages.

$ tawk 'bitsanyset($sshStat, 0x0001)' ssh_succ_packets.txt | tcol
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP        dstIPCC  dstIPOrg         dstPort  l4Proto  sshStat  l7Content
67      26       0x0400000000004000  1450628004.530052  0.000192  0.000594      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x0003   SSH-2.0-OpenSSH_7.1\r\n
69      26       0x0400000000004001  1450628004.537638  0.007434  0.007806      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x0001   SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\r\n
70      26       0x0400000000004000  1450628004.537710  0.007658  0.008252      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x0003   
71      26       0x0400000000004000  1450628004.538022  0.000312  0.008564      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x000b   ...4\n..tXI|..4....$..$....curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1....ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa....chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-s
72      26       0x0400000000004000  1450628004.538192  0.000170  0.008734      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x000b   ha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com,zlib....none,zlib@openssh.com,zlib.......................
73      26       0x0400000000004001  1450628004.538581  0.000943  0.008749      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x0009   ....\t...4...F$....!<a[....ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1...#ssh-rsa,ssh-dss,ecdsa-sha2-nistp256....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com....none,zlib@openssh.com......................
74      26       0x0400000000004000  1450628004.576643  0.038451  0.047185      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x000b   
75      26       0x0400000000004001  1450628004.576877  0.038296  0.047045      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x0009   
76      26       0x0400000000004000  1450628004.576893  0.000250  0.047435      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x001b   ...L.....A...[."..I.:."@W...?..k@..C).I.&...Q.z_9<..^...eZ...........Y...g......
77      26       0x0400000000004001  1450628004.579220  0.002343  0.049388      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x1029   ...$.....h....ecdsa-sha2-nistp256....nistp256...A.n...z....+4.3....H.A..b.!^._.8Rjl.n...TF..@.ZK....e0.i......^.m....A.y|....{.b.;.3f~S.Z9D.".\..0A-7.zn+%63.l..^....c.}..s..g...g........e....ecdsa-sha2-nistp256...J...!...[...J.....<....\r;B..!............!..2.yH.{.wVW...y..65.;..?...3dz..............\n...........
78      26       0x0400000000004000  1450628004.579253  0.002360  0.049795      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x001b   
79      26       0x0400000000004000  1450628004.580089  0.000836  0.050631      3        eth:ipv4:tcp             e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       Private network  37332    10.20.0.171  04       Private network  22       6        0x101b   ....\n...........
80      26       0x0400000000004001  1450628004.617691  0.038471  0.087859      3        eth:ipv4:tcp             90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       Private network  22       10.20.6.233  04       Private network  37332    6        0x1029   
...

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf sshDecode --reset && t2build sshDecode
...
$

Have fun analyzing.