SSH Analysis

This page demonstrates analysing a captured command line SSH session to estimate the commands originally typed. This is not a flaw in SSH - SSH is a great protocol regardless of these techniques; rather, it is a demonstration of what can be deduced from the analysis of encrypted traffic.

The technique follows these steps:

  1. An SSH session is captured using tcpdump or snoop.
  2. A plaintext session, such as telnet, is captured using tcpdump or snoop.
  3. chaosreader is run on the SSH dump. This creates a *.textSSH.keydata file.
  4. chaosreader is run on the plaintext dump with the "--keydata" option. This creates a *.keydata file.
  5. The analysis program, sshkeydata, is run on both keydata files to look for similarities.

The plaintext capture is necessary for the analysis program to compare unknown commands from the SSH capture with known commands from the plaintext capture.

sshkeydata is the analysis program for the *.keydata files. It currently uses a customised distance vector algorithm to rank potential command matches, and at best achieves 90% accuracy (that figure is for ideal data sets, where we would want it to be very close to 100%). This is the first release of sshkeydata; future versions may include fuzzy or Bayesian analysis to achieve much higher accuracies.
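To show the kind of comparison that step 5 performs, here is an added example (not sshkeydata's or chaosreader's code): it extracts per-keystroke features from constructed packet records for several known plaintext sessions and one encrypted session, then ranks the candidate commands by a weighted distance. The packet record format, the weights and the sample sessions are assumptions made for this illustration, not the *.keydata format.

```python
"""Rank candidate commands for an encrypted interactive SSH session.
Constructed illustration of the idea behind sshkeydata (not its code): the
packet record format (timestamp, direction, payload_bytes) is an assumption
made for this example, not chaosreader's *.keydata format."""
from math import sqrt

def features(packets):
    """(keystrokes sent, seconds spent typing, server bytes after the last key).
    In interactive mode each key travels in its own packet, so the count
    survives encryption; output size is inflated by padding, so it is
    weighted lightly in distance()."""
    client = [p for p in packets if p[1] == 'c']
    if not client:
        return (0, 0.0, 0)
    keystrokes = len(client)
    typing_time = client[-1][0] - client[0][0] if keystrokes > 1 else 0.0
    last_key_t = client[-1][0]
    output = sum(p[2] for p in packets if p[1] == 's' and p[0] > last_key_t)
    return (keystrokes, typing_time, output)

def distance(a, b):
    """Weighted distance: keystroke count matters most, output size least
    (taken as a relative difference so encrypted padding does not dominate)."""
    dk = a[0] - b[0]
    dt = a[1] - b[1]
    do = abs(a[2] - b[2]) / max(a[2], b[2], 1)
    return sqrt(4.0 * dk * dk + dt * dt + 0.25 * do * do)

def rank(unknown, known):
    """known maps a plaintext-session command to its packets; returns
    [(distance, command), ...] with the best match first."""
    f = features(unknown)
    return sorted((distance(f, features(p)), cmd) for cmd, p in known.items())

def keystroke_session(command, gap, output_bytes, t0=0.0):
    """Constructed packets for typing `command` + Enter with a fixed gap,
    one server echo per key, then one output burst."""
    pkts, t = [], t0
    for _ in command + "\n":
        pkts.append((t, 'c', 1))         # one keystroke per client packet
        pkts.append((t + 0.01, 's', 1))  # server echoes the character
        t += gap
    pkts.append((t, 's', output_bytes))  # command output after Enter
    return pkts

def demo_rank():
    """Known telnet sessions vs. an unknown SSH session typed slightly slower
    with padded output; the best match should be 'ls -l'."""
    known = {cmd: keystroke_session(cmd, 0.2, out) for cmd, out in
             [("ls", 300), ("ls -l", 900), ("pwd", 20), ("uptime", 80)]}
    unknown = keystroke_session("ls -l", 0.25, 960)
    return rank(unknown, known)
```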

Factors used to determine the original command are (in order from most to least important),

Another factor can be used depending on the SSH session,

Full Example


Last updated: 02-May-2004