This page demonstrates analysing a captured command line SSH session to estimate original commands typed. This is not a flaw in SSH - SSH is a great protocol regardless of these techniques; rather this is a demonstration on what can possibly be deduced from the analysis of encrypted traffic.
The technique consists of the following steps:
The plaintext capture is necessary for the analysis program to compare unknown commands from the SSH capture with known commands from the plaintext capture.
sshkeydata is the analysis program for the *.keydata files. It currently uses a customised distance vector algorithm to rank potential command matches, and at best achieves a 90% accuracy (this is when used on ideal data sets, where we would want this to be very close to 100%). This is the first release of sshkeydata. Future versions may include fuzzy or Bayesian analysis to achieve much higher accuracies.
Factors used to determine the original command are (in order from most to least important):
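As an added illustration of the matching idea (this is not sshkeydata's own code, keydata file format or scoring formula, none of which the page shows): a toy matcher that ranks each unknown command from the encrypted session against the commands of the plaintext reference session by distance between constructed feature vectors, and prints a report in the same layout as the tool's output.

```python
import math

# Constructed feature vectors, one per command: (keystroke packets, response
# packets, seconds spent typing). The page does not spell out the keydata file
# format, so these fields are an assumption standing in for what Chaosreader
# would derive from packet sizes and timing of an interactive session.
KNOWN = [  # plaintext (telnet) reference session: command text is visible
    ("ls -l",    (6, 2, 1.10)),
    ("cd ..",    (6, 2, 0.90)),
    ("id -a",    (6, 2, 1.40)),
    ("pwd",      (4, 2, 0.60)),
    ("uname -a", (9, 2, 1.70)),
]
UNKNOWN = [(6, 2, 1.15), (4, 2, 0.62), (9, 2, 1.66)]  # encrypted (SSH) session

def distance(target, candidate, weights=(1.0, 1.0, 2.0)):
    """Weighted Euclidean distance between feature vectors; smaller is closer.
    Timing is weighted higher because keystroke and response counts alone
    cannot separate same-length commands such as 'ls -l', 'cd ..' and 'id -a'."""
    return math.sqrt(sum(w * (t - c) ** 2
                         for w, t, c in zip(weights, target, candidate)))

def rank(target, known, top=5):
    """Top candidates for one unknown command as (score, percent, command).
    percent = 100 / (1 + score) is a constructed confidence, not the tool's."""
    scored = sorted((distance(target, feats), cmd) for cmd, feats in known)
    return [(s, 100.0 / (1.0 + s), c) for s, c in scored[:top]]

def report(unknown, known):
    """Best guess per unknown command, mirroring the tool's 'Final Report'."""
    return [rank(t, known)[0] for t in unknown]

if __name__ == "__main__":
    for num, target in enumerate(UNKNOWN, 1):
        print(f"Examining {num}, keys {target[0]}, response {target[1]}, argv")
        for i, (score, pct, cmd) in enumerate(rank(target, KNOWN), 1):
            print(f"  {i}  {score:.6f}  {pct:6.2f}  {cmd}")
    print("Final Report,")
    for num, (score, pct, cmd) in enumerate(report(UNKNOWN, KNOWN), 1):
        print(f"  {num}  {score:.6f}  {pct:6.2f}  {cmd}")
```

Commands with identical keystroke and response counts end up separated only by the timing feature, which is why the real tool's top candidates for a six-key command are often the same three commands in varying order.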
mars:> ./sshkeydata 1/session_0001.telnet.keydata 2/session_0001.textSSH.keydata
Analysis of Target Data,

Examining 1, keys 6, response 2, argv
   1   0.227007   94.85   ls -l
   2   0.358182   87.17   ls -l
   3   0.789034   30.12   cd ..
   4   0.811321   28.48   id -a
   5   0.845444   26.23   id -a

Examining 2, keys 6, response 2, argv
   1   0.268309   92.80   ls -l
   2   0.394178   84.46   ls -l
[...]

Final Report,
  Num  Score      Percent  Command
   1   0.227007   94.85   ls -l
   2   0.268309   92.80   ls -l
   3   0.355045   87.39   pwd
   4   0.415685   82.72   cd ..
   5   0.471051   77.81   cd ..
   6   0.405145   83.59   uname -a
   7   0.311840   90.28   cd ..
   8   0.581321   55.48   cd /etc
   9   0.947826   20.87   ls -l
  10   0.617564   49.16   cd /
  11   0.307313   90.56   df -k
  12   1.036179   17.46   find /
  20   0.949534   20.80   exit
The above example had a 92% accuracy (command number 7 is wrong, it should be "id -a").
Full Example
# snoop -o out1 port 22
Using device /dev/hme (promiscuous mode)
793 ^C

# snoop -o out2 port 23
Using device /dev/hme (promiscuous mode)
3353 ^C
# mkdir 1
# cd 1
# ../chaosreader ../out1
Chaosreader ver 0.94

Opening, ../out1

Reading file contents,
 100% (357408/357408)
Reassembling packets,
 100% (793/793)

Creating files...
   Num  Session (host:port <=> host:port)              Service
   0001  192.168.1.5:38015,192.168.1.1:22                ssh

index.html created.
# ls -l
total 92
-rw-r--r--   1 brendan  other        321 May  2 14:02 getpost.html
-rw-r--r--   1 brendan  other          0 May  2 14:02 httplog.text
-rw-r--r--   1 brendan  other        302 May  2 14:02 image.html
-rw-r--r--   1 brendan  other       1801 May  2 14:02 index.html
-rw-r--r--   1 brendan  other        410 May  2 14:02 index.text
-rw-r--r--   1 brendan  other      16584 May  2 14:02 session_0001.textSSH.html
-rw-r--r--   1 brendan  other       1739 May  2 14:02 session_0001.textSSH.keydata
-rwxr-xr-x   1 brendan  other      21543 May  2 14:02 session_0001.textSSH.replay*
# cd ..

# mkdir 2
# cd 2
# ../chaosreader --keydata ../out2
Chaosreader ver 0.94

Opening, ../out2

Reading file contents,
 100% (514888/514888)
Reassembling packets,
 100% (3353/3353)

Creating files...
   Num  Session (host:port <=> host:port)              Service
   0001  192.168.1.5:38008,192.168.1.1:23                telnet

index.html created.
# ls -l
total 1056
-rw-r--r--   1 brendan  other        321 May  2 14:03 getpost.html
-rw-r--r--   1 brendan  other          0 May  2 14:03 httplog.text
-rw-r--r--   1 brendan  other        302 May  2 14:03 image.html
-rw-r--r--   1 brendan  other       1802 May  2 14:03 index.html
-rw-r--r--   1 brendan  other        410 May  2 14:03 index.text
-rw-r--r--   1 brendan  other     252535 May  2 14:03 session_0001.telnet.html
-rw-r--r--   1 brendan  other      17538 May  2 14:03 session_0001.telnet.keydata
-rwxr-xr-x   1 brendan  other     239086 May  2 14:03 session_0001.telnet.replay*
# cd ..
# ./sshkeydata 2/session_0001.telnet.keydata 1/session_0001.textSSH.keydata
Analysis of Target Data,

Examining 1, keys 6, response 2, argv
   1   0.217407   95.27   ls -l
   2   0.350440   87.72   ls -l
   3   0.791097   29.96   cd ..
   4   0.814101   28.29   id -a
   5   0.848431   26.05   id -a

Examining 2, keys 6, response 2, argv
   1   0.258708   93.31   ls -l
   2   0.386436   85.07   ls -l
   3   0.825179   27.54   cd ..
   4   0.848254   26.06   id -a
   5   0.879767   24.23   id -a

Examining 3, keys 4, response 2, argv
   1   0.349191   87.81   pwd
   2   0.353578   87.50   pwd
   3   0.360816   86.98   pwd
   4   0.367347   86.51   pwd
   5   0.391699   84.66   pwd

Examining 4, keys 6, response 2, argv
   1   0.411267   83.09   cd ..
   2   0.523171   68.50   cd ..
   3   0.569110   57.89   cd ..
   4   0.580465   55.65   cd ..
   5   0.582380   55.28   cd ..

Examining 5, keys 6, response 2, argv
   1   0.466633   78.23   cd ..
   2   0.481139   76.85   cd ..
   3   0.495392   75.46   cd ..
   4   0.541069   64.05   cd ..
   5   0.547180   62.62   cd ..

Examining 6, keys 9, response 2, argv
   1   0.397566   84.19   uname -a
   2   0.419075   82.44   uname -a
   3   0.494614   75.54   uname -a
   4   0.566842   58.35   ps -p $$
   5   0.597208   52.57   uname -a

Examining 7, keys 6, response 2, argv
   1   0.311840   90.28   cd ..
   2   0.326230   89.36   cd ..
   3   0.392215   84.62   cd ..
   4   0.395715   84.34   cd ..
   5   0.482735   76.70   cd ..

Examining 8, keys 8, response 2, argv
   1   0.576904   56.34   cd /etc
   2   0.645676   44.98   cd /etc
   3   0.698256   38.46   cd /etc
   4   1.486374    8.49   fred123
   5   2.985009    2.10   prtconf

Examining 9, keys 6, response 2, argv
   1   0.947826   20.87   ls -l
   2   2.324769    3.47   ls -l
   3   2.424682    3.19   ls -l
   4   2.453353    3.12   ls -l
   5   2.460909    3.10   ls -l

Examining 10, keys 5, response 2, argv
   1   0.613147   49.87   cd /
   2   0.648149   44.63   exit
   3   0.680691   40.47   cd /
   4   0.718651   36.30   cd /
   5   0.768472   31.75   cd /

Examining 11, keys 6, response 2, argv
   1   0.307313   90.56   df -k
   2   0.316423   89.99   df -k
   3   0.378033   85.71   df -k
   4   0.446855   80.03   df -k
   5   0.449468   79.80   ls -l

Examining 12, keys 7, response 2, argv
   1   1.036179   17.46   find /
   2   1.074653   16.24   find /
   3   1.157942   13.98   find /
   4   2.453980    3.11   cd etc
   5   2.473254    3.07   finger

Examining 20, keys 5, response 2, argv
   1   0.945420   20.98   exit
   2   0.973990   19.76   cd /
   3   1.005654   18.54   cd /
   4   1.018094   18.09   cd /
   5   1.023561   17.90   cd /

Final Report,
  Num  Score      Percent  Command
   1   0.217407   95.27   ls -l
   2   0.258708   93.31   ls -l
   3   0.349191   87.81   pwd
   4   0.411267   83.09   cd ..
   5   0.466633   78.23   cd ..
   6   0.397566   84.19   uname -a
   7   0.311840   90.28   cd ..
   8   0.576904   56.34   cd /etc
   9   0.947826   20.87   ls -l
  10   0.613147   49.87   cd /
  11   0.307313   90.56   df -k
  12   1.036179   17.46   find /
  20   0.945420   20.98   exit