Sshkeydata
Description
Sshkeydata is a command-line SSH content analysis tool. It analyses keydata files created by chaosreader and estimates the original commands typed during SSH sessions.
Here is the typical scenario: you have captured some SSH sessions and some telnet sessions, originating from the same user, in tcpdump or snoop files. Sshkeydata compares details from the known (plaintext) telnet session with details from the unknown (encrypted) SSH session to estimate the commands typed. First, chaosreader is run on the dump files to generate keydata files, which contain keystroke delays and other details from the sessions. Then sshkeydata is run on the keydata files and outputs estimates of the original commands typed within the SSH session.
Installation
$ cd ~/src/
$ wget http://downloads.sourceforge.net/project/chaosreader/sshkeydata/0.20/sshkeydata0.20
$ chmod +x sshkeydata0.20
Usage
./sshkeydata plaintext.keydata[...] ssh.keydata
Example
Sniff an SSH session and a telnet session
In this example, we show how sshkeydata estimates the keystrokes of an SSH session from two files: a telnet keydata file and an SSH keydata file, both created by chaosreader.
We need two capture files (tcpdump is used to write the pcap files):
- Sniff a SSH session:
sudo tcpdump -nS -s1515 -i eth1 -w ssh.pcap
- Sniff a telnet session:
sudo tcpdump -nS -s1515 -i eth1 -w telnet.pcap
Analyze ssh.pcap with Chaosreader
Once the captures are done, we run chaosreader against ssh.pcap:
$ ./chaosreader0.94 ssh.pcap
Chaosreader ver 0.94

Opening, ../ssh.pcap

Reading file contents,
 100% (20416/20416)
Reassembling packets,
 100% (136/136)

Creating files...
   Num  Session (host:port <=> host:port)            Service
  0001  192.168.1.18:58644,192.168.1.16:22            ssh

index.html created.
It will create a *.keydata file:
$ ll
total 44
drwxrwxr-x 2 pilou pilou 4096 août 12 17:17 ./
drwxrwxr-x 3 pilou pilou 4096 août 12 17:12 ../
-rw-rw-r-- 1 pilou pilou  323 août 12 17:17 getpost.html
-rw-rw-r-- 1 pilou pilou    0 août 12 17:17 httplog.text
-rw-rw-r-- 1 pilou pilou  304 août 12 17:17 image.html
-rw-rw-r-- 1 pilou pilou 1785 août 12 17:17 index.html
-rw-rw-r-- 1 pilou pilou  403 août 12 17:17 index.text
-rw-rw-r-- 1 pilou pilou 5434 août 12 17:17 session_0001.textSSH.html
-rw-rw-r-- 1 pilou pilou  564 août 12 17:17 session_0001.textSSH.keydata
-rwxr-xr-x 1 pilou pilou 5951 août 12 17:17 session_0001.textSSH.replay*
Analyze telnet.pcap with Chaosreader
Next, we use chaosreader to parse the telnet.pcap file, this time with the --keydata option:
$ ./chaosreader0.94 --keydata telnet.pcap
Chaosreader ver 0.94

Opening, ../telnet.pcap

Reading file contents,
 100% (14892/14892)
Reassembling packets,
 100% (167/167)

Creating files...
   Num  Session (host:port <=> host:port)            Service
  0001  192.168.1.18:46031,192.168.1.16:23            telnet

index.html created.
A second *.keydata file is created:
$ ll
total 56
drwxrwxr-x 2 pilou pilou 4096 août 12 17:18 ./
drwxrwxr-x 3 pilou pilou 4096 août 12 17:12 ../
-rw-rw-r-- 1 pilou pilou  323 août 12 17:18 getpost.html
-rw-rw-r-- 1 pilou pilou    0 août 12 17:18 httplog.text
-rw-rw-r-- 1 pilou pilou  304 août 12 17:18 image.html
-rw-rw-r-- 1 pilou pilou 1807 août 12 17:18 index.html
-rw-rw-r-- 1 pilou pilou  400 août 12 17:18 index.text
-rw-rw-r-- 1 pilou pilou 3802 août 12 17:18 session_0001.telnet.html
-rw-rw-r-- 1 pilou pilou 1059 août 12 17:18 session_0001.telnet.keydata
-rwxr-xr-x 1 pilou pilou 3557 août 12 17:18 session_0001.telnet.replay*
-rw-rw-r-- 1 pilou pilou 5434 août 12 17:17 session_0001.textSSH.html
-rw-rw-r-- 1 pilou pilou  564 août 12 17:17 session_0001.textSSH.keydata
-rwxr-xr-x 1 pilou pilou 5951 août 12 17:17 session_0001.textSSH.replay*
Use sshkeydata
Now, let's use sshkeydata to estimate the keystrokes (as in the Usage line, the known-plaintext keydata files come first and the SSH keydata file last):
$ ./sshkeydata0.20 session_0001.telnet.keydata session_0001.telnet.keydata
Analysis of Target Data,

Examining 1, keys 9, response 1, argv oopsoops
  1  0.709865  37.21  oopsoops
  2  3.242430   1.78  oopsoops

Examining 9, keys 11, response 1, argv pilou\n
  1  0.709865  37.21  pilou

Examining 10, keys 9, response 1, argv oopsoops\n
  1  0.709865  37.21  oopsoops
  2  3.133954   1.91  oopsoops

Examining 11, keys 5, response 1, argv cd /\n
  1  0.709865  37.21  cd /

Examining 12, keys 3, response 1, argv ls\n
  1  0.709865  37.21  ls

Examining 13, keys 6, response 1, argv cd ..\n
  1  0.709865  37.21  cd ..

Final Report,
  Num  Score     Percent  Command
    1  0.709865  37.21    oopsoops
    9  0.709865  37.21    pilou
   10  0.709865  37.21    oopsoops
   11  0.709865  37.21    cd /
   12  0.709865  37.21    ls
   13  0.709865  37.21    cd ..
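The following Python script is an added illustration of the estimation idea behind the Description and the Final Report above; it is not sshkeydata's own code and does not read chaosreader keydata files (their format is not reproduced here). It assumes a simplified session representation, each typed line being a constructed list of (character, delay) pairs, learns per-digraph keystroke delays from a known-plaintext session, scores candidate commands against the delays observed on an encrypted session, and shows why keystroke-timing obfuscation on the SSH client removes the signal such a tool relies on. The candidate list, the timings and the `obscure_timing` model are all assumptions made for the example.

```python
"""Toy keystroke-timing estimator (added example, not sshkeydata's code).

Sessions are constructed lists of (char, delay_seconds) pairs per typed
line; real chaosreader keydata files have their own format, not parsed here.
"""
from collections import defaultdict
from math import exp, log, pi
from statistics import mean, pstdev

SIGMA_FLOOR = 0.03  # seconds; keeps a digraph seen only once from having zero variance

# Constructed known-plaintext session: what a telnet capture reveals.
# delay = seconds since the previous keystroke on the same line (first one unused).
KNOWN_LINES = [
    [("l", 0.0), ("s", 0.11)],
    [("l", 0.0), ("s", 0.13)],
    [("c", 0.0), ("d", 0.16), (" ", 0.24), ("/", 0.41)],
    [("c", 0.0), ("d", 0.14), (" ", 0.26), (".", 0.33), (".", 0.09)],
    [("r", 0.0), ("m", 0.19), (" ", 0.27), ("x", 0.30)],
]


def build_digraph_model(lines):
    """Per-digraph (mean, stdev) of inter-keystroke delay, plus a global fallback."""
    samples = defaultdict(list)
    for line in lines:
        for (prev, _), (cur, delay) in zip(line, line[1:]):
            samples[(prev, cur)].append(delay)
    every = [d for ds in samples.values() for d in ds]
    fallback = (mean(every), max(pstdev(every), SIGMA_FLOOR))
    model = {dg: (mean(ds), max(pstdev(ds), SIGMA_FLOOR)) for dg, ds in samples.items()}
    return model, fallback


def log_likelihood(model, fallback, command, delays):
    """Gaussian log-likelihood of the observed delays if `command` was typed.
    delays[i] is the gap before command[i + 1]; unseen digraphs use the fallback."""
    if len(delays) != len(command) - 1:
        return float("-inf")  # key count must match, as sshkeydata's "keys N" does
    total = 0.0
    for prev, cur, d in zip(command, command[1:], delays):
        mu, sd = model.get((prev, cur), fallback)
        total += -0.5 * ((d - mu) / sd) ** 2 - log(sd) - 0.5 * log(2 * pi)
    return total


def rank_candidates(model, fallback, candidates, delays):
    """Score every candidate with the right key count; return (command, percent)
    pairs sorted best first, percentages normalised over the candidate set."""
    scored = [(c, log_likelihood(model, fallback, c, delays))
              for c in candidates if len(c) == len(delays) + 1]
    if not scored:
        return []
    best = max(ll for _, ll in scored)
    weights = [(c, exp(ll - best)) for c, ll in scored]  # shift before exp for stability
    total = sum(w for _, w in weights)
    return sorted(((c, round(100.0 * w / total, 2)) for c, w in weights),
                  key=lambda cw: -cw[1])


def obscure_timing(delays, interval=0.02):
    """Assumed, simplified model of a client that sends keystrokes on a fixed
    clock and fills idle ticks with chaff packets: the network only ever sees
    the interval, so the real delays never leave the host."""
    return [interval] * len(delays)


if __name__ == "__main__":
    model, fallback = build_digraph_model(KNOWN_LINES)
    candidates = ["ls", "cd", "rm", "ps", "cd /", "cd .."]
    observed = [0.12]  # constructed: one inter-keystroke gap seen on the SSH session
    for cmd, pct in rank_candidates(model, fallback, candidates, observed):
        print(f"{pct:6.2f}%  {cmd}")
    # With timing obfuscation the observation is identical whatever was typed.
    print(obscure_timing([0.12]) == obscure_timing([0.19]))
```

Two things the example makes visible. The ranking only works because the telnet session supplied per-digraph timing for the same typist, which is why the page insists both captures originate from the same user. And a client that decouples packet timing from keystroke timing (OpenSSH 9.5 and later ship this as the ssh_config option `ObscureKeystrokeTiming`, enabled by default) hands every candidate the same observation, so there is nothing left to score.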