{ "info": { "author": "Loic Jaquemet", "author_email": "loic.jaquemet+python@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Environment :: Console", "Intended Audience :: Developers", "License :: OSI Approved :: GNU General Public License (GPL)", "Programming Language :: Python", "Topic :: Security", "Topic :: System :: Networking" ], "description": "HOWTO:\n------\nhttps://github.com/trolldbois/sslsnoop/wiki/Screencast\n\n $ sudo easy_install sslsnoop\n $ mkdir outputs\n\nYou really have to. Please.\n \n $ sudo sslsnoop # try ssh, sshd and ssh-agent... for various things\n $ sudo sslsnoop-openssh live `pgrep ssh` # dumps SSH decrypted traffic in outputs/\n $ sudo sslsnoop-openssh offline --help # dumps SSH decrypted traffic in outputs/ from a pcap file\n $ sudo sslsnoop-openssl `pgrep ssh-agent` # dumps RSA and DSA keys\n\nand go and check outputs/.\n\nhints :\n-------\na) works if scapy doesn't drop packets. using pcap instead of SOCK_RAW helps a lot now.\nb) works better on interactive traffic with no traffic at the time of the ptrace. It follows the flow, after that.\nc) Dumps one file by fd in outputs/\nd) Attaching a process is quickier with --addr 0xb788aa98 as provided by haystack\n INFO:abouchet:found instance @ 0xb788aa98\ne) how to get a pickled session_state file :\n $ sudo haystack --pid `pgrep ssh` sslsnoop.ctypes_openssh.session_state search > ss.pickled\n\n\nnot so FAQ :\n============\n\nWhat does it do, really ?:\n--------------------------\nIt dumps live session keys from an openssh , and decrypts the traffic on the fly.\nNot all ciphers are implemented. \n\nWorkings ciphers : aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc\nPartially workings ciphers (INBOUND only ?!): aes128-cbc, aes192-cbc, aes256-cbc\nNon workings ciphers : 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280\n\nIt can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).\n\nHow do it knows that the structures is valid ? :\n------------------------------------------------\nYou add some constraints ( expectedValues ) on the fields. Pointers are also a good start.\n\nYeah, but you have to be root, so what's the use ? :\n----------------------------------------------------\nMonitoring ssh traffic on honeypots ?\nMonitoring encrypted traffic on honeypots ?\nMonitoring encrypted traffic on ... somewhere your are root ?\n\nIt does not work on my openssh ? :\n-----------------------------------\ntested on OpenSSH 5.5.\nShould work on most recent version.. I didn't check for structure modification. but that would explain a lot.\nIt work really good on intereactive session with no traffic at the time of execution. (clean cipher state in memory)\nIt can work on a busy ssh stream, *IF* a) the cipher state is clean, b) scapy doesn't loose packets (CPU ?).\n-> yeah the GIL really sucks\n\nHow can i decrypt a pcap file ? :\n----------------------------------\nUse the offline mode.\n \nWhere does the idea comes from ? :\n-----------------------------------\nuse http://www.hsc.fr/ressources/breves/passe-partout.html.fr to get keys\nuse http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html \n or http://www.rtfm.com/ssldump/ to read streams\nuse scapy, because it's fun ? but we need IP reassembly . \npynids could be more useful...\ndsniff is now in python ?\nflowgrep\nuse python.\n\n\nWhat are the dependencies ? :\n----------------------------\npython-haystack (same author)\npython-ptrace\nscapy\npython-pcap / python-xxxpcap ( recommended for perf issues )\nparamiko (for ssh decryption) [ TODO, extract & kill dep. we only need Message and Packetizer ]\npython-psutil \n\nConclusion :\n------------\npoc done.\nNext, `pgrep firefox`. \n\n\nBiblio\n-------\n\nBringing volatility to Linux\nhttp://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html\n\nExtracting truecrypt keys from memory\nhttp://jessekornblum.com/tools/volatility/cryptoscan.py\n\npython-ptrace ( hey, haypo again)\nhttps://bitbucket.org/haypo/python-ptrace/wiki/Home\nhttps://bitbucket.org/haypo/python-ptrace/wiki/Documentation\n\nfrom ptrace.debugger.memory_mapping import readProcessMappings\n\nopenssl.py is passe-partout.py - OK - 04/03/2011\n\nOpenSSH, testing ciphers\n========================\n Ciphers\n Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers\n are \u201c3des-cbc\u201d, \u201caes128-cbc\u201d, \u201caes192-cbc\u201d, \u201caes256-cbc\u201d, \u201caes128-ctr\u201d, \u201caes192-ctr\u201d, \u201caes256-ctr\u201d, \u201carcfour128\u201d, \u201carcfour256\u201d, \u201carcfour\u201d,\n \u201cblowfish-cbc\u201d, and \u201ccast128-cbc\u201d. The default is:\n\n aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,\n aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,\n aes256-cbc,arcfour\n\nforce one :\n\nssh -c aes192-ctr log@host\n\n\nfirefox & NSS\n=============\nINFO:abouchet:found instance @ 0xbfe12c20 => sur la stack\n\nINFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)\nINFO:abouchet:processed 6465536 bytes\nptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error\n## weird ....\n\n4894720\n\n\nArchitecture\n============\n\n\nopenssh creates a OpenSSHLiveDecryptatator which inherits a OpenSSHKeysFinder\nOpenSSHLiveDecryptatator :\n * connects to/launch a network.Sniffer. (scapy)\n * OpenSSHKeysFinder calls haystack to fetch the session_state\n - memory capture/ptrace is done in a subprocess\n - target process is not under ptrace anymore when openssh runs. \n - keys are acquired\n * SessionCiphers are created from pickled values from haystack\n - one for inbound traffic\n - one for outbound traffic\n * each SessionCipher is coupled with :\n - a socket given by a TCPStream ( Inbound and Outbound TCPstate)\n - a paramiko Packetizer which is a ssh protocol handler.\n * a cipher engine is used by the paramiko.Packetizer to decrypt data from the TCPStream socket\n * the Packetizer uses :\n - the socket to read it's data from the 'network'.\n - the cipher to decrypt the data\n * a SSHStreamToFile is created for each stream and is given the packetizer and the overall context ( cipher, socket )\n - the SSHStreamToFile try to process the packetizer's outputs into a file.\n * a Supervisor is created to handle traffic ( select on socket )\n - both SSHStreamToFile are given to the Supervisor with their respective socket\n\n\nTODO:\n\nSSHStream uses the packets is orderedQueue and the cipher, to try to find a SSH packet\n - algo 1 : copy original cipher state, decrypt first block of packet [0], \n if not valid, drop packet and loop to next one (for x packets) \n if valid, switch to go-trough mode and queue current + all packets data to socket \n\n - algo 2 : try to find a valid packet, block per block/long by long\n if valid, switch to go-trough mode and queue current + all packets data to socket", "description_content_type": null, "docs_url": null, "download_url": "http://github.com/trolldbois/sslsnoop/tree/master", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://packages.python.org/sslsnoop/", "keywords": "memory,analysis,forensics,struct,ptrace,openssh,openssl,decrypt", "license": "GPL", "maintainer": null, "maintainer_email": null, "name": "sslsnoop", "package_url": "https://pypi.org/project/sslsnoop/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/sslsnoop/", "project_urls": { "Download": "http://github.com/trolldbois/sslsnoop/tree/master", "Homepage": "http://packages.python.org/sslsnoop/" }, "release_url": "https://pypi.org/project/sslsnoop/0.11/", "requires_dist": null, "requires_python": null, "summary": "Dumps the live traffic of an ssl-encrypted stream.", "version": "0.11" }, "last_serial": 800048, "releases": { "0.1": [ { "comment_text": "", "digests": { "md5": "b360005c08f0ca93c77b59de7c3ab5c6", "sha256": "05a4ceffd5eb6be670ec6819829e04da823208a83d0cc91415be50d68d95f108" }, "downloads": -1, "filename": "sslsnoop-0.1.tar.gz", "has_sig": false, "md5_digest": "b360005c08f0ca93c77b59de7c3ab5c6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 236085, "upload_time": "2011-03-31T02:22:18", "url": "https://files.pythonhosted.org/packages/63/9f/7351050ca4584fd76f9ea9f74ffd73e0e7ddb34f8d43c1093788f9276e04/sslsnoop-0.1.tar.gz" } ], "0.11": [ { "comment_text": "", "digests": { "md5": "b87f2ea641c797dc51c377aacf1e8502", "sha256": "c2ac910acb6d4cfdc05700f43a685ccf0134dc8062f070abbe5a13fe2c75f4e4" }, "downloads": -1, "filename": "sslsnoop-0.11.tar.gz", "has_sig": false, "md5_digest": "b87f2ea641c797dc51c377aacf1e8502", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 321783, "upload_time": "2011-08-23T03:10:19", "url": "https://files.pythonhosted.org/packages/7c/f8/4db1a6c9d7568bd70b5d6d1b20adec360495ab1f81dc14d3b06248e443dd/sslsnoop-0.11.tar.gz" } ], "0.2": [ { "comment_text": "", "digests": { "md5": "6d7fadaf9a3c4d8e83e867c41390e0d6", "sha256": "6cd0b81e4eef1885a29720a803aa88421f7f797e2a09a54dbcba625b58ea913e" }, "downloads": -1, "filename": "sslsnoop-0.2.tar.gz", "has_sig": false, "md5_digest": "6d7fadaf9a3c4d8e83e867c41390e0d6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 236083, "upload_time": "2011-03-31T02:25:04", "url": "https://files.pythonhosted.org/packages/9f/5f/2480c593ca84ad1dccff945e7dd8a8696ffcc5348f35e55e9abf911ff00f/sslsnoop-0.2.tar.gz" } ], "0.4": [ { "comment_text": "", "digests": { "md5": "6cd6cd5d049049fcabe3a6392bd475b4", "sha256": "ae99ded308cb9cddb41acb325067bd1ffaa097c56f19069a9538cb0f99862362" }, "downloads": -1, "filename": "sslsnoop-0.4.tar.gz", "has_sig": false, "md5_digest": "6cd6cd5d049049fcabe3a6392bd475b4", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 126307, "upload_time": "2011-04-01T23:11:25", "url": "https://files.pythonhosted.org/packages/46/2b/3e5b84edf70125d6f10def6210ce71b87e50c570d4443b46ef8d98aef8ab/sslsnoop-0.4.tar.gz" } ], "0.5": [ { "comment_text": "", "digests": { "md5": "b502e363c95f83b144cb534522b806de", "sha256": "1bcdeccfbe3e806cb0563d03b19ad427b28339607c44edf28dd08c0680112336" }, "downloads": -1, "filename": "sslsnoop-0.5.tar.gz", "has_sig": false, "md5_digest": "b502e363c95f83b144cb534522b806de", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 129342, "upload_time": "2011-04-05T03:47:28", "url": "https://files.pythonhosted.org/packages/f7/c1/5508b6a6ec034426385354c260991288d7e112a35f91399dd14b7c5d7319/sslsnoop-0.5.tar.gz" } ], "0.6": [ { "comment_text": "", "digests": { "md5": "811b7753d5fceb2ec0306441c009ac53", "sha256": "f7489c5c0b6bb11962b840f70d79c500f2be731c658d4910a94fd6d8f2bf125f" }, "downloads": -1, "filename": "sslsnoop-0.6.tar.gz", "has_sig": false, "md5_digest": "811b7753d5fceb2ec0306441c009ac53", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 305795, "upload_time": "2011-04-08T18:30:27", "url": "https://files.pythonhosted.org/packages/78/6e/81ab84fb653359ee204a751efb7c904c5c6846dec32393179289795b04df/sslsnoop-0.6.tar.gz" } ], "0.7": [ { "comment_text": "", "digests": { "md5": "815aa9aee443649b5698bc1dd30a6067", "sha256": "80c3d99586a2c3cf13317cee25fca4e9fdf75cf3a35f3cae92c7e6f7de61f2dd" }, "downloads": -1, "filename": "sslsnoop-0.7.tar.gz", "has_sig": false, "md5_digest": "815aa9aee443649b5698bc1dd30a6067", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 309583, "upload_time": "2011-04-14T13:22:52", "url": "https://files.pythonhosted.org/packages/ee/14/4f3bed037b59a2268223f43ca43eeb21af372fe6061649e3f342efb5fa0f/sslsnoop-0.7.tar.gz" } ], "0.7.1": [ { "comment_text": "", "digests": { "md5": "adc7101ea9313f0fa35e2ab2b1563dc8", "sha256": "189d4225670d73c4d4c2eb60b14d8bb58822b12fde7f1a1764592c7bb749fac2" }, "downloads": -1, "filename": "sslsnoop-0.7.1.tar.gz", "has_sig": false, "md5_digest": "adc7101ea9313f0fa35e2ab2b1563dc8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 308392, "upload_time": "2011-05-07T03:36:40", "url": "https://files.pythonhosted.org/packages/5b/28/6bf967af7cb470b4dd8092e5a6c9ed1e4f339bfb5bf613f337e23591766d/sslsnoop-0.7.1.tar.gz" } ], "0.8": [ { "comment_text": "", "digests": { "md5": "709e69a850e216d437a89c18642c4ee8", "sha256": "4a6d5f3c52b6161d2f3b7031ac58484b46d17f8714525610167d852555accf53" }, "downloads": -1, "filename": "sslsnoop-0.8.tar.gz", "has_sig": false, "md5_digest": "709e69a850e216d437a89c18642c4ee8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 308735, "upload_time": "2011-07-08T11:37:25", "url": "https://files.pythonhosted.org/packages/d0/cb/2bddd2075dabb21a997e283588889c7bfbf9a11f026695e633b6297904c1/sslsnoop-0.8.tar.gz" } ], "0.9.1": [ { "comment_text": "", "digests": { "md5": "e656c13a937f0d8788a44d67775d4327", "sha256": "d8b1134f22b53b5cad45ba3d743529b32a8caa4e667531519a6709483813109f" }, "downloads": -1, "filename": "sslsnoop-0.9.1.tar.gz", "has_sig": false, "md5_digest": "e656c13a937f0d8788a44d67775d4327", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 310458, "upload_time": "2011-07-30T02:20:59", "url": "https://files.pythonhosted.org/packages/30/43/11e4e1576c0383396a50ec43774755be4976639ce4826b8a09adef0ef884/sslsnoop-0.9.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "b87f2ea641c797dc51c377aacf1e8502", "sha256": "c2ac910acb6d4cfdc05700f43a685ccf0134dc8062f070abbe5a13fe2c75f4e4" }, "downloads": -1, "filename": "sslsnoop-0.11.tar.gz", "has_sig": false, "md5_digest": "b87f2ea641c797dc51c377aacf1e8502", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 321783, "upload_time": "2011-08-23T03:10:19", "url": "https://files.pythonhosted.org/packages/7c/f8/4db1a6c9d7568bd70b5d6d1b20adec360495ab1f81dc14d3b06248e443dd/sslsnoop-0.11.tar.gz" } ] }