Metadata-Version: 1.0
Name: sslsnoop
Version: 0.5
Summary: Dumps the live traffic of an ssl-encrypted stream.
Home-page: http://packages.python.org/sslsnoop/
Author: Loic Jaquemet
Author-email: loic.jaquemet+python@gmail.com
License: GPL
Download-URL: http://github.com/trolldbois/sslsnoop/tree/master
Description: HOWTO:
        ------
        works if scapy doesn't drop packets. using pcap instead of SOCK_RAW  helps a lot now.
        works better on interactive traffic with slow traffic.
        Dumps one file by fd in outputs/
        Attaching a process is quickier with --addr 0xb788aa98 as provided by abouchet.py
            INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98
        
          $ mkdir outputs
        
        You really have to. Please.
          
          $ sudo sslsnoop    # try ssh, sshd and ssh-agent... for various things
          $ sudo sslsnoop-openssh `pgrep ssh`     # dumps decrypted traffic in outputs/
          $ sudo sslsnoop-openssl `pgrep ssh-agent` # dump RSA and DSA keys
        
        and go and check outputs/.
        
        
        not so FAQ :
        ============
        
        What does it do, really ?:
        --------------------------
        It dumps live session keys from an openssh , and decrypts the traffic on the fly.
        Not all ciphers are implemented. 
        Workings ciphers : aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
        Partially workings ciphers (INBOUND only ?!): aes128-cbc,  aes192-cbc, aes256-cbc
        Non workings ciphers : 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280
        
        It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).
        
        How do it knows that the structures is valid ? :
        ------------------------------------------------
        You add some constraints ( expectedValues ) on the fields. Pointers are also a good start.
        
        Yeah, but you have to be root, so what's the use ? :
        ----------------------------------------------------
        Monitoring ssh traffic on honeypots ?
        Monitoring encrypted traffic on honeypots ?
        Monitoring encrypted traffic on ... somewhere your are root ?
        
         
        Where does the idea comes from ? :
        -----------------------------------
        use http://www.hsc.fr/ressources/breves/passe-partout.html.fr  to get keys
        use http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html  
         or http://www.rtfm.com/ssldump/ to read streams
        use scapy, because it's fun ? but we need IP reassembly . 
        pynids could be more useful...
        dsniff is now in python ?
        flowgrep
        use python.
        
        
        What are the dependencies ? :
        ----------------------------
        python-haystack (same author)
        python-ptrace
        scapy
        python-pcap / python-xxxpcap ( recommended for perf issues )
        paramiko (for ssh decryption) [ TODO, extract & kill dep. we only need Message and Packetizer ]
        python-psutil 
        
        Conclusion :
        ------------
        poc done.
        Next, `pgrep firefox`. 
        
        
        Biblio
        -------
        
        Bringing volatility to Linux
        http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html
        
        Extracting truecrypt keys from memory
        http://jessekornblum.com/tools/volatility/cryptoscan.py
        
        python-ptrace ( hey, haypo again)
        https://bitbucket.org/haypo/python-ptrace/wiki/Home
        https://bitbucket.org/haypo/python-ptrace/wiki/Documentation
        
        from ptrace.debugger.memory_mapping import readProcessMappings
        
        openssl.py is passe-partout.py - OK - 04/03/2011
        
        OpenSSH, testing ciphers
        ========================
             Ciphers
                     Specifies the ciphers allowed for protocol version 2 in order of preference.  Multiple ciphers must be comma-separated.  The supported ciphers
                     are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
                     “blowfish-cbc”, and “cast128-cbc”.  The default is:
        
                        aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                        aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                        aes256-cbc,arcfour
        
        force one :
        
        ssh -c aes192-ctr log@host
        
        
        firefox & NSS
        =============
        INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20   => sur la stack
        
        INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
        INFO:abouchet:processed 6465536 bytes
        ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
        ## weird ....
        
        4894720
        
        
        Architecture
        ============
        
        
        openssh creates a OpenSSHLiveDecryptatator which inherits a OpenSSHKeysFinder
        OpenSSHLiveDecryptatator :
         * connects to/launch a network.Sniffer. (scapy)
         * OpenSSHKeysFinder calls haystack to fetch the session_state
           - memory capture/ptrace is done in a subprocess
           - target process is not under ptrace anymore when openssh runs. 
           - keys are acquired
         * SessionCiphers are created from pickled values from haystack
           - one for inbound traffic
           - one for outbound traffic
         * each SessionCipher is coupled with :
           - a socket given by a TCPStream ( Inbound and Outbound TCPstate)
           - a paramiko Packetizer which is a ssh protocol handler.
         * a cipher engine is used by the paramiko.Packetizer to decrypt data from the TCPStream socket
         * the Packetizer uses :
           - the socket to read it's data from the 'network'.
           - the cipher to decrypt the data
         * a SSHStreamToFile is created for each stream and is given the packetizer and the overall context ( cipher, socket )
           - the SSHStreamToFile try to process the packetizer's outputs into a file.
         * a Supervisor is created to handle traffic ( select on socket )
           - both SSHStreamToFile are given to the Supervisor with their respective socket
        
        
        TODO:
        
        SSHStream uses the packets is orderedQueue and the cipher, to try to find a SSH packet
         - algo 1 : copy original cipher state, decrypt first block of packet [0], 
                      if not valid, drop packet and loop to next one (for x packets) 
                      if valid, switch to go-trough mode and queue current + all packets data to socket 
        
         - algo 2 : try to find a valid packet, block per block/long by long
                      if valid, switch to go-trough mode and queue current + all packets data to socket 
        
        
        
        
        
        
        
        
        
        
Keywords: memory,analysis,forensics,struct,ptrace,openssh,openssl,decrypt
Platform: UNKNOWN
Classifier: Topic :: System :: Networking
Classifier: Topic :: Security
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU General Public License (GPL)
Classifier: Programming Language :: Python
Classifier: Development Status :: 5 - Production/Stable
