HOWTO:
------
works if scapy doesn't drop packets. using pcap instead of SOCK_RAW  helps a lot now.
works better on interactive traffic with slow traffic.
Dumps one file by fd in outputs/
Attaching a process is quickier with --addr 0xb788aa98 as provided by abouchet.py
    INFO:abouchet:found instance <class 'ctypes_openssh.session_state'> @ 0xb788aa98

  $ mkdir outputs

You really have to. Please.
  
  $ sudo sslsnoop    # try ssh, sshd and ssh-agent... for various things
  $ sudo sslsnoop-openssh `pgrep ssh`     # dumps decrypted traffic in outputs/
  $ sudo sslsnoop-openssl `pgrep ssh-agent` # dump RSA and DSA keys

and go and check outputs/.


not so FAQ :
============

What does it do, really ?:
--------------------------
It dumps live session keys from an openssh , and decrypts the traffic on the fly.
Not all ciphers are implemented. 
Workings ciphers : aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
Partially workings ciphers (INBOUND only ?!): aes128-cbc,  aes192-cbc, aes256-cbc
Non workings ciphers : 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280

It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).

How do it knows that the structures is valid ? :
------------------------------------------------
You add some constraints ( expectedValues ) on the fields. Pointers are also a good start.

Yeah, but you have to be root, so what's the use ? :
----------------------------------------------------
Monitoring ssh traffic on honeypots ?
Monitoring encrypted traffic on honeypots ?
Monitoring encrypted traffic on ... somewhere your are root ?

 
Where does the idea comes from ? :
-----------------------------------
use http://www.hsc.fr/ressources/breves/passe-partout.html.fr  to get keys
use http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html  
 or http://www.rtfm.com/ssldump/ to read streams
use scapy, because it's fun ? but we need IP reassembly . 
pynids could be more useful...
dsniff is now in python ?
flowgrep
use python.


What are the dependencies ? :
----------------------------
python-haystack (same author)
python-ptrace
scapy
python-pcap / python-xxxpcap ( recommended for perf issues )
paramiko (for ssh decryption) [ TODO, extract & kill dep. we only need Message and Packetizer ]
python-psutil 

Conclusion :
------------
poc done.
Next, `pgrep firefox`. 


Biblio
-------

Bringing volatility to Linux
http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html

Extracting truecrypt keys from memory
http://jessekornblum.com/tools/volatility/cryptoscan.py

python-ptrace ( hey, haypo again)
https://bitbucket.org/haypo/python-ptrace/wiki/Home
https://bitbucket.org/haypo/python-ptrace/wiki/Documentation

from ptrace.debugger.memory_mapping import readProcessMappings

openssl.py is passe-partout.py - OK - 04/03/2011

OpenSSH, testing ciphers
========================
     Ciphers
             Specifies the ciphers allowed for protocol version 2 in order of preference.  Multiple ciphers must be comma-separated.  The supported ciphers
             are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”,
             “blowfish-cbc”, and “cast128-cbc”.  The default is:

                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                aes256-cbc,arcfour

force one :

ssh -c aes192-ctr log@host


firefox & NSS
=============
INFO:abouchet:found instance <class 'ctypes_nss_generated.CERTCertificateStr'> @ 0xbfe12c20   => sur la stack

INFO:abouchet:Looking at 0x85f00000-0x86000000 (rw-p)
INFO:abouchet:processed 6465536 bytes
ptrace.debugger.process_error.ProcessError: readBytes(0x84d28ae4, 392) error: [Errno 5] Input/output error
## weird ....

4894720


Architecture
============


openssh creates a OpenSSHLiveDecryptatator which inherits a OpenSSHKeysFinder
OpenSSHLiveDecryptatator :
 * connects to/launch a network.Sniffer. (scapy)
 * OpenSSHKeysFinder calls haystack to fetch the session_state
   - memory capture/ptrace is done in a subprocess
   - target process is not under ptrace anymore when openssh runs. 
   - keys are acquired
 * SessionCiphers are created from pickled values from haystack
   - one for inbound traffic
   - one for outbound traffic
 * each SessionCipher is coupled with :
   - a socket given by a TCPStream ( Inbound and Outbound TCPstate)
   - a paramiko Packetizer which is a ssh protocol handler.
 * a cipher engine is used by the paramiko.Packetizer to decrypt data from the TCPStream socket
 * the Packetizer uses :
   - the socket to read it's data from the 'network'.
   - the cipher to decrypt the data
 * a SSHStreamToFile is created for each stream and is given the packetizer and the overall context ( cipher, socket )
   - the SSHStreamToFile try to process the packetizer's outputs into a file.
 * a Supervisor is created to handle traffic ( select on socket )
   - both SSHStreamToFile are given to the Supervisor with their respective socket


TODO:

SSHStream uses the packets is orderedQueue and the cipher, to try to find a SSH packet
 - algo 1 : copy original cipher state, decrypt first block of packet [0], 
              if not valid, drop packet and loop to next one (for x packets) 
              if valid, switch to go-trough mode and queue current + all packets data to socket 

 - algo 2 : try to find a valid packet, block per block/long by long
              if valid, switch to go-trough mode and queue current + all packets data to socket 









