codezen.fr code hacking, zen coding

26Sep/11Off

CSAW 2011 PatchManagement Write-Up

In this Networking challenge, we get a short tcpdump capture file with a SSH session.

Given the capture is really short, we immediately focus on this SSH session. Decrypting SSH without prior knowledge of the private keys is not an easy feat' except in one particular case: if one of the client or server key was generated on a Debian machine during the OpenSSL fiasco.

In 2008, Debian shipped with a flawed openssl package that resulted in keys with very weak entropy, in other words, predictable keys: http://www.debian.org/security/2008/dsa-1571

Let see if this is the case. First we split this capture file in session file that can be used by our bruteforcer tool. For this job, we use tcpick (available as Debian package)

$ tcpick -wRC -wRS -r capture.pcap
Starting tcpick 0.2.1 at 2011-09-24 03:13 UTC
Timeout for connections is 600
tcpick: reading from capture.pcap
1      SYN-SENT       192.168.0.119:58214 > 192.168.0.222:ssh
1      SYN-RECEIVED   192.168.0.119:58214 > 192.168.0.222:ssh
1      ESTABLISHED    192.168.0.119:58214 > 192.168.0.222:ssh
1      FIN-WAIT-1     192.168.0.119:58214 > 192.168.0.222:ssh
1      TIME-WAIT      192.168.0.119:58214 > 192.168.0.222:ssh
1      CLOSED         192.168.0.119:58214 > 192.168.0.222:ssh
tcpick: done reading from capture.pcap

74 packets captured
1 tcp sessions detected

Now we can use one of the SSH bruteforcer specially designed to handle those weak keys. I choose the client mode (-c) because in the capture file you can see that the client's OpenSSH version is much older than the server.

$ ruby ssh_decoder.rb -c -n2 ../tcpick_192.168.0.119_192.168.0.222_ssh.*
* read handshake
cipher: aes128-cbc, mac: hmac-md5, kex_hash: sha1, compr: none
* bruteforce DH
DH shared secret : 028b79a7ee617e11fe3cc5600b93b9423e75c494dcc5e12fed2d99864dd940838c09f77f62356d600c32a37c9e585b21fa0f9c11dc97f7bac6a9a8864fe55a210048c149ae9bf3c6399a8c162bb7cbf1cf7678b34ffe7c118ee34a1239fb4b9d960b6746e60a456a0284c0e2210b837c554c9ef857b6f25ea106422c881c08aa
* derive keys
* decipher streams
* successful authentication packet
{:key=>
{:g=>
"l\232\203\271\265$'\003g\000\317\335\003\222\304\f\357h\f^\016\311\261\023\001JR\352\363\262\3556\251\227$FB\307\344\370\277u\362\017d\003\222\227v\305\034\363\220Sz<"\232\003\235\025\210B\240%\3114\021Cu\017\340\317\306\221\306\241\217\025O\254\230\004\212\311\204\263\206\224\004\317\035{\271\262\027J\373\350\325P\201\226\364K{\242\2747"\274\243\257\002D\2743\231`wc\b\312\276D\3614\022",
:type=>"ssh-dss",
:p=>
"\000\207\364\bvQR\300$U\371\317`
`\322\021\037X\235P\032\261\244\277\352\327\277\247O\020\253\b\250z#3\004\223\022\021\256\237\203\253*mh;\311\323\031\302\005\025\204o6\270"
*\256\244\027s\242Q\020j\nb\234"\252\372\2415x\273?U1\bj\237\270J\a6\350\246n\027\322"6\022\311\310\374F\346P<\261A\266*\320\333C\304\004X\300\217\241g\267\334}\005\026\345}\223aXD\255",
:q=>"
\000\260~\350\024\215\231t\206>\233\324\212_\206\322Q\0066(\225",
:y=>
"
\016\371O\332\bw\276\300\367\373\350\3223XX\205\340W\267r\246\f\265\0349}1Q>\245r\021\262\244\004\3437"\377\247\257\344\304\344EP\250\021k'\261$N\346\230\321\273hTq?O\274\335\260)\266[<L \231\b%\367\262\353\307\002\b\026\20148\004\352\036\a]\025\204\300\210W{\035YML>\311\274\024I\307N:\375\264\340\000\346\331\023\301N\002\327\263\026\217p\233\300\230@\351\333"},
:testic=>1,
:username=>"mosdef",
:keytype=>"ssh-dss",
:nextservice=>"ssh-connection",
:auth_method=>"publickey"}
* deciphered streams saved to "sshdecrypt.0.client.dat" & "sshdecrypt.0.server.dat"

We have deciphered the SSH exchange and we can know see what the user typed into this SSH terminal:

$ strings sshdecrypt.0.server.dat | grep key

publickey,password
key{you_broke_ssh_im_calling_teh_cops}
Share

Posted by aXs

Tagged as: , , , Comments Off
Comments (0) Trackbacks (0)

Sorry, the comment form is closed at this time.

Trackbacks are disabled.