ssh协议简要分析与ssh爆破流量分析

Author： coco
发布时间：January 17, 2021
4145views
2 comments
8520 words
Categories：协议分析

通过使用wireshark，对ssh流量进行简要分析。
以下为ssh流量各数据包截图：
wireshark抓取的ssh协议流量

0x01 TCP三次握手

ssh属于应用层协议，所以要经过传输层TCP三次握手，NO3~NO5。

0x02 Client: Protocol

No6，客户端版本协议，这里表明ssh2.0，使用openssh8.4，debian3。

0x03 Server: Protocol

No8，服务端版本协议，这里表明ssh2.0，使用openssh7.4。

0x04 Client: Key Exchange Init

No11，客户端发送支持的各种加密算法。
kex_algorithms:密钥交换算法，里边即包含我们使用的D-H算法，用于生成会话密钥
server_host_key_algorithms:服务器主机密钥算法，有公私钥之分
encryption_algorithms:对称加密算法
mac_algorithms:MAC算法，主要用于保证数据完整性
compression_algorithms:压缩算法
Client: Key Exchange Init

0x05 Server: Key Exchange Init

No12，与客户端发送的类似，这里就不再复述了。

0x06 Client: Diffie-Hellman Key Exchange Init

No15，这里客户端发送dh密钥协商算法的DH client e。dh算法可以看此文章
客户端发送dh密钥协商算法的e

0x07 Server: Diffie-Hellman Key Exchange Reply

No16，服务器发送验证公钥ECDSA public key,该公钥发送到客户端，如果是第一次发送，客户端会询问用户是否信任此公钥：

The authenticity of host '192.168.1.122 (192.168.1.122)' can't be established.
ECDSA key fingerprint is SHA256:Ob8J9OQZcDimTatBwTz2aqvLdVI5SQwnMBZKYz9rMJg.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

这是为了防止dh算法中的中间人攻击，所以要验证服务器公钥。该记录会保存在~/.ssh/known_hosts文件中,如果该IP服务器重装系统，公钥改变后即会验证登录失败。这里的SHA256值是ECDSA key经过摘要算法sha256再经过base64编码过的，并且省略了最后一个=号。ECDSA key为从Host key type length + Host key type + ECDSA elliptic curve identifier length + ECDSA elliptic curve identifier + ECDSA public key length + ECDSA public key字段的总和。
服务器发送dh密钥协商算法的DH server f。

0x08 客户端发送加密后的用户名和密码

No20~No24，Encrypted packet即为DH算法协商共享密钥进行AES加密后的数据，两次Client Encrypted packet即分别为发送用户名和密码。
Server: Diffie-Hellman Key Exchange Reply

0x09 hydra爆破ssh协议

使用九头蛇爆破ssh协议：

hydra -l root -P pass.txt ssh://192.168.1.122 -V

经过分析，使用九头蛇爆破会不断进行DH密钥协商交换，并且会新建多个TCP会话，分别进行用户名和密码认证。

0x09 medusa爆破ssh协议

medusa -h 192.168.1.122 -u root -P pass.txt -M ssh

美杜莎DH密钥交换次数
经过分析，使用美杜莎爆破ssh，出现DH密钥协商交换的次数小于爆破的次数，说明在medusa会重复使用一个会话的DH key进行爆破，直到服务器发送RST标志断开TCP会话。

0x10 msf爆破ssh协议

进入msf后，利用auxiliary/scanner/ssh/ssh_login模块进行ssh爆破

msf6 > search ssh_login
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options
msf6 auxiliary(scanner/ssh/ssh_login) > set rhost 192.168.1.122
rhost => 192.168.1.122
msf6 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/coco/pass.txt
pass_file => /home/coco/pass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run

经过分析，使用msf的ssh爆破模块会不断进行ECDH密钥协商交换，并且会新建多个TCP会话，分别进行用户名和密码认证。
ECDH密钥交换

0x11 ssh连接日志

在centos7中，ssh连接日志在/var/log/secure中

Jan 18 14:04:05 localhost sshd[1833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1833]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1830]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1838]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1836]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1836]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1832]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1832]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1835]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1835]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1840]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1837]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1831]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1831]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1839]: Accepted password for root from 192.168.1.22 port 56962 ssh2
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session closed for user root
Jan 18 14:04:07 localhost sshd[1833]: Failed password for root from 192.168.1.22 port 56952 ssh2
Jan 18 14:04:07 localhost sshd[1830]: Failed password for root from 192.168.1.22 port 56944 ssh2
Jan 18 14:04:07 localhost sshd[1838]: Failed password for root from 192.168.1.22 port 56960 ssh2
Jan 18 14:04:07 localhost sshd[1836]: Failed password for root from 192.168.1.22 port 56958 ssh2
Jan 18 14:04:07 localhost sshd[1832]: Failed password for root from 192.168.1.22 port 56948 ssh2
Jan 18 14:04:07 localhost sshd[1835]: Failed password for root from 192.168.1.22 port 56954 ssh2
Jan 18 14:04:07 localhost sshd[1840]: Failed password for root from 192.168.1.22 port 56964 ssh2
Jan 18 14:04:07 localhost sshd[1837]: Failed password for root from 192.168.1.22 port 56956 ssh2
Jan 18 14:04:07 localhost sshd[1831]: Failed password for root from 192.168.1.22 port 56946 ssh2
Jan 18 14:04:08 localhost sshd[1838]: Connection closed by 192.168.1.22 port 56960 [preauth]
Jan 18 14:04:08 localhost sshd[1832]: Connection closed by 192.168.1.22 port 56948 [preauth]
Jan 18 14:04:08 localhost sshd[1831]: Connection closed by 192.168.1.22 port 56946 [preauth]

在ssh爆破时，/var/log/secure日志会出现pam_unix(sshd:auth): authentication failure、Failed password for root from提示登录失败的字段，当有成功ssh登录的，则会有Accepted password for root from字样。

参考文章：
https://juejin.cn/post/6844903685047189512
https://www.dazhuanlan.com/2019/12/12/5df1934b3e26c/?__cf_chl_jschl_tk__=6b1d89dafb15ce3e1c3a92274caf6e44a851789e-1610894257-0-ASeo2c3IaLWxnCR5cVLF-kBWgNZhSdQlbrfGt0J8Poqs9UT0pvtD0vSJ7C6F3i1lZt0DvOcESLYkmEApC98kMBl1IfP0jJm0zzdibWRFi46pTxK8e3jwehA0cqvy2Zt0q3aH4Ce4pEQ_B14-KLqz0ldyYgGLV2LtpaceUNCmRhdUITuQ02y3mipw2an_RsNnIc-ahDNMRZ4Y2aH9nKJTI1URjmSQQJEIB5eXeawaTulXOAulc1Ol9lrWFvuAGhGKsZtRxB4IloPBYWlBlkjghryyv8sg0_S84xPVVwwxbVzOrO0e_x7gGn_DtO0Nme22dYA0KuysdlNV0YFLcB-dDLk

Last modification：January 18th, 2021 at 02:10 pm

2 comments

誉津
September 11th, 2023 at 05:37 pm

请教一个问题，从流量侧如何判断ssh爆破成功了

Reply
1. coco
  October 7th, 2023 at 08:09 pm
  
  @誉津
  
  由于ssh本身是加密协议，不太好判断是否爆破成功，这是流量类产品的本身的不足。
  
  Reply

ssh协议简要分析与ssh爆破流量分析

coco • 2021 年 01 月 17 日

通过使用wireshark，对ssh流量进行简要分析。
以下为ssh流量各数据包截图：
wireshark抓取的ssh协议流量

0x01 TCP三次握手

ssh属于应用层协议，所以要经过传输层TCP三次握手，NO3~NO5。

0x02 Client: Protocol

No6，客户端版本协议，这里表明ssh2.0，使用openssh8.4，debian3。

0x03 Server: Protocol

No8，服务端版本协议，这里表明ssh2.0，使用openssh7.4。

0x04 Client: Key Exchange Init

0x05 Server: Key Exchange Init

No12，与客户端发送的类似，这里就不再复述了。

0x06 Client: Diffie-Hellman Key Exchange Init

No15，这里客户端发送dh密钥协商算法的DH client e。dh算法可以看此文章
客户端发送dh密钥协商算法的e

0x07 Server: Diffie-Hellman Key Exchange Reply

No16，服务器发送验证公钥ECDSA public key,该公钥发送到客户端，如果是第一次发送，客户端会询问用户是否信任此公钥：

The authenticity of host '192.168.1.122 (192.168.1.122)' can't be established.
ECDSA key fingerprint is SHA256:Ob8J9OQZcDimTatBwTz2aqvLdVI5SQwnMBZKYz9rMJg.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

0x08 客户端发送加密后的用户名和密码

0x09 hydra爆破ssh协议

使用九头蛇爆破ssh协议：

hydra -l root -P pass.txt ssh://192.168.1.122 -V

经过分析，使用九头蛇爆破会不断进行DH密钥协商交换，并且会新建多个TCP会话，分别进行用户名和密码认证。

0x09 medusa爆破ssh协议

medusa -h 192.168.1.122 -u root -P pass.txt -M ssh

0x10 msf爆破ssh协议

进入msf后，利用auxiliary/scanner/ssh/ssh_login模块进行ssh爆破

msf6 > search ssh_login
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options
msf6 auxiliary(scanner/ssh/ssh_login) > set rhost 192.168.1.122
rhost => 192.168.1.122
msf6 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/coco/pass.txt
pass_file => /home/coco/pass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run

经过分析，使用msf的ssh爆破模块会不断进行ECDH密钥协商交换，并且会新建多个TCP会话，分别进行用户名和密码认证。
ECDH密钥交换

0x11 ssh连接日志

在centos7中，ssh连接日志在/var/log/secure中

Jan 18 14:04:05 localhost sshd[1833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1833]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1830]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1838]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1836]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1836]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1832]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1832]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1835]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1835]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1840]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1837]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1831]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1831]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1839]: Accepted password for root from 192.168.1.22 port 56962 ssh2
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session closed for user root
Jan 18 14:04:07 localhost sshd[1833]: Failed password for root from 192.168.1.22 port 56952 ssh2
Jan 18 14:04:07 localhost sshd[1830]: Failed password for root from 192.168.1.22 port 56944 ssh2
Jan 18 14:04:07 localhost sshd[1838]: Failed password for root from 192.168.1.22 port 56960 ssh2
Jan 18 14:04:07 localhost sshd[1836]: Failed password for root from 192.168.1.22 port 56958 ssh2
Jan 18 14:04:07 localhost sshd[1832]: Failed password for root from 192.168.1.22 port 56948 ssh2
Jan 18 14:04:07 localhost sshd[1835]: Failed password for root from 192.168.1.22 port 56954 ssh2
Jan 18 14:04:07 localhost sshd[1840]: Failed password for root from 192.168.1.22 port 56964 ssh2
Jan 18 14:04:07 localhost sshd[1837]: Failed password for root from 192.168.1.22 port 56956 ssh2
Jan 18 14:04:07 localhost sshd[1831]: Failed password for root from 192.168.1.22 port 56946 ssh2
Jan 18 14:04:08 localhost sshd[1838]: Connection closed by 192.168.1.22 port 56960 [preauth]
Jan 18 14:04:08 localhost sshd[1832]: Connection closed by 192.168.1.22 port 56948 [preauth]
Jan 18 14:04:08 localhost sshd[1831]: Connection closed by 192.168.1.22 port 56946 [preauth]

参考文章：
https://juejin.cn/post/6844903685047189512
https://www.dazhuanlan.com/2019/12/12/5df1934b3e26c/?__cf_chl_jschl_tk__=6b1d89dafb15ce3e1c3a92274caf6e44a851789e-1610894257-0-ASeo2c3IaLWxnCR5cVLF-kBWgNZhSdQlbrfGt0J8Poqs9UT0pvtD0vSJ7C6F3i1lZt0DvOcESLYkmEApC98kMBl1IfP0jJm0zzdibWRFi46pTxK8e3jwehA0cqvy2Zt0q3aH4Ce4pEQ_B14-KLqz0ldyYgGLV2LtpaceUNCmRhdUITuQ02y3mipw2an_RsNnIc-ahDNMRZ4Y2aH9nKJTI1URjmSQQJEIB5eXeawaTulXOAulc1Ol9lrWFvuAGhGKsZtRxB4IloPBYWlBlkjghryyv8sg0_S84xPVVwwxbVzOrO0e_x7gGn_DtO0Nme22dYA0KuysdlNV0YFLcB-dDLk

ssh协议简要分析与ssh爆破流量分析

0x01 TCP三次握手

0x02 Client: Protocol

0x03 Server: Protocol

0x04 Client: Key Exchange Init

0x05 Server: Key Exchange Init

0x06 Client: Diffie-Hellman Key Exchange Init

0x07 Server: Diffie-Hellman Key Exchange Reply

0x08 客户端发送加密后的用户名和密码

0x09 hydra爆破ssh协议

0x09 medusa爆破ssh协议

0x10 msf爆破ssh协议

0x11 ssh连接日志

2 comments

Leave a Comment Cancel reply

ICMP隧道技术与搭建实验

VCSA7.0u1解决no healthy upstream问题

移动硬盘内（或U盘）安装win10+kali（或其他linux）双系统，实现移动化办公

解决kali开机后无法进入桌面，卡死在该页面

跨网段主机通过中间双网卡主机进行通讯实验

用lnmp脚本编译安装搭建linux+nginx+php7.2+mariadb5.5环境（手把手教你建站系列一）

我的家用虚拟化硬件与软件方案（基于i9 10900es打造esxi7.0u1与vcsa7.0平台）

https协议简要分析与解密

使用DenyHosts工具防止主机ssh密码被暴力破解（手把手教你建站系列二）

fofahubkey钓鱼文档之canarytokens docx文件技术分析及实现

ssh协议简要分析与ssh爆破流量分析

0x01 TCP三次握手

0x02 Client: Protocol

0x03 Server: Protocol

0x04 Client: Key Exchange Init

0x05 Server: Key Exchange Init

0x06 Client: Diffie-Hellman Key Exchange Init

0x07 Server: Diffie-Hellman Key Exchange Reply

0x08 客户端发送加密后的用户名和密码

0x09 hydra爆破ssh协议

0x09 medusa爆破ssh协议

0x10 msf爆破ssh协议

0x11 ssh连接日志