sudo su

This is another easy one. The pcap contains a single ssh session.
The user authenticated with a public key. The user was then provided a pseudo-terminal on the server. The user entered the "sudo su" command. The user then typed their passowrd and successfully elevated to root. The user then pressed CTL+D twice which exited first the root and then the user's ssh session.
All we want to know is the length of the user's password. It's a number. YOU ONLY GET 2 ATTEMPTS. DON'T WASTE THEM.
So the talk about ssh introspection planted the idea that it must be possible. So on the hunt for more info.
Introducing the Corelight SSH Inference package
https://corelight.blog/2019/05/07/how-zeek-can-provide-insights-despite-encrypted-communications/
How does SSH defend against keystroke-timing attacks?
Information Security Stack Exchange
And then found a demo example.
hmm encrypted packet counting function, interesting
@load base/protocols/rdp
@load base/protocols/ssh
@load base/protocols/ssl
@load base/frameworks/notice
​
redef exit_only_after_terminate = F;
​
redef SSH::disable_analyzer_after_detection = F;
​
event ssh_encrypted_packet (c: connection, orig: bool, len: count) {
    print orig ? len : len * -1;
}
​
event zeek_init() {
​
}
44
-44
68
-52
372
-332
652
-28
112
-500
-44
460
-108
-100
-36
-36
-76
-36
-84
-36
-84
-36
-36
-108
-36
-108
-36
-36
-60
-36
-36
-92
-36
-108
-36
-68
-36
-36
-68
-36
-68
-36
-36
-92
-36
-100
​
​
s       36
       -36
u       36
       -36
d       36
       -36
o       36
       -36
space   36
       -36
s       36
       -36
u       36
       -36
enter   36
       -36
       -68
​
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
enter   36
​
-36
-92
​
​
​
^d      36
       -100
^d      36
       -44
       -36
       -176
        36
        60
The solution!
6
Last modified 2yr ago