sudo su

This is another easy one. The pcap contains a single ssh session.
The user authenticated with a public key and was then given a pseudo-terminal on the server. The user entered the "sudo su" command, typed their password and successfully elevated to root. The user then pressed Ctrl+D twice, which exited first the root shell and then the user's ssh session.
All we want to know is the length of the user's password. It's a number. YOU ONLY GET 2 ATTEMPTS. DON'T WASTE THEM.
The talk on ssh introspection planted the idea that this must be possible, so I went hunting for more info.
https://corelight.blog/2019/05/07/how-zeek-can-provide-insights-despite-encrypted-communications/
And then I found a demo example.
Hmm, an encrypted packet counting function, interesting.
@load base/protocols/rdp
@load base/protocols/ssh
@load base/protocols/ssl
@load base/frameworks/notice

redef exit_only_after_terminate = F;

# Keep the SSH analyzer attached after the protocol has been detected, so
# every encrypted packet of the session still raises ssh_encrypted_packet.
redef SSH::disable_analyzer_after_detection = F;

# One line per encrypted SSH packet: client->server lengths are printed as
# positive numbers, server->client lengths as negative numbers.
event ssh_encrypted_packet (c: connection, orig: bool, len: count) {
    print orig ? len : len * -1;
}

event zeek_init() {

}
44
-44
68
-52
372
-332
652
-28
112
-500
-44
460
-108
-100
-36
-36
-76
-36
-84
-36
-84
-36
-36
-108
-36
-108
-36
-36
-60
-36
-36
-92
-36
-108
-36
-68
-36
-36
-68
-36
-68
-36
-36
-92
-36
-100
s 36
-36
u 36
-36
d 36
-36
o 36
-36
space 36
-36
s 36
-36
u 36
-36
enter 36
-36
-68
? 36
-36
? 36
-36
? 36
-36
? 36
-36
? 36
-36
? 36
-36
enter 36
-36
-92
^d 36
-100
^d 36
-44
-36
-176
36
60
The solution!
6
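The manual count above can be automated. The following Python is an added example (not part of the original writeup, and not Zeek code): it reads the signed packet lengths that the Zeek script prints and groups them into typed lines. The assumptions are the ones the writeup relies on: a keystroke is a 36-byte client packet, a plain echo is a 36-byte server packet, and a keystroke answered by anything other than a single echo (a new prompt, command output) terminates a line. The sample stream is transcribed from the annotated listing above, preceded by the handshake lines from the start of the raw output; it is constructed input for this example.

```python
"""Group a signed SSH packet-length stream into typed lines.

Input format: one integer per encrypted packet as printed by the Zeek script
(positive = client -> server, negative = server -> client).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Sizes observed in this capture (assumption taken from the writeup; other
# ciphers / MACs give other sizes, so measure them per capture).
KEYSTROKE = 36  # client packet carrying one keystroke
ECHO = 36       # server packet echoing one character back


@dataclass
class Keystroke:
    """One client keystroke and the server packets that followed it."""
    replies: List[int] = field(default_factory=list)  # absolute server sizes

    def is_line_end(self) -> bool:
        # A plain character gets at most one echo-sized reply (none at all
        # when echo is off, as during a password prompt). Anything else means
        # the key terminated the line: Enter, Ctrl+D, ...
        return len(self.replies) > 1 or any(r != ECHO for r in self.replies)


def parse_keystrokes(stream: List[int]) -> List[Keystroke]:
    """Pick keystroke-sized client packets out of the stream and attach to
    each one the server packets seen before the next client packet."""
    strokes: List[Keystroke] = []
    current = None
    for size in stream:
        if size > 0:  # client -> server
            current = Keystroke() if size == KEYSTROKE else None
            if current is not None:
                strokes.append(current)
        elif current is not None:  # server -> client, after a keystroke
            current.replies.append(-size)
    return strokes


def line_lengths(stream: List[int]) -> List[Tuple[int, List[int]]]:
    """Return one (characters typed, terminator replies) tuple per completed
    line. Keystrokes after the last line terminator are not reported."""
    lines: List[Tuple[int, List[int]]] = []
    chars = 0
    for ks in parse_keystrokes(stream):
        if ks.is_line_end():
            lines.append((chars, ks.replies))
            chars = 0
        else:
            chars += 1
    return lines


# Constructed sample: handshake lines from the raw output, then the
# annotated session from the writeup.
SAMPLE_STREAM: List[int] = (
    [44, -44, 68, -52, 372, -332, 652, -28, 112, -500, -44, 460, -108, -100]
    + [36, -36] * 7          # "sudo su" typed and echoed
    + [36, -36, -68]         # Enter, then the sudo password prompt
    + [36, -36] * 6          # six password characters
    + [36, -36, -92]         # Enter, then the root prompt
    + [36, -100]             # Ctrl+D leaves the root shell
    + [36, -44, -36, -176]   # Ctrl+D leaves the user shell
    + [36, 60]               # session teardown
)


if __name__ == "__main__":
    for n, (chars, replies) in enumerate(line_lengths(SAMPLE_STREAM), 1):
        print(f"line {n}: {chars} characters, terminator replies {replies}")
```

Running it lists four completed lines with 7, 6, 0 and 0 characters: the "sudo su" command, the six-character password, and the two Ctrl+D presses, which matches the count done by hand above. The same leak is why OpenSSH 9.5 and later obfuscate keystroke timing by default (the `ObscureKeystrokeTiming` client option): the chaff packets it injects make per-packet counting of this kind unreliable, which is what a defender wants for interactive sessions.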