sudo su

This is another easy one. The pcap contains a single ssh session.

The user authenticated with a public key. The user was then provided a pseudo-terminal on the server. The user entered the "sudo su" command. The user then typed their passowrd and successfully elevated to root. The user then pressed CTL+D twice which exited first the root and then the user's ssh session.

All we want to know is the length of the user's password. It's a number. YOU ONLY GET 2 ATTEMPTS. DON'T WASTE THEM.

So the talk about ssh introspection planted the idea that it must be possible. So on the hunt for more info.

https://corelight.blog/2019/11/19/corelight-ssh-inference-package/corelight.blog

https://corelight.blog/2019/05/07/how-zeek-can-provide-insights-despite-encrypted-communications/

How does SSH defend against keystroke-timing attacks?Information Security Stack Exchange

And then found a demo example.

hmm encrypted packet counting function, interesting

@load base/protocols/rdp
@load base/protocols/ssh
@load base/protocols/ssl
@load base/frameworks/notice

redef exit_only_after_terminate = F;

redef SSH::disable_analyzer_after_detection = F;

event ssh_encrypted_packet (c: connection, orig: bool, len: count) {
    print orig ? len : len * -1;
}

event zeek_init() {

}

44
-44
68
-52
372
-332
652
-28
112
-500
-44
460
-108
-100
-36
-36
-76
-36
-84
-36
-84
-36
-36
-108
-36
-108
-36
-36
-60
-36
-36
-92
-36
-108
-36
-68
-36
-36
-68
-36
-68
-36
-36
-92
-36
-100


s       36
       -36
u       36
       -36
d       36
       -36
o       36
       -36
space   36
       -36
s       36
       -36
u       36
       -36
enter   36
       -36
       -68

?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
enter   36

-36
-92



^d      36
       -100
^d      36
       -44
       -36
       -176
        36
        60

The solution!

6