A brief analysis of SSH traffic using Wireshark.
Below are screenshots of the individual packets of an SSH session:
[Figure: SSH protocol traffic captured by Wireshark]

0x01 TCP three-way handshake

SSH is an application-layer protocol, so the connection starts with the transport-layer TCP three-way handshake: packets No.3 to No.5.

0x02 Client: Protocol

No.6, the client's protocol version string: it announces SSH 2.0, OpenSSH 8.4, Debian-3. This banner goes over the wire in the clear, before any key exchange, which is why scanners can identify the SSH implementation and version without authenticating.

0x03 Server: Protocol

No.8, the server's protocol version string: SSH 2.0, OpenSSH 7.4.

0x04 Client: Key Exchange Init

No.11, the client sends the lists of algorithms it supports, each in order of preference:
kex_algorithms: key exchange algorithms; the list includes the D-H (Diffie-Hellman) variants used here to agree on the shared secret from which the session keys are derived
server_host_key_algorithms: host key algorithms, i.e. the public-key signature algorithms the server's host key (a public/private key pair) can use to authenticate the server
encryption_algorithms: symmetric ciphers (one list per direction, client-to-server and server-to-client)
mac_algorithms: MAC algorithms, which protect the integrity of every packet (also one list per direction)
compression_algorithms: compression algorithms
[Figure: Client: Key Exchange Init]

0x05 Server: Key Exchange Init

No.12, the server's Key Exchange Init has the same structure as the client's (its own preference lists plus a 16-byte random cookie), so it is not repeated here. From the two messages each side picks, for every category, the first algorithm on the client's list that the server also supports (RFC 4253 section 7.1); the server's ordering does not matter.
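To make the two Key Exchange Init packets concrete, here is an added example (not code from the original post) that builds and parses SSH_MSG_KEXINIT payloads with the ten name-lists Wireshark displays, applies the RFC 4253 negotiation rule to a client and a server list, and flags weak outcomes. The algorithm lists in example_negotiation are constructed for illustration, not copied from the capture on this page.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1);
# Wireshark shows them under these names in the Key Exchange Init dissection.
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Algorithms worth flagging if they end up as the *negotiated* choice.
WEAK_ALGORITHMS = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",  # SHA-1 kex / 1024-bit group
    "ssh-dss",                                                           # 1024-bit DSA host keys
    "arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",   # broken or 64-bit-block ciphers
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",                           # weak or truncated MACs
}


def _read_uint32(buf, offset):
    if offset + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, offset)[0], offset + 4


def _name_list(names):
    """Encode a name-list: an SSH string holding comma-separated names (RFC 4251)."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(cookie=None, **lists):
    """Build an SSH_MSG_KEXINIT payload; name-lists not given are sent empty."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        payload += _name_list(lists.get(field, ()))
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=FALSE, reserved=0


def parse_kexinit(payload):
    """Parse a KEXINIT payload (packet length/padding framing already stripped)
    into the same fields Wireshark displays. Raises ValueError on malformed input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    result, offset = {"cookie": payload[1:17]}, 17
    for field in NAME_LIST_FIELDS:
        length, offset = _read_uint32(payload, offset)
        raw = payload[offset:offset + length]
        if len(raw) != length:
            raise ValueError(f"truncated name-list {field}")
        offset += length
        result[field] = raw.decode("ascii").split(",") if raw else []
    if offset >= len(payload):
        raise ValueError("missing first_kex_packet_follows")
    result["first_kex_packet_follows"] = payload[offset] != 0
    reserved, offset = _read_uint32(payload, offset + 1)
    if reserved != 0 or offset != len(payload):
        raise ValueError("bad reserved field or trailing bytes")
    return result


def negotiate(client, server):
    """RFC 4253 section 7.1: per category the winner is the first name on the client's
    list that the server also lists; the server's own order is irrelevant. (The extra
    constraints tying the kex choice to host key capabilities are omitted here.)"""
    chosen = {}
    for field in NAME_LIST_FIELDS[:8]:  # languages are not negotiated
        match = next((a for a in client[field] if a in server[field]), None)
        if match is None:
            raise ValueError(f"no common algorithm for {field}")
        chosen[field] = match
    return chosen


def weak_choices(chosen):
    """Negotiated algorithms that are on the weak list (one entry per direction)."""
    return sorted(a for a in chosen.values() if a in WEAK_ALGORITHMS)


def example_negotiation():
    """Constructed lists (not from the page's capture): a modern client meeting an old
    server that prefers SHA-1 DH and 3DES and whose only MAC is hmac-md5."""
    comp = {"compression_algorithms_client_to_server": ["none"],
            "compression_algorithms_server_to_client": ["none"]}
    client = parse_kexinit(build_kexinit(
        kex_algorithms=["curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
        server_host_key_algorithms=["ecdsa-sha2-nistp256", "ssh-rsa"],
        encryption_algorithms_client_to_server=["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"],
        encryption_algorithms_server_to_client=["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"],
        mac_algorithms_client_to_server=["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
        mac_algorithms_server_to_client=["hmac-sha2-256", "hmac-sha1", "hmac-md5"], **comp))
    server = parse_kexinit(build_kexinit(
        kex_algorithms=["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha256"],
        server_host_key_algorithms=["ssh-rsa", "ecdsa-sha2-nistp256"],
        encryption_algorithms_client_to_server=["3des-cbc", "aes128-ctr"],
        encryption_algorithms_server_to_client=["3des-cbc", "aes128-ctr"],
        mac_algorithms_client_to_server=["hmac-md5"],
        mac_algorithms_server_to_client=["hmac-md5"], **comp))
    chosen = negotiate(client, server)
    return chosen, weak_choices(chosen)


if __name__ == "__main__":
    chosen, weak = example_negotiation()
    for field, algo in chosen.items():
        print(f"{field:40} {algo}")
    print("weak:", weak)
```

The example shows the client's preference winning for kex (group14-sha256, even though the server lists group1-sha1 first) while the server still drags the MAC down to hmac-md5 because it offers nothing else; when auditing a capture, it is the negotiated result, not the advertised lists, that matters.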

0x06 Client: Diffie-Hellman Key Exchange Init

No.15, the client sends its DH value e (shown by Wireshark as "DH client e") to start the DH key agreement. For the DH algorithm itself, see the article linked in the references.
[Figure: The client sends the DH value e]

0x07 Server: Diffie-Hellman Key Exchange Reply

No.16, the server replies with its host public key (here an ECDSA public key), its own DH value f, and a signature made with the host key over the exchange hash. When the client sees this host key for the first time, it asks the user whether to trust it:

The authenticity of host '192.168.1.122 (192.168.1.122)' can't be established.
ECDSA key fingerprint is SHA256:Ob8J9OQZcDimTatBwTz2aqvLdVI5SQwnMBZKYz9rMJg.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

This is the defence against a man-in-the-middle attack on the DH exchange: DH by itself authenticates nobody, so the client verifies the server's signature with the host key, and the host key in turn has to be checked by the user the first time it is seen (trust on first use). The key is recorded in ~/.ssh/known_hosts; if the server at that IP is reinstalled and its host key changes, the client refuses to connect with a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning until the stale entry is removed. The SHA256 value in the prompt is the SHA-256 digest of the ECDSA key blob, base64-encoded, with the trailing = padding dropped. The key blob is the concatenation of the fields Host key type length + Host key type + ECDSA elliptic curve identifier length + ECDSA elliptic curve identifier + ECDSA public key length + ECDSA public key, exactly as Wireshark dissects them; it is the same blob that sits base64-encoded in the server's /etc/ssh/ssh_host_ecdsa_key.pub, so running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server (over a trusted channel) gives the fingerprint to compare against the prompt.
[Figure: The server sends the DH value f]

0x08 The client sends the encrypted username and password

No.20 to No.24: after NEWKEYS everything is an Encrypted packet, i.e. a payload encrypted with the negotiated symmetric cipher (AES here) under session keys derived from the DH shared secret. It is tempting to read the two Client Encrypted packets as the username and the password respectively. Strictly, in SSH-2 the username and password travel together in a single SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 8), and the encrypted client packets before it are the SSH_MSG_SERVICE_REQUEST for ssh-userauth and, normally, a "none"-method request that probes which authentication methods the server allows; none of this can be told apart from the ciphertext, which is the whole point of the exchange.
[Figure: Server: Diffie-Hellman Key Exchange Reply]

0x09 Brute forcing SSH with hydra

Brute forcing SSH with hydra:

hydra -l root -P pass.txt ssh://192.168.1.122 -V

Analysis shows that hydra performs a full DH key exchange for every attempt: it opens a new TCP session per guess (16 in parallel by default, the -t option) and runs the username/password authentication in each one.
[Figure: DH key exchanges during the hydra run]

0x10 Brute forcing SSH with medusa

medusa -h 192.168.1.122 -u root -P pass.txt -M ssh

[Figure: Number of DH key exchanges during the medusa run]
Analysis shows that with medusa the number of DH key exchanges is lower than the number of password attempts: medusa reuses one SSH session, and therefore one negotiated key, for several guesses, until the server tears the TCP session down with a RST. How many guesses one connection gets is set by sshd's MaxAuthTries (default 6); once it is exceeded sshd disconnects the client with "Too many authentication failures", so each medusa connection carries at most that many attempts before a new handshake and key exchange are needed.

0x11 Brute forcing SSH with msf

Inside msfconsole, use the auxiliary/scanner/ssh/ssh_login module to brute force SSH:

msf6 > search ssh_login
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options
msf6 auxiliary(scanner/ssh/ssh_login) > set rhost 192.168.1.122
rhost => 192.168.1.122
msf6 auxiliary(scanner/ssh/ssh_login) > set username root
username => root
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/coco/pass.txt
pass_file => /home/coco/pass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run

Analysis shows that the msf ssh_login module also performs a fresh key exchange per attempt (an ECDH exchange in this capture) and opens multiple TCP sessions, each with its own username/password authentication.
[Figure: ECDH key exchanges during the msf run]

0x12 SSH connection logs

On CentOS 7, SSH connection logs go to /var/log/secure:

Jan 18 14:04:05 localhost sshd[1833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1833]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1830]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1838]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1836]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1836]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1832]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1832]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1835]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1835]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1840]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1837]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1837]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1831]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1831]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 14:04:05 localhost sshd[1839]: Accepted password for root from 192.168.1.22 port 56962 ssh2
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session closed for user root
Jan 18 14:04:07 localhost sshd[1833]: Failed password for root from 192.168.1.22 port 56952 ssh2
Jan 18 14:04:07 localhost sshd[1830]: Failed password for root from 192.168.1.22 port 56944 ssh2
Jan 18 14:04:07 localhost sshd[1838]: Failed password for root from 192.168.1.22 port 56960 ssh2
Jan 18 14:04:07 localhost sshd[1836]: Failed password for root from 192.168.1.22 port 56958 ssh2
Jan 18 14:04:07 localhost sshd[1832]: Failed password for root from 192.168.1.22 port 56948 ssh2
Jan 18 14:04:07 localhost sshd[1835]: Failed password for root from 192.168.1.22 port 56954 ssh2
Jan 18 14:04:07 localhost sshd[1840]: Failed password for root from 192.168.1.22 port 56964 ssh2
Jan 18 14:04:07 localhost sshd[1837]: Failed password for root from 192.168.1.22 port 56956 ssh2
Jan 18 14:04:07 localhost sshd[1831]: Failed password for root from 192.168.1.22 port 56946 ssh2
Jan 18 14:04:08 localhost sshd[1838]: Connection closed by 192.168.1.22 port 56960 [preauth]
Jan 18 14:04:08 localhost sshd[1832]: Connection closed by 192.168.1.22 port 56948 [preauth]
Jan 18 14:04:08 localhost sshd[1831]: Connection closed by 192.168.1.22 port 56946 [preauth]

During an SSH brute force, /var/log/secure fills with "pam_unix(sshd:auth): authentication failure" and "Failed password for root from ..." lines, one pair per failed attempt; a successful login shows up as "Accepted password for root from ...". The excerpt above also shows the details worth alerting on: many sshd child PIDs (1830 to 1840) with consecutive source ports from the same rhost within two seconds, which means one TCP connection per guess, as seen with hydra; the "pam_succeed_if ... uid >= 1000" lines are only the PAM stack's rule rejecting root after pam_unix already failed, not a separate failure; the Accepted line is followed in the same second by "session opened" and "session closed" for the same PID, i.e. the tool merely verified the credential and hung up; and the "[preauth]" Connection closed lines are connections torn down before authentication finished.
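The following is an added example (not part of the original post) of the detection logic a defender would run over these lines: it parses the Failed/Accepted/session events, groups them per source address, counts attempts and distinct connections (so the hydra/msf one-connection-per-guess pattern and the medusa many-guesses-per-connection pattern from the sections above are told apart by attempts_per_connection), and flags a source that had a success in the middle of a burst of failures. The embedded log is an excerpt of the /var/log/secure listing on this page, with the pam_succeed_if noise lines dropped; syslog timestamps carry no year, so 2021 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the page's /var/log/secure listing (pam_succeed_if lines omitted).
SAMPLE_LOG = """\
Jan 18 14:04:05 localhost sshd[1833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.22  user=root
Jan 18 14:04:05 localhost sshd[1839]: Accepted password for root from 192.168.1.22 port 56962 ssh2
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 18 14:04:05 localhost sshd[1839]: pam_unix(sshd:session): session closed for user root
Jan 18 14:04:07 localhost sshd[1833]: Failed password for root from 192.168.1.22 port 56952 ssh2
Jan 18 14:04:07 localhost sshd[1830]: Failed password for root from 192.168.1.22 port 56944 ssh2
Jan 18 14:04:07 localhost sshd[1838]: Failed password for root from 192.168.1.22 port 56960 ssh2
Jan 18 14:04:07 localhost sshd[1836]: Failed password for root from 192.168.1.22 port 56958 ssh2
Jan 18 14:04:07 localhost sshd[1832]: Failed password for root from 192.168.1.22 port 56948 ssh2
Jan 18 14:04:07 localhost sshd[1835]: Failed password for root from 192.168.1.22 port 56954 ssh2
Jan 18 14:04:07 localhost sshd[1840]: Failed password for root from 192.168.1.22 port 56964 ssh2
Jan 18 14:04:07 localhost sshd[1837]: Failed password for root from 192.168.1.22 port 56956 ssh2
Jan 18 14:04:07 localhost sshd[1831]: Failed password for root from 192.168.1.22 port 56946 ssh2
Jan 18 14:04:08 localhost sshd[1838]: Connection closed by 192.168.1.22 port 56960 [preauth]
"""

PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
RE_FAILED = re.compile(PREFIX + r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2")
RE_ACCEPTED = re.compile(PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2")
RE_SESSION = re.compile(PREFIX + r"pam_unix\(sshd:session\): session (?P<state>opened|closed) for user (?P<user>\S+)")


def parse_ts(ts, year):
    """Syslog timestamps have no year; the caller supplies one (assumption: 2021)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def analyse(log_text, year=2021, threshold=5, window_seconds=60):
    """Return (findings, short_sessions).
    findings: one record per source IP with >= threshold failed logins inside
    window_seconds, marking whether a login from it was also Accepted.
    short_sessions: (pid, user) of sessions opened and closed within one second,
    the footprint of a tool that only validates a credential and disconnects."""
    per_ip = defaultdict(lambda: {"failed": 0, "ports": set(), "accepted": [],
                                  "first": None, "last": None})
    opened, short_sessions = {}, []
    for line in log_text.splitlines():
        for regex, outcome in ((RE_FAILED, "failed"), (RE_ACCEPTED, "accepted")):
            m = regex.match(line)
            if m:
                ts, rec = parse_ts(m["ts"], year), per_ip[m["ip"]]
                rec["ports"].add(int(m["port"]))  # each source port is one TCP connection
                rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
                rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
                if outcome == "failed":
                    rec["failed"] += 1
                else:
                    rec["accepted"].append((m["user"], m["method"], int(m["port"])))
                break
        else:
            m = RE_SESSION.match(line)
            if m and m["state"] == "opened":
                opened[m["pid"]] = parse_ts(m["ts"], year)
            elif m and m["pid"] in opened:
                start = opened.pop(m["pid"])
                if (parse_ts(m["ts"], year) - start).total_seconds() <= 1:
                    short_sessions.append((m["pid"], m["user"]))
    findings = []
    for ip, rec in per_ip.items():
        span = (rec["last"] - rec["first"]).total_seconds()
        if rec["failed"] < threshold or span > window_seconds:
            continue
        attempts = rec["failed"] + len(rec["accepted"])
        findings.append({
            "ip": ip,
            "failed": rec["failed"],
            "accepted": rec["accepted"],
            "connections": len(rec["ports"]),
            # ~1.0: a new TCP connection per guess (hydra/msf style);
            # well above 1: guesses multiplexed over one connection (medusa style)
            "attempts_per_connection": attempts / len(rec["ports"]),
            "span_seconds": span,
            "verdict": ("brute force, credentials likely compromised"
                        if rec["accepted"] else "brute force"),
        })
    return findings, short_sessions


if __name__ == "__main__":
    findings, short_sessions = analyse(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("short-lived sessions:", short_sessions)
```

The success is deliberately not required to come after the failures in log order: in the excerpt the Accepted line is timestamped two seconds before the Failed lines, because parallel connections finish in whatever order the server processes them, so an alert that only looks for "failures then success" would miss it.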

References:
https://juejin.cn/post/6844903685047189512
https://www.dazhuanlan.com/2019/12/12/5df1934b3e26c/
Last modification:January 18th, 2021 at 02:10 pm