sslsnoop dumps live session keys from openssh and can also decrypt the traffic on the fly.
- Works if scapy doesn’t drop packets. using pcap instead of SOCK_RAW helps a lot now.
- Works better on interactive traffic with no traffic at the time of the ptrace. It follows the flow, after that.
- Dumps one file by fd in outputs/
- Attaching a process is quickier with –addr 0xb788aa98 as provided by haystack INFO:abouchet:found instance @ 0xb788aa98
- how to get a pickled session_state file : $ sudo haystack –pid `pgrep ssh` sslsnoop.ctypes_openssh.session_state search > ss.pickled
Not all ciphers are implemented.
Workings ciphers: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
Partially workings ciphers (INBOUND only ?!): aes128-cbc, aes192-cbc, aes256-cbc
Non workings ciphers: 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280
It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).
You can download sslsnoop here:
Or read more here.
