SSH-2.0-OpenSSH_5.6p1
and there is a similar banner from the client side.
Both stand out quite a bit and are easy to spot and/or kill, for example:
ngrep -K 3 '-OpenSSH_' port not 22
or Snort with flexresp can do this too, in a very nice and efficient way.
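As an added example (not part of the original post, nor of sammael or nisroc), the same check as the ngrep one-liner in Python, run over constructed sample flows: it matches the RFC 4253 identification string of any SSH implementation rather than only the "-OpenSSH_" substring, on connections where neither port is 22, and the last sample shows why a banner that only appears inside a TLS session is invisible to this kind of check.

```python
import re
from dataclasses import dataclass

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
# ngrep's '-OpenSSH_' pattern only catches OpenSSH; this matches any implementation.
SSH_BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n"
)


@dataclass(frozen=True)
class Flow:
    """Constructed flow record: first payload bytes of one direction of a TCP connection."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_ssh_banner(payload: bytes):
    """Return (protoversion, softwareversion) if payload starts with an SSH banner, else None."""
    m = SSH_BANNER_RE.match(payload)
    if not m:
        return None
    return m.group("proto").decode("ascii"), m.group("software").decode("ascii")


def find_offport_ssh(flows, allowed_ports=(22,)):
    """Like 'ngrep ... port not 22': flag SSH banners on flows where neither port is allowed."""
    alerts = []
    for f in flows:
        banner = parse_ssh_banner(f.payload)
        if banner and f.sport not in allowed_ports and f.dport not in allowed_ports:
            alerts.append((f.src, f.sport, f.dst, f.dport, banner[1]))
    return alerts


# Constructed sample flows (not real captures); 10.0.0.x addresses are placeholders.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 22, "10.0.0.9", 50111, b"SSH-2.0-OpenSSH_5.6p1\r\n"),        # expected: SSH on 22
    Flow("10.0.0.5", 443, "10.0.0.9", 50112, b"SSH-2.0-OpenSSH_5.6p1\r\n"),       # SSH parked on 443
    Flow("10.0.0.5", 8080, "10.0.0.9", 50113, b"SSH-2.0-dropbear_2019.78\r\n"),   # missed by '-OpenSSH_'
    Flow("10.0.0.5", 443, "10.0.0.9", 50114, b"\x16\x03\x01\x00\x5a\x02\x00\x00"), # TLS record: banner hidden
]

if __name__ == "__main__":
    for alert in find_offport_ssh(SAMPLE_FLOWS):
        print("SSH banner off-port:", alert)
```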
My idea was to first hide the SSH server and then hide the communication. This is of course not perfect: anyone curious enough to look at the pcaps will spot something fishy, but it will probably get past 99% of people (is anyone doing real traffic analysis? ;)
The server (sammael) acts similarly to stunnel (though sammael does much less): it terminates SSL connections and forwards the unencrypted traffic to a different service. When a special pass phrase appears in the first packet after the SSL handshake, it connects to the local SSH server instead of the default, which is HTTP. When you point your browser at the host on which sammael is running, you will see a normal HTTPS web page.
The client (nisroc) does most of the work: it connects over SSL to the host and port on which sammael is running (it can pass through an HTTP proxy, including one that requires basic authentication), checks the digest of the certificate to prevent MITM and, if everything is correct, sends the pass phrase and verifies that the connection to the SSH server was established.
Both server and client set TCP_CORK on their sockets, so there is a bit less packet exchange between the hosts.