sslsnoop dumps live session keys from openssh and can also decrypt the traffic on the fly.
Works if scapy doesn’t drop packets. using pcap instead of SOCK_RAW helps a lot now.
Works better on interactive traffic with no traffic at the time of the ptrace. It follows the flow, after that.
Dumps one file by fd in outputs/
Attaching a process is quickier with –addr 0xb788aa98 as provided by haystack INFO:abouchet:found instance @ 0xb788aa98
how to get a pickled session_state file : $ sudo haystack –pid `pgrep ssh` sslsnoop.ctypes_openssh.session_state search > ss.pickled
Not all ciphers are implemented.
Workings ciphers: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
Partially workings ciphers (INBOUND only ?!): aes128-cbc, aes192-cbc, aes256-cbc
Non workings ciphers: 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280
Read more: DarkNet.org.uk