www.storm.net.nz


SSH 'Jack
Updated (v2.04): now way, way faster, due to improvements in my python gdbmi interface from other projects. Like, runtime dropped from 36s on my workstation to 6s. I guess six times faster is good, right?
Updated (v2.03) for my Linux.conf.au 2008 release, which adds runtime symbol caching which decreases the time for subsequent runs to sub one second. I wrote this during Damien Miller's talk on OpenSSH's security, and released it during my talk after his. Heh. :)
Updated for the Kiwicon 2k7 release of SSH-Jack II: The Masterjack0r. This version adds support for OpenSSH v4.x - more details in the presentation slides from my lightning-talk at Kiwicon. The download link below will go live during my talk.
"A Party Trick with a Debugger", or "How I went to Blackhat/Defcon 2005".

In 2005, I submitted a presentation "Trust Transience: Post Intrusion SSH Hijacking" to Blackhat Las Vegas, Defcon and Ruxcon. I was accepted for all three, to present my technique for hijacking running SSH sessions transparently to the user.

All the details are in the presentation, but basically the story is that after you've authenticated an SSH connection, there is a transient trust relationship between the client and the server which a sufficiently sneaky attacker can use to compromise any host you're logged into in the event that they own your workstation.

Yes, this is just a party trick with a debugger. Yes, there's nothing you didn't already know here; if you get pwned, Sucks To Be You. But the presentations on the con circuit went down well, and everyone seemed to like it, despite some of my Kiwi idioms being lost on .us audiences.
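The technique above boils down to attaching a debugger to the already-authenticated ssh client on a compromised workstation. On Linux, the kernel records an attached tracer in the TracerPid field of /proc/<pid>/status, and the Yama LSM's ptrace_scope knob controls who may attach at all. The following is an added defender-side check, written for this page and not part of SSH-Jack or its author's code: it parses /proc status records, reports ssh clients that currently have a tracer attached, and reads the Yama setting. It assumes a Linux /proc layout; the sample status texts are constructed, not captured from a real host.

```python
import os

# Path of the Yama LSM knob that restricts ptrace attachment (Linux).
YAMA_PTRACE_SCOPE = "/proc/sys/kernel/yama/ptrace_scope"


def parse_proc_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_traced(fields):
    """A non-zero TracerPid means a debugger (ptrace tracer) is attached."""
    return int(fields.get("TracerPid", "0")) != 0


def is_ssh_client(fields):
    """'Name' is the kernel's command name; 'ssh' for the OpenSSH client."""
    return fields.get("Name") == "ssh"


def scan_status_map(status_by_pid):
    """Return [(pid, tracer_pid), ...] for every ssh client being traced.

    Takes a mapping of pid -> status text so it can be run on constructed
    data (as in the test) as well as on a live /proc.
    """
    hits = []
    for pid, text in sorted(status_by_pid.items()):
        fields = parse_proc_status(text)
        if is_ssh_client(fields) and is_traced(fields):
            hits.append((pid, int(fields["TracerPid"])))
    return hits


def read_live_proc(proc_root="/proc"):
    """Collect /proc/<pid>/status for every numeric entry; skip races."""
    statuses = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                statuses[int(entry)] = fh.read()
        except OSError:
            continue  # process exited, or status not readable to us
    return statuses


def ptrace_scope(path=YAMA_PTRACE_SCOPE):
    """Return the Yama ptrace_scope value (0-3), or None if Yama is absent."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


# Constructed sample status records (not from a real system): one ssh client
# with a tracer attached (TracerPid 4300), one clean ssh client, and an
# unrelated traced process that must not be reported.
SAMPLE_TRACED_SSH = (
    "Name:\tssh\nState:\tt (tracing stop)\nPid:\t4242\nPPid:\t4000\n"
    "TracerPid:\t4300\nUid:\t1000\t1000\t1000\t1000\n"
)
SAMPLE_CLEAN_SSH = (
    "Name:\tssh\nState:\tS (sleeping)\nPid:\t4243\nPPid:\t4000\n"
    "TracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\n"
)
SAMPLE_TRACED_OTHER = (
    "Name:\tpython3\nState:\tt (tracing stop)\nPid:\t5000\nPPid:\t4000\n"
    "TracerPid:\t5001\n"
)
SAMPLE_PROC = {4242: SAMPLE_TRACED_SSH, 4243: SAMPLE_CLEAN_SSH, 5000: SAMPLE_TRACED_OTHER}


if __name__ == "__main__":
    print("constructed sample:", scan_status_map(SAMPLE_PROC))
    scope = ptrace_scope()
    print("yama ptrace_scope:", "not available" if scope is None else scope)
    if os.path.isdir("/proc"):
        for pid, tracer in scan_status_map(read_live_proc()):
            print(f"ssh client pid {pid} has tracer pid {tracer} attached")
```

Two caveats worth keeping in mind. The scan is point-in-time: a debugger that attaches, patches and detaches leaves no TracerPid behind, so an audit rule on the ptrace syscall gives better coverage than polling. And Yama's ptrace_scope=1 only stops an unprivileged process from attaching to an arbitrary same-uid ssh; as the page itself says, once an attacker has root on the workstation the trust the authenticated session carries is theirs anyway.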
Last Update: 2008-04-10 19:31:12
State: Finished
Distribution: Public
Tags: Security
Images:
Queue around the building in ~42 degree Vegas heat to get into the Apollo room for the presentation.
Metlstorm, in the hizzous at Defcon 13's Apollo room.
Uh, me. On the defcon stage. Woot. Wearing a Dawn of Azazel (http://www.dawnofazazel.com/) tshirt \m/!
Diagram of the basic operation of the SSH-Jackor, from the slides.
Releases:
metlstorms_sshjack-v1.03.tar.gz (751kB) Ver: 1.03

As released at Ruxcon, with working SCP hijacking.

metlstorms_sshjack-1.02.tar.gz (746kB) Ver: 1.02

As released on the Blackhat Vegas 05 and Defcon 13 CDs.

aucklug-2005-10-ConferencesRoundup.pdf (2312kB) Ver: As presented at Aucklug

Presentation given to the Auckland Linux Users Group wrapping up Blackhat/Defcon/Ruxcon.

defcon0x0d-v1.pdf (1235kB) Ver: As used at Defcon

PDF of the presentation slides as given at Defcon

metlstorms_sshjack2_v2.02.tar.gz (399kB) Ver: 2.02

First public release of SSH-Jack2, supports OpenSSH v4.x, released at Kiwicon 2k7

metlstorms_sshjack2_v2.04.tar.gz (399kB) Ver: 2.04

Improved speed by about 600%

metlstorms_sshjack2_v2.03.tar.gz (399kB) Ver: 2.03

As released at Linux.conf.au 2008 in Melbourne - symbol caching improves speed.

kiwicon_sshjack.pdf (395kB) Ver: As presented at Kiwicon

Slides from my "SSH-Jack Redux: And Jack0rs for All" talk at Kiwicon 2k7.