Attack script using SSH-2.0-libssh-0.2 bad packet length

[ghost]

From keinflughafen on June 05, 2011 14:23:57

What steps will reproduce the problem? running kippo, waiting for an attacker using an unknown script based on SSH-2.0-libssh-0.2 What version of the product are you using? On what operating system? kippo svn Please provide any additional information below. 2011-06-05 12:59:51+0200 [HoneyPotTransport,31,202.121.49.62] connection lost 2011-06-05 13:08:21+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 202.121.X.X:56950 (X.X.X.X:2222) [session: 32] 2011-06-05 13:08:22+0200 [HoneyPotTransport,32,202.121.X.X] Remote SSH version: SSH-2.0-libssh-0.2 2011-06-05 13:08:22+0200 [HoneyPotTransport,32,202.121.X.X] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa 2011-06-05 13:08:22+0200 [HoneyPotTransport,32,202.121.X.X] outgoing: aes256-cbc hmac-sha1 none 2011-06-05 13:08:22+0200 [HoneyPotTransport,32,202.121.X.X] incoming: aes256-cbc hmac-sha1 none 2011-06-05 13:08:23+0200 [HoneyPotTransport,32,202.121.X.X] NEW KEYS 2011-06-05 13:08:24+0200 [HoneyPotTransport,32,202.121.X.X] Disconnecting with error, code 2 reason: bad packet length 1562045508 2011-06-05 13:08:24+0200 [HoneyPotTransport,32,202.121.X.X] connection lost

Original issue: http://code.google.com/p/kippo/issues/detail?id=43

[ghost]

From kenneth.buckler on September 28, 2011 04:17:35

Also receiving this. See log below.

2011-09-28 07:05:59-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 92.46.53.223:58122 (X.X.X.X:22) [session: 0] 2011-09-28 07:06:00-0400 [HoneyPotTransport,0,92.46.53.223] Remote SSH version: SSH-2.0-libssh-0.2 2011-09-28 07:06:00-0400 [HoneyPotTransport,0,92.46.53.223] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa 2011-09-28 07:06:00-0400 [HoneyPotTransport,0,92.46.53.223] outgoing: aes256-cbc hmac-sha1 none 2011-09-28 07:06:00-0400 [HoneyPotTransport,0,92.46.53.223] incoming: aes256-cbc hmac-sha1 none 2011-09-28 07:06:00-0400 [HoneyPotTransport,0,92.46.53.223] NEW KEYS 2011-09-28 07:06:01-0400 [HoneyPotTransport,0,92.46.53.223] Disconnecting with error, code 2 reason: bad packet length 1186740564 2011-09-28 07:06:01-0400 [HoneyPotTransport,0,92.46.53.223] connection lost

[ghost]

From florian.streibelt on April 01, 2012 14:14:11

I have a tcpdump from a host I could provide if this is still an active project?

[ghost]

From desaster on April 10, 2012 02:19:32

If you can e-mail me the tcpdump, I can take a look.

I suspect this is not a legitimate client connection, though, but worth checking out.

[ghost]

From florian.streibelt on April 10, 2012 06:29:49

Hey, I just sent you the pcap file.

The connections are login attempts, I use denyhosts and then redirect to kippo when more than 3 login attempts have been made, and ssh logs usernames from that IP.

Florian

[ghost]

From desaster on April 13, 2012 07:19:30

I didn't get an e-mail from you yet.

[ghost]

From florian.streibelt on April 13, 2012 09:35:03

I sent it to your gmail address desaster - just resent it again, this time also to the kippo-address.

[ghost]

From desaster on April 13, 2012 10:04:36

hmm strange, maybe some mail server is blocking it due to bad content or size...

(i did check the spam folder, not there either)

[ghost]

From florian.streibelt on April 13, 2012 10:36:14

Sory, it was totally my fault - it hung in a local mailqueue -.-

Florian

[ghost]

From tobisworld on May 03, 2012 14:24:28

I have the same issue with some ips from Taiwan and China. they fill the kippo.log with messages about "bad packet length" Do you still need a tcpdump? Is anything knew about what they might want to achieve? Do they want to exploit something in ssh-lib or do they might know it's kippo and try to attack kippo?

[ghost]

From florian.streibelt on June 18, 2012 05:07:58

any progress on this issue?

[ghost]

From desaster on June 20, 2012 01:45:08

sorry, not yet.

[ghost]

From pommesspezial on July 05, 2012 00:02:31

I think the problem is described here: https://blogs.oracle.com/janp/entry/ssh_messages_code_bad_packet It seems to be a crypto problem. Perhaps it is possible to let kippo use another encryption algorithm (just for experimenting and bug finding) ?

[ghost]

From pommesspezial on July 06, 2012 06:49:05

I fiddled around a bit and managed to avoid the "bad packet length" problem by not allowing aes192 and aes256. Requests coming from outside that previously failed are now getting through. Here's the (ugly) workaround:

Index: honeypot.py

--- honeypot.py ( revision 219 ) +++ honeypot.py (working copy) @@ -630,6 +630,12 @@ ske = t.supportedKeyExchanges[:] ske.remove('diffie-hellman-group-exchange-sha1') t.supportedKeyExchanges = ske

• bla = t.supportedCiphers[:]
• bla.remove("aes256-cbc")
• bla.remove("aes256-ctr")
• bla.remove("aes192-ctr")
• bla.remove("aes192-cbc")
• t.supportedCiphers = bla t.factory = self return t

[ghost]

From desaster on July 08, 2012 09:02:35

Good find! I'll run this internally for a while to see the effects myself.

Ideas are welcome for what might the best way to handle the ciphers. Should they be easily configurable, from fingerprinting point of view?

Status: Accepted

[ghost]

From pommesspezial on July 16, 2012 02:46:10

I'm not really familiar about the methods to distinguish kippo from a real sshd from outside (just read that it's possible with for example metasploit). However if it's not too much effort I find it reasonable to have the list of supported ciphers configurable in kippo.cfg.

[ghost]

From cronos586 on February 16, 2014 16:58:53

I'm seeing something similar, only the connection is dropped immediately after the banners:

2014-02-17 00:54:17+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 202.120.X.X:55672 (X.X.X.X:2222) [session: 45] 2014-02-17 00:54:22+0000 [HoneyPotTransport,45,202.120.X.X] connection lost

tcpdump: IP 202.120.X.X.52931 > X.X.X.X.22: Flags [S], seq 2805234626, win 14600, options [mss 1304,sackOK,TS val 148694648 ecr 0,nop,wscale 6], length 0 E..<..@.'....x. ........4{.......9.#.......... ...x........ IP X.X.X.X.22 > 202.120.X.X.52931: Flags [S.], seq 1174327718, ack 2805234627, win 14480, options [mss 1460,sackOK,TS val 1272392055 ecr 148694648,nop,wscale 6], length 0 E..<..@.@.0A ....E....4{...8. .......... K.)w...x.... IP 202.120.X.X.52931 > X.X.X.X.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 148694716 ecr 1272392055], length 0 E..4..@.'....x. ........4{.E.............. ....K.)w IP X.X.X.X.22 > 202.120.X.X.52931: Flags [P.], seq 1:33, ack 1, win 227, options [nop,nop,TS val 1272392123 ecr 148694716], length 32 E..T..@.@.8. ....E....4{............ K.).....SSH-2.0-OpenSSH_6.0p1 Debian-4

IP 202.120.X.X.52931 > X.X.X.X.22: Flags [.], ack 33, win 229, options [nop,nop,TS val 148694785 ecr 1272392123], length 0 E..4..@.'....x. ........4{.E........T..... ....K.). IP 202.120.X.X.52931 > X.X.X.X.22: Flags [P.], seq 1:21, ack 33, win 229, options [nop,nop,TS val 148694785 ecr 1272392123], length 20 E..H..@.'..w.x. ........4{.E.......S...... ....K.).SSH-2.0-libssh-0.2

IP X.X.X>X.22 > 202.120.X.X.52931: Flags [.], ack 21, win 227, options [nop,nop,TS val 1272392192 ecr 148694785], length 0 E..4..@.@.8+ ....E....4{..... ...... K...... IP 202.120.X.X.52931 > X.X.X.X.22: Flags [F.], seq 21, ack 33, win 229, options [nop,nop,TS val 148695898 ecr 1272392192], length 0 E..4..@.'....x. ........4{.E.............. ...ZK..

I am confused by the client dropping the connection after it sends its banner. libssh 0.2 was released in 2008. Maybe the banner is fake?

[ghost]

From cronos586 on February 16, 2014 17:06:15

Hmm.. looks like OpenSSH sshd sends something after client banner:

$ telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_5.9gg10 SSH-2.0-libssh-0.2 | vzE�<VJ��_s<W��0gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1ssh-rsa,ssh-dss>aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc>aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc�hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96�hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96none,zlib@openssh.comnone,zlib@openssh.com^]quit

...but kippo does not: $ telnet X.X.X.X 22 Trying X.X.X.X... Connected to X.X.X.X. Escape character is '^]'. SSH-2.0-OpenSSH_6.0p1 Debian-4 SSH-2.0-libssh-0.2

[ghost]

From cronos586 on February 16, 2014 17:33:43

Ok, I removed the version check on sending server KEXINIT and libssh-0.2 can connect: diff --git a/kippo/core/honeypot.py b/kippo/core/honeypot.py index f4047d6..512b73c 100644 --- a/kippo/core/honeypot.py +++ b/kippo/core/honeypot.py @@ -520,9 +520,7 @@ class HoneyPotTransport(transport.SSHServerTransport):

 def dataReceived(self, data):
     transport.SSHServerTransport.dataReceived(self, data)

• later versions seem to call sendKexInit again on their own

• if twisted.version.major < 11 and \
• not self.hadVersion and self.gotVersion:
• if not self.hadVersion and self.gotVersion: self.sendKexInit() self.hadVersion = True

$ ./samplessh root@localhost -p 2222 The server is unknown. Do you trust the host key ? Public key hash : cb:XX..... yes This new key will be written on disk for further usage. do you agree ? yes Authenticating with pubkey: did not receive SERVICE_ACCEPT

And now I get the original error of this bug: 2014-02-16 20:33:20-0500 [HoneyPotTransport,0,127.0.0.1] Remote SSH version: SSH-2.0-libssh-0.2 2014-02-16 20:33:20-0500 [HoneyPotTransport,0,127.0.0.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa 2014-02-16 20:33:20-0500 [HoneyPotTransport,0,127.0.0.1] outgoing: aes256-cbc hmac-sha1 none 2014-02-16 20:33:20-0500 [HoneyPotTransport,0,127.0.0.1] incoming: aes256-cbc hmac-sha1 none 2014-02-16 20:33:20-0500 [HoneyPotTransport,0,127.0.0.1] NEW KEYS 2014-02-16 20:33:20-0500 [HoneyPotTransport,0,127.0.0.1] Disconnecting with error, code 2 reason: bad packet length 1404178 2014-02-16 20:33:20-0500 [HoneyPotTransport,0,127.0.0.1] connection lost

[ghost]

From cronos586 on February 16, 2014 18:03:02

Yep, this coupled with disabling certain ciphers ( https://code.google.com/p/kippo/issues/detail?id=43#c14 ) got the attempts from libssh-0.2 working. So it's really libssh 0.2:

2014-02-17 02:02:15+0000 [HoneyPotTransport,2,202.120.X.X] Remote SSH version: SSH-2.0-libssh-0.2 2014-02-17 02:02:16+0000 [HoneyPotTransport,2,202.120.X.X] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa 2014-02-17 02:02:16+0000 [HoneyPotTransport,2,202.120.X.X] outgoing: blowfish-cbc hmac-sha1 none 2014-02-17 02:02:16+0000 [HoneyPotTransport,2,202.120.X.X] incoming: blowfish-cbc hmac-sha1 none 2014-02-17 02:02:16+0000 [HoneyPotTransport,2,202.120.X.X] NEW KEYS 2014-02-17 02:02:17+0000 [HoneyPotTransport,2,202.120.X.X] starting service ssh-userauth 2014-02-17 02:02:18+0000 [SSHService ssh-userauth on HoneyPotTransport,2,202.120.X.X] ami trying auth password 2014-02-17 02:02:18+0000 [SSHService ssh-userauth on HoneyPotTransport,2,202.120.X.X] login attempt [ami/123456] failed 2014-02-17 02:02:19+0000 [-] ami failed auth password

[Locmap99]

Hello ghost,

Please let me know how to disable certain ciphers. Still now I get the error connection lost when I using Kippo.

Thanks