SSH Keystroke Obfuscation Bypass

14 min read June 24, 2024 2873 words
Introduction

OpenSSH version 9.5 introduced measures to mitigate a keystroke timing attack via traffic analysis. The patch involved adding keystroke timing obfuscation to the SSH client. As per the release notes, this feature “attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent”. Additionally, fake chaff packets are sent after the last real keystroke, significantly complicating traffic analysis by shrouding the real keystrokes in a stream of impostors.

SSHniff

11 min read June 24, 2024 2331 words
SSHniff: An SSH Metadata Analyser

As part of my final-year bachelor research project, I took a stab at determining how feasible a metadata-based attack on the SSH protocol is nowadays. This type of attack was first introduced in 2001, in a paper called “Timing Analysis of Keystrokes and Timing Attacks on SSH”. It is based on the fact that interactive SSH sessions leak significant metadata. Keystrokes, while encrypted, are sent to and echoed by the server individually.

This is a writeup for my 2024 Hack The Box Business CTF FullPwn Machine, Swarm. While I was not initially planning on creating a dedicated writeup for the machine, it was brought to my attention that many players regarded the privilege escalation as ungodly. As such, I felt a responsibility to provide the traumatised players with a thorough explanation for my creation.