Authors: Stewart Sentanoe, Hans P. Reiser
DFRWS EU 2022
Nowadays, many users are using an encrypted channel to communicate with a remote resource server. Such a channel provides a high degree of privacy and confidentiality. Secure Shell (SSH) is one of the most commonly used methods to connect to a server remotely. SSH provides privacy and confidentiality by encrypting network traffic between the client and the server. The encryption makes the learning process of malicious activities over SSH is challenging, especially by just analyzing the network traffic. To overcome the problem, we can leverage Virtual machine introspection (VMI). VMI allows direct memory access of a virtual machine (VM) including accessing data of an SSH process. However, the current prototype suffers from high overhead since it extracts every single plain text SSH network payload from memory and the extraction process requires the virtual machine (VM) to be momentarily paused. In this paper, we introduce SSHkex, a tool that also leverages VMI to extracts SSH’s session keys from a server’s memory. Our approach only needs to pause the VM twice to extract the session keys for each SSH session and does passive network monitoring where does not have any noticeable impact on the ongoing connection. To use SSHkex, zero modification needs to be done to the server. Thus, it is suitable for intrusion detection systems and high-interaction honeypot where the server shall not be modified.