Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

SSH Keystroke Obfuscation Bypass - 1495

Philippos Maximos Giavridis Posted 1 Year Ago
  • SSH has a problem where a passive observer is able to deduce some information from the metadata, which violates most cryptographic principles. By default, each keystroke is clearly identifiable and timestamped. To combat this, SSH started obfuscating the keystrokes somewhat.
  • The obfuscation veils the keystroke packets among a wave of fake packets that should look the same. When a keystroke is made, a bunch of these chaff packets start flooding out to hide all real keystrokes.
  • The author decided to do some analysis on the sizes of these packets to see if the protection actually worked. While analyzing, they noticed that some packets were substantially larger than the rest! The chaff packets should be the same size as the keystroke packets in order to mask them, but this doesn't appear to be the case. What's going on?
  • After reviewing the source code, Wireshark captures and SSH verbose mode logs, they understood what was going on... SSH can group multiple requests together into a single packet. On the second keystroke, this starts happening. The real keystrokes are packaged up with a PING packet, creating a packet twice the size of a normal keystroke and two server-side responses.
  • Using this knowledge, it's possible to get the same information as before - how many keystrokes were made at what intervals. They created a tool for doing this that is pretty cool! Typing out certain commands has a specific rhythm (such as sudo apt upgrade), making it possible to recover the actual sent command from the packets. Overall, a good post on side channel analysis and how easy it is to mess up these types of protections.