Packet Strider (v0.21)

Summary

packetStrider for SSH is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark.

The problem that packet strider aims to help with (AKA Why?)

SSH is encrypted, yet the packet metadata (direction, size, timing and sequencing) still carries contextual information that can speak to TTPs, intent, and the success and magnitude of actions on objectives. There are also situations where host-side evidence is unavailable or has been deleted, and then a passive network capture, which cannot be altered after the fact by anyone on the host, supplies forensic context that would otherwise be lost. "Packets don't lie".

Beyond after-the-fact forensics, the predictions could also be used actively, for example to shun or RST a forward SSH connection as soon as a reverse SSH session initiation is predicted inside the tunnel, before the reverse side even reaches authentication. Because these are statistical predictions from metadata rather than decrypted content, any automated response built on them should be tuned against known-good traffic so that false positives stay manageable.

The broad techniques of packet strider (AKA How?)

Getting started

Packet Strider is written for Python 3 and needs the following modules (YMMV on Python 2):

pip3 install pandas matplotlib pyshark

Usage:

python3 packetStrider-ssh.py -h

Output:

usage: packetStrider-ssh.py [-h] [-f FILE] [-n NSTREAM] [-m] [-k] [-p]
                             [-z ZOOM] [-d DIRECTION] [-o OUTPUT_DIR]
                             [-w WINDOW] [-s STRIDE]

packetStrider-ssh is a packet forensics tool for SSH. It creates a rich
feature set from packet metadata such as SSH Protocol message content, direction,
size, latency and sequencing. It performs pattern matching on these features,
using statistical analysis, and sliding windows to predict session initiation,
keystrokes, human/script behavior, password length, use of client
certificates, context into the historic nature of client/server contact and
exfil/infil data movement characteristics in both Forward and Reverse sessions

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  pcap file to analyze
  -n NSTREAM, --nstream NSTREAM
                        Perform analysis only on stream n
  -m, --metaonly        Display stream metadata only
  -k, --keystrokes      Perform keystroke prediction
  -p, --predict_plot    Plot data movement and keystrokes
  -z ZOOM, --zoom ZOOM  Narrow down/zoom the analysis and plotting to only
                        packets "x-y"
  -d DIRECTION, --direction DIRECTION
                        Perform analysis on SSH direction : "forward",
                        "reverse" OR "both"
  -o OUTPUT_DIR, --output_dir OUTPUT_DIR
                        Directory to output plots
  -w WINDOW, --window WINDOW
                        Sliding window size, # of packets to side of window
                        center packet, default is 2
  -s STRIDE, --stride STRIDE
                        Stride between sliding windows, default is 1
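To make the window and stride vocabulary in the options above concrete, here is a small added example, written for this page and not code from the Packet Strider project. It walks a list of SSH packet records with a window of w packets either side of a centre packet, advanced by a stride (the same meaning as -w and -s above), computes per-window statistics, labels each window, and applies a simple keystroke heuristic of the kind -k is about. The Pkt record, the constructed SAMPLE stream, the 64-byte "small packet" threshold and the 50 ms echo bound are all assumptions made for illustration; the real tool derives its records from a pcap via pyshark.

```python
"""Sliding-window feature extraction over SSH packet metadata (added example).

This is an illustration written for this page, not packetStrider's own code.
It models the window/stride idea behind the -w and -s options: a window of
`w` packets on either side of a centre packet, advanced by `stride` packets,
with per-window statistics and a coarse label. Input records are constructed
inline (time, direction, encrypted payload size) rather than read from a pcap
with pyshark, so the script runs offline. The keystroke heuristic is a
simplifying assumption: an interactive keystroke shows up as a small
client->server packet answered within a few tens of milliseconds by a small
server->client echo of about the same size.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Pkt:
    t: float         # seconds since start of capture
    direction: str   # "c2s" (client->server) or "s2c" (server->client)
    size: int        # SSH payload bytes as seen on the wire (still encrypted)


# Constructed sample stream (not a real capture): three keystrokes with
# echoes, a burst of server->client output, then a bulk client->server move.
SAMPLE: List[Pkt] = [
    Pkt(0.00, "c2s", 36), Pkt(0.01, "s2c", 36),      # keystroke + echo
    Pkt(0.25, "c2s", 36), Pkt(0.26, "s2c", 36),      # keystroke + echo
    Pkt(0.52, "c2s", 36), Pkt(0.53, "s2c", 36),      # keystroke + echo
    Pkt(0.55, "s2c", 1460), Pkt(0.56, "s2c", 1460),  # command output
    Pkt(2.00, "c2s", 1460), Pkt(2.01, "c2s", 1460),  # bulk upload
    Pkt(2.02, "c2s", 1460), Pkt(2.03, "c2s", 1460),
]


def windows(pkts: List[Pkt], w: int = 2, stride: int = 1) -> Iterator[Tuple[int, List[Pkt]]]:
    """Yield (centre_index, packets) for each full window of 2*w+1 packets.

    The centre starts at index w so the window fits, and advances by `stride`;
    partial windows at either edge of the stream are not emitted.
    """
    for centre in range(w, len(pkts) - w, stride):
        yield centre, pkts[centre - w: centre + w + 1]


def window_stats(win: List[Pkt]) -> Dict[str, float]:
    """Per-window features: bytes per direction, mean packet size, time span."""
    c2s = sum(p.size for p in win if p.direction == "c2s")
    s2c = sum(p.size for p in win if p.direction == "s2c")
    return {
        "c2s_bytes": c2s,
        "s2c_bytes": s2c,
        "mean_size": (c2s + s2c) / len(win),
        "span_s": win[-1].t - win[0].t,
    }


def label_window(stats: Dict[str, float], small: int = 64) -> str:
    """Coarse label from the stats; the 64-byte threshold is an assumption."""
    if stats["mean_size"] <= small:
        return "keystroke"
    return "data_c2s" if stats["c2s_bytes"] > stats["s2c_bytes"] else "data_s2c"


def label_windows(pkts: List[Pkt], w: int = 2, stride: int = 1) -> List[Tuple[int, str]]:
    """Timeline of (centre_index, label), one entry per emitted window."""
    return [(c, label_window(window_stats(win))) for c, win in windows(pkts, w, stride)]


def predict_keystrokes(pkts: List[Pkt], small: int = 64, max_echo_s: float = 0.05) -> List[int]:
    """Indices of client->server packets that look like single keystrokes.

    A hit is a small c2s packet immediately followed by a small s2c packet
    (the echo) within max_echo_s. Packet sizes depend on the negotiated
    cipher and MAC, so the threshold is a parameter, not a constant.
    """
    hits = []
    for i in range(len(pkts) - 1):
        a, b = pkts[i], pkts[i + 1]
        if (a.direction == "c2s" and b.direction == "s2c"
                and a.size <= small and b.size <= small
                and 0.0 <= b.t - a.t <= max_echo_s):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("keystroke packets:", predict_keystrokes(SAMPLE))
    for centre, label in label_windows(SAMPLE, w=2, stride=1):
        print(f"window centred on packet #{centre}: {label}")
```

With w=2 and stride=1 (the documented defaults) every packet from the third to the third-last becomes a window centre; doubling the stride halves the number of windows evaluated, which is the knob to reach for first when a large pcap makes a full run slow.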

Example

The pcap "forward_reverse.pcap" captures a common TTP, a reverse SSH shell, a favourite of red teams everywhere. Specifically, the following commands were used, to show the capabilities of Packet Strider in a simple way:

The network traffic from this activity is saved to tcpdump.pcap; now run Packet Strider on it:

python3 packetStrider-ssh.py -f tcpdump.pcap -k -p -o out

This plot shows a timeline of key predictions (the image has been annotated here).

This plot shows some window statistics, useful for a deep dive and for experimenting with features.

This plot shows a simple histogram.

Inspiration

This project was done as a personal proof of concept and as a way for me to practise with some data science libraries in Python. It was heavily inspired by my Coursera studies in Machine Learning and Data Science, in particular the pandas library and the way Convolutional Neural Networks (CNNs) "stride" through image pixel sets with sliding windows to detect features within them.

Tips

Packet Strider does a vast amount of "striding" in full-capacity mode. This can mean substantial resource usage if the pcap is large, or more precisely if it contains many packets. Here are some speed-up tips. They are particularly useful for an initial run, for example just to see whether reverse SSH activity is predicted at all, after which you can add functionality as desired.

TODO

Disclaimer

Use at your own risk. See License terms.