Possible to re-connect to a remote host using previously recorded SSH traffic?

retag add tags

Hi all,

This is a theoretical question, but I'm curious if I remote into a host using SSH and successfully authenticate in, while recording the traffic, is it possible to re-authenticate in using only the SSH traffic recorded by wireshark?

i.e. using a traffic replay system and feed it the SSH traffic to successfully connect to a remote host. I'm trying to find a way to record & replay cyber attacks as a hobby and curious if you guys know of any software that does this.

I hope not.

The client has the private key and the server holds the public partner of the key and they are used to sign random data to ensure each end is legitimate. The use of random data prevents replays.

23.8k

grahamb

answered 2021-07-07 17:07:01 +0000

edit flag offensive 0 remove flag delete link

Comments

Interesting, I'm curious what the attraction is to record & replay systems that utilize .pcap's for the replay architecture. It seems there are multiple protocols (SSHv2, SMTP, etc.) that make it very difficult to replay deterministically.

apolonie (2021-07-07 17:10:27 +0000) edit

SMTP is certainly vulnerable to replay, the nature of the protocol requires no authentication at all when receiving email from outside sources. The sender can be verified by such things as SPF and DKIM, but the SMTP server simply has to receive everything not directly blocked.

grahamb (2021-07-07 17:31:17 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Possible to re-connect to a remote host using previously recorded SSH traffic? edit

Comments

1 Answer

Comments