Hi-Performance Protocol Identification Engine
Secure Shell (SSH)

HiPPIE Name: ssh
Protocol Category: Encrypted Protocols
Protocol Classification: Full

SSH is the de facto standard for managing Unix systems remotely in a secure manner, or for any type of console management for that matter. It is an encrypted replacement for protocols such as telnet and rsh. There were two options for classifying these packets, described below; the second was chosen.

SSH Version Identification Strings

One option that could be used (but was not) for identifying SSH traffic on the wire is to match on the SSH version identification strings. When an SSH session is being established, the first thing that happens is that each side sends its identification string; in practice the server's usually arrives first, for example:

SSH-2.0-OpenSSH_4.4

The SSH client then sends its own identification string:

SSH-2.0-PuTTY-Release-0.57

You could pattern match these strings easily enough, but they are just as easy to spoof, and a loose pattern will also match plenty of traffic that is not SSH at all.

SSH Key Exchange Identification

The method chosen for recognizing SSH traffic is to identify the protocol during key exchange. After the server and client have exchanged their version strings, they begin key exchange. This exchange is highly structured and readily identifiable. Before encryption is switched on, each packet is shaped as follows (all integers big-endian):

<4 bytes packet length><1 byte padding length><1 byte message code><rest of payload><padding>

The packet length covers everything after itself (the padding-length byte, the payload and the padding), and at this stage of the connection no MAC is appended. To work with these packets, first inspect the 32-bit packet length in the first 4 bytes of the TCP data. It should equal the size of the TCP data section minus 4 (the four bytes holding the length itself). Equivalently, it is the total length from the IP header minus the size of the IP header, minus the size of the TCP header, minus 4. Note that this only holds when the key exchange packet is the only thing in the segment: if the sender coalesces its version string and its key exchange packet into one segment, or the packet is split across segments, the lengths will not line up, and the check has to be applied to the reassembled stream instead.

If the packet does not match this, it is not the start of an SSH key exchange. If it does, the next thing to judge is whether the message code falls into a known range. The message that always starts key exchange is SSH_MSG_KEXINIT, code 0x14 (decimal 20). The codes currently accepted as valid in HiPPIE for identification are listed below. If the message code agrees with this list, that is taken to be enough to determine that the coming session is an encrypted SSH session. Bear in mind that this is a structural check, not an authenticity check: a crafted packet with a consistent length field and a 0x14 code satisfies it just as easily as a spoofed version string would.

0x14 (SSH_MSG_KEXINIT)
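The framing check described above, written out in Python as an added example; this is not HiPPIE's own code. It applies the two tests from the page (packet length equals TCP data length minus 4, message code in the accepted list) to a TCP payload, and goes a little beyond the page in three places, all labelled in the code: a padding sanity check taken from RFC 4253, a helper that skips a leading version line when a segment carries the version string and the KEXINIT together, and a decoder for the KEXINIT name-lists so the offered algorithms can be recorded. The sample packets are constructed inline by the build_kexinit_packet helper (also an assumption of this example), not taken from a capture.

```python
import struct

# Message code that always opens key exchange: SSH_MSG_KEXINIT (RFC 4253, 20 decimal).
SSH_MSG_KEXINIT = 0x14
# The code list HiPPIE accepts for classification; a set so more can be added.
ACCEPTED_CODES = {SSH_MSG_KEXINIT}

# The ten name-lists carried by KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def is_ssh_kexinit(tcp_payload):
    """The page's check: the big-endian uint32 at the front must equal the
    TCP data length minus 4, and the message code (the byte after the
    padding-length byte) must be in the accepted list."""
    if len(tcp_payload) < 6:
        return False
    (packet_length,) = struct.unpack("!I", tcp_payload[:4])
    if packet_length != len(tcp_payload) - 4:
        return False
    padding_length = tcp_payload[4]
    # Sanity check beyond the page: RFC 4253 requires at least 4 bytes of
    # padding, and the padding plus its length byte must fit in the packet.
    if padding_length < 4 or padding_length + 1 >= packet_length:
        return False
    return tcp_payload[5] in ACCEPTED_CODES


def strip_version_line(tcp_payload):
    """Edge case the length check does not cover: a segment carrying the
    version string and the KEXINIT together (Nagle coalescing, or a sender
    that writes both at once). Drop a leading identification line so the
    framing check can run on the packet that follows."""
    if tcp_payload.startswith(b"SSH-"):
        end = tcp_payload.find(b"\n")
        if end != -1:
            return tcp_payload[end + 1:]
    return tcp_payload


def parse_kexinit(tcp_payload):
    """Decode the name-lists of a packet that passed is_ssh_kexinit(), so the
    classifier can also record which algorithms were offered."""
    (packet_length,) = struct.unpack("!I", tcp_payload[:4])
    padding_length = tcp_payload[4]
    payload = tcp_payload[5:4 + packet_length - padding_length]
    pos = 1 + 16  # skip the message code and the 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack("!I", payload[pos:pos + 4])
        names = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[field] = names.split(",") if names else []
        pos += 4 + n
    return lists


def _name_list(names):
    """Encode an SSH name-list: uint32 length, then comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack("!I", len(data)) + data


def build_kexinit_packet(lists, cookie=b"\x00" * 16):
    """Constructed sample input (not a capture): frame a KEXINIT payload the
    way the binary packet protocol does before encryption (no MAC). Padding
    is at least 4 bytes and pads the packet to a multiple of 8, per RFC 4253."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += b"".join(_name_list(lists[f]) for f in KEXINIT_FIELDS)
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    padding_length = 8 - ((5 + len(payload)) % 8)
    if padding_length < 4:
        padding_length += 8
    packet_length = 1 + len(payload) + padding_length
    return (struct.pack("!IB", packet_length, padding_length)
            + payload + b"\x00" * padding_length)


# Constructed sample traffic: an OpenSSH-style version line and a KEXINIT.
SAMPLE_VERSION = b"SSH-2.0-OpenSSH_4.4\r\n"
SAMPLE_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_client_to_server": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "encryption_server_to_client": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "mac_client_to_server": ["hmac-sha2-256"],
    "mac_server_to_client": ["hmac-sha2-256"],
    "compression_client_to_server": ["none"],
    "compression_server_to_client": ["none"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
}
SAMPLE_KEXINIT = build_kexinit_packet(SAMPLE_LISTS)

if __name__ == "__main__":
    for label, seg in (("version line", SAMPLE_VERSION), ("kexinit", SAMPLE_KEXINIT),
                       ("version+kexinit", SAMPLE_VERSION + SAMPLE_KEXINIT)):
        print(f"{label:16s} raw={is_ssh_kexinit(seg)} "
              f"stripped={is_ssh_kexinit(strip_version_line(seg))}")
    print(parse_kexinit(SAMPLE_KEXINIT)["kex_algorithms"])
```

Running the demo shows the version line alone failing the check, the KEXINIT alone passing, and the coalesced segment failing on the raw bytes but passing once the identification line is skipped; a KEXINIT with one byte cut off, or with its message code changed, fails as the page's procedure intends.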