Hacker Time
Presented by: Evan Johnson
Originally aired on September 19, 2023 @ 2:30 PM - 3:00 PM EDT
Join Evan Johnson as he speaks with security professionals about recent security news!
Transcript (Beta)
Hello and welcome to another episode of Hacker Time, the number one security show anywhere in the world.
I'm your host Evan Johnson today from the Cloudflare product security team and today we are going to do something a lot of fun.
It's more of a speed run, programming speed run.
I've got my cat here who is very talkative this morning.
Let me make sure she's on camera here and we're going to be trying to build an SSH server as part of our honeypot that we've been working on for the last few weeks and I think we can get most of the way through without much problem.
I've never used these APIs.
I've never used this go package. I'm just gonna give it a go and do some copy pasting and we'll see how it goes.
So where we left off in our program, we had built out a honeypot on HTTP on port 8080 and that is sending us notifications when someone connects to it via Twilio.
That's all fine and but HTTP is kind of boring.
It's a ubiquitous protocol but if we're going to have a honeypot framework, we're going to need a lot more than just support for 8080 HTTP.
So we are set up to start adding SSH here so we get notified whenever anybody tries to SSH into our honeypot.
So the go package we're going to be needing to use, oh there's my Twilio information, is calling SSH server.
There's a very helpful go package that I showed off just last week and they have a listen algorithm.
They have a function in here for listening to a server as a server.
Let's try to find it.
So come on, please calm down.
Where are the examples here?
Here we go. Examples, NewServerConn. So based on the research I did previously for just a little bit, it looked like the best way to create an SSH server was just this big copy, this big function here that they have and let's just copy and paste it into a separate program, separate from our honeypot thing and see if we can understand what it does and dissect it a little bit and do something, make it useful.
So let us go here. This cat's really annoying me.
She's very talkative today.
Okay. We want to save this file, can go anywhere.
It's going to be a main program. Let's create a new folder here.
SSH save.
Okay, so we want to pump main here and we want to save it as I'm not sure why it hasn't saved.
And this should and so there's a bunch of stuff going on here, a bunch of red underlines.
I'm not sure why. I wonder if this is a go package we have to go get.
It looks like an x/crypto/ssh package, which might not come standard.
So let's try to go get this and I bet that will help us quite a bit.
All right.
Is it still angry?
No. Okay. Red lines disappeared. That's good. That's a good sign.
Some of them.
We also need this terminal thing. Okay, we can go get that as well. And so I haven't gotten to talk too much about what SSH actually is, if you're not familiar, but it's kind of a protocol that's used by everyone to administer a lot of their systems.
When you connect to and you connect remotely to a Linux machine, the red line didn't go away.
Now it did. You're probably using SSH.
It's a very secure protocol that everyone basically uses out there.
And it's existed for a long time, 20 some years. It's been the main way that people administer their remote systems.
And you usually don't want to leave it open to the Internet, but you can find a lot of SSH servers out there that are.
Okay. So I have no idea what this is going to do. I know that if we're going to run it, it's going to break because there's a lot of files here that it's reading.
There's these, this looks okay.
There's a lot of just files that it's relying on existing. It still seems a little angry about terminal here, not having terminal.
I'm not sure why we definitely go get at it.
But I'm going to suggest we just run this and then start working through each one of the problems.
That's probably the most, the way we can get through this quickest.
So let's go to print.
I think that, what directory is this in? It is in, oh, it's F1.
And then it's going to break.
Why though? Okay. So the first thing I noticed is it failed to run authorized keys, which means the program actually compiled, which means this being angry about the terminal is just not a real problem.
I think that it wouldn't compile if it was actually angry about this.
So that's okay. So the first problem is there's no authorized key file.
And so I am going to ssh-keygen, just some junk.
We're going to make an authorized keys folder. Wow. Authorized keys here.
And then we want to run Catco.
She's, wants to contribute to Cloudflare TV as well. We're going to copy the SSH directory.
It's live on TV.
This is my cat, Catco, and she is very talkative and I love her very much.
But she doesn't want to sit with me while I program and she just wants to make a lot of noise.
Okay. We have, I think this is my public key.
We have added it to authorized keys. And so that part of the program will, we'll get past that previous spot that we're trying to load.
Now let's copy. Okay. We were able to load that file. We are going to copy the, all of those SSH keys we just generated to the current working directory.
We brought the authorized key file it needs.
We've got the id_rsa thing and wow. It's actually wanting to run and bind to a port.
Okay. Is it running? Let's actually look at what this thing is doing.
Let's go step-by -step. We just ran the program. We don't really know what it does, but we can dissect it.
So the first thing it's doing is it's reading this authorized key file.
It is parsing each line in there as a public key.
And we know that the format is right, because otherwise the program would have crashed by now if it wasn't.
So it's actually parsing the public keys that's in the authorized key folder line by line.
And then it is turning them into an SSH key.
Next it is creating a new SSH server config with this password callback thing. So this is like how the actual SSH server is configured.
Then we have a, there's a few functions in here.
Then it reads this private key thing. I guess this is the server private key.
So not the client public key or not the client private key. This is when you connect to an SSH server, both the client and the server has some cryptographic material.
As a client, the server's public key ends up in your host keys file.
But as a server, all the client's public keys end up in the authorized key file.
So this id_rsa key is the server's private key. Next, they're parsing that, adding it as the host key, listening on port 2022.
And then it looks like they're doing a bunch of SSH like connection-y stuff.
And then they're even opening up a new terminal, doing all that stuff.
So I think this will just work. I think I'm just able to SSH in to my own local server.
It's listening. So let's try it.
localhost 2022. As who though?
I don't know what user, let me find. I guess it'd be logged in as E. Let's try that.
I don't know. I don't know what it's actually going to be. And then we want to use my id_rsa key.
This is probably not the best way to do this because ideally the client and the server won't use the same public-private key pair.
And that's what's happening right now. But for testing, this is fine. Okay. Could not resolve hostname localhost 2022.
Okay.
Why is that?
It's listening on 0.0.0.0. I don't know why. I won't use local host though.
Why is this angry?
Identity file. Okay. So first of all, the first problem I'm noticing, I'm in the wrong directory.
So it's not even finding my key. Let's try this again and see if...
Okay. Now the only problem is this cannot resolve hostname 127.0.0.1:2022.
I think one of the problems is I use the -p in SSH, not the colon format.
I think in order to specify a port, you don't do that with the SSH command line.
Oh my gosh. It's just working. Wow.
Okay. Looks like this is an echo server.
I'm amazed that we got this working so quickly in such a loud environment with my cat going crazy, distractions.
We got this working so quickly.
And it's just a testament to how good the Go docs actually are and how helpful they are.
We just copy pasted an example, made three files and we're off to the races.
This is amazing. So we see here in our SSH server, we logged in with a key.
We can see the key that was logged in with. And then we have this echo server where whatever I type, when I press enter, it'll come right back at us.
So a bunch of KDs, a bunch of KDs get piped back to us. Okay. That's all cool.
That's probably a problem. It needs to gracefully continue listening for multiple connections.
It needs to survive multiple SSH connections. And that's worth us figuring out.
But first things first, what I'd like to do is, what's the first thing that we want to do with this?
Oh, I wanted to try without a key because as an attacker, you're going to try with keys.
You're going to try password-based authentication and default passwords.
So let's try it without a key. User test user pass is tiger.
Okay. So let's try first key at, oh, it's not running.
We've got to run the server. We actually used the key.
Let's rerun it and not specify a key.
This is weird.
I might be using a key anyways. Like if I have an SSH agent or something.
I don't think I have an SSH agent.
It seems like it's letting anybody in, which I mean, for a honeypot, that's not a problem, but I'm not really understanding why it's doing that.
So let's SSH to localhost 20.
And come on.
Okay.
It seems like, yeah, it's just consistently letting in anybody into the server.
I definitely don't have an SSH agent set up. I have an SSH_AUTH_SOCK.
Maybe I do. Oh, I totally have an SSH agent set up and that is probably why I'm, there's a, okay.
Okay.
I bet this is a little more restrictive about who they let log in. So I had an SSH agent running, which will automatically present a key.
And the server is, the server is receiving that public key from me.
And it's going through the whole handshake without any problems because I still had a key that I was connecting to the server with.
I want to try that SSH localhost.
I'll do E app.
Huh? It still says logged in with a key. I wonder if it's, I have another, wait, I did the kill all here.
My SSH agent restarted.
Where's this thing coming from? Okay.
I don't have the SSH agent. I might've killed it in the wrong place maybe.
But when I run SSH, I have no idea what's happening on my system because whenever I kill the SSH agent, I SSH into something and then, oh, my cat wants to leave now.
She's been very good. I killed the, I killed that agent. I SSH into something.
It is recreating that SSH agent.
And it's really peculiar. I've never seen something like this.
And I don't know why that would be. Cause I don't, I don't have any like crazy set up with my SSH agent.
So I'm a little surprised. And so what I'm going to do instead of trying to figure this out, I'm just going to port this into our honeypot program in the next couple of minutes and try to get this finished.
So we can say that we added support for SSH. So I'm just going to copy paste all of this.
And what we will do is we will create a new command. This is run command, but we want a new SSH command.
Let's just do, this is HTTP. httpCmd, httpCmd, ssh, run an ssh honeypot, run an HTTP honeypot.
And so ideally there'll be a lot more ability to configure these.
So your HTTP honeypot shouldn't just be on port 8080 and your SSH honeypot shouldn't just be on 2022.
So that'll be a future feature request to add.
And then we want to, then we want to take all of this code here and copy it into here.
New file, ssh.go. We're going to do package ssh.
And then we really just need a function here.
Just a run function is all we need because what's happening here is in HTTP and in the main program, what's happening is it will just call, it will just call, it will just create a honeypot here and then call run.
And, but H here is an HTTP honeypot.
How is that working? It's an HTTP pot here, and we need to have a more general, um, we need to create a more general honeypot for all of these.
So I'm not sure how H is getting called.
What is H? Oh, oh, H is up here. Okay. Uh, this is not great design, but it'll work for now.
Um, it will work and get this finished in the next five minutes with the howling cat behind me.
Uh, it will get done. Okay. We're just going to copy this entire thing from S HTTP, put it in SSH, change HTTP pot to SSH pot everywhere.
And then in here, we just replace the code with our previously working SSH honeypot.
And I think we're going to have to change this to be from the port.
Um, worry about that later.
Um, but this should like actually run, I think if it doesn't go imports, but there seems to be a lot of issues.
Why is that undeclared name SSH? I might rename.
Um, so we're going to do this a safe pot. There's, there's multiple SSH packages.
And I think that we're going to run into problems having them all named the same.
So I'm giving this a new name, SSH pot. Oh, not as safe. We want a safe pot.
And then S it should actually be happy with this. And then lastly, I'm not sure what it's angry about.
Let's try to run it. So we want to go run CMD.
That's safe. And it's angry about, Oh, it's SSH pot HTTP. I have an HTTP in there.
That's not supposed to be there. Where is it? Sure.
Told me honeypotd.go line 18. Why is this happening?
Line 18.
I'm not even seeing what they're saying.
This is very peculiar. I'm seeing on line 18 SSH pot SSH pop.
Oh, you know what the issue is? This is the issue. That should get rid of the first problem.
So I had the wrong package here that I was aliasing with us.
That should work. And then last, ssh line 124, we're missing a very important curly brace or something.
It looks like it worked.
Okay. Now there should be a bunch of problems with this when we run it because the files aren't where they need to be.
135. It's missing a return.
Return nil speed, run programming two minutes.
It doesn't have to work right. It just has to work kind of by the end of this.
Okay. 62 in honeypotd line 62. We are just rapid fire debugging and it is amazing.
Okay. This is no longer run commanded as HTTP command and SSH command.
And this isn't going to work properly, but it'll work well enough.
And we'll get it. We'll get all the details ironed out next week on the show.
And with one fewer howling cat, but it ran, it actually ran.
And I think if I stage to port 2022, it should work.
Well, connection closed by remote host.
Great. That's actually what the behavior I would expect.
And, Oh, you know what?
This thing doesn't have any keys. There's a bunch of problems and it's not really printing it out.
So we kind of actually need all of those keys.
However, alas, we did get an SSH server working in just like nine minutes, which is pretty good.
What we need to do is get that SSH server working next week, get it working such that we can handle multiple connections in a row.
We can then handle both key-based auth and password-based auth. We need to figure out that SSH agent issue.
And then lastly, we'll need to get the ergonomics of this function, right?
So that you can pass in the special port and everything, but thank you so much for joining me.
I'll see you next week to finish this.
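The authorized_keys parsing step walked through above (read the file, parse each line as a public key, and note which key a connecting client presented) as an added, standard-library-only Go example; this is not code from the show or from the x/crypto/ssh package, and the sample key line is constructed with all-zero key bytes rather than a real key. It checks that each line's declared key type matches the type embedded in the base64 wire blob, which is the kind of format error that would make the example program fail on startup, and computes the OpenSSH-style SHA256 fingerprint a honeypot would log for a presented key.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// AuthorizedKey holds one parsed line: declared type, "SHA256:<base64>" fingerprint, comment.
type AuthorizedKey struct{ Type, Fingerprint, Comment string }

// Constructed sample (not a real key): a valid ssh-ed25519 line whose 32 key
// bytes are all zero, preceded by a comment line and a blank line.
var sampleAuthorizedKeys = "# honeypot test keys\n\n" +
	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + strings.Repeat("A", 43) + " test@example\n"

// parseAuthorizedKeys reads "<type> <base64 blob> [comment]" lines. The blob's
// SSH wire format begins with a length-prefixed type string, which must match
// the declared type; the fingerprint is SHA-256 over the whole blob.
func parseAuthorizedKeys(data string) ([]AuthorizedKey, error) {
	var keys []AuthorizedKey
	sc := bufio.NewScanner(strings.NewReader(data))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank or comment line
		}
		f := strings.Fields(line)
		if len(f) < 2 {
			return nil, fmt.Errorf("line %d: expected '<type> <base64>'", n)
		}
		blob, err := base64.StdEncoding.DecodeString(f[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad base64: %w", n, err)
		}
		if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob))+4 > uint64(len(blob)) {
			return nil, fmt.Errorf("line %d: truncated key blob", n)
		}
		if got := string(blob[4 : 4+binary.BigEndian.Uint32(blob)]); got != f[0] {
			return nil, fmt.Errorf("line %d: declared %q but blob is %q", n, f[0], got)
		}
		sum := sha256.Sum256(blob)
		fp := "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
		keys = append(keys, AuthorizedKey{f[0], fp, strings.Join(f[2:], " ")})
	}
	return keys, sc.Err()
}
```

The fingerprint string matches what `ssh-keygen -l` prints for the same public key, so a honeypot log line built from it can be compared directly against known keys.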