obfuscator

package
v2.0.5+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 9, 2019 License: GPL-3.0 Imports: 10 Imported by: 61

Documentation

Index

Constants

View Source
const (
	SSH_MAX_SERVER_LINE_LENGTH = 1024
	SSH_PACKET_PREFIX_LENGTH   = 5          // uint32 + byte
	SSH_MAX_PACKET_LENGTH      = 256 * 1024 // OpenSSH max packet length
	SSH_MSG_NEWKEYS            = 21
	SSH_MAX_PADDING_LENGTH     = 255 // RFC 4253 sec. 6
	SSH_PADDING_MULTIPLE       = 16  // Default cipher block size
)
View Source
const (
	OBFUSCATION_CONN_MODE_CLIENT = iota
	OBFUSCATION_CONN_MODE_SERVER
)
View Source
const (
	OBFUSCATION_READ_STATE_IDENTIFICATION_LINES = iota
	OBFUSCATION_READ_STATE_KEX_PACKETS
	OBFUSCATION_READ_STATE_FLUSH
	OBFUSCATION_READ_STATE_FINISHED
)
View Source
const (
	OBFUSCATION_WRITE_STATE_CLIENT_SEND_SEED_MESSAGE = iota
	OBFUSCATION_WRITE_STATE_SERVER_SEND_IDENTIFICATION_LINE_PADDING
	OBFUSCATION_WRITE_STATE_IDENTIFICATION_LINE
	OBFUSCATION_WRITE_STATE_KEX_PACKETS
	OBFUSCATION_WRITE_STATE_FINISHED
)
View Source
const (
	OBFUSCATE_SEED_LENGTH         = 16
	OBFUSCATE_KEY_LENGTH          = 16
	OBFUSCATE_HASH_ITERATIONS     = 6000
	OBFUSCATE_MAX_PADDING         = 8192
	OBFUSCATE_MAGIC_VALUE         = 0x0BF5CA7E
	OBFUSCATE_CLIENT_TO_SERVER_IV = "client_to_server"
	OBFUSCATE_SERVER_TO_CLIENT_IV = "server_to_client"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ObfuscatedSSHConn added in v1.0.9

type ObfuscatedSSHConn struct {
	net.Conn
	// contains filtered or unexported fields
}

ObfuscatedSSHConn wraps a Conn and applies the obfuscated SSH protocol to the traffic on the connection: https://github.com/brl/obfuscated-openssh/blob/master/README.obfuscation

ObfuscatedSSHConn is used to add obfuscation to golang's stock "ssh" client and server without modification to that standard library code. The underlying connection must be used for SSH traffic. This code injects the obfuscated seed message, applies obfuscated stream cipher transformations, and performs minimal parsing of the SSH protocol to determine when to stop obfuscation (after the first SSH_MSG_NEWKEYS is sent and received).

WARNING: doesn't fully conform to net.Conn concurrency semantics: there's no synchronization of access to the read/writeBuffers, so concurrent calls to one of Read or Write will result in undefined behavior.

func NewObfuscatedSSHConn added in v1.0.9

func NewObfuscatedSSHConn(
	mode ObfuscatedSSHConnMode,
	conn net.Conn,
	obfuscationKeyword string,
	obfuscationPaddingPRNGSeed *prng.Seed,
	minPadding, maxPadding *int) (*ObfuscatedSSHConn, error)

NewObfuscatedSSHConn creates a new ObfuscatedSSHConn. The underlying conn must be used for SSH traffic and must have transferred no traffic.

In client mode, NewObfuscatedSSHConn does not block or initiate network I/O. The obfuscation seed message is sent when Write() is first called.

In server mode, NewObfuscatedSSHConn cannot completely initialize itself without the seed message from the client to derive obfuscation keys. So NewObfuscatedSSHConn blocks on reading the client seed message from the underlying conn.

obfuscationPaddingPRNGSeed is required and used only in OBFUSCATION_CONN_MODE_CLIENT mode and allows for optional replay of the same padding: both in the initial obfuscator message and in the SSH KEX sequence. In OBFUSCATION_CONN_MODE_SERVER mode, the server obtains its PRNG seed from the client's initial obfuscator message, resulting in the server replaying its padding as well.

func (*ObfuscatedSSHConn) GetDerivedPRNG added in v1.0.10

func (conn *ObfuscatedSSHConn) GetDerivedPRNG(salt string) (*prng.PRNG, error)

GetDerivedPRNG creates a new PRNG with a seed derived from the ObfuscatedSSHConn padding seed and distinguished by the salt, which should be a unique identifier for each usage context.

In OBFUSCATION_CONN_MODE_SERVER mode, the ObfuscatedSSHConn padding seed is obtained from the client, so derived PRNGs may be used to replay sequences post-initial obfuscator message.

func (*ObfuscatedSSHConn) GetMetrics added in v1.0.9

func (conn *ObfuscatedSSHConn) GetMetrics() common.LogFields

GetMetrics implements the common.MetricsSource interface.

func (*ObfuscatedSSHConn) Read added in v1.0.9

func (conn *ObfuscatedSSHConn) Read(buffer []byte) (int, error)

Read wraps standard Read, transparently applying the obfuscation transformations.

func (*ObfuscatedSSHConn) Write added in v1.0.9

func (conn *ObfuscatedSSHConn) Write(buffer []byte) (int, error)

Write wraps standard Write, transparently applying the obfuscation transformations.

type ObfuscatedSSHConnMode added in v1.0.9

type ObfuscatedSSHConnMode int

type ObfuscatedSSHReadState added in v1.0.9

type ObfuscatedSSHReadState int

type ObfuscatedSSHWriteState added in v1.0.9

type ObfuscatedSSHWriteState int

type Obfuscator

type Obfuscator struct {
	// contains filtered or unexported fields
}

Obfuscator implements the seed message, key derivation, and stream ciphers for: https://github.com/brl/obfuscated-openssh/blob/master/README.obfuscation

Limitation: the RC4 cipher is vulnerable to ciphertext malleability and the "magic" value provides only weak authentication due to its small size. Increasing the size of the magic field will break compatibility with legacy clients. New protocols and schemes should not use this obfuscator.

func NewClientObfuscator

func NewClientObfuscator(
	config *ObfuscatorConfig) (obfuscator *Obfuscator, err error)

NewClientObfuscator creates a new Obfuscator, staging a seed message to be sent to the server (by the caller) and initializing stream ciphers to obfuscate data.

ObfuscatorConfig.PaddingPRNGSeed allows for optional replay of the obfuscator padding and must not be nil.

func NewServerObfuscator

func NewServerObfuscator(
	clientReader io.Reader, config *ObfuscatorConfig) (obfuscator *Obfuscator, err error)

NewServerObfuscator creates a new Obfuscator, reading a seed message directly from the clientReader and initializing stream ciphers to obfuscate data.

ObfuscatorConfig.PaddingPRNGSeed is not used, as the server obtains a PRNG seed from the client's initial obfuscator message; this scheme allows for optional replay of the downstream obfuscator padding.

func (*Obfuscator) GetDerivedPRNG added in v1.0.10

func (obfuscator *Obfuscator) GetDerivedPRNG(salt string) (*prng.PRNG, error)

GetDerivedPRNG creates a new PRNG with a seed derived from the obfuscator padding seed and distinguished by the salt, which should be a unique identifier for each usage context.

For NewServerObfuscator, the obfuscator padding seed is obtained from the client, so derived PRNGs may be used to replay sequences post-initial obfuscator message.

func (*Obfuscator) GetPaddingLength added in v1.0.9

func (obfuscator *Obfuscator) GetPaddingLength() int

GetPaddingLength returns the client seed message padding length. Only valid for NewClientObfuscator.

func (*Obfuscator) ObfuscateClientToServer

func (obfuscator *Obfuscator) ObfuscateClientToServer(buffer []byte)

ObfuscateClientToServer applies the client RC4 stream to the bytes in buffer.

func (*Obfuscator) ObfuscateServerToClient

func (obfuscator *Obfuscator) ObfuscateServerToClient(buffer []byte)

ObfuscateServerToClient applies the server RC4 stream to the bytes in buffer.

func (*Obfuscator) SendSeedMessage

func (obfuscator *Obfuscator) SendSeedMessage() []byte

SendSeedMessage returns the seed message created in NewObfuscatorClient, removing the reference so that it may be garbage collected.

type ObfuscatorConfig

type ObfuscatorConfig struct {
	Keyword         string
	PaddingPRNGSeed *prng.Seed
	MinPadding      *int
	MaxPadding      *int
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL