https://github.com/aligo/obfuscated-openssh
这是去年斯巴达期间我改了用来翻「那个不能说的东西」的openssh,因为「那个不能言说之物」升级了某些特性可以模糊识别协议的内容并且进行阻断,其中就包括S(ix) S(tucked) H(ogs)协议。six stucked hogs其实一开始并不是为了-D出一个socket用来翻「说了就会被和谐之物」,只不过有这样的附加功能,但是一旦被X我很多正常工作都不能进行。于是才有了obfuscate six stucked hogs协议来迷惑「被我找到了之后我要用一根棒球棍使劲把它砸碎的那个东西」。
obfuscate six stucked hogs的协议最早出自brl(https://github.com/brl/obfuscated-openssh),不过基于是5.2版本的openssh。因为那个版本不能在最新的ML(应该是从Lion开始就不行了)下编译了,于是我拿了最新的6.1p1比照着改了一份,所用协议格式和原来相同,可以互相连接。
包含客户端和服务端。
服务端可以在sshd_config里设置ObfuscatedPort和ObfuscateKeyword,分别即是混淆的端口号和混淆用的字符串。其中混淆的端口号默认和原来ssh指定的相同,或者可以另外配置。混淆用的字符串要与客户端设置相同。然后照常配置ssh剩下的部分即可。
客户端连接通过参数-Z后面加上混淆用的字符串。也可以在配置文件里使用
ObfuscateHandshake yes
ObfuscateKeyword 混淆用的字符串
关于协议具体格式可以参考brl的README,除了混淆消息内容,还在tcp包中加了迷惑性的random padding用于防止流量分析识别,应该算是一种比较可持续使用的方式。
我喜欢通过openssh客户端直接登入。Mac下可以选择的客户端还有secret-socks,支持相同的混淆协议,Win下也有x-wall可用 。
之前很多人一直问这个,还是不敢把这事说得太细,最近被「那个神经病一样阻挠我正常工作的东西」惹烦了,顶风作案一回。要河蟹就来吧。Fuck。
10 Comments
Hi
Thanks for this but i have problem on login. After install, when i want to login i get this error “Server’s host key did not match the signature supplied”. I use Potty for login. Can you please explain what i should do exactly!? For quckly i did:
#./configure
#make
#make install
#echo “ObfuscatedPort 2222″ >> /usr/local/etc/sshd_config
#echo “ObfuscateKeyword keyword” >> /usr/local/etc/sshd_config
#/usr/local/sbin/sshd -f /usr/local/etc/sshd_config
Everything went ok and sshd ran without problem
Thanks
Hi Hdi
I can’t try potty to login cause i dont have a windows now.
Could you try the patched openssh client to login, if you complied it from my code, `/usr/local/bin/ssh -Z keyword …` should works. Also you can pass `-v` to get more debug info.
Thx for your comment, waiting for your message.
Thaks for reply
Ok. I installed the obf ssh on another server and did as you told:
# /usr/local/bin/ssh -Z mykeyword root@xx.xx.xxx.xxx -p 6200
The authenticity of host ‘[xx.xx.xxx.xxx]:6200 ([xx.xx.xxx.xxx]:6200)’ can’t be established.
ECDSA key fingerprint is e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘[xx.xx.xxx.xxx]:6200′ (ECDSA) to the list of known hosts.
key_verify failed for server_host_key
#
This error seems that is look like the same error that happened in Potty
And with -v arg:
# /usr/local/bin/ssh -v -Z mykeyword root@xx.xx.xxx.xxx -p 6200
OpenSSH_6.1p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to xx.xx.xxx.xxx [xx.xx.xxx.xxx] port 6200.
debug1: Connection established.
debug1: Obfuscation enabled
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68
debug1: checking without port identifier
The authenticity of host ‘[xx.xx.xxx.xxx]:6200 ([xx.xx.xxx.xxx]:6200)’ can’t be established.
ECDSA key fingerprint is e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘[xx.xx.xxx.xxx]:6200′ (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature incorrect
key_verify failed for server_host_key
Thanks very much for your reply.
Sorry for the silly mistake i made, it is fixed now, please repull it from github, and let me know the result.
I built it again and yes, it works know
I tested with PoTTY and it ran too
Thanks for fixing the problem
: D
Hello aligo
Whats up man
I saw that openssh is updated to 6.2. You don’t want to update this package to the new version?
Thank you
Hi Hdi,
Has been busy and snifu last few months, sorry for reply you so late.
No chance to follow up new version yet, and now 6.3 is out,I will just up it direct to 6.3 soon. T_T
And if you use obfuscated ssh for setting a tunnel proxy, there is shadowsocks(www.shadowsocks.org) you may intrest,
Hi, Aligo,
There is a mistake during connecting the openssh server compiled with the sshd_ofc v6.7p, and the message is as follows: Error class: LocalSshDisconn, code: HostKeyNotVerifiable.
For the detail, please check the Issue in your Github project.
Thanks
One Trackback
[…] http://aligo.me/2013/01/13/obfuscate-six-stucked-hogs/ […]