obfuscate six stucked hogs

https://github.com/aligo/obfuscated-openssh

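This is the openssh I modified last year, during "Sparta", to get over "that thing that cannot be named". "The thing that cannot be spoken of" had upgraded some of its features so that it could fuzzily identify protocol content and block it, and that included the S(ix) S(tucked) H(ogs) protocol. six stucked hogs was never originally meant for using -D to open a socket for getting over "the thing that gets you harmonized if you mention it"; that is just an extra feature it happens to have. But once it gets X'ed, a lot of my normal work cannot be done. Hence the obfuscate six stucked hogs protocol, to confuse "that thing that, once I find it, I am going to smash to pieces with a baseball bat".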

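The obfuscate six stucked hogs protocol originally comes from brl (https://github.com/brl/obfuscated-openssh), but that one is based on openssh 5.2. That version no longer compiles under the latest ML (it probably stopped working as of Lion), so I took the latest 6.1p1 and made a matching port. The protocol format is the same as the original, so the two can connect to each other.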

It includes both the client and the server.

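On the server, you can set ObfuscatedPort and ObfuscateKeyword in sshd_config: respectively, the obfuscated port number and the string used for obfuscation. The obfuscated port defaults to the same port configured for ssh, or it can be configured separately. The obfuscation string must match the one set on the client. Then configure the rest of ssh as usual.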

The client connects by passing -Z followed by the obfuscation string. You can also use the following in the configuration file:

ObfuscateHandshake yes

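ObfuscateKeyword <obfuscation string>

For the exact protocol format, see brl's README. Besides obfuscating the message content, it also adds deceptive random padding to the TCP packets to prevent identification through traffic analysis, so it should count as a fairly sustainable approach.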

I like to log in directly with the openssh client. On the Mac there is also secret-socks, which supports the same obfuscation protocol, and on Windows x-wall is available.

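Many people kept asking about this before, and I never dared to go into too much detail. Lately "that thing that obstructs my normal work like a lunatic" has gotten on my nerves, so for once I'm committing the offense in plain sight. If you want to harmonize me, come on. Fuck.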

10 Comments

  1. Hdi
    Posted 2013/03/18 at 21:04 | Permalink

    Hi
    Thanks for this, but I have a problem on login. After install, when I want to log in I get this error: “Server’s host key did not match the signature supplied”. I use PoTTY for login. Can you please explain what I should do exactly!? For quickly I did:
    #./configure
    #make
    #make install
    #echo "ObfuscatedPort 2222" >> /usr/local/etc/sshd_config
    #echo "ObfuscateKeyword keyword" >> /usr/local/etc/sshd_config
    #/usr/local/sbin/sshd -f /usr/local/etc/sshd_config

    Everything went ok and sshd ran without problem
    Thanks

  2. aligo
    Posted 2013/03/19 at 11:21 | Permalink

    Hi Hdi
    I can’t try PoTTY to log in because I don’t have a Windows machine now.
    Could you try the patched openssh client to log in? If you compiled it from my code, `/usr/local/bin/ssh -Z keyword …` should work. Also you can pass `-v` to get more debug info.
    Thx for your comment, waiting for your message.

  3. Hdi
    Posted 2013/03/19 at 17:17 | Permalink

    Thanks for the reply
    Ok. I installed the obf ssh on another server and did as you told:
    # /usr/local/bin/ssh -Z mykeyword root@xx.xx.xxx.xxx -p 6200
    The authenticity of host ‘[xx.xx.xxx.xxx]:6200 ([xx.xx.xxx.xxx]:6200)’ can’t be established.
    ECDSA key fingerprint is e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘[xx.xx.xxx.xxx]:6200′ (ECDSA) to the list of known hosts.
    key_verify failed for server_host_key
    #

    This error seems to be the same error that happened in PoTTY

  4. Hdi
    Posted 2013/03/19 at 17:57 | Permalink

    And with -v arg:

    # /usr/local/bin/ssh -v -Z mykeyword root@xx.xx.xxx.xxx -p 6200
    OpenSSH_6.1p1, OpenSSL 1.0.1e 11 Feb 2013
    debug1: Reading configuration data /usr/local/etc/ssh_config
    debug1: Connecting to xx.xx.xxx.xxx [xx.xx.xxx.xxx] port 6200.
    debug1: Connection established.
    debug1: Obfuscation enabled
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
    debug1: match: OpenSSH_6.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68
    debug1: checking without port identifier
    The authenticity of host ‘[xx.xx.xxx.xxx]:6200 ([xx.xx.xxx.xxx]:6200)’ can’t be established.
    ECDSA key fingerprint is e7:15:14:51:b9:8f:fa:89:08:41:c3:b2:83:f8:d8:68.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘[xx.xx.xxx.xxx]:6200′ (ECDSA) to the list of known hosts.
    debug1: ssh_ecdsa_verify: signature incorrect
    key_verify failed for server_host_key

  5. Posted 2013/03/20 at 12:52 | Permalink

    Thanks very much for your reply.
    Sorry for the silly mistake i made, it is fixed now, please repull it from github, and let me know the result.

  6. Hdi
    Posted 2013/03/20 at 14:22 | Permalink

    I built it again and yes, it works now
    I tested with PoTTY and it ran too
    Thanks for fixing the problem

  7. Posted 2013/03/20 at 17:14 | Permalink

    : D

  8. Hdi
    Posted 2013/08/08 at 01:22 | Permalink

    Hello aligo
    What’s up man ;)
    I saw that openssh is updated to 6.2. You don’t want to update this package to the new version?

    Thank you

    • Posted 2013/10/26 at 10:42 | Permalink

      Hi Hdi,
      Have been busy and snifu the last few months, sorry for replying to you so late.
      No chance to follow up on the new version yet, and now 6.3 is out, I will just update it directly to 6.3 soon. T_T
      And if you use obfuscated ssh for setting up a tunnel proxy, there is shadowsocks (www.shadowsocks.org) you may be interested in,

  9. JCxingchi
    Posted 2015/03/03 at 14:46 | Permalink

    Hi, Aligo,
    There is a mistake during connecting the openssh server compiled with the sshd_ofc v6.7p, and the message is as follows: Error class: LocalSshDisconn, code: HostKeyNotVerifiable.
    For the detail, please check the Issue in your Github project.
    Thanks ;)
