Ask Your Question

Possible to re-connect to a remote host using previously recorded SSH traffic?

asked 2021-07-07 15:31:35 +0000

apolonie gravatar image

Hi all,

This is a theoretical question, but I'm curious if I remote into a host using SSH and successfully authenticate in, while recording the traffic, is it possible to re-authenticate in using only the SSH traffic recorded by wireshark?

i.e. using a traffic replay system and feed it the SSH traffic to successfully connect to a remote host. I'm trying to find a way to record & replay cyber attacks as a hobby and curious if you guys know of any software that does this.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2021-07-07 17:07:01 +0000

grahamb gravatar image

I hope not.

The client has the private key and the server holds the public partner of the key and they are used to sign random data to ensure each end is legitimate. The use of random data prevents replays.

edit flag offensive delete link more


Interesting, I'm curious what the attraction is to record & replay systems that utilize .pcap's for the replay architecture. It seems there are multiple protocols (SSHv2, SMTP, etc.) that make it very difficult to replay deterministically.

apolonie gravatar imageapolonie ( 2021-07-07 17:10:27 +0000 )edit

SMTP is certainly vulnerable to replay, the nature of the protocol requires no authentication at all when receiving email from outside sources. The sender can be verified by such things as SPF and DKIM, but the SMTP server simply has to receive everything not directly blocked.

grahamb gravatar imagegrahamb ( 2021-07-07 17:31:17 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2021-07-07 15:31:35 +0000

Seen: 146 times

Last updated: Jul 07 '21