packetStrider – A Network Packet Forensics Tool For SSH

From kitploit.com

packetStrider for SSH is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark.
The problem that packet strider aims to help with (AKA Why?)

SSH is obviously encrypted, yet valuable contextual information still exists within the network traffic that can go towards TTP’s, intent, success and magnitude of actions on objectives. There may even exist situations where valuable context is not available or deleted from hosts, and so having an immutable and un-alterable passive network capture gives additional forensic context. “Packets don’t lie”.

Separately to the forensic context, packet strider predictions could also be used in an active fashion, for example to shun/RST forward connections if a tunneled reverse SSH session initiation feature is predicted within, even before reverse authentication is offered.

Read more…