Ad

Why There Are Some Random Bytes From The Openssh Server While Responding Kex-neogitation?

I am writing a simple ssh-client in python following the specs specified here. While parsing the list of preferred kex_algorithms there are some random bytes at the start of the list, which should not be there?

I am following the structure defined over here for parsing the server response.

Here is the python code for the client which I am discussing.

import os
import socket
import io
import struct

HOST = 'localhost'
PORT = 22

MSG_KEXINIT = 20

_preferred_ciphers = (
    "aes128-ctr-random-str",
    "aes192-ctr-random-str",
    "aes256-ctr-random-str",
    "aes128-cbc-random-str",
    "aes192-cbc-random-str",
    "aes256-cbc-random-str",
    "blowfish-cbc-random-str",
    "3des-cbc-random-str",
)


_preferred_macs = (
    "hmac-sha2-256",
    "hmac-sha2-512",
    "hmac-sha1",
    "hmac-md5",
    "hmac-sha1-96",
    "hmac-md5-96",
)

_preferred_keys = (
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-rsa",
    "ssh-dss",
)
_preferred_kex = (
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
)

_preferred_compression = ("none",)


def to_name_list(namelist):
    namelist_bytes = ",".join(namelist).encode('utf-8')
    namelist_size = struct.pack(">I", len(namelist_bytes))
    return namelist_size + namelist_bytes


sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))

# Version exchange
local_version = b'SSH-2.0-MYSSH\r\n'
sock.sendall(local_version)
print("SENT      : {}".format(local_version))

data = sock.recv(1024)
print("RECEIVED  : {}".format(data))
print("-"*20)

# Key negotiation
kex_msg = io.BytesIO()

kex_msg.write(struct.pack("B", MSG_KEXINIT))
kex_msg.write(os.urandom(16))
kex_msg.write(to_name_list(_preferred_kex))
kex_msg.write(to_name_list(_preferred_keys))
kex_msg.write(to_name_list(_preferred_ciphers))
kex_msg.write(to_name_list(_preferred_ciphers))
kex_msg.write(to_name_list(_preferred_macs))
kex_msg.write(to_name_list(_preferred_macs))
kex_msg.write(to_name_list(_preferred_compression))
kex_msg.write(to_name_list(_preferred_compression))
kex_msg.write(bytes())
kex_msg.write(bytes())
kex_msg.write(struct.pack("B", 0))
kex_msg.write(struct.pack(">I", 0))

sock.sendall(kex_msg.getvalue())
print("SENT      : {}".format(kex_msg.getvalue()))

data = sock.recv(1024*4)
print("RECEIVED  : {}".format(data))
server_kex_bytes = io.BytesIO(data)

print("Parsing server response")

flag = struct.unpack(">B", server_kex_bytes.read(1))[0]
print("flag : {}".format(flag))

cookie = server_kex_bytes.read(16)
print("cookie : {}".format(cookie))

kex_algo_list_len = struct.unpack(">I", server_kex_bytes.read(4))[0]
print("length of kex algo list: {}".format(kex_algo_list_len))

kex_algo_list = server_kex_bytes.read(kex_algo_list_len)
print("kex_algo_list: {}".format(kex_algo_list))

The code mentioned above generates the following output.

SENT      : b'SSH-2.0-MYSSH\r\n'
RECEIVED  : b'SSH-2.0-OpenSSH_8.0\r\n'
--------------------
SENT      : b'\x14\xc6\xff\x10r/W2c+\xf3\x15w\x93`\x92\xf5\x00\x00\x00\xb7ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\x00\x00\x00Wssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss\x00\x00\x00\xafaes128-ctr-random-str,aes192-ctr-random-str,aes256-ctr-random-str,aes128-cbc-random-str,aes192-cbc-random-str,aes256-cbc-random-str,blowfish-cbc-random-str,3des-cbc-random-str\x00\x00\x00\xafaes128-ctr-random-str,aes192-ctr-random-str,aes256-ctr-random-str,aes128-cbc-random-str,aes192-cbc-random-str,aes256-cbc-random-str,blowfish-cbc-random-str,3des-cbc-random-str\x00\x00\x00Ghmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96\x00\x00\x00Ghmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96\x00\x00\x00\x04none\x00\x00\x00\x04none\x00\x00\x00\x00\x00'
RECEIVED  : b'\x00\x00\x044\x06\x14\x18!\xfa\xea\xc4Vv\xd2\xe6\xe5pg\xbc\x08\x8a\xa3\x00\x00\x01\x02curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1\x00\x00\x00Arsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\x00\x00\[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]\x00\x00\[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]\x00\x00\x00\[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1\x00\x00\x00\[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1\x00\x00\x00\x15none,[email protected]\x00\x00\x00\x15none,[email protected]\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Parsing server response
flag : 0
cookie : b'\x00\x044\x06\x14\x18!\xfa\xea\xc4Vv\xd2\xe6\xe5p'
length of kex algo list: 1740376202
kex_algo_list: b'\xa3\x00\x00\x01\x02curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1\x00\x00\x00Arsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\x00\x00\[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]\x00\x00\[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]\x00\x00\x00\[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1\x00\x00\x00\[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1\x00\x00\x00\x15none,[email protected]\x00\x00\x00\x15none,[email protected]\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

Why there are some extra bytes \xa3\x00\x00\x01\x02 at the beginning of the kex-list? Is server leaking those extra bytes or I have made a mistake to understand the protocol?

Ad

Answer

It looks like this parsing has skipped some of the fields and reordered others.

\x00\x044\x06 looks like the binary packet fields:

  uint32    packet_length
  byte      padding_length

(I think sequences like \00\x044 make this a pretty difficult representation to count bytes in.)

The cookie contents end up with this and the kex message number which I think is \x14 where they should be the 16 bytes after the message type right up to the name-lists that included \xa3\x00\x00\x01\x02. Also the size as parsed looks impossibly high.

Ad
source: stackoverflow.com
Ad