Well documented in the RFC "The SSH (Secure Shell) Remote Login Protocol", SSH provides strong authentication and secure communications over insecure networks.

APR-SSH-1 uses the Man-in-the-Middle condition imposed by Cain's APR to capture and decrypt SSH (Secure Shell) traffic between hosts.

How it works

The SSH protocol is composed by several phases that can be summarized as follow:


The client connects to the SSH port (usually TCP port 22) of the server.


The server sends to the client an identification string of the form "SSH-<protocolmajor>.<protocolminor>-<version>"; the client parses the server's string, and sends a corresponding string with its own information in response. Here APR-SSH-1 automatically replaces the version specified by the server in the first packet in order to downgrade the communication to SSH protocol v1.51.


During this phase the server sends its asymmetric encryption keys and other parameters to the client. Cain collects server's keys and replace them with new ones generated locally so that the client will use the Cain's keys instead of the server's ones.


The client selects the symmetric cipher to use, and sends the encrypted session key to the server. At this point the session key has been encrypted by the client using the Cain's keys, not the server keys; for this reason the program can now decrypt and store the session key before send it back to the server. The session key is really important because it is used to decrypt all packets that follows.  


The server and the client start the secure communication using the specified symmetric cipher and the session key. Now Cain can use the session key to decrypt encrypted traffic capture on the network.



APR-SSH-1 works in FULL-DUPLEX mode processing both client and server SSH-1 traffic. Because of the use of APR (Arp Poison Routing), the attacker's IP and MAC addresses can be totally spoofed and never sent across the network. The sniffer supports tree symmetric encryption algorithms: DES, 3DES, Blowfish.


This feature needs APR to be enabled and a Man-in-the-Middle condition between the SSH server and the victim host.


Zlib compression is not supported in this version. Because of the usage of the Winpcap driver it cannot decrypt SSH1 sessions initiated from the local host.



An example of the output file produced by the sniffer from the capture of an SSH-1 session to a Cisco PIX firewall in my test environment is available here.