Today I was curious. I had set up an RSA key for SSH connections to another computer, became bored afterwards, and asked myself something: how many packets did I generate? What did I do? I spun up two VMs, one Kali and the other CentOS. I started Wireshark on Kali and listened on my interface, but first filtered for only the host and target IP with the filter below.
After ensuring that no traffic was appearing, I opened another terminal and connected to the CentOS machine using
As you can see, the command was basic and the RSA key I used does not require a passphrase. 19 out of 20 times I did this, the connection required 45 packets. I have provided a screenshot.
After doing a deep dive on each packet I learned a lot. I became more aware of the behaviour of the setup I used for SSH. I was able to watch the key exchange and the initial client-to-server and server-to-client communications. This appeared to be a simple random experiment on a basic communication method, but how familiar are you with your network? Now, the next time someone asks me what the answer is, I will be happy to scream 45.
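As an added illustration (not the author's code, and not the pcap from this post), here is a small pure-Python pass over a capture that applies the same two-host filter and reports the packet count plus the cleartext SSH handshake markers (the version banners and the first KEXINIT from each side). The capture, addresses and banner strings are constructed stand-ins so it runs offline; point `ssh_baseline` at a real libpcap file's bytes to baseline your own session.

```python
import struct

def build_frame(src, dst, sport, dport, payload=b""):
    # Constructed Ethernet/IPv4/TCP frame; checksums are left zero since this parser never validates them.
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    # Classic libpcap layout: 24-byte global header, then a 16-byte record header per frame (link type 1 = Ethernet).
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def parse_pcap(data):
    # Yield (src, dst, sport, dport, tcp_payload) for every IPv4/TCP record; anything else is skipped.
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        yield (src, dst, *struct.unpack_from("!HH", tcp), tcp[(tcp[12] >> 4) * 4:])

def ssh_baseline(data, host_a, host_b):
    # Count packets between the two hosts (the equivalent of a Wireshark host filter) and record the
    # cleartext handshake markers. Only pre-NEWKEYS traffic is readable, so we stop at the first KEXINIT per side.
    count, markers, kex_seen = 0, [], set()
    for src, dst, sport, dport, payload in parse_pcap(data):
        if {src, dst} != {host_a, host_b}:
            continue
        count += 1
        if payload.startswith(b"SSH-"):
            markers.append(("banner", src, payload.split(b"\r\n")[0].decode()))
        elif len(payload) > 5 and payload[5] == 20 and src not in kex_seen:  # byte 5 = SSH_MSG_KEXINIT
            kex_seen.add(src)
            markers.append(("KEXINIT", src))
    return count, markers

def sample_capture():
    # Constructed stand-in for a real capture: TCP handshake, banners, KEXINIT both ways, plus one unrelated frame.
    c, s = "192.168.56.10", "192.168.56.20"
    kexinit = struct.pack("!IB", 21, 4) + b"\x14" + b"\x00" * 20  # truncated KEXINIT body, message code 20
    return build_pcap([
        build_frame(c, s, 50000, 22), build_frame(s, c, 22, 50000), build_frame(c, s, 50000, 22),
        build_frame(c, s, 50000, 22, b"SSH-2.0-OpenSSH_9.6\r\n"), build_frame(s, c, 22, 50000, b"SSH-2.0-OpenSSH_8.7\r\n"),
        build_frame("10.0.0.5", s, 40000, 443, b"noise"),
        build_frame(c, s, 50000, 22, kexinit), build_frame(s, c, 22, 50000, kexinit),
    ])
```

On a real capture the count is what you baseline against; the markers tell you where the cleartext portion of the handshake ends, which is also the last point an IDS rule can match on SSH message content.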
I encourage everyone to take the time to do similar exercises on your network, whether at work (under approved and legal circumstances) or at home. Not only does this help your understanding of protocols, your network, and the behaviour between the two, you will also be able to write very well-crafted rules for firewalls, IDSs and IPSs. It would be delightful to tell someone you actually baselined your network because you really do know how it behaves and can identify an outlier with strong confidence.
I have provided the pcap and the associated video of my mini experiment for you to use or review.