There was one person I met in blackhat mentioned that SSH login failure can be seen at packet level because the SSH protocol will indicate whether login is a success or failure.
I think the login process is considered as normal data by ssh protocol and hence it's transparent to ssh protocol itself. There is no indication in the packets whether ssh login is successful or not.
Can anyone confirm this?
Thanks.
Before the password is sent, an encryption layer is added to the connection.
Also the encryption fingerprint is compared to the last time you signed in successfully. If there is an MITM inserting its own encryption layer then you will be alerted of the changed fingerprint. (assuming you have not already accepted the incorrect fingerprint by accident)
While the password, and the response from the server cannot be seen directly, it is likely that you can tell by the packet size and timing, and how long until the connection was closed, whether the login attempt was successful.
For example, this would be a single chunk of data with a predictable size.
Invalid username/password, please try again.
On the other hand, a successful login is several lines
Welcome! It's a great day at XYZ server!
Your last login was yesterday at
And depending on your server, there may be a delay between lines, which is sent in separate TCP packets as it comes in.
You have new mail.
you@xyz:~$
So yes, you can tell by monitoring packet size/count/timing whether the sign-in was successful. You cannot tell what password was attempted or exactly wad data was transferred.
