Wireshark-users: Re: [Wireshark-users] Malformed packet within Putty's 0.52 SSH
From: LDB <thesource@xxxxxxxxxxx>
Date: Sat, 07 Oct 2006 10:11:37 -0400
Andrew Hood wrote:
> LDB wrote:
>> Within Ethereal I am detecting a malformed packet coming from a Putty SSH Client using version 0.52. Could my users have downloaded a tainted version of Putty?
>
> Does PuTTY think it is malformed? My observation is that this usually happens tunnelling an X client. PuTTY pops up an error dialog, closes the connection and the X client then proceeds to crash. What version of Windows is this? I see it quite often on NT, but not on XP with the same binaries compiled with MSVC7. (To add some options not included in the standard version.)
XP
>> Also, why does Ethereal consider it a malformed packet from SSH?
>
> Because it might be malformed, or contains encodings Ethereal/WireShark does not expect.
sshd2[30327]: WARNING: DNS lookup failed for "10.10.11.2"
SSH-2.0-3.2.9 SSH Secure Shell
SSH-2.0-PuTTY-Release-0.52
..........5G"` .......BA.....W.k..:.".....diffie-hellman-g ..........2.A>....(..d...=diffie-hellman-group-exchange-sh ..........oI....J\F`.i$.~....A..1 d....H.a....7.r..u....w. ...........jQ............1....ssh-dss.......h.{......[v#r. ..............E..... ...qp.).dPv .... ....C...... .dS.6~.............Yr.c*.........T......9....F..3.ii %...?l.E.E...r...8....L=..z0.......)...I3...r.....1.u..... ...f`.:..k..`.:?H..P..r f.....ZW^...A.......t.c...>.....x? :..H..d~.$.M.^V.h{5w....}J..g0..y4.....597.e.....*.g....3. ..........>JR.g z|....l.lM........U.w~........N.......oL.' ..... ..."$M..e...fJ:....KTG....V..`.N....Y..2W. >g.~..$)

The above was produced in Expert Info and Follow TCP Streams shown as ASCII. Actually I have attached ASCII and hexdump formats.
> As suggested, a capture trace might help, including the "malformed" packet(s), but if you can produce a small complete session exhibiting the error it might be more helpful.

I would have done this before, but since I have not been able to get WinPCAP working on Token Ring for months, I haven't.
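An added example, not part of the original message: a minimal check of SSH binary-packet framing (RFC 4253) over the cleartext start of one direction of a captured stream, up to the point where that side sends NEWKEYS. The stream is constructed, and the function names and the 35000-byte sanity bound are choices made for this example.

```python
import struct

NAMES = {2: "IGNORE", 20: "KEXINIT", 21: "NEWKEYS"}  # message numbers, RFC 4253

def frame(payload, block=8):
    """Build one cleartext SSH binary packet (zero padding; for constructed test data)."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def split_ident(stream):
    """Return (pre_lines, ident, rest); a server may send lines before its 'SSH-' line."""
    pre = []
    while True:
        line, sep, stream = stream.partition(b"\n")
        if not sep:
            raise ValueError("no identification line")
        line = line.rstrip(b"\r")          # tolerate a bare LF terminator
        if line.startswith(b"SSH-"):
            return pre, line, stream
        pre.append(line)

def walk(data, block=8):
    """Check framing of each cleartext packet; return [(offset, msg_type, verdict)]."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            out.append((off, None, "truncated header")); break
        plen, pad = struct.unpack_from(">IB", data, off)
        # 16-byte minimum and block alignment per RFC 4253; 35000 is a sanity bound
        if not 12 <= plen <= 34996 or (4 + plen) % block:
            out.append((off, None, "bad packet_length")); break
        if pad < 4 or plen - pad - 1 < 1:
            out.append((off, None, "bad padding_length")); break
        if off + 4 + plen > len(data):
            out.append((off, None, "truncated packet")); break
        mtype = data[off + 5]
        out.append((off, mtype, NAMES.get(mtype, "type %d" % mtype)))
        off += 4 + plen
        if mtype == 21:   # NEWKEYS: later packets in this direction are encrypted,
            break         # so their length field cannot be read without the keys
    return out

# Constructed server-side stream: pre-banner line, banner, three packets, then noise.
SAMPLE = (b"sshd2[1]: WARNING: constructed pre-banner line\r\n"
          b"SSH-2.0-3.2.9 SSH Secure Shell\r\n"
          + frame(b"\x02\x00\x00\x00\x00") + frame(b"\x14" + bytes(16) + b"constructed")
          + frame(b"\x15") + b"\xde\xad\xbe\xef\x01\x02\x03\x04")
```

Feeding bytes that follow NEWKEYS straight into `walk` returns a `bad packet_length` row, because the first four bytes of an encrypted packet are not a readable length.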