Skip to content

Secure Shell (SSH) Configuration

The sample configuration below is also available in the [GHOSTS GitHub repository](https://github.com/cmu-sei/GHOSTS/blob/master/src/Ghosts.Client.Windows/Sample%20Timelines/Ssh.json

The credentials JSON file expected by this handler has the following format.

{
         "Version": "1.0",
         "Data": {
            "credkey1": {"username":"user1","password":"pw1base64"},
            "credkey2": {"username":"user2","password":"pw2base64"},
            ....
            "credkeyN": {"username":"userN","password":"pwNbase64"},
          }
}

The Version slot string is unused at the moment but is there in case this implementation is extended in the future. The credkey is simply some unique string that identifies the credential. The password is assumed to be UTF8 that is base64 encoded. See src\Ghosts.Client\Infrastructure\SshSupport.cs for a list [reservedword] supported in Ssh commands

{
  "Status": "Run",
  "TimeLineHandlers": [
    {
      "HandlerType": "Ssh",
      "HandlerArgs": {
        "CommandTimeout": 1000, //max time to wait for new input from an SSH command execution
        "TimeBetweenCommandsMax": 5000, //max,min between individual SSH commands
        "TimeBetweenCommandsMin": 1000,
        "ValidExts": "txt;doc;png;jpeg", //used by [randomextension] reserved word, choose random extension from this list
        "CredentialsFile": "d:\\ghosts_data\\ssh_creds.json", //required, file path to a JSON file containing the SSH credentials
        "delay-jitter": 0 //optional, default =0, range 0 to 50, if specified, DelayAfter varied by delay-%jitter*delay to delay+%jitter*delay
      },
      "Initial": "",
      "UtcTimeOn": "00:00:00",
      "UtcTimeOff": "24:00:00",
      "Loop": "True",
      "TimeLineEvents": [
        {
          "Command": "random",
          "CommandArgs": [
            "<an IP>|<unique_key_from_credentials>|ls -lah;ls -ltrh;help;pwd;date;time;uptime;uname -a;df -h;cd ~;cd [remotedirectory];touch [randomname].[randomextension];mkdir [randomname]"  //<serverIP>|<credKey|<commmandList>
          ],
          "DelayAfter": 20000,
          "DelayBefore": 0
        }
      ]
    }
  ]
}

Instead of using an external credentials file specified by the HandlerArgs[CredentialsFile] key, the credentials can be placed directly in the timeline using the HandlerArgs[Credentials] key as shown below:

{
  "Status": "Run",
  "TimeLineHandlers": [
    {
      "HandlerType": "Ssh",
      "HandlerArgs": {
        "CommandTimeout": 1000, //max time to wait for new input from an SSH command execution
        "TimeBetweenCommandsMax": 5000, //max,min between individual SSH commands
        "TimeBetweenCommandsMin": 1000,
        "ValidExts": "txt;doc;png;jpeg", //used by [randomextension] reserved word, choose random extension from this list
        "Credentials": {
           "Version": "1.0",
           "Data": {
             "credkey1": {"username":"user1","password":"pw1base64"},
             "credkey2": {"username":"user2","password":"pw2base64"},
              ....
             "credkeyN": {"username":"userN","password":"pwNbase64"},
          }
        },
        "delay-jitter": 0 //optional, default =0, range 0 to 50, if specified, DelayAfter varied by delay-%jitter*delay to delay+%jitter*delay
      },
      "Initial": "",
      "UtcTimeOn": "00:00:00",
      "UtcTimeOff": "24:00:00",
      "Loop": "True",
      "TimeLineEvents": [
        {
          "Command": "random",
          "CommandArgs": [
            "<an IP>|<unique_key_from_credentials>|ls -lah;ls -ltrh;help;pwd;date;time;uptime;uname -a;df -h;cd ~;cd [remotedirectory];touch [randomname].[randomextension];mkdir [randomname]"  //<serverIP>|<credKey|<commmandList>
          ],
          "DelayAfter": 20000,
          "DelayBefore": 0
        }
      ]
    }
  ]
}

Placing the credentials directly in the timeline is a better approach if the GhostsApi server is used to update the timeline as this makes the timeline self-contained.