Discussion:
Trying to decode sshv2 traffic
Ahmed Zaki
2014-06-17 16:59:12 UTC
Dear All,

I captured SSHV2 trace file between two servers, I want to see the
decrypted packets.

Any ideas about how I can decrypt the packets?

I believe it is possible to collect the public keys from both servers. Is
this going to help?

Thank you & Kind regards,
Ahmed
Jeff Morriss
2014-06-17 17:16:04 UTC
Post by Ahmed Zaki
Dear All,
I captured SSHV2 trace file between two servers, I want to see the
decrypted packets.
Any ideas about how I can decrypt the packets?
I believe it is possible to collect the public keys from both servers.
Is this going to help?
Unfortunately, no. The SSH dissector in Wireshark is not able to
decrypt SSH packets.

See:

http://wiki.wireshark.org/SSH
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Ahmed Zaki
2014-06-17 20:41:05 UTC
Thank you Jeff.

Do you think we can submit it as a future enhancement?
M Holt
2014-06-17 21:17:21 UTC
SSH uses Diffie-Hellman key exchange, which creates a shared 'ephemeral'
key for encryption. As such, there is no current method of decrypting this
type of traffic. For more info, take a look here:
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
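M Holt's point above, as an added example that is not from this thread, from Wireshark or from any SSH implementation: a minimal model of the SSH Diffie-Hellman exchange and the RFC 4253 key derivation, showing that only e, f and the host key cross the wire while the session keys come from a secret exponent the sniffer never sees. It assumes a constructed toy group (p = 1019, g = 2) and constructed version and KEXINIT strings; the host-key blob is a placeholder.

```python
import hashlib

# Added example, not code from the thread or from Wireshark: a minimal model of SSH's
# Diffie-Hellman key exchange and key derivation (RFC 4253 sections 7.2 and 8).
# The group is a CONSTRUCTED toy (safe prime 1019, generator 2). Real methods such as
# diffie-hellman-group14-sha1 use a 2048-bit MODP group, which makes the last function
# below hopeless; that is why a capture plus the hosts' public keys cannot be decrypted.
P, G = 1019, 2

def mpint(n):
    """RFC 4251 mpint: 4-byte length, then big-endian two's complement (n >= 0 here)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # spare byte keeps sign bit clear
    return len(body).to_bytes(4, "big") + body

def sshstr(b):
    """RFC 4251 string: 4-byte length, then the bytes."""
    return len(b).to_bytes(4, "big") + b

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k):
    """H = HASH(V_C||V_S||I_C||I_S||K_S||e||f||K), SHA-1 as in group14-sha1 (RFC 4253 s.8)."""
    data = sshstr(v_c) + sshstr(v_s) + sshstr(i_c) + sshstr(i_s) + sshstr(k_s)
    return hashlib.sha1(data + mpint(e) + mpint(f) + mpint(k)).digest()

def derive_key(k, h, letter, session_id, length):
    """RFC 4253 s.7.2: K1 = HASH(K||H||X||session_id), Kn = HASH(K||H||K1||...||K(n-1))."""
    out = hashlib.sha1(mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha1(mpint(k) + h + out).digest()
    return out[:length]

def session(x, y, host_key=b"<constructed host public key blob>"):
    """One exchange with client secret x and server secret y; returns what each side holds."""
    e, f = pow(G, x, P), pow(G, y, P)                # e and f cross the wire in KEXDH_INIT/REPLY
    k_client, k_server = pow(f, x, P), pow(e, y, P)  # K itself is never transmitted
    h = exchange_hash(b"SSH-2.0-demo_client", b"SSH-2.0-demo_server",
                      b"KEXINIT-C", b"KEXINIT-S", host_key, e, f, k_client)
    return {"wire": {"e": e, "f": f, "host_key": host_key},   # everything a sniffer sees
            "client_c2s_key": derive_key(k_client, h, b"C", h, 16),
            "server_c2s_key": derive_key(k_server, h, b"C", h, 16)}

def eavesdropper_recover(wire, max_tries):
    """The only route from a capture to K: solve g^x = e. Feasible in the toy group,
    not in a 2048-bit one; the host key in the capture does not shorten this."""
    for x in range(1, max_tries):
        if pow(G, x, P) == wire["e"]:
            return x
    return None
```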
Luis EG Ontanon
2014-06-17 21:28:19 UTC
To handle Diffie-Hellman exchanges what should be implemented is a
credentials-leaking protocol.

Two components, one in the ssh library that somehow leaks the
credentials, and one in Wireshark that uses the leaked info to
configure decryption.

IMHO using TCP OOB would be excellent as it would match the same tcp
filter, but it has the problem that it goes all the way so it is visible
in the entire path. Another alternative would be targeting UDP packets
towards the sniffer... Both create a major risk, but they can be very
helpful for development.
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
Evan Huus
2014-06-17 21:30:32 UTC
Post by Luis EG Ontanon
To handle Diffie-Hellman exchanges what should be implemented is a
credentials-leaking protocol.
Two components, one in the ssh library that somehow leaks the
credentials,
Good luck convincing any ssh libraries to implement that :P
Post by Luis EG Ontanon
and one in Wireshark that uses the leaked info to
configure decryption.
IMHO using TCP OOB would be excellent as it would match the same tcp
filter, but it has the problem that it goes all the way so is visible
in the entire path. Other alternative would be targeting UDP packets
towards the sniffer... Both create a major risk, but they can be very
helpful for development.