Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Trying to decode sshv2 traffic

From: Evan Huus <eapache () gmail com>
Date: Tue, 17 Jun 2014 14:30:32 -0700
On Tue, Jun 17, 2014 at 2:28 PM, Luis EG Ontanon <luis () ontanon org> wrote:


To handle Diffie-Hellman exchanges what should be implemented is a
credentials-leaking protocol.

Two components, one in the ssh library that somehow leaks the
credentials,



Good luck convincing any ssh libraries to implement that :P



and one in Wireshark that uses the leaked info to
configure decryption.

IMHO using TCP OOB  would be excellent as it would match the same tcp
filter, but it has the problem that it goes all the way so is visible
in the entire path. Other alternative would be targeting UDP packets
towards the sniffer... Both create a major risk, but they can be very
helpful for development.

On Tue, Jun 17, 2014 at 4:17 PM, M Holt <m.iostreams () gmail com> wrote:

SSH uses Diffie-Hellman key exchange, which creates a shared 'ephemeral'

key

for encryption. As such, there is no current method of decrypting this

type

of traffic. For more info, take a look here:
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange


On Tue, Jun 17, 2014 at 1:41 PM, Ahmed Zaki <ahmed.mahmoudzaki () gmail com

wrote:


Thank you Jeff.

Do you think we can submit it as a future enhancement?



On Tue, Jun 17, 2014 at 8:16 PM, Jeff Morriss <

jeff.morriss.ws () gmail com>

wrote:


On 06/17/14 12:59, Ahmed Zaki wrote:


Dear All,

I captured SSHV2 trace file between two servers, I want to see the
decrypted packets.

Any ideas about how I can decrypt the packets?

I believe it is possible to collect the public keys from both servers,
Is this going to help?



Unfortunately, no.  The SSH dissector in Wireshark is not able to

decrypt

SSH packets.

See:

http://wiki.wireshark.org/SSH



___________________________________________________________________________

Sent via:    Wireshark-users mailing list <

wireshark-users () wireshark org>

Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe







___________________________________________________________________________

Sent via:    Wireshark-users mailing list <

wireshark-users () wireshark org>

Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe






___________________________________________________________________________

Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org

Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe




--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org
?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: