Wireshark-users: Re: [Wireshark-users] Trying to decode sshv2 traffic

From: Luis EG Ontanon <luis@xxxxxxxxxxx>
Date: Tue, 17 Jun 2014 16:28:19 -0500
To handle Diffie-Hellman exchanges what should be implemented is a
credentials-leaking protocol.

Two components, one in the ssh library that somehow leaks the
credentials, and one in Wireshark that uses the leaked info to
configure decryption.

IMHO using TCP OOB  would be excellent as it would match the same tcp
filter, but it has the problem that it goes all the way so is visible
in the entire path. Other alternative would be targeting UDP packets
towards the sniffer... Both create a major risk, but they can be very
helpful for development.

On Tue, Jun 17, 2014 at 4:17 PM, M Holt <m.iostreams@xxxxxxxxx> wrote:
> SSH uses Diffie-Hellman key exchange, which creates a shared 'ephemeral' key
> for encryption. As such, there is no current method of decrypting this type
> of traffic. For more info, take a look here:
> http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
>
>
> On Tue, Jun 17, 2014 at 1:41 PM, Ahmed Zaki <ahmed.mahmoudzaki@xxxxxxxxx>
> wrote:
>>
>> Thank you Jeff.
>>
>> Do you think we can submit it as a future enhancement?
>>
>>
>>
>> On Tue, Jun 17, 2014 at 8:16 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
>> wrote:
>>>
>>> On 06/17/14 12:59, Ahmed Zaki wrote:
>>>>
>>>> Dear All,
>>>>
>>>> I captured SSHV2 trace file between two servers, I want to see the
>>>> decrypted packets.
>>>>
>>>> Any ideas about how I can decrypt the packets?
>>>>
>>>> I believe it is possible to collect the public keys from both servers,
>>>> Is this going to help?
>>>
>>>
>>> Unfortunately, no.  The SSH dissector in Wireshark is not able to decrypt
>>> SSH packets.
>>>
>>> See:
>>>
>>> http://wiki.wireshark.org/SSH
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>>
>>
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan