Wireshark-users: Re: [Wireshark-users] Trying to decode sshv2 traffic

From: Evan Huus <eapache@xxxxxxxxx>
Date: Tue, 17 Jun 2014 14:30:32 -0700
On Tue, Jun 17, 2014 at 2:28 PM, Luis EG Ontanon <luis@xxxxxxxxxxx> wrote:
To handle Diffie-Hellman exchanges what should be implemented is a
credentials-leaking protocol.

Two components, one in the ssh library that somehow leaks the
credentials,

Good luck convincing any ssh libraries to implement that :P
 
and one in Wireshark that uses the leaked info to
configure decryption.

IMHO using TCP OOB  would be excellent as it would match the same tcp
filter, but it has the problem that it goes all the way so is visible
in the entire path. Other alternative would be targeting UDP packets
towards the sniffer... Both create a major risk, but they can be very
helpful for development.

On Tue, Jun 17, 2014 at 4:17 PM, M Holt <m.iostreams@xxxxxxxxx> wrote:
> SSH uses Diffie-Hellman key exchange, which creates a shared 'ephemeral' key
> for encryption. As such, there is no current method of decrypting this type
> of traffic. For more info, take a look here:
> http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
>
>
> On Tue, Jun 17, 2014 at 1:41 PM, Ahmed Zaki <ahmed.mahmoudzaki@xxxxxxxxx>
> wrote:
>>
>> Thank you Jeff.
>>
>> Do you think we can submit it as a future enhancement?
>>
>>
>>
>> On Tue, Jun 17, 2014 at 8:16 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
>> wrote:
>>>
>>> On 06/17/14 12:59, Ahmed Zaki wrote:
>>>>
>>>> Dear All,
>>>>
>>>> I captured SSHV2 trace file between two servers, I want to see the
>>>> decrypted packets.
>>>>
>>>> Any ideas about how I can decrypt the packets?
>>>>
>>>> I believe it is possible to collect the public keys from both servers,
>>>> Is this going to help?
>>>
>>>
>>> Unfortunately, no.  The SSH dissector in Wireshark is not able to decrypt
>>> SSH packets.
>>>
>>> See:
>>>
>>> http://wiki.wireshark.org/SSH
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>>
>>
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe