Analyzing SSH packets in Wireshark


Priyesh Barge

Aug 2, 2013, 6:45:58 AM
to null-...@googlegroups.com
Hello,

I am trying to analyze SSH packets captured through Wireshark. I need to find a hidden message in these packets. I am not sure how to go ahead with this since I have to analyze SSH packets and they have encrypted data. I tried researching it on the internet and found that I need to know the key to decrypt the message that has been encrypted. I am not sure how I find this key. Can anyone please guide me here?


Thanks and Regards,
Priyesh Barge
Information Security Analyst
9821132795/8108197709

Anant Shrivastava

Aug 2, 2013, 8:27:21 AM
to null-...@googlegroups.com
Can you be more specific as to where you have captured the packet, or is it part of some CTF challenge that is running?

In any case, encrypted packet analysis using Wireshark, that too without knowing the certificate or encryption key, is near to impossible unless you are a crypto guru.



Anant Shrivastava 
GWAPT | CEH | RHCE
Mob : 91-9880166033
E-mail : an...@anantshri.info
Web : http://anantshri.info


--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
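What a capture still reveals without any key: the version banners and the KEXINIT algorithm negotiation are sent in the clear before NEWKEYS, so you can at least establish which key exchange, cipher and MAC the session used. This added example, not from the thread or any tool named in it, parses constructed KEXINIT packets using the RFC 4253 framing and applies the negotiation rule; the algorithm lists and the zeroed cookie are made up sample data.

```python
import struct
SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_ssh_packet(data):
    """Split one unencrypted SSH binary packet into (payload, trailing bytes)."""
    packet_length, padding_length = struct.unpack(">IB", data[:5])  # struct.error if < 5 bytes
    # packet_length covers the padding_length byte, payload and padding, not itself
    if padding_length < 4 or packet_length < padding_length + 1 or len(data) < 4 + packet_length:
        raise ValueError("inconsistent SSH packet lengths")
    return data[5:4 + packet_length - padding_length], data[4 + packet_length:]

def parse_kexinit(payload):
    """Return the algorithm name-lists a peer offered in its KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offered = 17, {}  # skip the message number and the 16-byte random cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        names = payload[pos + 4:pos + 4 + length].decode("ascii")
        offered[field] = names.split(",") if names else []
        pos += 4 + length
    offered["first_kex_packet_follows"] = bool(payload[pos])
    return offered

def negotiated(client, server, field):
    """RFC 4253 rule: the first client preference that the server also lists."""
    return next((a for a in client[field] if a in server[field]), None)

def build_kexinit_packet(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT packet; used here only to construct the sample input below."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        encoded = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(encoded)) + encoded
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved uint32
    padding = 4  # at least 4 bytes, and the whole packet must be a multiple of 8
    while (5 + len(body) + padding) % 8:
        padding += 1
    return struct.pack(">IB", len(body) + padding + 1, padding) + body + b"\x00" * padding

# Constructed sample (not from the thread's pcap): client offers two choices, server one.
CLIENT_PKT = build_kexinit_packet([
    ["curve25519-sha256", "diffie-hellman-group14-sha256"], ["ssh-ed25519", "rsa-sha2-512"],
    ["aes256-gcm@openssh.com", "aes128-ctr"], ["aes256-gcm@openssh.com", "aes128-ctr"],
    ["hmac-sha2-256"], ["hmac-sha2-256"], ["none", "zlib@openssh.com"], ["none", "zlib@openssh.com"], [], []])
SERVER_PKT = build_kexinit_packet([["diffie-hellman-group14-sha256"], ["rsa-sha2-512"],
    ["aes128-ctr"], ["aes128-ctr"], ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []])
```

On a real capture, feed the TCP payload of each side's first packet after the version banner into parse_ssh_packet; everything from NEWKEYS onward is ciphertext and only lengths and timing remain observable.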
 
 

Niraj Mohite

Aug 2, 2013, 9:32:14 AM
to null-...@googlegroups.com
"When another layer of encryption, such as SSL or SSH, is used, traffic will still be encrypted at that layer, and the user's communication will still be unreadable by a person with a packet sniffer." From Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems (hopefully you will read it). There are various courses on Wireshark packet analysis.

Yeah, absolutely, you require the public/private key (depends) for your decryption. (Giving you one small known URL for SSH key generation.) You can find the #ssh-keygen HOWTO here.

khusha...@gmail.com

Aug 2, 2013, 9:40:55 AM
to T
To establish a connection between client and server for SSL or SSH we require a public and private key, which usually start from 1024 bits onwards; for transmitting data from C2S, symmetric keys are used, meaning the same key is used for encryption and decryption, which usually start from 128, 256, 512 bits.

But to read data between C2S is not possible because the data transmission, which uses symmetric keys, works inside the two-key channel.
From: Niraj Mohite <nira...@gmail.com>
Date: Fri, 2 Aug 2013 06:32:14 -0700 (PDT)
Subject: [null] Re: Analyzing SSH packets in Wireshark
--

Priyesh Barge

Aug 6, 2013, 11:02:11 AM
to null-...@googlegroups.com
Hello,

Sorry for replying late. Thanks for all your replies. I tried and researched what you all said. Yes, it is difficult to decrypt SSH packets, but I would really like to find a way to do it. Maybe if I give you the Wireshark packet, some of you can help me with this. So here is the link to download the SSH packet: http://www.opensourcesolutions.in/SSH/SSH.html

Please if you can try and help me decrypt it.

Anant - This is not a part of any CTF challenge. This is just for my practice. I got this packet from one of my friends who was asked to crack it during an interview. I am not sure from where the packet is captured.

Please can someone help me with this. Thanks in advance.

Thanks and Regards,
Priyesh Barge
Information Security Analyst
9821132795/8108197709


Swift Forensics

Aug 7, 2013, 2:35:11 AM
to null-...@googlegroups.com
Dear Priyesh

Have you tried these tools?
  • ssh_kex_keygen: a tool to retrieve the Diffie-Hellman session key in an SSH conversation capture involving at least one OpenSSH running with a vulnerable OpenSSL. Key recovery will take half a minute on decent hardware.

    Be aware that this tool doesn't parse a pcap file, nor does it decipher the traffic for you; it has to be used in a higher-level program such as ssh_decoder in order to be useful.

  • ssh_decoder: a tool to decipher a ssh session from a pcap file (uses ssh_kex_keygen). This will allow you to retrieve passwords or public SSH keys used for authentication that may be vulnerable and to read older SSH traffic.


Regards

Rishi Narang

Aug 7, 2013, 2:44:28 AM
to null-...@googlegroups.com
Dear Priyesh,

If you have access to the system, then 'probably' you can do that. You need to extract the session state file from the process with haystack (preferably in pickled format). After that you can use a tool like sslsnoop-openssh in offline mode on the pcap dump.

Syntax: sslsnoop-openssh offline -sessionstate <file1> -pcapfile <file2> -sport <source port> -dport <destination port> ... 
Help: sslsnoop-openssh offline -h

Youtube Demo Links: http://goo.gl/AmfrpX and http://goo.gl/Vr3Tba 

Also, see if chaosreader with keydata (Link: http://chaosreader.sourceforge.net/) can be of any help. I am not sure if it can help only with the pcap. But, again worth a try.

In case you find a working solution or a magic trick, enlighten us as well :) Cheers.

--
Rishi Narang
Researcher | Consultant | Writer
Connect: Blog / LinkedIn / Twitter

