[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using libssh to decrypt packets offline

Subject: Re: Using libssh to decrypt packets offline
From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
Reply-to: libssh@xxxxxxxxxx
Date: Fri, 02 Feb 2018 08:26:33 +0100
To: libssh@xxxxxxxxxx

On Friday, 2 February 2018 08:19:44 CET dibyendu.chakraborty@xxxxxxxxxxxx 
wrote:
> Hi,
> 
> I am trying to decode SSH encrypted packets in Wireshark using libssh
> (eventually). For this, I have written a sample program following the
> tutorials to connect to my localhost, authenticate myself, and run
> commands. I have captured these packet exchanges using tcpdump. I went
> through the code and found that I require several pieces of runtime
> information (which the libssh library can generate with some tweaking) -
> the cipher name, decrypt key, decrypt IV, if compression was used etc. Out
> of all these, I found that decrypt IV kept on changing with each packet Rx.
> On my system (Ubuntu 14.04.2 LTS), I found AES 256 (CTR) was used to
> encrypt/decrypt the packets.
> 
> My question is: If I modify libssh library to store decrypt key, decrypt IV,
> chipher name etc in a file when they are first generated (modify
> generate_session_keys) and later use them to decrypt packets offline (by
> invoking ssh_packet_socket_callback with a dummy session having decrypt
> key, decrypt IV etc previously generated), is there a way to calculate the
> value of decrypt IV before decrypting the nth packet?
> 
> Consider the following scenario:
> Libssh generated the keys, and I wrote them in a file. Then some data
> exchange happened. During this time, the decrypt IV has changed. Now I run
> tcpdump for some time and capture the subsequent packets. Now I want to
> decrypt these packets offline using the information that I had stored in
> the file. Out of all these, the initial decrypt IV that was generated is no
> longer valid. Is there a way to calculate the correct decrypt IV from the
> initial decrypt IV so that the packets captured by tcpdump could be
> decrypted properly. I'm guessing the algorithm to calculate the final
> decrypt IV from the initial decrypt IV will vary from one cipher to the
> next. Could you please provide some links about the algorithms that each
> cipher employ (that libssh supports)?

Or you just turn on pcap support in libssh ...

https://git.libssh.org/projects/libssh.git/tree/include/libssh/pcap.h


	Andreas

Follow-Ups:
RE: Using libssh to decrypt packets offline	<dibyendu.chakraborty@xxxxxxxxxxxx>

References:
Using libssh to decrypt packets offline	<dibyendu.chakraborty@xxxxxxxxxxxx>

Archive administrator: postmaster@lists.cynapses.org