topic Re: SSH Decryption in General Topics

SSH Decryption

djohnson229 — Thu, 02 May 2019 04:24:38 GMT

Hi. If my FW is doing SSH decryption and sending all decrypted traffic out of a mirror port where my Kali machine is, what tools would be able to "read" the username/password from the decrypted SSH traffic?

I was looking for something similar to what "dsniff" does for telnet;

TELNET : 10.1.1.1:23 -> USER: myuser PASS: mypassword

So basically, something similar to the above but for SSH. I was thinking this would be easy, as the traffic is already decrypted but I have spent a while Googling this with no joy.

Can anyone point me in the right direction?

Re: SSH Decryption

yllib1213 — Thu, 02 May 2019 14:10:53 GMT

You could just run Wireshark on your Kali machine and filter for SSH traffic. You should be able to see the decrypted information.

Re: SSH Decryption

djohnson229 — Fri, 03 May 2019 02:53:34 GMT

Thanks, I already know this. I was hoping for a more automated tool to extract username/passwords without manually going through packets in Wireshark.....

Re: SSH Decryption

OtakarKlier — Fri, 03 May 2019 17:45:11 GMT

Hello,

Not sure about Kali, however have you looked into SecurityOnion? Its a Ubuntu build that does packet capture and IDS. You might be able to setup a rule that looks for this and alerts. However not entirely sure. They have a KB and forum you can ask about this on.

Regards,

Re: SSH Decryption

djohnson229 — Wed, 08 May 2019 08:11:54 GMT

Interesting. I won't spend time setting this up and testing, unless I know whether it would work or not. I may check the KB and forums though, as you suggested.