Analysis of SSH connection using Wireshark
Using Wireshark to analyze an SSH connection
Table Of Content
- Introduction
- Wireshark setup
- SSH server setup
- SSH Connect
- Packet Analysis
- Conclusion
Introduction
Wireshark
is a packet analyzer to monitor the incoming and outgoing of packet
transmission of a computer. I have already made a blog about Wireshark click this link.
OpenSSH is
a tool that provide encrypted communication between computers over an unsecured
network. I also have a blog on OpenSSH and the post-quantum cryptography too. Click this link.
The
installation steps to both Wireshark and OpenSSH are available on the blog.
In this
blog, I am going to analyze the packet transmission between 2 computers in an
SSH connection.
I am going to use 2 laptops. On laptop runs Ubuntu Linux 22.04 and the other I am running Kali Linux in a VirtualBox VM on windows 11. Ubuntu is the host machine and Kali is the client machine.
Lets setup Wireshark on both Linux.
sudo wireshark
This will launch Wireshark.
Then enter the Wi-Fi packet capture. Since my Ubuntu machine is connected to Wi-Fi. If you are using Ethernet cable, then choose the Ethernet packet capture.
It should then look like this:
Wi-Fi capture window |
The capture should start automatically.
Lets starts the SSH server in Ubuntu
sudo service start ssh
To check if the SSH is working properly use the command
sudo service status ssh
Start OpenSSH server |
ip a
Connect the machine
Then on our Kali, connect to the host
ssh <login username>@<IP of host machine>
Connect to server |
After the connection is made, play with the console like some simple commands like:
- change directory cd
- list directory ls
- print current working directory pwd
exit
Packet Analysis
We can stop capturing packets now. The packets captured will not only have SSH but have other packets like packets for web browsers, apps, or other stuff. To have only the SSH packets, I will apply a packer filter. SSH has a specific default port 22, we can filter out using said port.
using tcp.port == 22 OR tcp.port eq 22. The eq means equal.
Add filter |
After applying the filter, we can notice that the amount of packet in the list decreases, leaving us with only packets with port 22.
Filter applied |
Here in this picture, we can see the key exchange initialization from the server and the client. If we open the packet detail, we can see under key exchange, the kex_algorithms string, there is sntrup761x25519-sha512@openssh.com. It is the NTRU Prime algorithm that is being used to encrypt the packets. As stated in my previous blog, NTRU Prime is a candidate for post quantum encryption algorithm. Read mu article about it here.
The method of key exchanged used is Diffie-Hellman key exchange algorithm
Diffie-Hellman Key Exchange Algorithm |
DH (Diffie-Hellman) Key Exchange is a method of key exchange protocol between 2 machine communicating over a public network. It uses symmetric cryptography.
Conclusion
This little experiment was very interesting. This should be the basic use of Wireshark. Wireshark is much more complex than this. But not to be scared, above in the I have linked to a deep-dive in Wireshark playlist here.
Comments
Post a Comment