# Decrypting live SSH traffic in virtual environments

**Authors:** Peter McLaren, Gordon Russell, William J. Buchanan, Zhiyuan Tan

arXiv: 1907.10835 · 2019-07-26

## TL;DR

This paper introduces MemDecrypt, a framework that uses access to a virtual machine's memory to locate the cryptographic artefacts of a running SSH session and decrypt its live traffic. In the paper's experiments this exposes remote user credentials, transmitted file names and file contents, and lets malicious activity such as data exfiltration over SSH be detected and intercepted.

## Contribution

The paper presents a memory-analysis framework that recovers the artefacts needed to decrypt live SSH traffic from the memory of a virtual machine and applies them to captured packets, so that otherwise opaque malicious communications can be read and acted on quickly.

## Key findings

- MemDecrypt decrypts live SSH traffic of virtual machines using cryptographic artefacts discovered in their memory.
- For a live secure file transfer, the experiments recover the AES-encrypted remote user credentials, the transmitted file name and the file contents.
- The framework detects and intercepts exfiltration of confidential data over SSH.

## Abstract

Decrypting and inspecting encrypted malicious communications may assist crime detection and prevention. Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. This paper develops the MemDecrypt framework to investigate the discovery of encrypted artefacts in memory and applies the methodology to decrypting the secure communications of virtual machines. For Secure Shell, used for secure remote server management, file transfer, and tunnelling inter alia, MemDecrypt experiments rapidly yield AES-encrypted details for a live secure file transfer including remote user credentials, transmitted file name and file contents. Thus, MemDecrypt discovers cryptographic artefacts and quickly decrypts live SSH malicious communications including the detection and interception of data exfiltration of confidential data.
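The abstract describes a two-step pipeline (find cryptographic artefacts in memory, then use them on captured traffic) without giving code. The following Go program is an added illustration written for this summary, not the authors' MemDecrypt code or their exact method: it locates an AES-128 key in a memory image by the expanded-key-schedule check known from cold-boot key recovery (16 bytes followed by their own FIPS-197 expansion), then recovers the CTR counter by trial-decrypting a captured packet with every 16-byte window as the counter and keeping the one that yields valid RFC 4253 binary-packet framing. Everything it consumes is constructed inline and labelled as such: the 4 KiB "heap", the key and counter values, and the single `SSH_MSG_CHANNEL_DATA` packet. It assumes the session negotiated `aes128-ctr`, that the MAC has already been stripped from the captured ciphertext, and that the process keeps its key schedule byte-linearly as the standard expansion produces it; an implementation that stores round keys as host-order 32-bit words (OpenSSL's portable C path does) would need the scan to also try word-swapped layouts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// AES S-box built at start-up (inverse in GF(2^8), then the affine map) instead of a typed table.
var sbox [256]byte

func init() {
	for p, q := byte(1), byte(1); ; {
		p = p ^ p<<1 ^ 0x1b&-(p>>7) // p *= 3 in GF(2^8)
		q ^= q << 1                  // q /= 3, so q stays 1/p
		q ^= q << 2
		q ^= q << 4
		q ^= 0x09 & -(q >> 7)
		sbox[p] = q ^ (q<<1 | q>>7) ^ (q<<2 | q>>6) ^ (q<<3 | q>>5) ^ (q<<4 | q>>4) ^ 0x63
		if p == 1 {
			break
		}
	}
	sbox[0] = 0x63
}

// expandKey128 is the FIPS-197 key expansion: a 16-byte key to its 176-byte round-key schedule.
func expandKey128(key []byte) []byte {
	w := append(key[:16:16], make([]byte, 160)...) // fresh 176-byte slice starting with the key
	for i, rcon := 16, byte(1); i < 176; i += 4 {
		t := [4]byte{w[i-4], w[i-3], w[i-2], w[i-1]}
		if i%16 == 0 { // once per round: RotWord, SubWord, xor Rcon
			t = [4]byte{sbox[t[1]] ^ rcon, sbox[t[2]], sbox[t[3]], sbox[t[0]]}
			rcon = rcon<<1 ^ rcon>>7*0x1b
		}
		for j := range t {
			w[i+j] = w[i-16+j] ^ t[j]
		}
	}
	return w
}

// parseSSHPacket checks RFC 4253 §6 binary packet framing and returns the payload on success.
func parseSSHPacket(pt []byte) ([]byte, bool) {
	if len(pt) < aes.BlockSize || len(pt)%aes.BlockSize != 0 || len(pt) > 35004 {
		return nil, false
	}
	plen, pad := int(binary.BigEndian.Uint32(pt)), int(pt[4]) // packet_length, padding_length
	if plen+4 != len(pt) || pad < 4 || pad+1 > plen {
		return nil, false
	}
	return pt[5 : 4+plen-pad], true
}

// recoverSession pins the key wherever 16 bytes of mem are followed by their own expansion (the
// layout an in-memory AES context keeps; random, zero or text bytes never reproduce it), then finds
// the CTR counter by trying every 16-byte window and keeping the one that yields SSH framing.
func recoverSession(mem, ct []byte) (key, ctr, payload []byte, ok bool) {
	pt := make([]byte, len(ct))
	for k := 0; k+176 <= len(mem); k++ {
		if bytes.Equal(mem[k:k+176], expandKey128(mem[k:k+16])) {
			block, _ := aes.NewCipher(mem[k : k+16])
			for c := 0; c+aes.BlockSize <= len(mem); c++ {
				cipher.NewCTR(block, mem[c:c+16]).XORKeyStream(pt, ct)
				if p, good := parseSSHPacket(pt); good {
					return mem[k : k+16], mem[c : c+16], p, true
				}
			}
		}
	}
	return nil, nil, nil, false
}

// Constructed session secrets (not from any real host) used to fabricate the demo inputs.
var demoKey = []byte{0x3c, 0xa1, 0x0b, 0x5e, 0x77, 0x19, 0xd4, 0x82, 0x6f, 0xe3, 0x28, 0x9a, 0x45, 0xc7, 0x10, 0xbd}
var demoCtr = []byte{0x9e, 0x02, 0x6d, 0xf1, 0x44, 0xab, 0x30, 0x58, 0xc9, 0x17, 0xe6, 0x7b, 0x0a, 0xd2, 0x81, 0x3f}

// buildScenario fabricates what a real run reads from a VM snapshot and a pcap: a 4 KiB "heap" with
// a high-entropy decoy, the expanded key and the counter, plus one SSH_MSG_CHANNEL_DATA packet
// (channel 0, data < 256 bytes) under aes128-ctr, MAC omitted and padding left as zero bytes.
func buildScenario(key, ctr []byte, data string) (mem, ct []byte) {
	payload := append([]byte{94, 0, 0, 0, 0, 0, 0, 0, byte(len(data))}, data...)
	pad := 4 + (aes.BlockSize-(9+len(payload))%aes.BlockSize)%aes.BlockSize
	pkt := append(append(make([]byte, 5), payload...), make([]byte, pad)...)
	binary.BigEndian.PutUint32(pkt, uint32(1+len(payload)+pad))
	pkt[4] = byte(pad)
	block, _ := aes.NewCipher(key)
	cipher.NewCTR(block, ctr).XORKeyStream(pkt, pkt) // encrypt in place
	mem = make([]byte, 4096)
	copy(mem[0x400:], sbox[:])           // 256 high-entropy bytes that are not a schedule
	copy(mem[0x800:], expandKey128(key)) // the cipher context's expanded key
	copy(mem[0xc00:], ctr)               // the same context's current counter
	return mem, pkt
}

func main() {
	key, ctr, payload, ok := recoverSession(buildScenario(demoKey, demoCtr, "secret.txt: db_password=hunter2\n"))
	fmt.Printf("found=%v key=%x counter=%x payload=%q\n", ok, key, ctr, payload)
}
```

The schedule check needs no plaintext at all, which is what makes it usable on a snapshot taken before any traffic of interest; the counter search is the step that ties the memory artefacts to a specific captured packet, and the framing check (length field consistent with the ciphertext length, at least four bytes of padding) is strict enough that a wrong key or counter essentially never passes. On a real snapshot the scan runs over the SSH process's heap rather than a 4 KiB buffer, and a session using a different cipher (aes256-ctr, chacha20-poly1305) needs a different artefact check.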

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.10835/full.md

## Figures

6 figures with captions in the complete paper: https://tomesphere.com/paper/1907.10835/full.md

## References

52 references — full list in the complete paper: https://tomesphere.com/paper/1907.10835/full.md

---
Source: https://tomesphere.com/paper/1907.10835