Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

TLSv1 packet contents decryption

Hello guys

I just want to ask if someone can help me with decrypting contents of one packet.

I have a capture of authentication process between a client and radius server when the client tries to authenticate. PEAP-MSCHAPv2 is being used.

I need to decrypt the data in the TLS tunnel that is formed between the client and the radius server. I have the private key already.

Capture.PNG

My questions are:

- Do I need to put all the encrypted data in all packets in one file before I decrypt them? or if I decrypted data from one packet then the decrypted will show plain readable text?

- In order to decrypt the data, it must be in binary format. If I save a hex simpoles in a text file that will be represented in a ASCII in the memory but what I need is to make the hex saved in binary format in memory. How can I do that? is there any FREE (or Full Trial) tool that can achieve this?

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"
6 REPLIES
Cisco Employee

TLSv1 packet contents decryption

Re: TLSv1 packet contents decryption

Thanks Mohammad,

I am aware about this process with wireshark to decrypt SSL but it does not fit for me.

In your method in the link you posted, we need to sepcify the server IP address, the encrypted protocol (http in the link you specified) and the port number of the packets that holds the TLS data (443 for https).

In my case; I have layer 2 packets that shows the traffic between a supplicant and a server before getting an IP.

it shows creation of PEAP TLS tunnel that is followed by 4-way handshake. I have no IP yet for the frames nor I have Layer 3 or above layers data.
So, all what I have is the encrypted form of the data in hex. I need to decrypt it with OpenSSL (as I said, I have the private key already). But the problem the data should be in binary format; in other words, the hex data should be represented in memory in same format. IF I save hex data in a text file they are being stored in ASCII in the memory ("1" will be represented in memory as 0x31, "A" will be saved as 0x41  and "a" saved as 0x61). What I want however is 1 saved as 0x1, "a" or "A" saved in memory as 0xA.

I found some hex editors that you can write bits that you want to save in hex and save it in memory. But they are trial version with some limitations.

I am aware I can use a programing languate to write series of bits to a file, but I don't want to install a compiler...etc. I want some tool that can do that quickly and safely.

I think I will finally fall back to use a powershell script that can does the same. using powershell I can (as I found) write hex data to a byte array and then save it as a file:

http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert

But if there is any easier GUI tool that will be great.

Thanks for your help man.

Amjad

Rating useful replies is more useful than saying "Thank you"

TLSv1 packet contents decryption

Guys,

I have now encrypted application data (highlighted in the image in my first post). I have public key and private key.

However, I am not able to decrypt the data whatsoever. Tried many times with OpenSSL but no luck. I don't know how to exactly decrypt it but I was searching and trying with no hope.

Does anyone knows how to decrypt the data? If not, then why they care about certificates? It seems all over any intruder or attacker will not be able to decrypt the data anyway

Please help, share whatever info you have about the topic. I need to get this done. It is a challenge.

Thank you all.

Amjad

Rating useful replies is more useful than saying "Thank you"

TLSv1 packet contents decryption

Well, I just remembered that the contents of the TLS tunnel need probably be EAP-MSCHAPv2 communication. But I am still not able to view the packet contents. :-(

Rating useful replies is more useful than saying "Thank you"

TLSv1 packet contents decryption

Hey Amjad,

Ive never tried to read what was inside the tunnel before. We know a few things. First its a symmetric tunnel. We also know you need to have the a cert and info inorder to read it ..

We also know its encryted twice, hence why they call is double tunnels. Its has a TLS outside with a inside MSCHAPv2.

Let me ask around and see if anyone I know has some ideas.

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________

TLSv1 packet contents decryption

Thanks George for your reply.

We'll, I just want to ask how the tunnel is symmeteric? Do you mean there is a symmetric key to encryp it?

I was wondering that the traffic from the client to the server is encrypted using the public key of the server, then what key encrypts the traffic from the server to the client? if that is encrypted with the private key of the server that will be available for everyone!

Do the server and the client agree on a session key that is used to encrypt all tunnel traffic?

After writing the first post above and after I've done some investiations I realized that there need to be full EAP-MSCHAPv2 communication inside the tunnel. My imagination about the EAP-MSCHAPv2 was that:

- It starts with identity reqeust and identity response.

- EAP-MSCHAPv2 does not use TLS and it is considered somehow weak method to be used alone.

So I tried to decrypt the encrypted data in first packet that contains encrypted traffic and I was assuming there will be identity request. However, after decryption with the private key I found the data does not meet with either EAP format or MSCHAPv2 format. So I think my decryption was somehow wrong (mbye the private key is not the correct key to use).

If you can any useful answer about this that will be highly appreciated.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"
2368
Views
5
Helpful
6
Replies
CreatePlease login to create content