TLSv1 packet contents decryption

Amjad Abdullah
VIP Alumni

Hello guys

I just want to ask if someone can help me with decrypting contents of one packet.

I have a capture of authentication process between a client and radius server when the client tries to authenticate. PEAP-MSCHAPv2 is being used.

I need to decrypt the data in the TLS tunnel that is formed between the client and the radius server. I have the private key already.

Capture.PNG

My questions are:

- Do I need to put all the encrypted data from all packets in one file before I decrypt them? Or if I decrypt data from one packet, will the decrypted data show as plain readable text?

- In order to decrypt the data, it must be in binary format. If I save hex symbols in a text file, they will be represented in ASCII in memory, but what I need is to have the hex saved in binary format in memory. How can I do that? Is there any FREE (or Full Trial) tool that can achieve this?

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks Mohammad,

I am aware of this process with Wireshark to decrypt SSL but it does not fit for me.

In your method in the link you posted, we need to specify the server IP address, the encrypted protocol (http in the link you specified) and the port number of the packets that hold the TLS data (443 for https).

In my case, I have layer 2 packets that show the traffic between a supplicant and a server before getting an IP.

It shows creation of the PEAP TLS tunnel that is followed by the 4-way handshake. I have no IP yet for the frames, nor do I have Layer 3 or above layers data.
So, all I have is the encrypted form of the data in hex. I need to decrypt it with OpenSSL (as I said, I have the private key already). But the problem is that the data should be in binary format; in other words, the hex data should be represented in memory in the same format. If I save hex data in a text file they are being stored in ASCII in memory ("1" will be represented in memory as 0x31, "A" will be saved as 0x41 and "a" saved as 0x61). What I want, however, is 1 saved as 0x1, "a" or "A" saved in memory as 0xA.

I found some hex editors where you can write the bits that you want to save in hex and save them in memory. But they are trial versions with some limitations.

I am aware I can use a programming language to write a series of bits to a file, but I don't want to install a compiler...etc. I want some tool that can do that quickly and safely.

I think I will finally fall back to using a PowerShell script that can do the same. Using PowerShell I can (as I found) write hex data to a byte array and then save it as a file:

http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert

But if there is any easier GUI tool that will be great.

Thanks for your help man.

Amjad

Rating useful replies is more useful than saying "Thank you"
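
The hex-to-binary step described in the post above, as an added example that is not part of the original thread and is not taken from the linked SANS article. It turns pasted hex text into raw bytes, writes them to a file, and walks the TLS record headers so you can see where each record starts and ends. The function names `ConvertFrom-HexText` and `Get-TlsRecord`, the output file name `tls-records.bin`, and the sample hex are all assumptions made for illustration.

```powershell
# Added example. The sample hex below is constructed, not taken from the capture.
function ConvertFrom-HexText {
    param([Parameter(Mandatory)][string]$Text)
    # Drop whitespace, colons, commas and 0x prefixes that copy/paste tends to add.
    $hex = $Text -replace '0x', '' -replace '[\s:,]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]*$') { throw 'Input contains non-hex characters.' }
    if ($hex.Length % 2) { throw 'Odd number of hex digits.' }
    $bytes = New-Object byte[] ($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        # "41" becomes the single byte 0x41, not the ASCII bytes 0x34 0x31.
        $bytes[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
    }
    return ,$bytes
}

function Get-TlsRecord {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $types = @{ 20 = 'change_cipher_spec'; 21 = 'alert'; 22 = 'handshake'; 23 = 'application_data' }
    $pos = 0
    # Each TLS record starts with a 5-byte header: type, version (2 bytes), length (2 bytes).
    while ($pos + 5 -le $Bytes.Length) {
        $len = [int]$Bytes[$pos + 3] * 256 + [int]$Bytes[$pos + 4]
        if ($pos + 5 + $len -gt $Bytes.Length) {
            Write-Warning "Record at offset $pos is truncated: header says $len bytes."
            break
        }
        $payload = New-Object byte[] $len
        [Array]::Copy($Bytes, $pos + 5, $payload, 0, $len)
        [pscustomobject]@{
            Offset  = $pos
            Type    = $types[[int]$Bytes[$pos]]
            Version = '{0}.{1}' -f $Bytes[$pos + 1], $Bytes[$pos + 2]   # 3.1 is TLS 1.0
            Length  = $len
            Payload = $payload
        }
        $pos += 5 + $len
    }
}

# Constructed sample: two TLS 1.0 application_data records with dummy payloads.
$sample = @'
17 03 01 00 08 a1 b2 c3 d4 e5 f6 07 18
17:03:01:00:04:de:ad:be:ef
'@
$raw = ConvertFrom-HexText $sample
[System.IO.File]::WriteAllBytes((Join-Path $PWD 'tls-records.bin'), $raw)
Get-TlsRecord $raw | Format-Table Offset, Type, Version, Length
```

Paste only the bytes of the TLS layer, not the EAPOL/EAP headers in front of them. Records of type `application_data` are protected with the symmetric session keys negotiated during the handshake, so their payload is not something an RSA private-key operation decrypts directly.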

Amjad Abdullah
VIP Alumni

Guys,

I have now encrypted application data (highlighted in the image in my first post). I have public key and private key.

However, I am not able to decrypt the data whatsoever. Tried many times with OpenSSL but no luck. I don't know how to exactly decrypt it but I was searching and trying with no hope.

Does anyone know how to decrypt the data? If not, then why do they care about certificates? It seems overall that any intruder or attacker will not be able to decrypt the data anyway.

Please help, share whatever info you have about the topic. I need to get this done. It is a challenge.

Thank you all.

Amjad

Rating useful replies is more useful than saying "Thank you"

Well, I just remembered that the contents of the TLS tunnel probably need to be EAP-MSCHAPv2 communication. But I am still not able to view the packet contents. :-(

Rating useful replies is more useful than saying "Thank you"

Hey Amjad,

I've never tried to read what was inside the tunnel before. We know a few things. First, it's a symmetric tunnel. We also know you need to have a cert and info in order to read it.

We also know it's encrypted twice, hence why they call it double tunnels. It has TLS outside with MSCHAPv2 inside.

Let me ask around and see if anyone I know has some ideas.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks George for your reply.

Well, I just want to ask how the tunnel is symmetric? Do you mean there is a symmetric key to encrypt it?

I was wondering: the traffic from the client to the server is encrypted using the public key of the server, then what key encrypts the traffic from the server to the client? If that is encrypted with the private key of the server, that will be available for everyone!

Do the server and the client agree on a session key that is used to encrypt all tunnel traffic?

After writing the first post above and after I've done some investigations I realized that there needs to be full EAP-MSCHAPv2 communication inside the tunnel. My imagination about EAP-MSCHAPv2 was that:

- It starts with identity request and identity response.

- EAP-MSCHAPv2 does not use TLS and it is considered a somewhat weak method to be used alone.

So I tried to decrypt the encrypted data in the first packet that contains encrypted traffic and I was assuming there would be an identity request. However, after decryption with the private key I found the data does not match either EAP format or MSCHAPv2 format. So I think my decryption was somehow wrong (maybe the private key is not the correct key to use).

If you can give any useful answer about this, that will be highly appreciated.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"