This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
0
1

We set up a test environment to experiment with sniffing related attacks. Basically it is an Apache2 server using https authenticating against an LDAP Active Directory. We have several pcap captures using tcpdump, tshark and wireshark done while users were authenticating. As the authentication involves the external LDAP server Apache can't use other method than basic plain text, so it should be pretty straightforward for an attacker to capture the data, and use the private key (providing he somehow manage to get it) to obtain the login information and cause havoc.

Nevertheless, we haven't been able to replicate that scenario with wireshark. Here is part of the debug log:

ssl_init keys string:
10.0.4.19,443,http,/home/jkane/Temp/snakeoil.key
ssl_init found host entry 10.0.4.19,443,http,/home/jkane/Temp/snakeoil.key
ssl_init addr '10.0.4.19' port '443' filename '/home/jkane/Temp/snakeoil.key' password(only for p12 file) '(null)'
Private key imported: KeyID 2d:71:01:cc:75:09:3d:34:7d:ff:1b:6c:d2:aa:9e:44:...
ssl_init private key file /home/jkane/Temp/snakeoil.key successfully loaded
association_add TCP port 443 protocol http handle 0x7f3c2c1b46d0

dissect_ssl enter frame #146 (first time)
ssl_session_init: initializing ptr 0x7f3c146be980 size 672
  conversation = 0x7f3c146be720, ssl_session = 0x7f3c146be980
  record: offset = 0, reported_length_remaining = 3

dissect_ssl enter frame #151 (first time)
  conversation = 0x7f3c146be720, ssl_session = 0x7f3c146be980
  record: offset = 0, reported_length_remaining = 10

dissect_ssl enter frame #153 (first time)
  conversation = 0x7f3c146be720, ssl_session = 0x7f3c146be980
  record: offset = 0, reported_length_remaining = 4

dissect_ssl enter frame #817 (first time)
ssl_session_init: initializing ptr 0x7f3c146d4df0 size 672
  conversation = 0x7f3c146d4068, ssl_session = 0x7f3c146d4df0
  record: offset = 0, reported_length_remaining = 175
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 170, ssl state 0x00
association_find: TCP port 37364 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 166 bytes, remaining 175 
packet_from_server: is from server - FALSE
ssl_find_private_key server 10.0.4.19:443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #818 (first time)
ssl_session_init: initializing ptr 0x7f3c146d5188 size 672
  conversation = 0x7f3c146d4400, ssl_session = 0x7f3c146d5188
  record: offset = 0, reported_length_remaining = 175
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 170, ssl state 0x00
association_find: TCP port 37365 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 166 bytes, remaining 175

dissect_ssl enter frame #823 (first time)
  conversation = 0x7f3c146d4068, ssl_session = 0x7f3c146d4df0
  record: offset = 0, reported_length_remaining = 890
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 48, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 44 bytes, remaining 53 
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x39
  record: offset = 53, reported_length_remaining = 837
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 421, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 11 offset 58 length 417 bytes, remaining 479 
  record: offset = 479, reported_length_remaining = 411
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 397, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 12 offset 484 length 393 bytes, remaining 881 
  record: offset = 881, reported_length_remaining = 9
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 4, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl4_handshake iteration 1 type 14 offset 886 length 0 bytes, remaining 890

I notice 'no decoder available' in all segments, no idea why. The private key is the one Apache uses by default, and I made sure according to the documentation that the format is the right one http://wiki.wireshark.org/SSL

Any suggestions?

asked 09 Dec '11, 11:51

Jacob%20Kane's gravatar image

Jacob Kane
1122
accept rate: 0%

Thanks for the reply, you're totally right, we totally overlooked the whole cipher suite thing...

Great news actually! The current option in the table was changing the plataform to use NTLM as auth scheme.

(09 Dec '11, 13:31) Jacob Kane

The SSL session is using a DiffieHellman cipher (0x39 = TLS_DHE_RSA_WITH_AES_256_CBC_SHA). This means the session key is transferred encrypted with a dynamically generated keypair (instead of encrypted with the public key from the certificate). This means you can't decrypt this session with wireshark by providing the private key.

Have a look at the following for more info:

permanent link

answered 09 Dec '11, 12:41

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×637
×319
×165
×69
×8

question asked: 09 Dec '11, 11:51

question was seen: 26,882 times

last updated: 09 Dec '11, 13:31

p​o​w​e​r​e​d by O​S​Q​A