
Ignored unknown packet

asked 2021-10-25 15:58:39 +0000

Newbie here for Wireshark :)

During a pentest someone did for us they came to the conclusion that sometimes our TLS 1.2 traffic is in cleartext. I'm trying to figure out whether this is a poorly written app which seems (according to the pcap file of the pentester) to send information over TLS 1.2 in clear text, or whether something else is going on.

It states about 4200 "ignored unknown packet" messages. Some of the pcap lines do indeed contain readable information which is supposed to be encrypted (password and username are visible).

Is this perhaps a setting that makes Wireshark decrypt packets? Or might the app be sending unencrypted info via TLS 1.2?


Comments

Or might the app be sending unencrypted info via TLS 1.2 ?

This is the most likely cause. In some cases, Wireshark can decrypt TLS but you would have to configure the system to specific settings (see the Wiki) and then prep Wireshark with access to the crypto material. If you did not do this, then the issue is real. It would not be the first time unprotected data ends up in a TLS stream.

Bob Jones (2021-10-25 16:41:02 +0000)

1 Answer


answered 2021-10-25 18:45:14 +0000

André

What happens when you enable "Reassemble out-of-order segments" in the TCP protocol preferences?

Anyway, any clear text will be easy to spot when you use "Follow TCP Stream".


Comments

When I enable reassemble out-of-order segments, it no longer states "Ignored unknown packet". It now says "TCP segment of a reassembled PDU".

Did follow the TCP stream, and now everything (1704 words) is readable in clear text. Looks like queries to a database and config items. Think I also see a password in there.

donkerg (2021-10-25 21:26:09 +0000)

Did you capture the TLS Server Hello handshake? Then you see what cipher was used. I assume a NULL cipher.

I've seen that before, used by middleware to minimize the CPU load -- with the on-premise network considered safe -- while still using TLS to verify authentication and prevent message tampering.

André (2021-10-26 20:57:29 +0000)

Regrettably, the TLS hello seems not to be in the pcap file. But I agree that this software perhaps might be poorly written and uses a null cipher.

donkerg (2021-10-27 06:13:17 +0000)
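André's check above (look at the Server Hello, read the negotiated cipher suite, suspect a NULL cipher) can be scripted when the handshake is available. The following is an added example, not code from this thread or from Wireshark: it parses a TLS ServerHello record and reports whether the chosen suite is a NULL-encryption suite, which is what makes a genuine TLS stream fully readable in Follow TCP Stream. The ServerHello bytes are constructed inline and the helper names are my own.

```python
import struct

# TLS cipher suites whose bulk cipher is NULL (no confidentiality). The
# handshake, MAC and server authentication still work, so the stream really
# is TLS, yet every application byte is readable. Values: IANA TLS registry.
NULL_CIPHER_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0xC001: "TLS_ECDH_ECDSA_WITH_NULL_SHA",
    0xC006: "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    0xC00B: "TLS_ECDH_RSA_WITH_NULL_SHA",
    0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHA",
    0xC015: "TLS_ECDH_anon_WITH_NULL_SHA",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (RFC 5246, 7.4.1.3)."""
    if len(record) < 5 or record[0] != 0x16:      # ContentType: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:          # HandshakeType: server_hello
        raise ValueError("record does not start with a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) ...
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    pos = 35 + sid_len
    if pos + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {
        "version": version,
        "cipher_suite": suite,
        "suite_name": NULL_CIPHER_SUITES.get(suite, f"0x{suite:04X}"),
        "null_cipher": suite in NULL_CIPHER_SUITES,
    }

def build_server_hello(cipher_suite: int, version: int = 0x0303) -> bytes:
    """Constructed sample input: minimal ServerHello record, no extensions."""
    hello = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake
```

On a real capture that does contain the handshake, the same field can be pulled straight from Wireshark's dissector with `tshark -r capture.pcap -Y "tls.handshake.type == 2" -T fields -e tls.handshake.ciphersuite` and compared against the NULL suites listed above.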
