Ask Your Question
0

Decrypting PPPoTLS traffic

asked 2023-11-19 10:39:32 +0000

Leetanizer gravatar image

Hello everyone, I've a packet capture with PPPoTLS (Point-to-Point Protocol over TLS) traffic in it. I'm capturing the SSL vpn traffic comming from a client to an SSL VPN server.

I was able to get the pre-master key and decrypt the traffic in wireshark successfully. However, once decrypted, wireshark doesn't seem to recognize the PPP traffic inside TLS.

All wireshark displays is "Protocol: HTTP, Info: Continuation", in the HTTP layer I see only Data with hex values in it. I tried to : right click on a packet > decode as.. > and change from HTTP to PPP, but PPP is not even an option.

Could you please help me to make wiresharke display the PPP traffic ?

Many thanks, Karim

edit retag flag offensive close merge delete

Comments

Are you able to share the TLS pre-master secret key and the pcap of a test session to have a look at?

SYN-bit gravatar imageSYN-bit ( 2023-11-19 10:45:31 +0000 )edit

Hello

thanks for your replay,

Yes of course, you can find below a GoogleDrive link where you can download a test.pcap + test.pms txt file. It's a very small pcap (1.2Mo) and there is no sensitive information on this pcap. If we are able to make wireshakre decode the PPP traffic, we would be able to see a ping from the remote SSL VPN client to one internal IP.

By the way, I took the PCAP on an F5 loadbalancer (which acts as the SSL Server). I make the Loadbalancer add some debug information in each packets, it might be usefull to make sure that : Analys > Enabled Protocols > "F5 Ethrnet trailer, F5ethtrailer, F5 TLS, FILEINFO, f5fileinfo, Noise" are checked, for you to be able to see all packet correctly decoded.

https://drive.google.com/drive/folder...

You use the following filter to see the TLS ...(more)

Leetanizer gravatar imageLeetanizer ( 2023-11-19 10:58:34 +0000 )edit

Great that you are able to share the files. Something went wrong with the link though, could you correct the Gdrive link?

SYN-bit gravatar imageSYN-bit ( 2023-11-19 11:07:19 +0000 )edit

Oh, of course. This one should be OK (i verified it using another PC and worked fine) : https://drive.google.com/drive/folder...

Leetanizer gravatar imageLeetanizer ( 2023-11-19 11:10:57 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-11-19 12:37:32 +0000

SYN-bit gravatar image

Seems the PPP frames are pre-pended by a header of 0xf5 and 3 bytes with the length of the PPP frame. My guess is that this a custom format used by F5. So to be able to decode the PPP frames in Wireshark, a dissector needs to be written that takes the decrypted TLS data, decodes the custom header and then passes the remaining data to the PPP dissector. Also some logic must be added that it does this only for traffic that started of with the HTTP request/response for setting up the SSL-VPN tunnel.

A quick-and-dirty Lua post-dissector script might do the job if you don't care about false positives and just want the PPP frames decoded.

edit flag offensive delete link more

Comments

Many thanks for your quick replay Sake, never wrote a dissector before but I'll give it a try and let you know if it did work. May I ask how did you manage to find the PPP frames are prepanded by the "0xf5" followed by the 3bytes ? Because when I look at let's say packet #399, the first bytes of the data field is "00 00 00 00 00 00 00 01 01..etc) there doesn't seem to include the "0xf5" bytes... am I missing something? Many thanks, Karim

Leetanizer gravatar imageLeetanizer ( 2023-11-19 18:02:55 +0000 )edit

I was looking for an indication of an IP packet, and found them in tcp stream 14. For instance, frame 1857 is a ping packet from 10.20.1.2 (0a:14:01:02 in hex) to 172.16.20.1 *ac:10:14:01 in hex) and you can see the payload (abcde...) easily. The IP packet itself starts with 45:00:00... and is prepended with 21, the content type for IP within PPP.

Then in front of the 21 are f5:00:00:3d, where 3d is the length of the PPP PDU (from 21:45:00:00 till the end of the packet). So I'm assuming the f5 at the beginning is just a magic number and the 00:00:3d is the length (I can see the second octet being used for the length on larger packets and as an IP datagram can be ...(more)

SYN-bit gravatar imageSYN-bit ( 2023-11-19 20:41:44 +0000 )edit

Hi, Many thanks for the explanations and help :) Karim

Leetanizer gravatar imageLeetanizer ( 2023-11-21 22:53:02 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-11-19 10:39:32 +0000

Seen: 369 times

Last updated: Nov 19 '23