
I have a few pcaps of traffic for EAP-TTLS conversation, carried by RADIUS. I also have some being carried by EAPoL, but I think the answer to that case might be even less straightforward (though perhaps not necessarily so). In both cases I can view the EAP contents in Wireshark, and I can drill down as far as TLS negotiation/handshaking, and the encrypted TLS bytes.

It would be handy for me to see the contents of the encrypted data itself, as it contains yet further layers of the authentication exchange that I am investigating.

All of this has been generated using my own test-systems so I have all of the information available, certs etc. and I know what should be in the encrypted TLS data.

I have followed the Wireshark tutorial, pretty much to the letter. http://wiki.wireshark.org/SSL

But I am not having much luck with this, and I am worried that perhaps Wireshark only knows how to deal with less tricky TLS cases, i.e. your day to day, common or garden SSL protocols such as those running over TCP such as HTTP, SSH, RADIUS, SCP etc.

I'm looking at the slightly more complex case of SSL over EAP over RADIUS over UDP on the one hand, and the even more specialised SSL over EAP over EAPoL on the other.

I "think" I may be seeing the app-data decrypted in one or two of the EAP packets, where the handshake information is present, but this information doesn't seem to be getting carried across to the rest of them.

Could it be that I'm just too far out in the weeds here? Or maybe there's something I'm missing, it certainly seems like it should be possible.

I'm sure I can work around this somehow by decrypting offline (or perhaps using the NULL cypher) but I thought I'd be sure I've exhausted all avenues with wireshark first.

robert
  • this is a homework – Oct 17 '14 at 16:16
  • @begueradj Thank you for your advice. It is hardly constructive though, and the meaning of what you say is unclear. This is not a school homework assignment. It is also not the case that I have not "done my homework", if that is what you mean. Maybe you mean it is easy, in which case I would prefer you share your wisdom. This is a specific enquiry about the capabilities of Wireshark, that I am making here after exhausting the documentation and all possible Google searches. Thanks. – robert Oct 17 '14 at 16:40
  • @robert, Generally we don't help with school homework assignments, as the point is for the student to learn, and they won't learn if someone just gives them the correct answer. I believe this is what begueradj was referring to. Having said that, this doesn't look like homework to me. – Chris Murray Oct 20 '14 at 10:13
  • Thanks Chris, I understand the principle. However, it is apparent that begueradj did not read or fully understand the question. His glib remark is not constructive and I have flagged it as such. I am hoping mods will clean up these comments as they don't really add anything to the topic at hand. – robert Oct 20 '14 at 13:07

2 Answers

If you have RSA keys and the transport uses a non-DHE ciphersuite, you should be able to decrypt EAP-TLS with Wireshark. There was however a bug that got fixed in the development version (v1.99.10rc0-191-g5e635ad) and will end up in the 2.0 release.

At the moment you have to specify dummy values for the port number and such, but after that you should be able to decrypt EAP-TLS traffic. Go to Edit, Preferences, Protocols SSL, RSA keys list. Then fill in the following details:

  • IP address: any
  • Port: 0
  • Protocol: data (anything would work here)
  • Key File: path to your key file
  • Password: empty for PEM-formatted key files, a password for PKCS#12 formats otherwise.
Lekensteyn
    Thanks. I tried a few variations of this before, but it could be you've provided additional info I didn't have. I'll give it a go soon ... – robert Sep 21 '15 at 16:50
  • @robert There was a bug which prevented this from working, so no matter what option you had used, you could not get it to work with RSA key files within Wireshark. For **development** snapshot builds, see https://www.wireshark.org/download/automated/ – Lekensteyn Sep 22 '15 at 17:30

Robert - I recently was faced with the same issue. Wireshark does not decode SSL over EAP. What you can do is fake Wireshark out: take the entire SSL conversation, build it into a pseudo TCP session with the SSL data from the original EAP packets, and retransmit the frames. I used Python raw sockets to generate the TCP session and then captured the TCP session with Wireshark (note: you only need one PC; raw sockets allow you to generate frames with any source/dest combo). You set the SSL decryption just like you would if it were an original TCP session, setting the protocol field to eap instead of HTTP. Note the data will be decrypted, but EAP over SSL is not entirely interpreted correctly by Wireshark, so you may have to do some EAP header/data decoding by hand, but at least it won't be encrypted. Here is a link to an article by Cisco that gives more info on what I described above for EAP-PEAP decryption: https://supportforums.cisco.com/blog/154046.

Hope this helps

FemtoEng
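One way to do what this answer describes, as an added example that is neither FemtoEng's script nor the Cisco article's code: reassemble the fragmented EAP-TLS/EAP-TTLS payloads from already-decoded EAP packets and write them into a pcap as a fake TCP session on port 443, so Wireshark dissects the stream as ordinary TLS (and, with the RSA key configured, decrypts it). The EAP packets, IP addresses, ports and TLS record bodies below are constructed stand-ins, not taken from a real capture.

```python
import socket
import struct

EAP_TLS, EAP_TTLS, FLAG_L, FLAG_M = 13, 21, 0x80, 0x40  # EAP method types; L (length) and M (more) flag bits

def eap_tls_messages(eap_packets):
    # Reassemble EAP-TLS/EAP-TTLS fragments into whole TLS messages, in conversation order.
    # Returns [(eap_code, tls_bytes)]; code 1 = Request (server->peer), 2 = Response (peer->server).
    msgs, pending = [], {1: bytearray(), 2: bytearray()}
    for pkt in eap_packets:
        code, _ident, length = struct.unpack('!BBH', pkt[:4])
        if code not in pending or length < 6:          # Success/Failure (or truncated): no TLS data
            continue
        eap_type, flags, data = pkt[4], pkt[5], pkt[6:length]
        if eap_type not in (EAP_TLS, EAP_TTLS):
            continue
        if flags & FLAG_L:
            data = data[4:]                             # drop the 4-byte TLS message length field
        pending[code] += data
        if not flags & FLAG_M and pending[code]:        # last fragment; Start and ACK packets carry no data
            msgs.append((code, bytes(pending[code])))
            pending[code] = bytearray()
    return msgs

def pseudo_tcp_pcap(msgs, peer='10.0.0.1', server='10.0.0.2', port=443):
    # Emit the TLS messages as a fake TCP conversation on `port`, one PSH/ACK segment per message.
    # IP/TCP checksums are left zero; Wireshark does not verify them by default (assumed addresses).
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))   # pcap header, Ethernet link
    ends = {2: (peer, 40000), 1: (server, port)}   # EAP Responses come from the peer, i.e. the TCP client
    seq = {1: 1000, 2: 2000}                       # running sequence number per sender
    for i, (code, tls) in enumerate(msgs):
        (sip, sport), (dip, dport) = ends[code], ends[3 - code]
        tcp = struct.pack('!HHIIBBHHH', sport, dport, seq[code], seq[3 - code], 0x50, 0x18, 65535, 0, 0)
        ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(tls), i, 0, 64, 6, 0, socket.inet_aton(sip), socket.inet_aton(dip))
        frame = bytes(11) + b'\x01' + b'\x08\x00' + ip + tcp + tls   # placeholder MACs, EtherType IPv4
        out += struct.pack('<IIII', i, 0, len(frame), len(frame)) + frame
        seq[code] += len(tls)
    return bytes(out)

def _eap(code, ident, flags, data=b'', eap_type=EAP_TTLS):
    body = bytes([eap_type, flags]) + data
    return struct.pack('!BBH', code, ident, 4 + len(body)) + body

# Constructed sample exchange: TLS record bodies are dummy bytes, not real handshake messages.
CLIENT_HELLO = b'\x16\x03\x03\x00\x08' + b'C' * 8
SERVER_HELLO = b'\x16\x03\x03\x00\x06' + b'S' * 6
SAMPLE = [
    _eap(1, 1, 0x20),                                                                   # server: EAP-TTLS Start
    _eap(2, 1, FLAG_L | FLAG_M, struct.pack('!I', len(CLIENT_HELLO)) + CLIENT_HELLO[:7]),  # peer: fragment 1
    _eap(1, 2, 0),                                                                      # server: empty ACK
    _eap(2, 2, 0, CLIENT_HELLO[7:]),                                                    # peer: final fragment
    _eap(1, 3, 0, SERVER_HELLO),                                                        # server: whole message
]
```

Write `pseudo_tcp_pcap(eap_tls_messages(SAMPLE))` to a `.pcap` file, open it in Wireshark and add the RSA key for the server address and port 443 as in the answer above; on real captures feed the function the EAP packet bytes extracted from the RADIUS EAP-Message attributes or EAPoL frames.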