Decrypt IPsec traffic with Wireshark

I’ve set up an IPsec VPN link between a Cisco router and a Linux box to demo the ESP decryption feature of Wireshark.

With both sides of the IPsec link configured, it’s time to test from the Cisco router:

ping 192.168.3.1 source 192.168.2.1 size 123 data CAFE
Type escape sequence to abort.
Sending 5, 123-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1 
Packet has data pattern 0xCAFE
..!!!
Success rate is 80 percent (3/5), round-trip min/avg/max = 1/3/4 ms

Success! The first two dots are there because it took a couple of seconds to bring up the tunnel: the first echoes are dropped while IKE negotiates the SAs.


As you can see in the following trace, taken on the Linux end (10.100.100.100), the ICMP request shows up unencrypted, with ESP packets right before and right after it. Could those be the ICMP replies?

No.  Time      Source          Destination     Protocol  Info                                                          Absolute time
 12  6.376835  10.100.100.200  10.100.100.100  ESP       ESP (SPI=0x09bfd93b)                                          2011-07-17 20:36:08.629993
 13  6.376835  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=1/256, ttl=255)   2011-07-17 20:36:08.629993
 14  6.376933  10.100.100.100  10.100.100.200  ESP       ESP (SPI=0x8134dedc)                                          2011-07-17 20:36:08.630091
 15  6.383264  10.100.100.200  10.100.100.100  ESP       ESP (SPI=0x09bfd93b)                                          2011-07-17 20:36:08.636422
 16  6.383264  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=2/512, ttl=255)   2011-07-17 20:36:08.636422
 17  6.383348  10.100.100.100  10.100.100.200  ESP       ESP (SPI=0x8134dedc)                                          2011-07-17 20:36:08.636506
 18  6.385546  10.100.100.200  10.100.100.100  ESP       ESP (SPI=0x09bfd93b)                                          2011-07-17 20:36:08.638704
 19  6.385546  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=3/768, ttl=255)   2011-07-17 20:36:08.638704
 20  6.385614  10.100.100.100  10.100.100.200  ESP       ESP (SPI=0x8134dedc)                                          2011-07-17 20:36:08.638772
 21  6.387761  10.100.100.200  10.100.100.100  ESP       ESP (SPI=0x09bfd93b)                                          2011-07-17 20:36:08.640919
 22  6.387761  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=4/1024, ttl=255)  2011-07-17 20:36:08.640919
 23  6.387827  10.100.100.100  10.100.100.200  ESP       ESP (SPI=0x8134dedc)                                          2011-07-17 20:36:08.640985

Now, gather the information Wireshark requires to decode the ESP traffic: for each SA, its SPI, the two algorithms and the session keys. Note that some implementations, Cisco IOS among them, have no command that discloses the keys; there it is still possible to find them in the IOS arcana by drilling into a core dump and looking for the right hex strings. On Linux, the ip xfrm state command displays the automatically generated, session-specific encryption and authentication keys of every SA known to the kernel. Two caveats: these keys are only valid for the lifetime of that SA, so a capture taken after a rekey needs the new ones; and whoever can read them (root on the endpoint) can decrypt everything on the tunnel, so handle that output like a private key.

$ sudo ip xfrm state
src 10.100.100.100 dst 10.100.100.200
	proto esp spi 0x8134dedc reqid 0 mode tunnel
	replay-window 4
	auth hmac(md5) 0xa45c1bde51d20a61381025a1d55b675f
	enc cbc(des3_ede) 0x7926ddbf7170fe9ece55bffede0e74e5a0b532958bcd0bc2
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.100.100.200 dst 10.100.100.100
	proto esp spi 0x09bfd93b reqid 0 mode tunnel
	replay-window 4
	auth hmac(md5) 0x09be7b297316b0085a5c99fd59745b54
	enc cbc(des3_ede) 0xe4f6a1c56f8c31ff6c76a3ac24f284aaeb3a653cde839dcd
	sel src 0.0.0.0/0 dst 0.0.0.0/0

The first entry is the SA Linux uses to send (outer source 10.100.100.100, SPI 0x8134dedc), the second the one the Cisco uses towards Linux (SPI 0x09bfd93b): the same two SPIs that show up in the ESP frames above. Both directions use 3DES-CBC for encryption and HMAC-MD5 for authentication.

Now, open the Wireshark preferences for the ESP protocol (Edit > Preferences > Protocols > ESP) and fill them in with the gathered information:

  • Tick the ‘Attempt to detect/decode encrypted ESP payloads’ box
  • SA #1: IPv4|10.100.100.100|10.100.100.200|0x8134dedc
  • Encryption algorithm #1: TripleDES-CBC [RFC2451]
  • Authentication algorithm #1: HMAC-MD5-96 [RFC2403]
  • Encryption Key #1: 0x7926ddbf7170fe9ece55bffede0e74e5a0b532958bcd0bc2
  • Authentication Key #1: 0xa45c1bde51d20a61381025a1d55b675f
  • SA #2: IPv4|10.100.100.200|10.100.100.100|0x09bfd93b
  • Encryption algorithm #2: TripleDES-CBC [RFC2451]
  • Authentication algorithm #2: HMAC-MD5-96 [RFC2403]
  • Encryption Key #2: 0xe4f6a1c56f8c31ff6c76a3ac24f284aaeb3a653cde839dcd
  • Authentication Key #2: 0x09be7b297316b0085a5c99fd59745b54

The SA string is the outer source, the outer destination and the SPI of the ESP packets, in that order, exactly as ip xfrm state prints them, and the keys keep their 0x prefix. Newer Wireshark versions present the same fields as rows of an “ESP SAs” table instead of numbered preferences.
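The transcription from ip xfrm state to the Wireshark fields is easy to get wrong by one hex digit, so here is a small Go program, added as an illustration and not part of the original post, that does it mechanically. It parses the ip xfrm state output shown above (embedded verbatim), maps the kernel algorithm names to the names Wireshark uses, refuses keys whose length does not fit the algorithm, and prints the SA string, algorithms and keys exactly as they are entered in the preference. The algorithm tables only cover the 3DES and HMAC-MD5 of this post plus AES-CBC and HMAC-SHA-1; anything else has to be added to the maps.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// XfrmSA is one `ip xfrm state` entry, reduced to what the Wireshark ESP preference needs.
type XfrmSA struct{ Src, Dst, Proto, SPI, AuthAlg, AuthKey, EncAlg, EncKey string }
// Wireshark's names for the iproute2 algorithm identifiers, and the key sizes (hex digits after "0x")
// each accepts. A key pasted with a digit missing is the usual reason Wireshark keeps showing bare ESP.
var (
	wsEnc     = map[string]string{"cbc(des3_ede)": "TripleDES-CBC [RFC2451]", "cbc(aes)": "AES-CBC [RFC3602]"}
	wsAuth    = map[string]string{"hmac(md5)": "HMAC-MD5-96 [RFC2403]", "hmac(sha1)": "HMAC-SHA-1-96 [RFC2404]"}
	keyHexLen = map[string][]int{"cbc(des3_ede)": {48}, "cbc(aes)": {32, 48, 64}, "hmac(md5)": {32}, "hmac(sha1)": {40}}
)

// ParseXfrmState reads the text of `ip xfrm state`; older "auth" and newer "auth-trunc" lines both work.
func ParseXfrmState(out string) []XfrmSA {
	var sas []XfrmSA
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 4 && f[0] == "src" && f[2] == "dst" { // "src A dst B" opens a new SA
			sas = append(sas, XfrmSA{Src: f[1], Dst: f[3]})
			continue
		}
		if len(f) == 0 || len(sas) == 0 {
			continue // blank line, or an attribute line before any "src" line
		}
		cur := &sas[len(sas)-1]
		switch f[0] {
		case "proto": // "proto esp spi 0x... reqid N mode tunnel"
			if len(f) >= 4 && f[2] == "spi" {
				cur.Proto, cur.SPI = f[1], f[3]
			}
		case "auth", "auth-trunc": // "auth hmac(md5) 0x..." or "auth-trunc hmac(sha1) 0x... 96"
			if len(f) >= 3 {
				cur.AuthAlg, cur.AuthKey = f[1], f[2]
			}
		case "enc": // "enc cbc(des3_ede) 0x..."; replay-window, sel and the rest are skipped
			if len(f) >= 3 {
				cur.EncAlg, cur.EncKey = f[1], f[2]
			}
		}
	}
	return sas
}

func keyLenOK(alg, key string) bool {
	for _, n := range keyHexLen[alg] {
		if strings.HasPrefix(key, "0x") && len(key)-2 == n {
			return true
		}
	}
	return false
}

// WiresharkESP renders one SA the way the post enters it in the ESP preference (IPv4, as in the post).
func WiresharkESP(sa XfrmSA) (string, error) {
	if sa.Proto != "esp" {
		return "", fmt.Errorf("%s -> %s is %q, not esp", sa.Src, sa.Dst, sa.Proto)
	}
	enc, okE := wsEnc[sa.EncAlg]
	auth, okA := wsAuth[sa.AuthAlg]
	if !okE || !okA {
		return "", fmt.Errorf("no Wireshark name known for %q / %q", sa.EncAlg, sa.AuthAlg)
	}
	if !keyLenOK(sa.EncAlg, sa.EncKey) || !keyLenOK(sa.AuthAlg, sa.AuthKey) {
		return "", fmt.Errorf("key length does not match the algorithm for SPI %s (copy error?)", sa.SPI)
	}
	return fmt.Sprintf("SA: IPv4|%s|%s|%s\nEncryption algorithm: %s\nAuthentication algorithm: %s\n"+
		"Encryption Key: %s\nAuthentication Key: %s", sa.Src, sa.Dst, sa.SPI, enc, auth, sa.EncKey, sa.AuthKey), nil
}

// xfrmOutput is the `ip xfrm state` output shown in the post, verbatim.
const xfrmOutput = `src 10.100.100.100 dst 10.100.100.200
	proto esp spi 0x8134dedc reqid 0 mode tunnel
	replay-window 4
	auth hmac(md5) 0xa45c1bde51d20a61381025a1d55b675f
	enc cbc(des3_ede) 0x7926ddbf7170fe9ece55bffede0e74e5a0b532958bcd0bc2
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.100.100.200 dst 10.100.100.100
	proto esp spi 0x09bfd93b reqid 0 mode tunnel
	replay-window 4
	auth hmac(md5) 0x09be7b297316b0085a5c99fd59745b54
	enc cbc(des3_ede) 0xe4f6a1c56f8c31ff6c76a3ac24f284aaeb3a653cde839dcd
	sel src 0.0.0.0/0 dst 0.0.0.0/0`

func main() {
	for _, sa := range ParseXfrmState(xfrmOutput) {
		entry, err := WiresharkESP(sa)
		if err != nil {
			entry = "skipped: " + err.Error()
		}
		fmt.Println(entry + "\n")
	}
}
```

To use it on a live box, replace xfrmOutput with the output of sudo ip xfrm state (read from standard input, for instance). An SA that comes back as “skipped” is the thing to fix before going near the preferences: with a key that is off by one digit Wireshark simply keeps showing ESP.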

After clicking the Apply button, the magic happens: each ESP frame gets a second tab (“Decrypted Data”) in the packet bytes pane, next to the Frame tab, and the packet list now shows what the ESP frames were carrying:

No.  Time      Source          Destination     Protocol  Info                                                          Absolute time
  1  0.000000  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=1/256, ttl=255)   2011-07-17 20:36:08.629993
  2  0.000000  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=1/256, ttl=255)   2011-07-17 20:36:08.629993
  3  0.000098  192.168.3.1     192.168.2.1     ICMP      Echo (ping) reply    (id=0x0008, seq(be/le)=1/256, ttl=64)    2011-07-17 20:36:08.630091
  4  0.006429  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=2/512, ttl=255)   2011-07-17 20:36:08.636422
  5  0.006429  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=2/512, ttl=255)   2011-07-17 20:36:08.636422
  6  0.006513  192.168.3.1     192.168.2.1     ICMP      Echo (ping) reply    (id=0x0008, seq(be/le)=2/512, ttl=64)    2011-07-17 20:36:08.636506
  7  0.008711  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=3/768, ttl=255)   2011-07-17 20:36:08.638704
  8  0.008711  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=3/768, ttl=255)   2011-07-17 20:36:08.638704
  9  0.008779  192.168.3.1     192.168.2.1     ICMP      Echo (ping) reply    (id=0x0008, seq(be/le)=3/768, ttl=64)    2011-07-17 20:36:08.638772
 10  0.010926  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=4/1024, ttl=255)  2011-07-17 20:36:08.640919
 11  0.010926  192.168.2.1     192.168.3.1     ICMP      Echo (ping) request  (id=0x0008, seq(be/le)=4/1024, ttl=255)  2011-07-17 20:36:08.640919
 12  0.010992  192.168.3.1     192.168.2.1     ICMP      Echo (ping) reply    (id=0x0008, seq(be/le)=4/1024, ttl=64)   2011-07-17 20:36:08.640985

Congrats! You can now read through IPsec. Each request appears twice, once decrypted from the inbound ESP packet and once as the cleartext copy the Linux kernel emitted after decapsulation, and the replies, which were only visible as ESP before, are now readable. Keep in mind that the keys you pasted are stored in clear in your Wireshark profile, and that they stop working as soon as the SA is rekeyed.
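What Wireshark does with those settings, written out in Go as an added example (this is not code from the post or from Wireshark): it takes SA #2’s keys from the ip xfrm state output above, wraps a constructed ICMP echo request like the Cisco’s in a tunnel-mode ESP packet (SPI, sequence number, IV, padding, trailer and HMAC-MD5-96 ICV as in RFC 4303), then decapsulates it the way a receiver or the dissector must: SPI match, ICV check first, 3DES-CBC decryption, trailer and padding check. The inner packet bytes and the fixed IV are constructed for the example; the SPI and keys are the post’s.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// SA #2 of the post (10.100.100.200 -> 10.100.100.100), keys exactly as `ip xfrm state` printed them.
const (
	spiToLinux = 0x09bfd93b
	encKeyHex  = "e4f6a1c56f8c31ff6c76a3ac24f284aaeb3a653cde839dcd" // cbc(des3_ede), 24 bytes
	authKeyHex = "09be7b297316b0085a5c99fd59745b54"                 // hmac(md5), 16 bytes
	icvLen     = 12                                                 // HMAC-MD5-96 keeps 96 bits of the MAC
)

// innerHex is a constructed stand-in for the packet the Cisco sent, not bytes from the capture:
// IPv4 192.168.2.1 -> 192.168.3.1, TTL 255, ICMP echo request id 0x0008 seq 1, 0xCAFE data, checksums set.
const innerHex = "45000020" + "00000000" + "ff01358a" + "c0a80201" + "c0a80301" + "080061f9" + "00080001" + "cafecafe"

// SA is what the Wireshark ESP preference also asks for: SPI, cipher and authentication key.
type SA struct{ SPI uint32; Block cipher.Block; AuthKey []byte }

func NewSA(spi uint32, encKey, authKey string) (*SA, error) {
	ek, err1 := hex.DecodeString(encKey)
	ak, err2 := hex.DecodeString(authKey)
	if err1 != nil || err2 != nil {
		return nil, errors.New("keys must be hex strings")
	}
	block, err := des.NewTripleDESCipher(ek) // rejects anything but a 24-byte key
	if err != nil {
		return nil, err
	}
	return &SA{SPI: spi, Block: block, AuthKey: ak}, nil
}

// Encapsulate builds a tunnel-mode ESP packet (RFC 4303): SPI | Seq | IV | 3DES-CBC(inner | pad | padLen | nextHdr) | ICV.
// The IV (one cipher block) is a parameter to keep the example deterministic; a real sender draws it from a CSPRNG.
func (sa *SA) Encapsulate(seq uint32, iv, inner []byte) []byte {
	bs := sa.Block.BlockSize()
	padLen := (bs - (len(inner)+2)%bs) % bs // pad so that inner+pad+2 is block aligned
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // pad bytes are 1,2,3,... so the receiver can check them
	}
	plain = append(plain, byte(padLen), 4) // next header 4 = IPv4, i.e. tunnel mode
	pkt := make([]byte, 8+bs+len(plain))
	binary.BigEndian.PutUint32(pkt, sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	copy(pkt[8:], iv)
	cipher.NewCBCEncrypter(sa.Block, iv).CryptBlocks(pkt[8+bs:], plain)
	mac := hmac.New(md5.New, sa.AuthKey) // the ICV covers SPI, Seq, IV and ciphertext
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...)
}

// Decapsulate is what Wireshark does once it has the keys: match the SPI, verify the ICV, decrypt,
// strip the trailer. It returns the inner packet and the next-header value.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, byte, error) {
	bs := sa.Block.BlockSize()
	if len(pkt) < 8+2*bs+icvLen || (len(pkt)-8-icvLen)%bs != 0 || binary.BigEndian.Uint32(pkt) != sa.SPI {
		return nil, 0, errors.New("malformed ESP packet, or SPI of another SA")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(md5.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) { // constant-time compare, before touching the ciphertext
		return nil, 0, errors.New("ICV mismatch: wrong authentication key or modified packet")
	}
	iv, ct := body[8:8+bs], body[8+bs:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(sa.Block, iv).CryptBlocks(plain, ct)
	padLen, nextHdr := int(plain[len(plain)-2]), plain[len(plain)-1]
	for i := 0; i < padLen; i++ { // RFC 4303: pad bytes must read 1,2,3,...
		if j := len(plain) - 2 - padLen + i; j < 0 || plain[j] != byte(i+1) {
			return nil, 0, errors.New("bad ESP trailer: pad length or pad pattern")
		}
	}
	return plain[:len(plain)-2-padLen], nextHdr, nil
}

func main() {
	sa, err := NewSA(spiToLinux, encKeyHex, authKeyHex)
	if err != nil {
		panic(err)
	}
	inner, _ := hex.DecodeString(innerHex)
	esp := sa.Encapsulate(1, []byte{1, 2, 3, 4, 5, 6, 7, 8}, inner)
	got, nextHdr, err := sa.Decapsulate(esp)
	fmt.Printf("ESP %d bytes -> next header %d, inner recovered: %v, err: %v\n", len(esp), nextHdr, hex.EncodeToString(got) == innerHex, err)
}
```

The order in Decapsulate is the point: the ICV is verified with a constant-time comparison before a single byte is decrypted, so a packet built with the other SA’s authentication key, a flipped ciphertext byte or a foreign SPI is rejected without ever reaching the padding check, which is where padding-oracle style mistakes live. Swapping in SA #1’s keys and SPI decrypts the Linux-to-Cisco direction in the same way.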

Posted by fropert