TLS/SSL: Transport Layer Security/Secure Socket Layer
Introduction
This tutorial discusses the plugin sslDecode. It extracts all relevant non-encrypted handshake parameters that are useful for detecting malware inside encrypted traffic. Some commercial companies use this method as preprocessing for their AI detectors and sell that capability at a very high price. Now you can do it as well.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates sslDecode smtpDecode txtSink
...
BUILD SUCCESSFUL
If you have not created separate data and results directories yet, please do it now in another bash window; it makes your workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing SSL/TLS traffic!
sslDecode
As we learnt in the smtpDecode tutorial, there is SSL/TLS traffic in our test pcap. I would like you to be able to correlate it with the SSL output in the flow file later, so we load the smtpDecode plugin as well.
Let’s look at the plugin configuration first. You can choose to print anything that has value for the analyst: extensions, encodings, certificates, protocols, algorithms, etc. We leave everything at its default.
vi src/sslDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
// OpenVPN
#define SSL_ANALYZE_OVPN 0 // analyze OpenVPN (Experimental)
// SSL/TLS
#define SSL_EXT_LIST 1 // output the list and number of extensions
#define SSL_MAX_EXT 8 // maximum number of extensions to store
#define SSL_EC 1 // output the list and number of Elliptic Curve
#define SSL_MAX_EC 6 // maximum number of EC to store
#define SSL_EC_FORMATS 1 // output the list and number of Elliptic Curve point formats
#define SSL_MAX_EC_FORMATS 6 // maximum number of EC formats to store
#define SSL_PROTO_LIST 1 // output the list and number of protocols
#define SSL_MAX_PROTO 6 // maximum number of protocols to store
#define SSL_PROTO_LEN 16 // maximum number of characters per protocols
#define SSL_CIPHER_LIST 1 // output the list and number of supported ciphers
#define SSL_MAX_CIPHER 30 // maximum number of ciphers to store
#define SSL_ANALYZE_CERT 1 // analyze certificates
#if SSL_ANALYZE_CERT == 1
#define SSL_CERT_SERIAL 1 // print the certificate serial number
#define SSL_CERT_FINGPRINT 1 // 0: no certificate fingerprint, 1: SHA1, 2: MD5
#define SSL_CERT_VALIDITY 1 // print the certificate validity (Valid from/to)
#define SSL_CERT_SIG_ALG 1 // print the certificate signature algorithm
#define SSL_CERT_PUBKEY_ALG 1 // print the certificate public key algorithm
#define SSL_CERT_ALG_NAME_LONG 0 // use short (0) or long (1) names for algorithms
#define SSL_CERT_PUBKEY_TS 1 // print the certificate public key type and size
#define SSL_CERT_SUBJECT 2 // 0: no information about the certificate subject,
// 1: print the whole subject as one string,
// 2: print selected fields only
#define SSL_CERT_ISSUER 2 // 0: no information about the certificate issuer,
// 1: print the whole issuer as one string,
// 2: print selected fields only
#if ((SSL_CERT_SUBJECT == 2) || (SSL_CERT_ISSUER == 2))
#define SSL_CERT_COMMON_NAME 1 // print the common name of the issuer/subject
#define SSL_CERT_ORGANIZATION 1 // print the organization name of the issuer/subject
#define SSL_CERT_ORG_UNIT 1 // print the organizational unit name of the issuer/subject
#define SSL_CERT_LOCALITY 1 // print the locality name of the issuer/subject
#define SSL_CERT_STATE 1 // print the state or province of the issuer/subject
#define SSL_CERT_COUNTRY 1 // print the country of the issuer/subject
#endif // ((SSL_CERT_SUBJECT == 2) || (SSL_CERT_ISSUER == 2))
#if (SSL_CERT_VALIDITY == 1 && SSL_CERT_PUBKEY_TS == 1 && ( \
(SSL_CERT_SUBJECT == 1 && SSL_CERT_ISSUER == 1)) || \
(SSL_CERT_SUBJECT == 2 && SSL_CERT_ISSUER == 2 && SSL_CERT_COMMON_NAME == 1 && SSL_CERT_ORGANIZATION == 1))
#define SSL_DETECT_TOR 0 // print if TLS connection is likely a Tor one
#endif
// TODO in order to analyze ALL certificates, we need to reassemble packets...
#define SSL_SAVE_CERT 0 // save certificates
#define SSL_CERT_NAME_FINDEX 0 // prepend the flowIndex to the certificate name
#if SSL_SAVE_CERT == 1 || SSL_CERT_FINGPRINT == 1
#define SSL_BLIST 0 // Search for blacklisted certificates
#define SSL_BLIST_LEN 41 // Max length for blacklist descriptions
#define SSL_JA3 1 // Output JA3 fingerprint (hash and description)
#define SSL_JA3_STR 0 // Also output JA3 fingerprint before hashing
#define SSL_JA3_DLEN 512 // Max length for JA3 descriptions
#define SSL_JA3_STR_LEN 1024 // Max length for uncompressed JA3 signatures (ja3_str)
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define SSL_RM_CERTDIR 1 // remove SSL_CERT_PATH before starting
#define SSL_CERT_PATH "/tmp/TranCerts/" // folder for saved certificates
#define SSL_CERT_EXT ".pem" // extension for saved certificates
#endif // SSL_SAVE_CERT == 1 || SSL_CERT_FINGPRINT == 1
#endif // SSL_ANALYZE_CERT == 1
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Now run t2 on the supplied pcap.
t2 -r ~/data/faf-exercise.pcap -w ~/results/
As expected, there is SMTP and SSL traffic in the pcap, i.e. ESMTP with STARTTLS. So what does the aggregated sslStat tell us?
The sslStat column with value 0x2020 is to be interpreted as follows:
bit | sslStat | Description
=============================================================================
5   | 0x0020  | Connection was renegotiated (existed before)
13  | 0x2000  | Weak cipher detected (Null, DES, RC4 (RFC7465), ADH, 40/56 bits)
Oops, one of the peers decided to use a weak cipher. Nice. Let’s extract all SSL flows: you will see the ESMTP flows and, if you scroll further to the right, the output of the sslDecode plugin. If you look at the sslJA3Desc column at the end, you will see a human readable description, which states nicely that it is a malware test. Did somebody attack the receiving host?
tawk 'bitsanyset($sslStat, 0xffff)' ~/results/faf-exercise_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags smtpStat smtpCC smtpRC smtpUsr smtpPW smtpSANum smtpESANum smtpERANum smtpSA smtpESA smtpERA sslStat sslProto sslFlags sslVersion sslVuln sslAlert sslCipher sslNumExt sslExtList sslNumECPt sslECPt sslNumECFormats sslECFormats sslNumProto sslProtoList sslNumCipher sslCipherList sslNumCC_A_H_AD_HB sslSessIdLen sslGMTTime sslServerName sslCertVersion sslCertSerial sslCertSha1FP sslCNotValidBefore_after_lifetime sslCSigAlg sslCKeyAlg sslCPKeyType_Size sslCSubjectCommonName sslCSubjectOrgName sslCSubjectOrgUnit sslCSubjectLocality sslCSubjectState sslCSubjectCountry sslCIssuerCommonName sslCIssuerOrgName sslCIssuerOrgUnit sslCIssuerLocality sslCIssuerState sslCIssuerCountry sslJA3Hash sslJA3Desc
B 12 0x0400000000004001 1258563573.941709 1258563576.594045 2.652336 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1397 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_8_0 32 1258563574.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 13 0x0400000000004000 1258565030.304653 1258565030.420837 0.116184 1 3 eth:ipv4:tcp 00:0b:db:63:5b:d4 00:19:e3:e7:5d:23 0x0800 192.168.1.103 07 "Private network" 1749 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57pat" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_8_0 32 1258565252.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 13 0x0400000000004001 1258565030.304696 1258565030.420877 0.116181 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1749 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_7_0 32 1258565030.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 14 0x0400000000004000 1258565174.919134 1258565175.037809 0.118675 1 3 eth:ipv4:tcp 00:0b:db:63:5b:d4 00:19:e3:e7:5d:23 0x0800 192.168.1.103 07 "Private network" 1755 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57pat" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_8_0 32 1258565397.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 14 0x0400000000004001 1258565174.919179 1258565175.037828 0.118649 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1755 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_7_0 32 1258565174.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 15 0x0400000000004000 1258565820.302090 1258565821.898589 1.596499 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "Private network" 49218 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "M57Terry" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x002f 2 0x000a;0x000b 3 0x0017;0x0018;0x0019 1 0x00 0 12 0x002f;0x0035;0x0005;0x000a;0xc009;0xc00a;0xc013;0xc014;0x0032;0x0038;0x0013;0x0004 1_0_3_7_0 0 1258565965.000000 296c2c494ccfc5cb35d94bfbc74ef60a
A 16 0x0400000000004000 1258565880.189257 1258565880.212242 0.022985 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "Private network" 49219 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "M57Terry" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x002f 2 0x000a;0x000b 3 0x0017;0x0018;0x0019 1 0x00 0 12 0x002f;0x0035;0x0005;0x000a;0xc009;0xc00a;0xc013;0xc014;0x0032;0x0038;0x0013;0x0004 1_0_2_8_0 32 1258566025.000000 296c2c494ccfc5cb35d94bfbc74ef60a
A 17 0x0400000000004000 1258566050.124592 1258566050.238771 0.114179 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "Private network" 49220 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "M57Terry" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x002f 2 0x000a;0x000b 3 0x0017;0x0018;0x0019 1 0x00 0 12 0x002f;0x0035;0x0005;0x000a;0xc009;0xc00a;0xc013;0xc014;0x0032;0x0038;0x0013;0x0004 1_0_3_7_0 32 1258566195.000000 296c2c494ccfc5cb35d94bfbc74ef60a
A 18 0x0400000000004000 1258566123.706408 1258566123.739652 0.033244 1 3 eth:ipv4:tcp 00:0b:db:63:5b:d4 00:19:e3:e7:5d:23 0x0800 192.168.1.103 07 "Private network" 1806 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57pat" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_7_0 32 1258566346.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 18 0x0400000000004001 1258566123.706462 1258566123.739692 0.033230 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1806 6 0x00 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258566123.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
B 19 0x0400000000004001 1258567109.383558 1258567113.574642 4.191084 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1400 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258567109.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 20 0x0400000000004000 1258567248.261596 1258567248.374768 0.113172 1 3 eth:ipv4:tcp 00:0b:db:63:58:a6 00:19:e3:e7:5d:23 0x0800 192.168.1.102 07 "Private network" 1404 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57jo" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_7_0 32 1258567449.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 20 0x0400000000004001 1258567248.261635 1258567248.374809 0.113174 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1404 6 0x00 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258567248.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 21 0x0400000000004000 1258567289.262109 1258567289.283592 0.021483 1 3 eth:ipv4:tcp 00:0b:db:63:58:a6 00:19:e3:e7:5d:23 0x0800 192.168.1.102 07 "Private network" 1405 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57jo" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_2_8_0 32 1258567490.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 21 0x0400000000004001 1258567289.262156 1258567289.283642 0.021486 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1405 6 0x00 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_2_7_0 32 1258567289.000000 53611273a714cb4789c8222932efd5a7
A 22 0x0400000000004000 1258567757.457759 1258567757.572930 0.115171 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "Private network" 49336 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "M57Terry" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x002f 2 0x000a;0x000b 3 0x0017;0x0018;0x0019 1 0x00 0 12 0x002f;0x0035;0x0005;0x000a;0xc009;0xc00a;0xc013;0xc014;0x0032;0x0038;0x0013;0x0004 1_0_3_7_0 32 1258567902.000000 296c2c494ccfc5cb35d94bfbc74ef60a
A 23 0x0400000000004000 1258568036.508358 1258568036.620287 0.111929 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "Private network" 49353 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "M57Terry" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x002f 2 0x000a;0x000b 3 0x0017;0x0018;0x0019 1 0x00 0 12 0x002f;0x0035;0x0005;0x000a;0xc009;0xc00a;0xc013;0xc014;0x0032;0x0038;0x0013;0x0004 1_0_3_7_0 32 1258568182.000000 296c2c494ccfc5cb35d94bfbc74ef60a
A 24 0x0400000000004000 1258568059.128662 1258568059.160656 0.031994 1 3 eth:ipv4:tcp 00:0b:db:63:5b:d4 00:19:e3:e7:5d:23 0x0800 192.168.1.103 07 "Private network" 1836 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57pat" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_7_0 32 1258568281.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 24 0x0400000000004001 1258568059.128711 1258568059.160696 0.031985 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1836 6 0x00 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258568059.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 25 0x0400000000004000 1258568667.549041 1258568667.662968 0.113927 1 3 eth:ipv4:tcp 00:0b:db:63:58:a6 00:19:e3:e7:5d:23 0x0800 192.168.1.102 07 "Private network" 1709 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57jo" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_7_0 32 1258568869.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 25 0x0400000000004001 1258568667.549083 1258568667.662999 0.113916 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1709 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258568667.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 26 0x0400000000004000 1258568738.108255 1258568738.141234 0.032979 1 3 eth:ipv4:tcp 00:08:74:38:01:b4 00:19:e3:e7:5d:23 0x0800 192.168.1.105 07 "Private network" 49561 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "M57Terry" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x002f 2 0x000a;0x000b 3 0x0017;0x0018;0x0019 1 0x00 0 12 0x002f;0x0035;0x0005;0x000a;0xc009;0xc00a;0xc013;0xc014;0x0032;0x0038;0x0013;0x0004 1_0_3_7_0 32 1258568883.000000 296c2c494ccfc5cb35d94bfbc74ef60a
A 30 0x0400000000004000 1258581757.587843 1258581758.358872 0.771029 1 3 eth:ipv4:tcp 00:0b:db:63:5b:d4 00:19:e3:e7:5d:23 0x0800 192.168.1.103 07 "Private network" 1934 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57pat" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_7_0 32 1258581981.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 30 0x0400000000004001 1258581757.587891 1258581758.358901 0.771010 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 1934 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258581758.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 31 0x0400000000004000 1258582107.588230 1258582108.822693 1.234463 1 3 eth:ipv4:tcp 00:0b:db:63:5b:d4 00:19:e3:e7:5d:23 0x0800 192.168.1.103 07 "Private network" 2008 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57pat" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_7_0 32 1258582331.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 31 0x0400000000004001 1258582107.588266 1258582108.822724 1.234458 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:5b:d4 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.103 07 "Private network" 2008 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258582108.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local" US 53611273a714cb4789c8222932efd5a7
A 32 0x0400000000004000 1258583614.298059 1258583615.323171 1.025112 1 3 eth:ipv4:tcp 00:0b:db:63:58:a6 00:19:e3:e7:5d:23 0x0800 192.168.1.102 07 "Private network" 1911 192.168.1.1 07 "Private network" 25 6 0x00 0x01 EHLO 1 0 0 "m57jo" 0x2020 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 11 0x0004;0x0005;0x000a;0x0009;0x0064;0x0062;0x0003;0x0006;0x0013;0x0012;0x0063 1_0_3_7_0 32 1258583817.000000 de350869b8c85de67a350c8d186f11e6 "Mozilla/4.0 (compatible; MSIE 6.0 or MSIE 7.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), Malware Test FP: angler-ek-malware-payload-sandbox-analysis-winxp, smoke-loader-post-infection-traffic"
B 32 0x0400000000004001 1258583614.298161 1258583615.323218 1.025057 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:63:58:a6 0x0800 192.168.1.1 07 "Private network" 25 192.168.1.102 07 "Private network" 1911 6 0x08 0x01 220;250 3 0 0 "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS" 0x2000 0x0000 0x00 0x0301 0x00 0x00000000 0x0004 0 0 0 0 1 0x0004 1_0_4_6_0 32 1258583615.000000 3 01 584728c5c136f59aa9ea3fa1befb735149f846a0 1254499973.000000_1286035973.000000_31536000 "RSA-SHA1" "rsaEncryption" RSA_2048 "domex.local" US "domex.local"
So the sslCipherList shows you all ciphers supported by the peers, and the finally selected cipher 0x0004, which both peers support, is weak, as tawk shows below:
The sslCipher column with value 0x0004 is to be interpreted as follows:
sslCipher | Description
=============================================================================
0x0004    | TLS_RSA_WITH_RC4_128_MD5 (WEAK)
If you need an explanation of the columns, just look into the `faf-exercise_headers.txt` file:
# Col No. Type Name Description
...
34 S:R smtpERA SMTP Email receive addresses
35 H16 sslStat SSL status
36 H16 sslProto SSL proto
37 H8 sslFlags SSL flags
38 H16 sslVersion SSL version
39 H8 sslVuln SSL vulnerabilities
40 H32 sslAlert SSL alert
41 H16 sslCipher SSL preferred (Client) / negotiated (Server) cipher
42 U16 sslNumExt SSL number of extensions
43 H16:R sslExtList SSL list of extensions
44 U16 sslNumECPt SSL number of EC points
45 H16:R sslECPt SSL list of EC points
46 U8 sslNumECFormats SSL number of EC point formats
47 H8:R sslECFormats SSL list of EC point formats
48 U16 sslNumProto SSL number of protocols
49 S:R sslProtoList SSL list of protocols
50 U16 sslNumCipher SSL number of supported ciphers
51 H16:R sslCipherList SSL list of supported cipher
52 U16_U16_U16_U64_U64 sslNumCC_A_H_AD_HB SSL number of change_cipher, alert, handshake, application data, heartbeat records
53 U8 sslSessIdLen SSL Session ID length
54 U64.U32:R sslGMTTime SSL GMT Unix Time
55 S:R sslServerName SSL server name
56 U8:R sslCertVersion SSL certificate version
57 SC:R sslCertSerial SSL certificate serial number
58 SC:R sslCertSha1FP SSL certificate SHA1 fingerprint
59 U64.U32_U64.U32_U64:R sslCNotValidBefore_after_lifetime SSL certificate validity period (not valid before/after, lifetime (seconds))
60 S:R sslCSigAlg SSL certificate signature algorithm
61 S:R sslCKeyAlg SSL certificate public key algorithm
62 SC_U16:R sslCPKeyType_Size SSL certificate public key type, size (bits)
63 S:R sslCSubjectCommonName SSL certificate subject common name
64 S:R sslCSubjectOrgName SSL certificate subject organization name
65 S:R sslCSubjectOrgUnit SSL certificate subject organizational unit name
66 S:R sslCSubjectLocality SSL certificate subject locality name
67 S:R sslCSubjectState SSL certificate subject state or province name
68 SC:R sslCSubjectCountry SSL certificate subject country name
69 S:R sslCIssuerCommonName SSL certificate issuer common name
70 S:R sslCIssuerOrgName SSL certificate issuer organization name
71 S:R sslCIssuerOrgUnit SSL certificate issuer organizational unit name
72 S:R sslCIssuerLocality SSL certificate issuer locality name
73 S:R sslCIssuerState SSL certificate issuer state or province name
74 SC:R sslCIssuerCountry SSL certificate issuer country name
75 SC:R sslJA3Hash SSL JA3 fingerprint
76 S:R sslJA3Desc SSL JA3 description
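As an added example (not code from the Tranalyzer project), the following Python script applies the three checks this tutorial walks through, sslStat bit decoding, weak cipher identification in sslCipher and sslCipherList, and JA3 hash matching, to a constructed, column-reduced excerpt of the flow file shown above. The cipher suite table and the JA3 watch list are assumptions built from the values on this page; it assumes the flow file is tab-separated with a header row starting with `%dir`, as txtSink writes it.

```python
"""Triage sslDecode output: decode sslStat bits, name cipher suites, flag weak
ones and match JA3 hashes against a watch list.

Added example, not Tranalyzer project code. Assumes a tab-separated flow file
whose header row starts with '%dir' (as txtSink writes it); SAMPLE_FLOWS is a
constructed, column-reduced excerpt of the tutorial output.
"""
import csv

# sslStat bit meanings as t2 printed them in the tutorial (the bits of 0x2020).
SSL_STAT_BITS = {
    0x0020: "Connection was renegotiated (existed before)",
    0x2000: "Weak cipher detected (Null, DES, RC4 (RFC7465), ADH, 40/56 bits)",
}

# Partial IANA cipher suite table: code -> (name, weak). 'weak' follows the
# page's rule (NULL, DES, RC4, anonymous DH, 40/56-bit export); suites not
# listed here are reported by hex code with weakness None (assumed table).
CIPHER_SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", True),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", True),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", True),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", True),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", False),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", False),
}

# JA3 hash the tutorial's sslJA3Desc labels as a malware test fingerprint.
JA3_WATCHLIST = {"de350869b8c85de67a350c8d186f11e6"}

# Constructed excerpt of ~/results/faf-exercise_flows.txt: values taken from
# the tutorial, most columns dropped, cipher lists and sslJA3Desc shortened.
SAMPLE_FLOWS = "\n".join([
    "%dir\tflowInd\tsrcIP\tdstIP\tsslStat\tsslCipher\tsslCipherList\tsslJA3Hash\tsslJA3Desc",
    "A\t13\t192.168.1.103\t192.168.1.1\t0x2020\t0x0004\t0x0004;0x0005;0x000a;0x0009;0x0064"
    "\tde350869b8c85de67a350c8d186f11e6\t\"Mozilla/4.0 (...), Malware Test FP: smoke-loader-post-infection-traffic\"",
    "B\t13\t192.168.1.1\t192.168.1.103\t0x2000\t0x0004\t0x0004"
    "\t53611273a714cb4789c8222932efd5a7\t",
    "A\t15\t192.168.1.105\t192.168.1.1\t0x2000\t0x002f\t0x002f;0x0005;0x000a;0xc013"
    "\t296c2c494ccfc5cb35d94bfbc74ef60a\t",
])


def parse_flow_file(text):
    """Return one dict per flow row; the header's leading '%' is dropped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    rows = csv.reader(lines[1:], delimiter="\t", quotechar='"')
    return [dict(zip(header, row)) for row in rows]


def decode_ssl_stat(stat):
    """Expand an sslStat value into the documented bit descriptions."""
    out = []
    for bit in range(16):
        mask = 1 << bit
        if stat & mask:
            out.append(SSL_STAT_BITS.get(mask, f"bit {bit} (0x{mask:04x}): undocumented"))
    return out


def cipher_info(code):
    return CIPHER_SUITES.get(code, (f"unknown suite 0x{code:04x}", None))


def triage(flows, watchlist=JA3_WATCHLIST):
    """Per flow: decoded status, cipher verdicts and JA3 watch-list hits.

    Column 41 of faf-exercise_headers.txt says sslCipher is the client's
    preferred suite on an A flow and the negotiated suite on a B flow, so only
    the B flow tells whether a weak cipher was actually negotiated.
    """
    findings = []
    for f in flows:
        name, weak = cipher_info(int(f["sslCipher"], 16))
        offered = [int(c, 16) for c in f["sslCipherList"].split(";") if c]
        findings.append({
            "flow": f["dir"] + f["flowInd"],
            "peers": f["srcIP"] + " -> " + f["dstIP"],
            "status": decode_ssl_stat(int(f["sslStat"], 16)),
            "cipher": name,
            "negotiated_weak": f["dir"] == "B" and bool(weak),
            "weak_offered": [cipher_info(c)[0] for c in offered if cipher_info(c)[1]],
            "ja3_hit": f["sslJA3Hash"] in watchlist,
        })
    return findings
```

To run it over the real results, pass the contents of `~/results/faf-exercise_flows.txt` to `parse_flow_file` and feed the rows to `triage`; lists capped by SSL_MAX_CIPHER are truncated in the flow file, so `weak_offered` only reflects the stored part of the list.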
Now, is that an attack? Which plugin might you need now? Have a look into the Data carving with smtpDecode tutorial! I leave that exercise to you.
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf sslDecode --reset && t2build sslDecode
Have fun analyzing.