nmdecrypt failed after decoding first payload of RDP trace

Mar 16, 2011 at 2:33 AM

I am using Network Monitor (version 4.4.2350.0) and nmDecrypt version 2.3 (Date: Thu Mar 3 2011).

nmDecrypt failed after decrypting one set of cipher text of an RDP 7.1 full trace with the following error:

848: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ApplicationData.SSLApplicationData
With Value: Binary Large Object (1440 Bytes)
Found Encrypted Application Data (PayloadHeader.TlsSslData.Tls.TlsRecLayer.TlsRecordLayer.ApplicationData.SSLApplicationData)
Decrypting Application Data...

Cipher Text[1440]:
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ........

Plain Text[1440]:
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F .......

Computing ServerIV for next application data
Exception: Object reference not set to an instance of an object.   at SSLDecryptionExpert.AppDataDecryption.LogApplicationDataDetails(String sourceIP, CipherSuiteInfo cipherSuite)
   at SSLDecryptionExpert.AppDataDecryption.DecryptSslApplicationData(String sourceIP, CipherSuiteInfo cipherSuite)
Exception: Object reference not set to an instance of an object.   at System.Security.Cryptography.HMAC.InitializeKey(Byte[] key)
   at SSLDecryptionExpert.AppDataDecryption.VerifyMacValueTLS(CipherSuiteInfo cipherSuite, String sourceIP)
   at SSLDecryptionExpert.AppDataDecryption.VerifyMacValue(CipherSuiteInfo cipherSuite, String sourceIP)
   at SSLDecryptionExpert.AppDataDecryption.DecryptSslApplicationData(String sourceIP, CipherSuiteInfo cipherSuite)
   at SSLDecryptionExpert.SSLDecryption.DecryptApplicationData(Int32[] value, String sourceIP)
   at SSLDecryptionExpert.SSLDecryption.ParsedFrameInformation(IntPtr parsedFrame, UInt32& frameNumber, Boolean& isKeyBlockComputed, Boolean& decryptedAppDataPacket, Boolean& exitOnError, NMFilters filter)
   at SSLDecryptionExpert.SSLDecryption.StartDecryption(Dictionary`2 property, String& decryptionResult)
   at SSLDecryptionExpert.SSLDecryption.SslDecryptCapture(Dictionary`2 property, String& decryptionResult)

I believe the first exception is harmless. The second exception, in VerifyMacValueTLS(), is where the code failed.

Mar 16, 2011 at 2:55 PM

From the looks of the log, it seems that TLS session setup was never evaluated as part of the traffic you sent the expert. I see that the cipher text and plain text match, which is what I've seen in the past when this was the case.

Did you run the expert by clicking on a TCP node in the conversation tree first, and then running the decryption expert?

Is 848 the first frame that appears in the log file?

When you look at the TLS conversation in Network Monitor does it start with the Client Hello and Server Hello portion?

Thanks,

Paul
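Paul's diagnostic above (does the TLS conversation start with Client Hello and Server Hello before any application data?) can also be checked outside Network Monitor with a small record-layer walker. This is an added example, not code from the thread or from nmDecrypt; the sample byte strings are constructed, and it assumes a raw, reassembled TLS byte stream for one direction has already been extracted from the capture.

```python
import struct

# TLS record content types and cleartext handshake message types (RFC 5246)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

def parse_records(stream: bytes):
    """Walk a raw TLS record stream and return (content_type, version, body) tuples."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record at the end of the capture; stop rather than misparse
        records.append((ctype, version, body))
        off += 5 + length
    return records

def describe(stream: bytes):
    """Label each record, e.g. 'Handshake/ClientHello' or 'ApplicationData'."""
    labels = []
    for ctype, _version, body in parse_records(stream):
        name = CONTENT_TYPES.get(ctype, f"Unknown({ctype})")
        if ctype == 22 and body:
            # Note: the Finished message after ChangeCipherSpec is encrypted, so its
            # first byte is not a real handshake type; only earlier messages label cleanly.
            name += "/" + HANDSHAKE_TYPES.get(body[0], f"type{body[0]}")
        labels.append(name)
    return labels

def starts_with_handshake(stream: bytes) -> bool:
    """True if a ClientHello or ServerHello appears before the first ApplicationData record."""
    seen_hello = False
    for ctype, _version, body in parse_records(stream):
        if ctype == 22 and body and body[0] in (1, 2):
            seen_hello = True
        elif ctype == 23:
            return seen_hello
    return seen_hello

# Constructed sample data: a capture that begins with the handshake, and one that
# starts mid-session (the situation the log above suggests).
def hs_record(hs_type: int, body: bytes = b"\x03\x01") -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

APP_RECORD = b"\x17\x03\x01\x00\x04" + b"\xde\xad\xbe\xef"
FULL_CAPTURE = hs_record(1) + hs_record(2) + APP_RECORD
MID_SESSION_CAPTURE = APP_RECORD + APP_RECORD

if __name__ == "__main__":
    print(describe(FULL_CAPTURE), starts_with_handshake(FULL_CAPTURE))
    print(describe(MID_SESSION_CAPTURE), starts_with_handshake(MID_SESSION_CAPTURE))
```

If the stream reports application data with no preceding hello records, the decryption expert cannot derive the key block, which matches the null HMAC key seen in the VerifyMacValueTLS stack above.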

Mar 18, 2011 at 10:16 PM

Paul,

I recorded a single TCP session in the cap file, and it looks like the first frame that nmDecrypt attempts to decode in the log is not the first encrypted frame with data, and actually the frame

I have uploaded the cap, pfx and text file for your reference.

CAP file:  https://cid-361ec6db4f6f7bf2.office.live.com/self.aspx/netmon/62%5E_tls-0318-2.cap

TXT file: https://cid-361ec6db4f6f7bf2.office.live.com/self.aspx/netmon/62%5E_tls-0318-2-log.txt

PFX file: https://cid-361ec6db4f6f7bf2.office.live.com/self.aspx/netmon/nm.pfx   (password "nm")

Thanks.

Mar 23, 2011 at 11:20 PM

I just wanted to let you know that I have started working on this. I was sick last week, but have made some progress today. To set your expectations, we haven't tested RDP yet. In fact, the first step was to enable this path in the expert. After doing that I was able to get some of the file decrypted, but then I ran into some other issues that this exposed. RDP is the first protocol I've seen where data going in both directions can be fragmented. There may be other complications which require large changes in the expert which I could not do in the short term. But if there are simple changes I can make, then I can implement these.

Apr 22, 2011 at 2:57 PM

Just another quick update. I've unfortunately had other higher priority work to do and haven't had a lot of time to investigate this. However, I will get around to it. If you have any interest in looking at the code yourself, please feel free to dig into the issue. If you need help understanding the flow of the program, I can do that.

Paul