EXCEPTION: Simultaneous ClientHello message present

Sep 11, 2012 at 1:39 PM

Trying to use NMDecrypt to decrypt LDAP/S traffic from a Win7 client to a Win2008R1 SP2 Active Directory domain controller, but the decryption always fails with EXCEPTION: Simultaneous ClientHello message present.  Happens in multiple captures. Have selected the TCP conversation in the Network Conversations field. Using NMDecrypt 2.3.4 from CodePlex and have used both the Default and Windows parsers 3.4.2774.001.

From debug log file:

```
6,74: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake
   Value:
6,75: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType
   Value: ServerHello(0x02)
Found Handshake Message 2 (Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType)
EXCEPTION: Simultaneous ClientHello message present
No Frames were decrypted, Netmon Filter Set may not match with current parser version.  Use parser version 3.4.2345.1 or greater.
```

From the network capture:

```
2 10:45:45 AM 9/7/2012 0.0000000  169.172.16.74 10.40.38.79 TCP TCP:Flags=......S., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459848, Ack=0, Win=65535 ( Negotiating scale factor 0x1 ) = 65535 {TCP:2, IPv4:1}
3 10:45:45 AM 9/7/2012 0.0001559  10.40.38.79 169.172.16.74 TCP TCP: [Bad CheckSum]Flags=...A..S., SrcPort=ldap protocol over TLS/SSL (was sldap)(636), DstPort=58447, PayloadLen=0, Seq=1588180437, Ack=2920459849, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:2, IPv4:1}
4 10:45:45 AM 9/7/2012 0.0041307  169.172.16.74 10.40.38.79 TCP TCP:Flags=...A...., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459849, Ack=1588180438, Win=33312 (scale factor 0x1) = 66624 {TCP:2, IPv4:1}
5 10:45:45 AM 9/7/2012 0.0046922  169.172.16.74 10.40.38.79 SSL SSL:SSLv2RecordLayer, ClientHello (0x01) {SSL:4, SSLVersionSelector:3, TCP:2, IPv4:1}
6 10:45:45 AM 9/7/2012 0.0263000  10.40.38.79 169.172.16.74 TLS TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate. Certificate Request. Server Hello Done. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
7 10:45:45 AM 9/7/2012 0.0319092  169.172.16.74 10.40.38.79 TCP TCP:Flags=...A...., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459991, Ack=1588182724, Win=32863 (scale factor 0x1) = 65726 {TCP:2, IPv4:1}
8 10:45:45 AM 9/7/2012 0.0327988  169.172.16.74 10.40.38.79 TLS TLS:TLS Rec Layer-1 HandShake: Certificate.; TLS Rec Layer-2 HandShake: Client Key Exchange.; TLS Rec Layer-3 Cipher Change Spec; TLS Rec Layer-4 HandShake: Encrypted Handshake Message. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
9 10:45:45 AM 9/7/2012 0.0342511  10.40.38.79 169.172.16.74 TLS TLS:TLS Rec Layer-1 Cipher Change Spec; TLS Rec Layer-2 HandShake: Encrypted Handshake Message. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
10 10:45:45 AM 9/7/2012 0.0385734  169.172.16.74 10.40.38.79 LDAP LDAP:Encrypted Over SSL {LDAP:6, TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
11 10:45:45 AM 9/7/2012 0.0459465  10.40.38.79 169.172.16.74 LDAP LDAP:Encrypted Over SSL {LDAP:6, TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
```

Ideas?


BrianY MCT, MCLC

Apr 18, 2013 at 9:46 AM
I have the same problem, and the same situation - trying to decrypt ldaps traffic. It fails in the exact same way:

```
-.-.-.-.-.-.- SSL Decryption Log -.-.-.-.-.-.-

Log Created On: 2013-04-18 11:36:31

NMDecrypt Version: 2.3.4.0
NMAPIs Initialized.
Initializing Netmon Parsers...
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\ProgramData\Microsoft\Network Monitor 3\NPL\NetworkMonitor Parsers\Profiles\64BAA24A-0AAD-44e6-9846-3BE43D698FF6\sparser.npb.
Netmon Parsers initialized successfully.
Adding SSLVersionSelector Display Filter...
Display Filter added successfully
Adding Conversation.TCP.Id == 44 Conversation Filter...
Conversation Filter, Conversation.TCP.Id == 44 added successfully
SSL Version Filter added successfully
Adding Conversation.TCP.Id == 44 Conversation Filter...
Eval Parser Conversation Filter, Conversation.TCP.Id == 44 added successfully
This Netmon Version is supported
*Warning: We've tested with version: 03.04.2748.0001. Your version is: 3.4.2350.0 000000000. This might cause problems if the TLS/SSL parsers have changed significantly.
Opening Encrypted Capture File: C:\Users\runesand\Documents\Katalog\skat\cap\lewa2.cap
Creating Decrypted Capture File: C:\Users\runesand\Documents\Katalog\skat\cap\lewadecr.cap
Proposing Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData
Using Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.
Changing Conversation ID from 18446744073709551615 to 44
.................................................
Entered IsTLSSLPayloadFragmented: Frame 549
.................................................

...
<some frames left out>

...

Processing Frame Number: 551

Found 2936 Fields in Frame
551,0: Processing Field: PayloadHeader
Value: Reassembled Protocol=TCP, FrameCount=2,Length=1963
551,1: Processing Field: PayloadHeader.Version
Value: 0x200 -
551,2: Processing Field: PayloadHeader.HeaderLength
Value: 166 (0xA6)
551,3: Processing Field: PayloadHeader.Type
Value: Re-assembled
551,4: Processing Field: PayloadHeader.ReassembledProtocol
Value: TCP
551,5: Processing Field: PayloadHeader.RStatus
Value: Complete successfully (0)
551,6: Processing Field: PayloadHeader.LowerProtocolCount
Value: 2 (0x2)
551,7: Processing Field: PayloadHeader.LowerProtocol
Value: IPv4
551,8: Processing Field: PayloadHeader.LowerProtocol.ProtocolName
Value: IPv4
551,9: Processing Field: PayloadHeader.LowerProtocol.ConversationKeyLength
Value: 8 (0x8)
551,10: Processing Field: PayloadHeader.LowerProtocol.ConversationKey
Value:
551,11: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 76 (0x4C)
551,12: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 159 (0x9F)
551,13: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 220 (0xDC)
551,14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 147 (0x93)
551,15: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 128 (0x80)
551,16: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 159 (0x9F)
551,17: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 220 (0xDC)
551,18: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 147 (0x93)
551,19: Processing Field: PayloadHeader.LowerProtocol.PropertyBlockLength
Value: 12 (0xC)
551,20: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties
Value: Source Address = 147.220.159.128, Destination Address = 147.220.159.76
551,21: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.SourceAddressDescriptor
Value: Not cumulative, number big endian, Length given:4 bytes
551,22: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.SourceAddress
Value: 147.220.159.128
Repurposing Source IP Address: 147.220.159.128
551,23: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.DestinationAddressDescriptor
Value: Not cumulative, number big endian, Length given:4 bytes
551,24: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.DestinationAddress
Value: 147.220.159.76
Repurposing Destination IP Address 147.220.159.76
551,25: Processing Field: PayloadHeader.LowerProtocol
Value: TCP
551,26: Processing Field: PayloadHeader.LowerProtocol.ProtocolName
Value: TCP
551,27: Processing Field: PayloadHeader.LowerProtocol.ConversationKeyLength
Value: 4 (0x4)
551,28: Processing Field: PayloadHeader.LowerProtocol.ConversationKey
Value:
551,29: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 104 (0x68)
551,30: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 5 (0x5)
551,31: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 124 (0x7C)
551,32: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 2 (0x2)
551,33: Processing Field: PayloadHeader.LowerProtocol.PropertyBlockLength
Value: 50 (0x32)
551,34: Processing Field: PayloadHeader.LowerProtocol.TCPProperties
Value:
551,35: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SourcePortDescriptor
Value: Not cumulative, number big endian
551,36: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SourcePort
Value: 636 (0x27C)
Using Source Port: 8935704610656485376
551,37: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.DestinationPortDescriptor
Value: Not cumulative, number big endian
551,38: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.DestinationPort
Value: 1384 (0x568)
Using Destination Port: 7495397154828058624
551,39: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SeqNumberDescriptor
Value: Not cumulative, number big endian
551,40: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SeqNumber
Value: 2059249701 (0x7ABDA825)
551,41: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.NextSeqNumberDescriptor
Value: Not cumulative, number big endian, Update with the latest
551,42: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.NextSeqNumber
Value: 2059251664 (0x7ABDAFD0)
551,43: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.TcpFlagsDescriptor
Value: Not cumulative, number big endian, Update with the latest
551,44: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.TcpFlags
Value: 24 (0x18)
551,45: Processing Field: PayloadHeader.FrameCount
Value: 2 (0x2)
551,46: Processing Field: PayloadHeader.PayloadLength
Value: 1963 (0x7AB)
551,47: Processing Field: PayloadHeader.ContainedProtocol
Value:
551,48: Processing Field: PayloadHeader.TLSSSLData
Value: Transport Layer Security (TLS) Payload Data
551,49: Processing Field: PayloadHeader.TLSSSLData.TLS
Value: TLS Rec Layer-1 HandShake: Server Hello. Certificate. Certificate Request. Server Hello Done.
551,50: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer
Value:
551,51: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer
Value: TLS Rec Layer-1 HandShake:
551,52: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ContentType
Value: HandShake:
Found Content Type: 22 (PayloadHeader.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.ContentType)
551,53: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version
Value: TLS 1.0
551,54: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Major
Value: 3 (0x3)
551,55: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Minor
Value: 1 (0x1)
551,56: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Length
Value: 1958 (0x7A6)
551,57: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake
Value: SSL HandShake Server Hello Done(0x0E)
551,58: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake
Value:
551,59: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType
Value: ServerHello(0x02)
Found Handshake Message 2 (PayloadHeader.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType)
EXCEPTION: Simultaneous ClientHello message present
No Frames were decrypted, Netmon Filter Set may not match with current parser version. Use parser version 3.4.2345.1 or greater.

-.-.-.-.-.-.- SSL Decryption Log Ends-.-.-.-.-.-.-
```

I'll gladly supply more info if needed.