Network Monitor Decryption Expert

New Post: EXCEPTION: Simultaneous ClientHello message present

andersRson — Thu, 18 Apr 2013 09:46:03 GMT

I have the same problem, and the same situation - trying to decrypt ldaps traffic. It fails in the exact same way:

``` -.-.-.-.-.-.- SSL Decryption Log -.-.-.-.-.-.-

Log Created On: 2013-04-18 11:36:31

NMDecrypt Version: 2.3.4.0
NMAPIs Initialized.
Initializing Netmon Parsers...
sparser.npb:001.000 Successfully unserialized NPL parser 'C:\ProgramData\Microsoft\Network Monitor 3\NPL\NetworkMonitor Parsers\Profiles\64BAA24A-0AAD-44e6-9846-3BE43D698FF6\sparser.npb.
Netmon Parsers initialized successfully.
Adding SSLVersionSelector Display Filter...
Display Filter added successfully
Adding Conversation.TCP.Id == 44 Conversation Filter...
Conversation Filter, Conversation.TCP.Id == 44 added successfully
SSL Version Filter added successfully
Adding Conversation.TCP.Id == 44 Conversation Filter...
Eval Parser Conversation Filter, Conversation.TCP.Id == 44 added successfully
This Netmon Version is supported
*Warning: We've tested with version: 03.04.2748.0001. Your version is: 3.4.2350.0 000000000. This might cause problems if the TLS/SSL parsers have changed significantly.
Opening Encrypted Capture File: C:\Users\runesand\Documents\Katalog\skat\cap\lewa2.cap
Creating Decrypted Capture File: C:\Users\runesand\Documents\Katalog\skat\cap\lewadecr.cap
Proposing Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData
Using Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.
Changing Conversation ID from 18446744073709551615 to 44
.................................................
Entered IsTLSSLPayloadFragmented: Frame 549
.................................................

...
<some frames left out>

...

Processing Frame Number: 551

Found 2936 Fields in Frame
551,0: Processing Field: PayloadHeader
Value: Reassembled Protocol=TCP, FrameCount=2,Length=1963
551,1: Processing Field: PayloadHeader.Version
Value: 0x200 -
551,2: Processing Field: PayloadHeader.HeaderLength
Value: 166 (0xA6)
551,3: Processing Field: PayloadHeader.Type
Value: Re-assembled
551,4: Processing Field: PayloadHeader.ReassembledProtocol
Value: TCP
551,5: Processing Field: PayloadHeader.RStatus
Value: Complete successfully (0)
551,6: Processing Field: PayloadHeader.LowerProtocolCount
Value: 2 (0x2)
551,7: Processing Field: PayloadHeader.LowerProtocol
Value: IPv4
551,8: Processing Field: PayloadHeader.LowerProtocol.ProtocolName
Value: IPv4
551,9: Processing Field: PayloadHeader.LowerProtocol.ConversationKeyLength
Value: 8 (0x8)
551,10: Processing Field: PayloadHeader.LowerProtocol.ConversationKey
Value:
551,11: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 76 (0x4C)
551,12: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 159 (0x9F)
551,13: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 220 (0xDC)
551,14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 147 (0x93)
551,15: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 128 (0x80)
551,16: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 159 (0x9F)
551,17: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 220 (0xDC)
551,18: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 147 (0x93)
551,19: Processing Field: PayloadHeader.LowerProtocol.PropertyBlockLength
Value: 12 (0xC)
551,20: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties
Value: Source Address = 147.220.159.128, Destination Address = 147.220.159.76
551,21: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.SourceAddressDescriptor
Value: Not cumulative, number big endian, Length given:4 bytes
551,22: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.SourceAddress
Value: 147.220.159.128
Repurposing Source IP Address: 147.220.159.128
551,23: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.DestinationAddressDescriptor
Value: Not cumulative, number big endian, Length given:4 bytes
551,24: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.DestinationAddress
Value: 147.220.159.76
Repurposing Destination IP Address 147.220.159.76
551,25: Processing Field: PayloadHeader.LowerProtocol
Value: TCP
551,26: Processing Field: PayloadHeader.LowerProtocol.ProtocolName
Value: TCP
551,27: Processing Field: PayloadHeader.LowerProtocol.ConversationKeyLength
Value: 4 (0x4)
551,28: Processing Field: PayloadHeader.LowerProtocol.ConversationKey
Value:
551,29: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 104 (0x68)
551,30: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 5 (0x5)
551,31: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 124 (0x7C)
551,32: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey
Value: 2 (0x2)
551,33: Processing Field: PayloadHeader.LowerProtocol.PropertyBlockLength
Value: 50 (0x32)
551,34: Processing Field: PayloadHeader.LowerProtocol.TCPProperties
Value:
551,35: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SourcePortDescriptor
Value: Not cumulative, number big endian
551,36: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SourcePort
Value: 636 (0x27C)
Using Source Port: 8935704610656485376
551,37: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.DestinationPortDescriptor
Value: Not cumulative, number big endian
551,38: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.DestinationPort
Value: 1384 (0x568)
Using Destination Port: 7495397154828058624
551,39: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SeqNumberDescriptor
Value: Not cumulative, number big endian
551,40: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SeqNumber
Value: 2059249701 (0x7ABDA825)
551,41: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.NextSeqNumberDescriptor
Value: Not cumulative, number big endian, Update with the latest
551,42: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.NextSeqNumber
Value: 2059251664 (0x7ABDAFD0)
551,43: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.TcpFlagsDescriptor
Value: Not cumulative, number big endian, Update with the latest
551,44: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.TcpFlags
Value: 24 (0x18)
551,45: Processing Field: PayloadHeader.FrameCount
Value: 2 (0x2)
551,46: Processing Field: PayloadHeader.PayloadLength
Value: 1963 (0x7AB)
551,47: Processing Field: PayloadHeader.ContainedProtocol
Value:
551,48: Processing Field: PayloadHeader.TLSSSLData
Value: Transport Layer Security (TLS) Payload Data
551,49: Processing Field: PayloadHeader.TLSSSLData.TLS
Value: TLS Rec Layer-1 HandShake: Server Hello. Certificate. Certificate Request. Server Hello Done.
551,50: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer
Value:
551,51: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer
Value: TLS Rec Layer-1 HandShake:
551,52: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ContentType
Value: HandShake:
Found Content Type: 22 (PayloadHeader.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.ContentType)
551,53: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version
Value: TLS 1.0
551,54: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Major
Value: 3 (0x3)
551,55: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Minor
Value: 1 (0x1)
551,56: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Length
Value: 1958 (0x7A6)
551,57: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake
Value: SSL HandShake Server Hello Done(0x0E)
551,58: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake
Value:
551,59: Processing Field: PayloadHeader.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType
Value: ServerHello(0x02)
Found Handshake Message 2 (PayloadHeader.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType)
EXCEPTION: Simultaneous ClientHello message present
No Frames were decrypted, Netmon Filter Set may not match with current parser version. Use parser version 3.4.2345.1 or greater.

-.-.-.-.-.-.- SSL Decryption Log Ends-.-.-.-.-.-.-

I'll gladly supply more info if needed.

Source code checked in, #84401

PaulLong — Thu, 10 Jan 2013 16:07:43 GMT

• Descriptive error to understand where TLSDecrypt error comes from • Log the filter user supplied to log • Increased log size to max of 2Gigs • Added log message to identify unknown handshake message • Added more checks for SSL version info to see if we need to recalculate filterstring • Fixed message to indicate correct parser version in warning message • Added more log messages to understand when SetFilterString was occuring

Source code checked in, #84400

PaulLong — Thu, 10 Jan 2013 16:07:30 GMT

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

PaulLong — Thu, 20 Dec 2012 17:33:00 GMT

I have a 1.6gig capture (SSAS DB sync via HTTPS).
When I attempt to decrypt it, it creates a destination file of 1,000,000,000 bytes (~953Meg).

Aside: I've not had a sucessful decrypt yet, but when I get some detail on that, I'll log it as a separate issue, but it could be because it's getting to the 1,000,000,001st byte and crashing.
Comments: ** Comment from web user: PaulLong **

I don't think there is any limit on the message size, but anything possible. I'm actually only maintaining the code right now so there could be some pieces I don't understand.

Can you tell me something about the traffic you are trying to decrypt? Is it one long conversation, or multiple separate TLS conversations?

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Thu, 20 Dec 2012 02:57:00 GMT

One last correction...

There are correctly decrypted HTTP frames/packets later on in the CAPs, but they get fewer and fewer.

Let me know if there's anything I can send through that might help figure this out...

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Thu, 20 Dec 2012 01:01:33 GMT

Thanks Paul,

that worked better.

I now have a 2gig and a 1.2gig decrypt file.

However, only the first 100 or so frames have been sucessfully decrypted.
It looks like the agregated TLS frames are still generated (though later they seem to have changed to SSL2) but not HTTP frames.

Is there a limit to the frame/packet size that can be decrypted? These SSAS sync packets often seem to be >64K.

Thanks
Craig

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

PaulLong — Wed, 19 Dec 2012 15:23:26 GMT

You are right, the expert includes the original messages plus each layer of reassembly. Unfortunately the .cap file format has a limit since it uses a DWORD for each frame to reference the offset in the file. So 4 gigs is the absolute maximum addressable size, but as the frame table grows, this size shrinks.

Also the allocation of the size of 2gigs at first is how the API works. I'm not sure why, but let me know if this is a problem.

The only solution I could think of was to write a chained capture instead. I've attached that version. Of course if you want to see it altogether you could filter our all the DecryptHeader messages and use NMCap to create a file using all the chained files as input.

Paul

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Wed, 19 Dec 2012 01:56:12 GMT

heh heh, it gets better.
where data spans more than one SSL/TLS frame, in the decrypted cap file, you get the original "continuation" frame, a combined TLS frame and a combined decrypted HTTP frame.

So that's three copies of the data. My 1.6gig cap probably needs more like 5gig...

FYI I just ran a capture against a smaller SSAS HTTPS DB sync, only 12meg of traffic.
While it pre-allocated a 2gig output file, once it was done, the decypted cap file was 26.5meg, so a bit more than double. So this makes no sense about output size...

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Wed, 19 Dec 2012 01:40:18 GMT

One more thing for today... I noticed that it's pre-allocating the size of the decrypted file.
Even with smaller source CAP files, it's creating a 2gig file up front.

I also just noticed today that the original encrypted frames are still in the decrypted cap file, plus the decrypted version of each frame. Which suggests my 1.6gig cap probably needs a 3.2+gig output file.

Just thinking outloud :)

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Tue, 18 Dec 2012 22:43:08 GMT

Hey Paul,

just confirming, if I take the first 100 or so frames of my 1.6gig cap file and decrypt it, it decrypts correctly.
But if I try the whole thing, the resulting cap file seems to be still encrypted.

Not sure if this is related to the massive size of my original cap file.

let me know if you want me to log this as a separate issue.

Thanks
Craig

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Tue, 18 Dec 2012 21:55:12 GMT

Thanks for that Paul. I gave it a go and it converted my 1.6gig (1,692,539,750 bytes) HTTPS cap into a 2gig (2,151,018,561 bytes) HTTPS cap file...

Either I messed something up or the decrypt isn't working correctly.

Note: I can see correctly decrypted packets in the debug file, but the "decrypted" cap file still appears as HTTPS and appears to be encrypted when I load it into NetMon.

I'll try again with a small cap, just in case it's a size related issue.

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

PaulLong — Mon, 17 Dec 2012 22:31:23 GMT

I've attached an x64 zip file with an install MSI. Hopefully this will allow you to save up to 2gigs. Please let me know if it works for you.

Paul

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Mon, 17 Dec 2012 20:31:59 GMT

Thanks for your response Paul, I probably could manage to compile this if I dug deep enough into cobwebs of my VS.Net skills, but if you've got a moment to build a 2gig edition, that would be a real time-saver.

Thanks
Craig

Commented Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

PaulLong — Mon, 17 Dec 2012 14:53:08 GMT

Yes, you are correct. I can raise it up to 2gig, but there is a limit which is somewhat variable. I will try to get an update posted, however in the meantime you can build the project. If that's not an option for you, let me know and we could work to get you a private version.

Paul

Created Issue: Decryption seems to be limited to the first 1,000,000,000 bytes [12648]

CraigHumphrey — Tue, 11 Dec 2012 04:22:40 GMT

Source code checked in, #81799

Project Collection Service Accounts — Mon, 01 Oct 2012 21:57:23 GMT

Upgrade: New Version of LabDefaultTemplate.xaml. To upgrade your build definitions, please visit the following link: http://go.microsoft.com/fwlink/?LinkId=254563

Source code checked in, #81798

Project Collection Service Accounts — Mon, 01 Oct 2012 21:51:05 GMT

Checked in by server upgrade

New Post: EXCEPTION: Simultaneous ClientHello message present

BrianWhy — Tue, 11 Sep 2012 13:39:28 GMT

Trying to use NMDecrypt to decrypt LDAP/S traffic from a Win7 client to a Win2008R1 SP2 Active Directory domain controller, but the decryption always fails with EXCEPTION: Simultaneous ClientHello message present. Happens in multiple captures. Have selected the TCP conversation in the Network Conversations field. Using NMDecrypt 2.3.4 from CodePlex and have used both the Default and Windows parsers 3.4.2774.001.

From debug log file:

6,74: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake
Value:
6,75: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType
Value: ServerHello(0x02)
Found Handshake Message 2 (Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType)
EXCEPTION: Simultaneous ClientHello message present
No Frames were decrypted, Netmon Filter Set may not match with current parser version. Use parser version 3.4.2345.1 or greater.

From the network capture:

2 10:45:45 AM 9/7/2012 0.0000000  169.172.16.74 10.40.38.79 TCP TCP:Flags=......S., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459848, Ack=0, Win=65535 ( Negotiating scale factor 0x1 ) = 65535 {TCP:2, IPv4:1}
3 10:45:45 AM 9/7/2012 0.0001559  10.40.38.79 169.172.16.74 TCP TCP: [Bad CheckSum]Flags=...A..S., SrcPort=ldap protocol over TLS/SSL (was sldap)(636), DstPort=58447, PayloadLen=0, Seq=1588180437, Ack=2920459849, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:2, IPv4:1}
4 10:45:45 AM 9/7/2012 0.0041307  169.172.16.74 10.40.38.79 TCP TCP:Flags=...A...., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459849, Ack=1588180438, Win=33312 (scale factor 0x1) = 66624 {TCP:2, IPv4:1}
5 10:45:45 AM 9/7/2012 0.0046922  169.172.16.74 10.40.38.79 SSL SSL:SSLv2RecordLayer, ClientHello (0x01) {SSL:4, SSLVersionSelector:3, TCP:2, IPv4:1}
6 10:45:45 AM 9/7/2012 0.0263000  10.40.38.79 169.172.16.74 TLS TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate. Certificate Request. Server Hello Done. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
7 10:45:45 AM 9/7/2012 0.0319092  169.172.16.74 10.40.38.79 TCP TCP:Flags=...A...., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459991, Ack=1588182724, Win=32863 (scale factor 0x1) = 65726 {TCP:2, IPv4:1}
8 10:45:45 AM 9/7/2012 0.0327988  169.172.16.74 10.40.38.79 TLS TLS:TLS Rec Layer-1 HandShake: Certificate.; TLS Rec Layer-2 HandShake: Client Key Exchange.; TLS Rec Layer-3 Cipher Change Spec; TLS Rec Layer-4 HandShake: Encrypted Handshake Message. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
9 10:45:45 AM 9/7/2012 0.0342511  10.40.38.79 169.172.16.74 TLS TLS:TLS Rec Layer-1 Cipher Change Spec; TLS Rec Layer-2 HandShake: Encrypted Handshake Message. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
10 10:45:45 AM 9/7/2012 0.0385734  169.172.16.74 10.40.38.79 LDAP LDAP:Encrypted Over SSL {LDAP:6, TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
11 10:45:45 AM 9/7/2012 0.0459465  10.40.38.79 169.172.16.74 LDAP LDAP:Encrypted Over SSL {LDAP:6, TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}

Ideas?

BrianY MCT, MCLC

New Post: Missing client hello

probich0 — Wed, 25 Jul 2012 14:15:54 GMT

In this case, the actual protocol is (should be) SIP, since I'm using Lync. However, I'm actually looking at data to/from mobile devices using Lync MCX, so it's possible that they're using some other protocol, kinda like Exchange ActiveSync does with WBXML. Thanks for the link, too; I'd already read that, and it will come in handy when I get to the meat of my testing, which involves watching traffic between two devices that are simultaneously talking to the server.

Cheers,
-Paul

New Post: Missing client hello

PaulLong — Wed, 25 Jul 2012 13:54:56 GMT

Glad you got that part sortted out.

Remember that the original traffic is still there. Filter on DecryptedPayloadHeader to focus on the decrypted frames.

What is the protocol ontop of SSL? We have to manually hook up the protocol in the SSL parser, so maybe this needs to be done for your case. In the past there have been others we've added. I did find another case that seemed similar where TSGU was the protocol and apparently it seemed to be working for me. But perhaps there are mutliple protocol possibilities here.

Also, when you have a client hello that is reused, you might want to read this blog as it has details about special considerations for this case. http://blogs.technet.com/b/netmon/archive/2011/03/03/nmdecrypt-expert-updates-version-2-3.aspx

Paul