Wireshark-users: Re: [Wireshark-users] EAP-PEAP - Decryption of SSL traffic

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 11 Jan 2013 07:55:54 +0100
Hi,

I'm not aware of any plans in this regard, although I think this is a good idea.
What it would require is an enhancement of the SSL association tracking, beyond
current TCP / UDP (and there appears to be SCTP as well?) connections. It could
do with L2 connections as well. That would be the way forward.

If you want to have your idea recorded you can best file an enhancement bug, if
possible with example capture files and additional info for someone to start
coding on. Or code it yourself of course.

Thanks,
Jaap


On 01/11/2013 07:20 AM, teknet9 wrote:
> Hello Team, Everybody,
>  
> I want to decrypt SSL traffic inside 802.1x/EAP-PEAP packets.
> I can see that SSL decryption works fine, but only when it's encapsulated into TCP.
>  
> Are there any plans to add/fix that plugin so it could decrypt SSL inside EAP-PEAP?
> I was considering writing something of my own, but do not want to reinvent the wheel.
> Question1: Do you know any solution for that?
>  
> I have already written Perl scripts which extract that SSL traffic from EAP
> frames, now I just need to decode it
> (using server private key, most EAP-PEAP servers still use RSA ciphersuites
> instead of DH - so it's easy).
>  
> Now I am wondering whether to put that SSL data back into some TCP session (I would
> have to construct packet by packet to make sure TCP seq/ack is fine) and then use
> Wireshark to decrypt that SSL.
>  
> Question2: Let's assume that I will put that SSL into a TCP session and Wireshark
> will decrypt it. Will Wireshark decode the decrypted content (MSCHAPv2 session)?
>  
> Best Regards,
> Michal Garcarz
>  
>
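
The extraction step mentioned in the quoted message (pulling the SSL/TLS bytes out of EAP-PEAP frames) comes down to reassembling EAP-level fragments per sender. The Python below is an added example, not code from this thread or from Wireshark. It assumes EAP type 25 with the EAP-TLS style flags byte (L/M/S bits) and input already stripped of the EAPOL header; the function names and sample frames are constructed for illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_PEAP = 1, 2, 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included / more fragments / start

def parse_peap(eap: bytes):
    """Return (code, flags, declared_len, tls_fragment), or None if not EAP-PEAP."""
    if len(eap) < 6:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or eap_type != EAP_TYPE_PEAP:
        return None
    if not 6 <= length <= len(eap):
        raise ValueError("EAP Length field inconsistent with frame size")
    flags, body, declared = eap[5], eap[6:length], None   # slicing drops L2 padding
    if flags & FLAG_L:
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        declared, body = struct.unpack("!I", body[:4])[0], body[4:]
    return code, flags, declared, body

def reassemble(eap_packets):
    """Return [(sender, tls_bytes)] with one entry per complete TLS message."""
    buf = {EAP_REQUEST: bytearray(), EAP_RESPONSE: bytearray()}
    expect, out = {}, []
    for pkt in eap_packets:
        parsed = parse_peap(pkt)
        if parsed is None or not parsed[3]:   # not PEAP, or Start / fragment ACK
            continue
        code, flags, declared, frag = parsed
        if declared is not None and not buf[code]:
            expect[code] = declared           # total announced on the first fragment
        buf[code] += frag
        if flags & FLAG_M:
            continue                          # more fragments follow
        if expect.pop(code, len(buf[code])) != len(buf[code]):
            raise ValueError("reassembled size differs from TLS Message Length")
        out.append(("server" if code == EAP_REQUEST else "peer", bytes(buf[code])))
        buf[code].clear()
    return out

def _eap(code, ident, flags, frag, total=None):   # builds the constructed frames below
    body = (struct.pack("!I", total) if total is not None else b"") + frag
    return struct.pack("!BBHBB", code, ident, 6 + len(body), EAP_TYPE_PEAP, flags) + body
REC_CLIENT = b"\x16\x03\x01\x00\x04" + b"A" * 4   # constructed placeholder records,
REC_SERVER = b"\x16\x03\x01\x00\x08" + b"B" * 8   # not real handshake messages
SAMPLE = [_eap(1, 1, FLAG_S, b""), _eap(2, 1, 0, REC_CLIENT),
          _eap(1, 2, FLAG_L | FLAG_M, REC_SERVER[:7], total=13),
          _eap(2, 2, 0, b""), _eap(1, 3, 0, REC_SERVER[7:])]
```

`reassemble(SAMPLE)` returns the peer's record followed by the server's record rebuilt from its two fragments; the empty Start and ACK frames are skipped.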