
Ignored unknown packet

Newbie here for Wireshark :)

During a pentest someone did for us, they came to the conclusion that sometimes our TLS 1.2 traffic is in cleartext. I'm trying to figure out whether this is a poorly written app which seems (according to the pcap file of the pentester) to send information over TLS 1.2 in clear text, or whether something else is going on.

It states about 4200 "ignored unknown packet" messages. Some of the pcap lines do indeed contain readable information which is supposed to be encrypted. (password, username are visible)

Is this perhaps a setting where Wireshark is decrypting packets? Or might the app be sending unencrypted info via TLS 1.2?

donkerg, asked 2021-10-25 15:58:39 +0000

Comments

Or might the app be sending unencrypted info via TLS 1.2 ?

This is the most likely cause. In some cases, Wireshark can decrypt TLS but you would have to configure the system to specific settings (see the Wiki) and then prep Wireshark with access to the crypto material. If you did not do this, then the issue is real. It would not be the first time unprotected data ends up in a TLS stream.

Bob Jones (2021-10-25 16:41:02 +0000)

1 Answer


What happens when you enable "Reassemble out-of-order segments" in the TCP protocol preferences?

Anyway, any cleartext will be easy to spot when you use "Follow TCP Stream".

André, answered 2021-10-25 18:45:14 +0000

Comments

When I enable "Reassemble out-of-order segments", it no longer states "Ignored unknown packet". It now says "TCP segment of a reassembled PDU".

I did follow the TCP stream, and now everything is readable in cleartext (1704 words). Looks like queries to a database and config items. I think I also see a password in there.

donkerg (2021-10-25 21:26:09 +0000)

Did you capture the TLS Server Hello handshake? Then you can see which cipher was used. I assume a NULL cipher.

I've seen that before, used by middleware to minimize the CPU load (with the on-premise network considered safe) while still using TLS to verify authentication and prevent message tampering.

André (2021-10-26 20:57:29 +0000)

Regrettably, the TLS Hello does not seem to be in the pcap file. But I agree that this software might be poorly written and use a null cipher.

donkerg (2021-10-27 06:13:17 +0000)
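As an added example (not part of the thread and not Wireshark's own logic), here is a small Python script that does by hand the two checks discussed in the comments above: it walks a raw TLS 1.2 record stream, such as the bytes saved from "Follow TCP Stream", pulls the cipher suite out of the ServerHello when one is present, and, for the case where the handshake is missing from the capture, flags application_data records whose payload is mostly printable text, which is what a NULL cipher suite (MAC only, no encryption) puts on the wire. The sample stream, the chosen cipher suite and the fake MAC are constructed for the demonstration, and the printable-byte heuristic is an assumption that holds for records of reasonable size, so confirm any hit by reading the stream.

```python
"""Inspect a raw TLS 1.2 record stream for a NULL cipher suite or cleartext
application data.  Added example for this thread; not from the original post.
Input assumption: the stream starts on a TLS record boundary."""
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
SERVER_HELLO = 2

# Cipher suites with no encryption (eNULL), ids from the IANA TLS registry.
NULL_CIPHER_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0xC006: "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHA",
}


def parse_records(stream):
    """Split bytes into TLS records as (content_type, payload) tuples.
    Also returns how many trailing bytes did not form a complete record
    (capture ends mid-record, or the data is not TLS at all)."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if (ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA)
                or version >> 8 != 3 or length > 2 ** 14 + 2048):
            break                                  # not a TLS record header
        if off + 5 + length > len(stream):
            break                                  # truncated final record
        records.append((ctype, bytes(stream[off + 5:off + 5 + length])))
        off += 5 + length
    return records, len(stream) - off


def server_hello_cipher_suite(handshake_payload):
    """Return the cipher suite id chosen in a ServerHello, or None."""
    off = 0
    while off + 4 <= len(handshake_payload):
        msg_type = handshake_payload[off]
        msg_len = int.from_bytes(handshake_payload[off + 1:off + 4], "big")
        body = handshake_payload[off + 4:off + 4 + msg_len]
        if msg_type == SERVER_HELLO and len(body) >= 38:
            # version(2) random(32) session_id_len(1) session_id cipher_suite(2)
            pos = 35 + body[34]
            if pos + 2 <= len(body):
                return struct.unpack_from("!H", body, pos)[0]
        off += 4 + msg_len
    return None


def looks_like_plaintext(payload, threshold=0.6):
    """Heuristic: most bytes are printable ASCII.  Real ciphertext averages
    about 38% printable bytes (98 of 256 values); a NULL-cipher record is the
    message text followed by a 20- or 32-byte MAC.  Noisy for tiny records."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload) >= threshold


def analyze_stream(stream):
    """Summarise cipher choice and any cleartext application data."""
    records, leftover = parse_records(stream)
    suite, cleartext = None, []
    for ctype, payload in records:
        if ctype == HANDSHAKE and suite is None:
            suite = server_hello_cipher_suite(payload)
        elif ctype == APPLICATION_DATA and looks_like_plaintext(payload):
            cleartext.append(payload)
    name = None if suite is None else NULL_CIPHER_SUITES.get(suite, f"0x{suite:04x}")
    return {
        "cipher_suite": suite,
        "cipher_suite_name": name,
        "null_cipher": suite in NULL_CIPHER_SUITES,
        "app_data_records": sum(1 for c, _ in records if c == APPLICATION_DATA),
        "cleartext_records": cleartext,
        "unparsed_trailing_bytes": leftover,
    }


# ---- constructed sample input (not from any real capture) ------------------
def _record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def _server_hello(cipher_suite):
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # version, random, no session id
            + struct.pack("!H", cipher_suite) + b"\x00")  # cipher suite, null compression
    return _record(HANDSHAKE, bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body)


FAKE_MAC = bytes(range(32))  # stands in for the HMAC a NULL suite appends
SAMPLE_STREAM = (
    _server_hello(0x003B)    # server picks TLS_RSA_WITH_NULL_SHA256
    + _record(APPLICATION_DATA,
              b"SELECT id, role FROM users WHERE name='admin' AND password='hunter2';" + FAKE_MAC)
    + _record(APPLICATION_DATA, bytes(range(128, 192)))  # looks like real ciphertext
    + b"\x17\x03\x03\x00\x40abc"  # header promises 64 bytes, only 3 follow
)

if __name__ == "__main__":
    s = analyze_stream(SAMPLE_STREAM)
    print(f"cipher suite: {s['cipher_suite_name']}, NULL cipher: {s['null_cipher']}")
    print(f"{len(s['cleartext_records'])} of {s['app_data_records']} app-data records look like cleartext; "
          f"{s['unparsed_trailing_bytes']} trailing bytes did not parse as a record")
```

Run it as-is to see the constructed case, or replace `SAMPLE_STREAM` with the raw bytes of one direction of a real stream. Unparsed trailing bytes or an immediate parse failure means the saved stream did not start on a record boundary, which is also the situation in which Wireshark cannot dissect the records; re-save from the first full TLS record or enable the TCP reassembly preference first.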
