How to provide master secret TLS file in Wireshark

How do I capture BACnet Secure Connection packets to monitor in Wireshark? I placed the filter bsc but didn't get anything.

1
swapnil.zaveri
asked 2021-12-08 04:39:14 +0000

Comments

You'll have to actually capture traffic first before thinking about how to decrypt it.

BACnet can run over datalink layers other than Ethernet so may be more difficult to capture. BACnet SC does run over IP networks and uses TLS 1.3 so should be relatively easily captured, but will need extra work if, as is likely, you're running in a switched Ethernet environment. See the wiki page on Ethernet Capture for more info.

You should describe your capture setup and environment.

grahamb (2021-12-08 09:06:06 +0000)

2 Answers


A lot of information is collected in the Wiki.

Jaap
answered 2021-12-08 07:25:23 +0000


A terse indication might read like so:

  • Can't use Edge or IE - they don't export the keys; works with Firefox.

    'User' environment variable: 'SSLKEYLOGFILE' (with a '.log' file extension); e.g.:

    'D:\Tmp\SslKeys.log'

  • Or, for Chrome?

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=D:\Tmp\SslKeys.log

    You MUST be sure Chrome is totally closed, and then reopen a fresh new Chrome instance.

    Chrome has a default option, enabled, that lets Chrome run in the background.

    Double check your Windows taskbar or process list to make sure there's no Chrome instance left.

    That's why '--ssl-key-log-file' isn't working: Chrome is still alive after you click the exit button.

  • In Wireshark:

    'Edit' -> 'Preferences' : 'Protocols' -> 'TLS' (or 'Edit' -> 'Preferences' : 'Protocols' -> 'SSL')

    '(Pre-)Master-Secret log filename'

    E.g.:  D:\Tmp\BACnetSC-RefImpl-TestHub_KeyLog.txt

    (If you have a private key from a node, register it by clicking the Edit button and adding it to the 'RSA keys' list.)

Some antiviruses (like 'Avast') inject the 'SSLKEYLOGFILE' environment variable into well-known processes like 'firefox.exe' and 'chrome.exe'. If you rename the browser executable file and launch that, then the environment variable won't be overridden.

And then (as a start) you should see something half-similar to this:

Node : WSS - Upgrade
Hub : WSS - '101 Web Socket Protocol Handshake'
'Connect-Request' - Request to accepting peer to accept a WebSocket connection for BACnet/SC
'Connect-Accept' - Response to initiating peer to accept a WebSocket connection for BACnet/SC

Node -> Hub [Full request URI: https://127.1.3.1:4443/]:

GET / HTTP/1.1
Connection: Upgrade
Host: 127.1.3.1:4443
Sec-WebSocket-Key: nJV1o4FJa5s6tpoCb1aukw==
Sec-WebSocket-Protocol: hub.bsc.bacnet.org
Sec-WebSocket-Version: 13
Upgrade: websocket

Hub -> Node:

HTTP/1.1 101 Web Socket Protocol Handshake
Connection: Upgrade
Date: Thu, 16 Jun 2022 14:17:06 GMT
Sec-WebSocket-Accept: TILNyK3b8Qnn66fD2MDWO08LTt0=
Sec-WebSocket-Protocol: hub.bsc.bacnet.org
Server: TooTallNate Java-WebSocket
Upgrade: websocket

Node -> Hub {WSS}:

Building Automation and Control Network LPDU
    Function: Connect-Request (0x06)
    Control: 0x00
        0000 .... = Reserved Bits: valid (0)
        .... 0... = Originating Virtual Address: absent
        .... .0.. = Destination Virtual Address: absent
        .... ..0. = Destination Options: absent
        .... ...0 = Data Options: absent
    Message ID: 0x0000
    Payload (Connect-Request)
        VMAC Address: Private_11:11:11 (11:11:11:11:11:11)
        Device UUID: aac37693-4138-452f-8986-7bc1a389397c
        Maximum BVLC Length: 1600
        Maximum NPDU Length: 1497

Hex Dump:

0000   06 00 00 00 11 11 11 11 11 11 aa c3 76 93 41 38
0010   45 2f 89 86 7b c1 a3 89 39 7c 06 40 05 d9

Hex Stream:

06000000111111111111aac376934138452f89867bc1a389397c064005d9

Hub -> Node {WSS}:

Building Automation and Control Network LPDU (Link Protocol Data Unit)
    Function: Connect-Accept (0x07)
    Control: 0x00
        0000 .... = Reserved Bits: valid (0)
        .... 0... = Originating Virtual Address: absent
        .... .0.. = Destination Virtual Address: absent
        .... ..0. = Destination Options: absent
        .... ...0 = Data Options: absent
    Message ID: 0x0000
    Payload (Connect-Accept)
        VMAC Address: Private_11:11:11 (11:11:11:11:11:11)
        Device UUID: aac37693-4138-452f-8986-7bc1a389397c
        Maximum BVLC Length: 1600
        Maximum NPDU Length: 1497

Hex Dump:

WSS:   82 1e
0000         07 00 00 00 11 11 11 11 11 11 ...
DennisVM-D2i
answered 2023-03-04 00:38:53 +0000

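Added example, not from the answer above nor from the Wireshark project: a small Python parser that decodes the Connect-Request hex stream shown in that answer into the same fields Wireshark's dissector displays (function, control flags, message ID, VMAC, device UUID, maximum BVLC and NPDU lengths), and rejects truncated or mis-flagged input instead of guessing. The field layout is taken from the dissection above; the constant and function names are the example's own.

```python
import struct
import uuid

# BVLC function codes for the two BACnet/SC PDUs dissected above.
BVLC_FUNCTIONS = {0x06: "Connect-Request", 0x07: "Connect-Accept"}

# Control-octet flag bits, matching Wireshark's bitfield lines above.
CTRL_RESERVED = 0xF0
CTRL_ORIG_VMAC = 0x08
CTRL_DEST_VMAC = 0x04
CTRL_DEST_OPTS = 0x02
CTRL_DATA_OPTS = 0x01
CTRL_ANY_FLAG = CTRL_ORIG_VMAC | CTRL_DEST_VMAC | CTRL_DEST_OPTS | CTRL_DATA_OPTS


def parse_connect(pdu: bytes) -> dict:
    """Decode a BACnet/SC Connect-Request / Connect-Accept BVLC PDU.

    Header: function (1), control (1), message ID (2, big-endian).
    Payload: VMAC (6), device UUID (16), max BVLC len (2), max NPDU len (2).
    Malformed input raises ValueError instead of yielding guessed fields.
    """
    if len(pdu) < 4:
        raise ValueError("PDU shorter than the 4-octet BVLC header")
    function, control, message_id = struct.unpack(">BBH", pdu[:4])
    if function not in BVLC_FUNCTIONS:
        raise ValueError(f"unsupported BVLC function 0x{function:02x}")
    if control & CTRL_RESERVED:
        raise ValueError(f"reserved control bits set: 0x{control:02x}")
    # Connect PDUs carry no VMAC header fields and no option lists, so any
    # flag bit set means the fixed layout below would not apply.
    if control & CTRL_ANY_FLAG:
        raise ValueError("connect PDUs must not carry VMACs or option lists")
    payload = pdu[4:]
    if len(payload) != 26:
        raise ValueError(f"expected a 26-octet connect payload, got {len(payload)}")
    max_bvlc, max_npdu = struct.unpack(">HH", payload[22:26])
    return {
        "function": BVLC_FUNCTIONS[function],
        "message_id": message_id,
        "vmac": ":".join(f"{b:02x}" for b in payload[:6]),
        "device_uuid": str(uuid.UUID(bytes=payload[6:22])),
        "max_bvlc_len": max_bvlc,
        "max_npdu_len": max_npdu,
    }


# Constructed from the "Hex Stream" of the Connect-Request shown above.
SAMPLE_CONNECT_REQUEST = bytes.fromhex(
    "06000000111111111111aac376934138452f89867bc1a389397c064005d9"
)
```

Feeding the sample through parse_connect reproduces the values in the dissection above (VMAC 11:11:11:11:11:11, max BVLC length 1600, max NPDU length 1497); flipping the first octet to 0x07 decodes the matching Connect-Accept.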