Penetration Testing mailing list archives
Re: OpenVPN traffic
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Tue, 15 Dec 2009 17:08:09 +0000
Chris Clymer wrote:
OpenVPN is an SSL-based VPN. You would need to get your hands on the certs, but if you did I would expect that you can use the SSL decrypt functionality in Wireshark.
Yes, that was what I thought until I tried it. OpenVPN uses TLS technologies (although it doesn't have to use an x509 cert, it can use a preshared secret instead) but isn't as simple as some-tunnel-protocol-over-stunnel would be. Instead, it is a UDP streaming protocol with a simple five-bit packet type indicator; most types are for the various key negotiation options, with only packet type 6 actually containing encrypted payload data. The actual session keys used for HMAC and payload are either taken from the preshared secret (there are up to four, depending on mode) or negotiated using DH as part of a certificate-based TLS-style handshake. It's a complete nightmare to try and decode by hand; I managed to extract the four keys after a half hour of work, only to find after three payload packets the server sent a type 3 ("let's negotiate a new key!") packet and the dance started over....
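The header layout described in the post above, as an added example that is not part of the original message: it splits the first byte of each UDP datagram into the five-bit packet type and the remaining three bits, and flags where a renegotiation moves the data packets onto a new key. The opcode names and the reading of the low three bits as a key ID come from OpenVPN's protocol definitions rather than from the post, and the sample datagrams are constructed.

```python
# Added example. Opcode numbers follow OpenVPN's protocol definitions;
# the datagrams in SAMPLE are constructed, not from a real capture.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
}
RESET_OPCODES = {1, 2, 3, 7, 8}   # start a (re)negotiation
DATA_OPCODES = {6, 9}             # carry encrypted payload

def parse_header(datagram: bytes):
    """Split byte 0 of a UDP-mode datagram into (opcode, key_id)."""
    if not datagram:
        raise ValueError("empty datagram")
    return datagram[0] >> 3, datagram[0] & 0x07   # high 5 bits, low 3 bits

def summarize(datagrams):
    """Return (index, opcode name, key_id, note) for each datagram."""
    events, data_key = [], None
    for i, dgram in enumerate(datagrams):
        try:
            opcode, key_id = parse_header(dgram)
        except ValueError:
            events.append((i, "EMPTY", None, "skipped"))
            continue
        note = ""
        if opcode in RESET_OPCODES:
            note = "key negotiation starts"
        elif opcode in DATA_OPCODES:
            if data_key is not None and key_id != data_key:
                note = f"data switched from key_id {data_key} to {key_id}"
            data_key = key_id
        events.append((i, OPCODES.get(opcode, f"UNKNOWN_{opcode}"), key_id, note))
    return events

def _pkt(opcode, key_id, body=b"\x00" * 16):
    return bytes([(opcode << 3) | key_id]) + body   # constructed filler body

# Constructed sequence: three data packets, a soft reset, then data on a new key.
SAMPLE = [_pkt(6, 0), _pkt(6, 0), _pkt(6, 0), _pkt(3, 1), _pkt(4, 1),
          _pkt(5, 1), _pkt(6, 1)]

if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(event)
```

A data packet whose key ID differs from the previous one marks the point where keys recovered for the earlier session stop applying.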