Penetration Testing mailing list archives

Re: OpenVPN traffic


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Tue, 15 Dec 2009 17:08:09 +0000

Chris Clymer wrote:
> OpenVPN is an SSL based VPN. You would need to get your hands on the
> certs, but if you did I would expect that you can use the SSL decrypt
> functionality in wireshark

Yes, that was what I thought until I tried it.

OpenVPN uses TLS technologies (although it doesn't have to use an x509
cert, it can use a preshared secret instead) but isn't as simple as
some-tunnel-protocol-over-stunnel would be. Instead, it is a UDP
streaming protocol with a simple five-bit packet type indicator; most
types are for the various key negotiation options, with only packet type
6 actually containing encrypted payload data. The actual session keys
used for hmac and payload are either taken from the preshared secret
(there are up to four, depending on mode) or negotiated using DH as part
of a certificate based TLS-style handshake.

It's a complete nightmare to try and decode by hand. I managed to extract
the four keys after half an hour of work, only to find that after three
payload packets the server sent a type 3 ("let's negotiate a new key!")
packet and the dance started over....
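As an added illustration of the packet-type indicator described in the post (not code from the thread or from the OpenVPN project), the parser below decodes the first byte of each UDP payload into the 5-bit opcode and 3-bit key id, pulls the session id that control/ACK packets carry, and tallies data packets per key id while flagging where a type 3 soft reset starts a renegotiation. The opcode numbers are OpenVPN's own; the sample capture, session id and padding bytes are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# OpenVPN opcodes: the 5-bit "packet type" the post refers to (protocol values, not constructed).
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",       # "let's negotiate a new key"
    4: "P_CONTROL_V1",                  # carries TLS handshake records
    5: "P_ACK_V1",
    6: "P_DATA_V1",                     # encrypted tunnel payload
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
}
DATA_OPCODES = {6, 9}

@dataclass
class Packet:
    opcode: int
    key_id: int
    name: str
    session_id: Optional[bytes]  # only control/ACK packets carry one

def parse_packet(payload: bytes) -> Packet:
    """High 5 bits of byte 0 are the opcode, low 3 bits the key id."""
    if not payload:
        raise ValueError("empty UDP payload")
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    session_id = None
    if opcode in OPCODES and opcode not in DATA_OPCODES:
        if len(payload) < 9:
            raise ValueError("control packet too short for session id")
        session_id = payload[1:9]  # 8-byte session id follows the opcode byte
    return Packet(opcode, key_id, OPCODES.get(opcode, f"UNKNOWN({opcode})"), session_id)

def summarize(packets) -> dict:
    """Count data packets per key id and record indexes of soft resets."""
    data_per_key, soft_resets = {}, []
    for i, raw in enumerate(packets):
        p = parse_packet(raw)
        if p.opcode in DATA_OPCODES:
            data_per_key[p.key_id] = data_per_key.get(p.key_id, 0) + 1
        elif p.opcode == 3:
            soft_resets.append(i)
    return {"data_per_key": data_per_key, "soft_resets_at": soft_resets}

def op(opcode: int, key_id: int) -> bytes:
    return bytes([(opcode << 3) | key_id])

SESSION = bytes.fromhex("0011223344556677")  # constructed session id
# Constructed capture mirroring the post: handshake, three data packets, then a soft reset.
SAMPLE = [op(1, 0) + SESSION + bytes(5), op(4, 0) + SESSION + bytes(5) + b"\x16\x03\x01",
          op(5, 0) + SESSION + b"\x01" + bytes(12), op(6, 0) + bytes(40),
          op(6, 0) + bytes(40), op(6, 0) + bytes(40), op(3, 1) + SESSION + bytes(5)]
```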

