
Regarding warning Unknown crypto suite from ClientMasterKey

Open russdm opened this issue 1 year ago • 4 comments

Brief description

Segmented packets are read in and misinterpreted as SSLv2 handshakes. Packets are often segmented TLS application Data packets when compared to Wireshark.

Scapy version

2.5.0

Python version

3.12.1

Operating system

Windows 11

Additional environment information

Develop a class in the SSLv2 handshake that recognizes and ignores segmented packets.

How to reproduce

Sniff TLS packets, and segmented TLS packets get misinterpreted as SSLv2_handshakes.

Actual result

No response

Expected result

No response

Related resources

No response

russdm avatar Feb 02 '24 01:02 russdm

Please provide a pcap and the code you're using to sniff.

gpotter2 avatar Feb 02 '24 08:02 gpotter2

See the following: I've raised the warning for UnknownCipherSuite as an error, and have been logging them in my packet captures. In comparison to the packet captures in Wireshark, Application Data is being read as SSLv2ClientMasterkey. See the zip file containing the code I'm using to capture packets, with the warning raised as an error and logged. Tests for unknown cipher suite.zip

russdm avatar Feb 02 '24 17:02 russdm

Just a note: the first two captures in the log file are in the pcap, to save longevity of analysis. I only meant to do two to save having to analyze a bunch of packets.

russdm avatar Feb 02 '24 20:02 russdm

Information regarding the SSLv2 header, if you're interested. SSLv2 header.txt

russdm avatar Feb 04 '24 20:02 russdm

Just use

from scapy.all import sniff
from scapy.sessions import TCPSession
# pktsniff is your existing per-packet callback
sniff(prn=pktsniff, session=TCPSession)

gpotter2 avatar Jul 14 '24 17:07 gpotter2
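
The effect reported in this thread, as an added example that is not code from the issue or from Scapy: a classifier that treats every TCP payload as the start of a record labels the tail of a split Application Data record as an SSLv2 ClientMasterKey, while buffering the stream first yields a single TLS record. The classifier is a simplified heuristic assumed for illustration, and the sample bytes and all names are constructed.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
SSLV2_TYPES = {1: "client_hello", 2: "client_master_key", 4: "server_hello"}

def classify_segment(payload):
    """Simplified per-segment guess (not Scapy's code): assumes the payload starts a record."""
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        return "tls:" + TLS_TYPES[payload[0]]
    # SSLv2 2-byte header: high bit set, 15-bit length, then a message type byte.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] in SSLV2_TYPES:
        return "sslv2:" + SSLV2_TYPES[payload[2]]
    return "unknown"

class TLSRecordReassembler:
    """Buffers one direction of a TCP stream and yields only complete TLS records."""
    def __init__(self):
        self.buf = b""

    def feed(self, payload):
        self.buf += payload
        records = []
        while len(self.buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", self.buf[:5])
            if len(self.buf) < 5 + length:
                break  # record continues in a later TCP segment
            records.append((TLS_TYPES.get(ctype, "unknown"), length))
            self.buf = self.buf[5 + length:]
        return records

def demo():
    # Constructed sample: one 300-byte Application Data record whose body happens
    # to contain 0x80 0x67 0x02 exactly where the TCP segment boundary falls.
    body = b"\xaa" * 195 + b"\x80\x67\x02" + b"\x55" * 102
    stream = struct.pack("!BHH", 23, 0x0303, len(body)) + body
    segments = [stream[:200], stream[200:]]
    per_segment = [classify_segment(s) for s in segments]
    reasm = TLSRecordReassembler()
    reassembled = [r for s in segments for r in reasm.feed(s)]
    return per_segment, reassembled

if __name__ == "__main__":
    print(demo())
```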