#!/bin/bash
#
# Test decryption capabilities of the Wireshark tools
|
|
|
|
#
|
|
|
|
# Wireshark - Network traffic analyzer
|
|
|
|
# By Gerald Combs <gerald@wireshark.org>
|
|
|
|
# Copyright 2005 Ulf Lamping
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
# modify it under the terms of the GNU General Public License
|
|
|
|
# as published by the Free Software Foundation; either version 2
|
|
|
|
# of the License, or (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# To do:
|
|
|
|
# IEEE 802.15.4
|
|
|
|
# IPsec / ESP
|
|
|
|
# ISAKMP / IKEv2
|
|
|
|
# PKCS#12
|
|
|
|
# SNMP
|
|
|
|
# DCERPC NETLOGON
|
|
|
|
# Kerberos
|
|
|
|
# KINK
|
|
|
|
# LDAP
|
|
|
|
# NTLMSSP
|
|
|
|
# SPNEGO
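# common exit status values
EXIT_OK=0
EXIT_COMMAND_LINE=1
EXIT_ERROR=2

# UAT (user-accessible table) files holding the key material the steps
# below rely on.  Each name has a template $TESTS_DIR/config/<name>.tmpl
# that decryption_prep_step instantiates into the test profile.
UAT_FILES="
80211_keys
dtlsdecrypttablefile
ssl_keys
c1222_decryption_table
ikev1_decryption_table
"

# Directory with the test keys (server private keys, key logs, ...).
TEST_KEYS_DIR="$TESTS_DIR/keys/"
if [ "$WS_SYSTEM" = "Windows" ] ; then
	# tshark on Windows needs a native path; quote the argument so a
	# TESTS_DIR containing spaces is converted as one path, not several.
	TEST_KEYS_DIR="$(cygpath -w "$TEST_KEYS_DIR")"
fi

#TS_ARGS="-Tfields -e frame.number -e frame.time_epoch -e frame.time_delta"
# Extra arguments passed to every tshark invocation in this suite
# (kept empty by default; split on whitespace when used).
TS_DC_ARGS=""

DIFF_OUT=./diff-output.txt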
# WPA PSK
# https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=wpa-Induction.pcap
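decryption_step_80211_wpa_psk() {
	# Decrypt a WPA-PSK capture (the PSK comes from the 80211_keys UAT
	# installed by decryption_prep_step) and look for the plaintext
	# HTTP request for favicon.ico that only appears once the 802.11
	# payload has been decrypted.
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "wlan.enable_decryption: TRUE" \
		-Tfields -e http.request.uri \
		-r "$CAPTURE_DIR/wpa-Induction.pcap.gz" \
		-Y http \
		| grep favicon.ico > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q): exiting early would send tshark SIGPIPE and make its
	# exit status meaningless.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting IEEE 802.11 WPA PSK"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt IEEE 802.11 WPA PSK"
		return
	fi
	test_step_ok
}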
# WPA EAP (EAPOL Rekey)
# Included in git sources test/captures/wpa-eap-tls.pcap.gz
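decryption_step_80211_wpa_eap() {
	# Decrypt a WPA capture that uses EAP authentication and contains an
	# EAPOL group-key rekey.  The filter selects frames whose derived
	# temporal key equals the expected TK; a "Group Message" among them
	# shows the rekey was followed and the new key applied.
	# tshark runs under run_and_catch_crashes so a fatal signal (for
	# example SIGSEGV or SIGBUS) is reported instead of being lost in
	# the pipeline.
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	./run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "wlan.enable_decryption: TRUE" \
		-r "$CAPTURE_DIR/wpa-eap-tls.pcap.gz" \
		-Y "wlan.analysis.tk==7d9987daf5876249b6c773bf454a0da7" \
		| grep "Group Message" > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark failure that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting IEEE 802.11 WPA EAP"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt IEEE 802.11 WPA EAP"
		return
	fi
	test_step_ok
}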
# DTLS
# https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil.tgz
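decryption_step_dtls() {
	# Decrypt a DTLS capture using the key table from the
	# dtlsdecrypttablefile UAT and look for the decrypted application
	# data bytes 69:74:20:77:6f:72:6b:20:21:0a (ASCII "it work !\n").
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e data.data \
		-r "$CAPTURE_DIR/snakeoil-dtls.pcap" -Y data \
		| grep "69:74:20:77:6f:72:6b:20:21:0a" > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting DTLS"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt DTLS"
		return
	fi
	test_step_ok
}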
# SSL, using the server's private key
# https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz
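decryption_step_ssl() {
	# Decrypt an SSL capture with the server's RSA private key (mapped
	# in the ssl_keys UAT) and look for the plaintext HTTP request for
	# favicon.ico.
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.request.uri \
		-r "$CAPTURE_DIR/rsasnakeoil2.pcap" -Y http \
		| grep favicon.ico > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting SSL using the server's private key"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt SSL using the server's private key"
		return
	fi
	test_step_ok
}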
# SSL, using the master secret
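decryption_step_ssl_master_secret() {
	# Decrypt an SSL capture with a DHE key exchange, where the server
	# key is useless; the session's master secret is supplied through a
	# key log file instead.  Success is a decrypted HTTP request whose
	# URI contains "test".
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.request.uri \
		-o "ssl.keylog_file: $TEST_KEYS_DIR/dhe1_keylog.dat" \
		-o "ssl.desegment_ssl_application_data: FALSE" \
		-o "http.ssl.port: 443" \
		-r "$CAPTURE_DIR/dhe1.pcapng.gz" -Y http \
		| grep test > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting SSL using the master secret"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt SSL using the master secret"
		return
	fi
	test_step_ok
}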
# ZigBee
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7022
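decryption_step_zigbee() {
	# Decrypt a ZigBee capture and look for the APS payload bytes
	# 30:67:63:63:38:65:20:63:34:2e:64:6d:2e:74:76:20
	# (ASCII "0gcc8e c4.dm.tv ").  No key is passed on the command line;
	# decryption relies on the ZigBee key configuration tshark sees in
	# the test profile (or its defaults).
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-r "$CAPTURE_DIR/sample_control4_2012-03-24.pcap" \
		-Tfields -e data.data \
		-Y zbee_aps \
		| grep "30:67:63:63:38:65:20:63:34:2e:64:6d:2e:74:76:20" > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting ZigBee"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt ZigBee"
		return
	fi
	test_step_ok
}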
# ANSI C12.22
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9196
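decryption_step_c1222() {
	# Decrypt an ANSI C12.22 capture.  Decryption is switched on
	# explicitly and the base OID set so the dissector recognises the
	# sample; the keys come from the c1222_decryption_table UAT.  The
	# expected plaintext starts 00:10 "MANUFACTURER SN " 92.
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "c1222.decrypt: TRUE" \
		-o "c1222.baseoid:2.16.124.113620.1.22.0" \
		-r "$CAPTURE_DIR/c1222_std_example8.pcap" \
		-Tfields -e c1222.data \
		| grep "00:10:4d:41:4e:55:46:41:43:54:55:52:45:52:20:53:4e:20:92" > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting C12.22"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt C12.22 $RETURNVALUE"
		return
	fi
	test_step_ok
}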
# DVB-CI
# simplified version of the sample capture in
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6700
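decryption_step_dvb_ci() {
	# Decrypt a DVB-CI (CI+) capture.  The sample was produced with an
	# all-zero SAC encryption key and IV, so those test values are passed
	# directly as preferences.  Correct decryption shows up as a padding
	# field of 0x80 followed by zero bytes.
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "dvb-ci.sek: 00000000000000000000000000000000" \
		-o "dvb-ci.siv: 00000000000000000000000000000000" \
		-Tfields -e dvb-ci.cc.sac.padding \
		-r "$CAPTURE_DIR/dvb-ci_UV1_0000.pcap" \
		| grep "80:00:00:00:00:00:00:00:00:00:00:00" > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting DVB_CI"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt DVB_CI"
		return
	fi
	test_step_ok
}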
# IKEv1 (ISAKMP) with certificates
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7951
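decryption_step_ikev1_certs() {
	# Decrypt an IKEv1 (ISAKMP) exchange using the keys from the
	# ikev1_decryption_table UAT and look for "OpenSwan" in a decoded
	# X.509 printable string -- presumably the certificate payload only
	# becomes visible once the encrypted exchange is decrypted.
	local statuses
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e x509sat.printableString \
		-r "$CAPTURE_DIR/ikev1-certs.pcap" \
		| grep "OpenSwan" > /dev/null 2>&1
	# $? alone is grep's status and would hide a tshark crash that
	# happens after the matching line was already printed, so keep the
	# status of every pipeline stage.  grep deliberately reads to EOF
	# (no -q) so tshark is never killed by SIGPIPE.
	statuses=("${PIPESTATUS[@]}")
	RETURNVALUE=${statuses[1]}
	if [ "${statuses[0]}" -ne "$EXIT_OK" ]; then
		test_step_failed "TShark exited with status ${statuses[0]} while decrypting IKEv1"
		return
	fi
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt IKEv1"
		return
	fi
	test_step_ok
}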
# HTTP2 (HPACK)
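decryption_step_http2() {
	# Decode HPACK-compressed HTTP/2 headers.  No crypto is involved:
	# traffic on port 3000 is decoded directly as HTTP/2 via -d, and the
	# test looks for the "nghttp2" header value among the decoded ones.
	local tshark_status
	# $TS_DC_ENV / $TS_DC_ARGS are intentionally unquoted: they carry
	# zero or more whitespace-separated words.
	# shellcheck disable=SC2086
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e http2.header.value \
		-d tcp.port==3000,http2 \
		-r "$CAPTURE_DIR/packet-h2-14_headers.pcapng" \
		> ./testout.txt
	# Record tshark's own status before grep overwrites $?; a crash
	# after the expected header was printed would otherwise pass.
	tshark_status=$?
	grep "nghttp2" ./testout.txt > /dev/null 2>&1
	RETURNVALUE=$?
	if [ "$tshark_status" -ne "$EXIT_OK" ] || [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		# Dump a verbose decode of the same capture so the log shows
		# which headers were (not) recovered.
		# shellcheck disable=SC2086
		env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
			-V \
			-d tcp.port==3000,http2 \
			-r "$CAPTURE_DIR/packet-h2-14_headers.pcapng" \
			> ./testout2.txt
		echo
		echo "Test output:"
		cat ./testout.txt
		echo "Verbose output:"
		cat ./testout2.txt
		if [ "$tshark_status" -ne "$EXIT_OK" ]; then
			test_step_failed "TShark exited with status $tshark_status while decoding HTTP2 HPACK"
		else
			test_step_failed "Failed to decode HTTP2 HPACK"
		fi
		return
	fi
	test_step_ok
}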
tshark_decryption_suite() {
	# Register every decryption step with the harness, in this order.
	# Each entry is "<step function>:<display name>"; the display name
	# may contain spaces and parentheses, so split on the first colon.
	local entry step_func
	for entry in \
		"decryption_step_80211_wpa_psk:IEEE 802.11 WPA PSK Decryption" \
		"decryption_step_80211_wpa_eap:IEEE 802.11 WPA EAP Decryption" \
		"decryption_step_dtls:DTLS Decryption" \
		"decryption_step_ssl:SSL Decryption (private key)" \
		"decryption_step_ssl_master_secret:SSL Decryption (master secret)" \
		"decryption_step_zigbee:ZigBee Decryption" \
		"decryption_step_c1222:ANSI C12.22 Decryption" \
		"decryption_step_dvb_ci:DVB-CI Decryption" \
		"decryption_step_ikev1_certs:IKEv1 Decryption (certificates)" \
		"decryption_step_http2:HTTP2 (HPACK)"
	do
		step_func=${entry%%:*}
		test_step_add "${entry#*:}" "$step_func"
	done
}
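decryption_cleanup_step() {
	# Post-step: throw away the temporary test profile (TEST_HOME is set
	# by the harness outside this file).  Guard against an unset or empty
	# TEST_HOME: "rm -rf ''" only prints an error, but an explicit check
	# keeps the step's exit status clean and makes the intent obvious;
	# "--" stops rm from treating an odd path as an option.
	if [ -n "$TEST_HOME" ]; then
		rm -rf -- "$TEST_HOME"
	fi
}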
decryption_prep_step() {
	# Pre-step for the suite: start from a clean test profile and then
	# instantiate the key-table (UAT) templates into it.
	decryption_cleanup_step

	# Environment handed to every tshark invocation through "env", so
	# tshark presumably reads the throw-away profile rather than the
	# user's own keys and preferences.  HOME_ENV and HOME_PATH are
	# defined outside this file.
	TS_DC_ENV="${HOME_ENV}=${HOME_PATH}"

	# $UAT_FILES is intentionally unquoted: one word per table name.
	# Each template carries the literal placeholder TEST_KEYS_DIR which
	# is replaced with the real key directory.  Backslashes (Windows
	# paths from cygpath -w) are turned into "\x5c" first, presumably
	# so they survive sed and are unescaped by the UAT reader -- verify
	# against the UAT parser before relying on it.
	# NOTE(review): "|" is the sed delimiter and "&" is not escaped, so
	# a TESTS_DIR containing either character would corrupt the
	# generated tables; acceptable for a tree-controlled path.
	for UAT in $UAT_FILES ; do
		sed -e "s|TEST_KEYS_DIR|${TEST_KEYS_DIR//\\/\\\\x5c}|" \
			< "$TESTS_DIR/config/$UAT.tmpl" \
			> "$CONF_PATH/$UAT"
	done
}
decryption_suite() {
	# Entry point registered with the test harness: install the
	# per-step pre/post hooks, then add the tshark decryption steps.
	local pre_hook=decryption_prep_step
	local post_hook=decryption_cleanup_step
	test_step_set_pre "$pre_hook"
	test_step_set_post "$post_hook"
	test_suite_add "TShark decryption" tshark_decryption_suite
}
#
# Editor modelines - https://www.wireshark.org/tools/modelines.html
#
|
|
|
|
# Local variables:
|
|
|
|
# c-basic-offset: 8
# tab-width: 8
|
|
|
|
# indent-tabs-mode: t
|
|
|
|
# End:
|
|
|
|
#
# vi: set shiftwidth=8 tabstop=8 noexpandtab:
# :indentSize=8:tabSize=8:noTabs=false:
#