I was trying to figure out what is the calling HTTPS server using old deprecated SSLv2/SSLv3.

Ideally if the network equipment can capture the traffic, that would be best.

However, here is just one possible solution using open source tools. Maybe this would be useful for you.

My criteria were:

  • Windows based
  • Small logs (capture only SSLv2/SSLv3 traffic)
  • Small application footprint
  • Low cpu utilization
  • A way to extract only unique caller ip address
  • Low cost
  • Capture traffic on the server
  • Control log file size to prevent disk full situation

 

Was able to do this by using open source command line tool – Dumpcap (included in Wireshark).

Basically wrote a simple powershell script to:

  1. run dumpcap, capturing only SSLv2/SSLv3 traffic and dump it into a file.
  2. Daily stop the capture, process the captured file, extract only unique ip addresses and email the results.
  3. Delete the captured file and restart the dumpcap capture

 

So the key to dumpcap is by using filters, it is able to capture only SSLv2 and SSLv3 packets. The wireshark filter options used to achieve this:  ssl.record.version == 0x0002 or ssl.record.version == 0x300

  • SSLV2 – 0X0002
  • SSLV3 – 0x300
  • TLSv1 – 0x0301
  • TLSv1.1 – 0x0302
  • TLSv1.2 – 0x0303

 

Dumpcap filter option however is a little different:

tcp[((tcp[12]>>4)*4)+9:2]=0x0002 or tcp[((tcp[12]>>4)*4)+9:2]=0x300

This filter option works with tcpdump too.

Eg:

# sudo tcpdump -i eth0 ‘tcp[((tcp[12]>>4)*4)+9:2]=0x0300’

 

Capturing the traffic

So the full dumpcap.exe command line for my test:

dumpcap  -w z:\capture\mycapture.pcap -i 1 -f “tcp[((tcp[12]>>4)*4)+9:2]=0x0300 or tcp[((tcp[12]>>4)*4)+9:2]=0x0002 and tcp port 443 ”  -b files:3 -b filesize:4000

 

Basically it means, dumpcap capture SSLv2 and SSLv3 only traffic and only from port 443, write it to file z:\capture\mycapture.pcap , and create a ring files of maximum 3 files before it gets overwritten and each file with maximum 4MB size. Ring files prevents disk full but will overwrites, so may need to tweak it to prevent overwrites but still there as a precaution.

The captured files generally consist of a lot of tcp packets. When the files are opened with Wireshark tool, if there are SSLv3 packets, it’ll show up.

 

Report Unique IP

But the goal is to get only the unique ip addresses.  To achieve that, it can be done by using Wireshark à Statistics à Endpoints or via  Wireshark have a command line tool tshark.exe that can do the same too.

tshark -2 -q -r <input pcap> -R “ssl.record.version==0x300 or ssl.record.version==0x2” -z ip_hosts, tree  >  myuniquefile.txt

Parameter explanation for tshark

-2 run 2 pass analysis

-q run quietly

-R <filter> – filter only SSLV3 and SSLV2 traffic

-z ip_hosts, tree (just ip address in tree format)

So that generate a small result file with only unique ip addresses.

 

Email the results

And finally attach the result, delete processed logs and email it to me using powerShell script.

With the result file, then one can try and find the owners or partners and inform them in advance of  turning off the SSLv2/SSLv3 protocol.

 

Things to consider

Wireshark and Dumpcap being network sniffers may require corporate approval for use. So before considering this, highly advisable to check with your company if this is allowed.

Disk full would impact OS or application, logs should be installed on non-critical disk/drives. Can control via the ring file parameter.

May need to run the scripts a few times a day to control the logs.

 

Reference

https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client/18837

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply