How can I calculate the same SSH fingerprint as Putty displays? - ssh

When first connecting to a new SSH host in Putty it displays a message asking me to verify the RSA fingerprint:
When viewing this same information on the network (e.g. through Wireshark), the same value is not shown, instead is shown as:
How can I calculate the fingerprint from the information shown in the Packet Capture?

The value shown in Wireshark is the full public key from the server. The fingerprint (MD5 hash value) of this value is shown to the user in PuTTY as it's much easier (shorter) to read than expecting the user to match up the entire key.
To calculate the public key fingerprint it is necessary to first convert the hex stream given by Wireshark to the byte stream equivalent, then to calculate the MD5 hash from this and output it in hexadecimal format.
A crude implementation of this in python is below which will take the wireshark value (HEX DH host Key copied as a HEX Stream) on STDIN and output the fingerprint on STDOUT:
import hashlib
import sys
# Accepts a Wireshark-encoded string on STDIN and outputs the MD5 fingerprint to STDOUT
# The value copied from the 'HEX DH host Key' as a HEX Stream
wireshark_key = sys.stdin.readline()
# Change the HEX value into the raw byte stream, which will include non-printable characters
key_bytes = bytes.fromhex(wireshark_key.strip())
# Calculate the MD5 hash of the byte stream and output in hexadecimal format
md5_fingerprint = hashlib.md5(key_bytes).hexdigest()
# Tidy up the output so it matches what PuTTY displays
putty_fingerprint = ":".join([md5_fingerprint[i:i+2] for i in range(0, len(md5_fingerprint), 2)])
print(putty_fingerprint)
To run this, save the wireshark value (public key) to a file and then execute:
cat <key.txt> | python scriptname.py
The output should then match what is displayed by Putty on first connect as well as in the Event Log.
The following web pages were very useful in figuring this all out:
http://passionateaboutis.blogspot.co.uk/2015/07/ssh-fingerprint-from-pcap.html
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication
Whilst this script may be useful for one-off cases, if you need to obtain fingerprints for a large number of hosts, nmap and one of its NSE scripts may be more efficient:
https://nmap.org/nsedoc/scripts/ssh-hostkey.html
Saving the output from NMAP to XML will automatically store the calculated fingerprint for all hosts.
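An added example (not part of the original answer): the same hash-the-blob procedure with the key blob parsed first, so that copying the wrong field or a truncated value is rejected instead of silently producing a fingerprint that will never match. It goes beyond the answer by also printing the SHA-256 form that OpenSSH shows by default. It assumes the hex stream starts at the length field of the "ssh-rsa" type string; the function names and the sample blob are constructed for illustration.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Read one length-prefixed field; return (value, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past the end of the key blob")
    return blob[offset + 4:end], end


def host_key_fingerprints(hex_stream):
    """Parse a hex-encoded ssh-rsa host key blob and return its fingerprints."""
    blob = bytes.fromhex("".join(hex_stream.split()).replace(":", ""))
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob (wrong field copied?)")
    _exponent, offset = _read_string(blob, offset)
    modulus, offset = _read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing bytes after the modulus")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "bits": int.from_bytes(modulus, "big").bit_length(),
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256_b64.rstrip("="),
    }


# Constructed sample, not a real key: e = 65537 and a 2048-bit placeholder modulus.
SAMPLE_HEX = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big"))
).hex()

if __name__ == "__main__":
    print(host_key_fingerprints(SAMPLE_HEX))
```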

Related

Trying to understand SSLKEYLOGFILE environment variable output format

I have been messing around with the SSLKEYLOGFILE environment variable, and I am trying to understand everything inside the output that it gives me (the .log file with all the session keys).
Here is a picture of what the output looks like:
I understand that these are keys, but what I notice is a space in the middle of each line, indicating to me that they are separate keys. What exactly are the 2 different keys that they are giving me, and how is WireShark able to use this file to decrypt ssl traffic?
The answer to your question is in a comment from the commit that added this feature:
* - "CLIENT_RANDOM xxxx yyyy"
* Where xxxx is the client_random from the ClientHello (hex-encoded)
* Where yyy is the cleartext master secret (hex-encoded)
* (This format allows non-RSA SSL connections to be decrypted, i.e.
* ECDHE-RSA.)
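An added example (not part of the original answer): a parser for the "CLIENT_RANDOM xxxx yyyy" lines described above, indexed by client_random, which is the value a decrypting tool matches against the ClientHello to find the session's master secret. The length checks assume TLS 1.2 or earlier (32-byte client_random, 48-byte master secret); the function names and sample lines are constructed for illustration.

```python
import re

_HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_keylog(text):
    """Return ({client_random_hex: master_secret_bytes}, [(line_no, reason)])."""
    secrets, rejected = {}, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if parts[0] != "CLIENT_RANDOM":
            rejected.append((line_no, "unhandled label " + parts[0]))
        elif len(parts) != 3 or not all(_HEX_RE.fullmatch(p) for p in parts[1:]):
            rejected.append((line_no, "expected two hex fields"))
        elif len(parts[1]) != 64:
            rejected.append((line_no, "client_random is not 32 bytes"))
        elif len(parts[2]) != 96:
            rejected.append((line_no, "master secret is not 48 bytes"))
        else:
            secrets[parts[1].lower()] = bytes.fromhex(parts[2])
    return secrets, rejected


def master_secret_for(secrets, client_random):
    """Look up the master secret for the client_random bytes seen in a ClientHello."""
    return secrets.get(client_random.hex())


# Constructed sample lines, not real key material.
SAMPLE_LOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "ab" * 31 + " " + "cd" * 48,  # short client_random
    "EXAMPLE_LABEL 00 11",                            # label this parser skips
])

if __name__ == "__main__":
    parsed, problems = parse_keylog(SAMPLE_LOG)
    print(len(parsed), "usable entries;", problems)
```

Because each line holds a cleartext master secret, a key log file needs the same handling as a private key: restrict who can read it and delete it once the capture has been analysed.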

Specifying Arduino WiFiClientSecure Certificates

In what format are you supposed to supply the certificates (and keys) in the WiFiClientSecure module? NO examples exist, or documentation of its usage.
I am following the Arduino (ESP32) WiFiClientSecure example code - and trying to connect while specifying a CA Certificate, such as:
client.connect(server, 443, test_ca_cert, test_client_cert, test_client_key)
(test_client_cert and test_client_key are NULL pointers). If test_ca_cert is a NULL pointer, the SSL connection is fine.
If I try to specify my own test_ca_cert, I always get:
CA cert: mbedtls_x509_crt_parse returned -0x2180 (which is an error code for "invalid format")
I have tried a multitude of things for the test_ca_cert such as a string with the PEM formatted (cleartext) base64 encoded certificate, and a byte array of the DER formatted certificates. Nothing seems to work.
What is the format in which this certificate should be specified?
I figured it out by a combination of brute-force, and combing through some mbedtls code online. The certificate has to be specified in exactly the format as follows - i.e. by embedding your own newlines in the array:
unsigned char test_ca_cert[] =
"-----BEGIN CERTIFICATE-----\n"
"MIIDpDCCAowCCQC7mCk5Iu3YmDANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMC\n"
"VVMxFjAUBgNVBAgMDU5ldyBIYW1wc2hpcmUxDzANBgNVBAcMBk5hc2h1YTEYMBYG\n"
"A1UECgwPYnJhZGdvb2RtYW4uY29tMR0wGwYDVQQDDBRCcmFkIEdvb2RtYW4gUm9v\n"
"dCBDQTEiMCAGCSqGSIb3DQEJARYTYnJhZEBicmFkZ29kbWFuLmNvbTAeFw0xNDEy\n"
"MDgwMTM2NDJaFw0yNDEyMDUwMTM2NDJaMIGTMQswCQYDVQQGEwJVUzEWMBQGA1UE\n"
"CAwNTmV3IEhhbXBzaGlyZTEPMA0GA1UEBwwGTmFzaHVhMRgwFgYDVQQKDA9icmFk\n"
"Z29vZG1hbi5jb20xHTAbBgNVBAMMFEJyYWQgR29vZG1hbiBSb290IENBMSIwIAYJ\n"
"KoZIhvcNAQkBFhNicmFkQGJyYWRnb2RtYW4uY29tMIIBIjANBgkqhkiG9w0BAQEF\n"
"AAOCAQ8AMIIBCgKCAQEAq0TfPz/2eH1vMhs5wKjZQU5KEpJH8n27jW3cSVPJPRHo\n"
"tn1S14zzaxuMYhZ1LQJgqT3/V9eVJdJkgoW54dgHLZVMb0xRilJPXNtR9WIZI+3r\n"
"6+7sm6OOhmxjOKUuTWdK+Rbx/KGU+xjQjlyw7Ir4hRLmfaNAw7gnZWyzVcJbvg8O\n"
"5JsReO4x4CnDveX0EJK6L9kNpTSLJZoFsVPdA3QJrxUYOw9s7gQYSjxx1SlcXqQQ\n"
"eWyJWF0FSkRcgRo4qu3JiV94kLUwYNno89G5kU1TnlK0d740KK/A3LN686HhtT66\n"
"XTtE/GLP9EUdlNgEkSoa00580iZqxYZBjlswa04qPQIDAQABMA0GCSqGSIb3DQEB\n"
"BQUAA4IBAQBqf27PAMC0cs5qgr6z5nUxSUN+o3Ap0YjNqrvBID0jQNPr3pfW8fy2\n"
"7dGa3ZAGwPnAmMvx2M6UF5GRYA7lAiC/jBmp0qrdekst4FBx5whJL6tt6sSSmeNp\n"
"4dF7OpGFFDeuBj1CJlN7dro+nd+wty9f7rpjNmGcNjD/vGOrk9T67uWB5NYDIrcn\n"
"rBOAVb+yBnDphBH7UIXWnSBCyDGD7SjAnWPQdH6uRAhVrbhIPylC50NwhqjlN5su\n"
"ll2eQ0Vfp5u+viLK441MwfF77CjhFMs50Ahu7y5ApRD9nzMdqav63dU4oKrdOJgK\n"
"yiUGy+6qJ0KK7FyaU4YKbcsqmd/kev9m\n"
"-----END CERTIFICATE-----\n";

Generate a ZMK Component only

I have seen the command that generates and also prints the ZMK component. The command is : Generate and Print a ZMK Component for which the Command Code is 'OC'.
But I don't want it to be printed. But in 'OC' command it seems mandatory:
Question:
Is there any way I can tweak this? Or any other command which just generates ZMK without the need to print it? I'm using Thales HSM 9000
From 1270A546-016 Host Command Reference v2.3b
Notes: This command is superseded by host command 'A2'.
A printer must be attached to one of the USB ports on the payShield 9000. Serial-to-USB and parallel-to-USB cables are available from Thales, on request.
I believe that there is no way to use the Generate and Print a ZMK Component (OC) command without using a printer.
Follow up
Check the command Generate a Key (A0).
Mode = 0 (Generate key)
Key Type = 000 (Zone Master Key,ZMK)
This is the A0 response using the Thales Test LMK
HEADA100U6809C450D3F68AC78E80BA0C80E1D071F5EE20U6809C450D3F68AC78E80BA0C80E1D071F5EE20

displaying all cmd.exe text to textbox

I've searched high and low looking for a way to display all text from FTP.exe to a richtextbox. So far all I've been able to do is display the output code. The idea is to run the test and display and capture to a file, which hasn't been a problem, except I can't seem to display all text as you would see it in Command. Hoping to see all text when done. Please help!!
Here is the code:
    Private Sub Rectangle1_Click(sender As Object, e As EventArgs) Handles Rectangle1.Click
        Dim p As New Process()
        With p
            .StartInfo.Arguments = " -s:c:\dsl\ftptest\speed1.txt 65.40.220.20"
            .StartInfo.CreateNoWindow = True
            .StartInfo.FileName = "ftp"
            .StartInfo.RedirectStandardError = True
            .StartInfo.RedirectStandardOutput = True
            .StartInfo.UseShellExecute = False
            .Start()
            Dim StErr As StreamReader = .StandardError
            Dim StOut As StreamReader = .StandardOutput
            While (Not StOut.EndOfStream)
                Me.RichTextBox1.AppendText(String.Format("{0}", StOut.ReadLine() & vbCrLf))
            End While
            .WaitForExit()
        End With
    End Sub
End Class
Here is the output from the code:
User (65.40.220.20:(none)): Hash mark printing On ftp: (2048 bytes/hash mark) .
hash
get test.1meg
#
cd upload
put test.1meg
#
close
bye
Here is What I'm looking for:
C:\DSL\FTPTEST>call FTP -s:c:\dsl\FTPtest\speed1.txt 65.40.220.20
Connected to 65.40.220.20.
220-
This server is provided as a EMBARQ Speedtest server for DSL customers only.
Any other use is prohibited.
You may login using anonymous ftp and download the test files to determine your speed.
You may upload the same files to the upload directory to test your upload speed.
You may only upload the files that you previously downloaded from this server.
You cannot download anything from the upload directory.
Remember, some ftp programs measure speed in bytes per second.
DSL speeds are measured in bits per second. There are 8 bits in a byte.
If you can download at 64 kilobytes per second then that is the same as
512 kilobits per second.
220 65.40.220.20 FTP server ready
User (65.40.220.20:(none)):
331 Anonymous login ok, send your complete email address as your password.
230-
This server is provided as a EMBARQ Speedtest server for DSL customers only.
Any other use is prohibited.
You may login using anonymous ftp and download the test files to determine your speed.
You may upload the same files to the upload directory to test your upload speed.
You may only upload the files that you previously downloaded from this server.
You cannot download anything from the upload directory.
Remember, some ftp programs measure speed in bytes per second.
DSL speeds are measured in bits per second. There are 8 bits in a byte.
If you can download at 64 kilobytes per second then that is the same as
512 kilobits per second.
230 Anonymous access granted, restrictions apply.
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> get test.1meg
200 PORT command successful
150 Opening ASCII mode data connection for test.1meg (1048576 bytes)
#
#
#
ftp: 1048576 bytes received in 5.96Seconds 175.94Kbytes/sec.
ftp>
ftp> cd upload
250 CWD command successful
ftp> put test.1meg
200 PORT command successful
150 Opening ASCII mode data connection for test.1meg
#
#
#
226 Transfer complete.
ftp: 1048576 bytes sent in 5.98Seconds 175.23Kbytes/sec.
ftp>
ftp>
I think that you might be able to redirect the output of your command to a file, e.g. at the end of the command add (assuming that you have a directory c:\temp)
your command here > c:\temp\TestOutput.text
Then in your program, add a file system watcher to watch that file and load it into the textbox when it changes. If you're doing this lots of times then you might have to dynamically generate a filename and delete the files when no longer needed.

How can I use the value of mp2t.af.pcr as a Tshark field?

I have a wireshark capture that contains an RTP multicast stream (plus some other incidental data).
Using a Tshark command like the following, I can produce a CSV of the RTP timestamp compared with the packet capture time:
tshark.exe -r "capture.pcap" -Eseparator=, -Tfields -e rtp.timestamp -e frame.time_epoch -d udp.port==5000,rtp
This decodes the UDP packets as RTP, and successfully prints out the two fields as expected.
Now, my question: The payload of the RTP stream is an MPEG2 Transport Stream, and I also want to print the PCR value (if there is one) alongside the packet and RTP timestamps.
In wireshark, I can see the PCR being decoded correctly, however using a command like the following:
tshark.exe -r "HBO HD CZ.pcap" -Eseparator=, -Tfields -e rtp.timestamp -e frame.time_epoch -e mp2t.af.pcr -d udp.port==5000,mp2t
...only prints out a "1" if there is a PCR present, not the actual value. I have also checked the .pcr_flag to confirm that these two are not exchanged, but still I see the same result.
The documentation seems to call mp2t.af.pcr a "Label", does this mean that Tshark is not able to use it as a field? Is there a way to generate a CSV with these values?
(What part of the documentation calls it a "Label"? That's a somewhat odd description of a named field.)
The problem is that the value that Wireshark displays after "base(XXX)*300 + ext(YYY)" is calculated and displayed, but the field itself isn't given an integral type and is instead given a type that doesn't have a value. Arguably, it should be an FT_UINT64 field and should be given a value, so that you can filter on it and can print the value in TShark.
Please file an enhancement request for this on the Wireshark Bugzilla.