EXCEPTION: Simultaneous ClientHello message present

  • Question

  • Trying to use NMDecrypt to decrypt LDAP/S traffic from a Win7 client to a Win2008R1 SP2 Active Directory domain controller, but the decryption always fails with EXCEPTION: Simultaneous ClientHello message present.  Happens in multiple captures. Have selected the TCP conversation in the Network Conversations field. Using NMDecrypt 2.3.4 from CodePlex and have used both the Default and Windows parsers 3.4.2774.001.

    From debug log file:

    6,74: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake
       Value:
    6,75: Processing Field: Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType
       Value: ServerHello(0x02)
    Found Handshake Message 2 (Ethernet.Ipv4.Tcp.TCPPayload.TLSSSLData.Tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType)
    EXCEPTION: Simultaneous ClientHello message present
    No Frames were decrypted, Netmon Filter Set may not match with current parser version.  Use parser version 3.4.2345.1 or greater.

    From the network capture:

    2 10:45:45 AM 9/7/2012 0.0000000  169.172.16.74 10.40.38.79 TCP TCP:Flags=......S., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459848, Ack=0, Win=65535 ( Negotiating scale factor 0x1 ) = 65535 {TCP:2, IPv4:1}
    3 10:45:45 AM 9/7/2012 0.0001559  10.40.38.79 169.172.16.74 TCP TCP: [Bad CheckSum]Flags=...A..S., SrcPort=ldap protocol over TLS/SSL (was sldap)(636), DstPort=58447, PayloadLen=0, Seq=1588180437, Ack=2920459849, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:2, IPv4:1}
    4 10:45:45 AM 9/7/2012 0.0041307  169.172.16.74 10.40.38.79 TCP TCP:Flags=...A...., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459849, Ack=1588180438, Win=33312 (scale factor 0x1) = 66624 {TCP:2, IPv4:1}
    5 10:45:45 AM 9/7/2012 0.0046922  169.172.16.74 10.40.38.79 SSL SSL:SSLv2RecordLayer, ClientHello (0x01) {SSL:4, SSLVersionSelector:3, TCP:2, IPv4:1}
    6 10:45:45 AM 9/7/2012 0.0263000  10.40.38.79 169.172.16.74 TLS TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate. Certificate Request. Server Hello Done. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
    7 10:45:45 AM 9/7/2012 0.0319092  169.172.16.74 10.40.38.79 TCP TCP:Flags=...A...., SrcPort=58447, DstPort=ldap protocol over TLS/SSL (was sldap)(636), PayloadLen=0, Seq=2920459991, Ack=1588182724, Win=32863 (scale factor 0x1) = 65726 {TCP:2, IPv4:1}
    8 10:45:45 AM 9/7/2012 0.0327988  169.172.16.74 10.40.38.79 TLS TLS:TLS Rec Layer-1 HandShake: Certificate.; TLS Rec Layer-2 HandShake: Client Key Exchange.; TLS Rec Layer-3 Cipher Change Spec; TLS Rec Layer-4 HandShake: Encrypted Handshake Message. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
    9 10:45:45 AM 9/7/2012 0.0342511  10.40.38.79 169.172.16.74 TLS TLS:TLS Rec Layer-1 Cipher Change Spec; TLS Rec Layer-2 HandShake: Encrypted Handshake Message. {TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
    10 10:45:45 AM 9/7/2012 0.0385734  169.172.16.74 10.40.38.79 LDAP LDAP:Encrypted Over SSL {LDAP:6, TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}
    11 10:45:45 AM 9/7/2012 0.0459465  10.40.38.79 169.172.16.74 LDAP LDAP:Encrypted Over SSL {LDAP:6, TLS:5, SSLVersionSelector:3, TCP:2, IPv4:1}

    Ideas?


    BrianY MCT, MCLC

    Friday, September 7, 2012 3:55 PM
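The capture above shows the two things a passive decryptor has to get right before it can even choose a key: the client's hello is sent in the SSLv2 record format (2-byte header, high bit set) while every later record uses the TLS record layer, and once a side sends ChangeCipherSpec its next handshake record is the encrypted Finished, so its first byte is no longer a message type. The walker below is an added example, not NMDecrypt or Network Monitor code; the frames it walks are constructed to mirror the flights in the posted capture (SSLv2 ClientHello, ServerHello/Certificate/CertificateRequest/ServerHelloDone, client Certificate/ClientKeyExchange/CCS/Finished, server CCS/Finished) and carry dummy certificate, random and key-exchange bytes.

```python
"""Walk a captured SSL/TLS handshake frame by frame (added example, not
NMDecrypt code). Frames below are constructed, not taken from a real trace."""
import struct

HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}
CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert",
                 0x16: "Handshake", 0x17: "ApplicationData"}


def parse_sslv2_client_hello(data):
    """Decode an SSLv2-framed ClientHello: 2-byte header with the high bit set,
    then msg type 0x01, version, three lengths, V2-style 3-byte cipher specs.
    Returns None if the bytes are not an SSLv2 ClientHello."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    version = struct.unpack(">H", body[1:3])[0]
    cs_len, sid_len, ch_len = struct.unpack(">HHH", body[3:9])
    specs = body[9:9 + cs_len]
    return {"version": version,
            "cipher_specs": [specs[i:i + 3].hex() for i in range(0, cs_len, 3)],
            "session_id_len": sid_len, "challenge_len": ch_len}


def _handshake_messages(frag):
    """Name the handshake messages packed into one plaintext Handshake record."""
    msgs, off = [], 0
    while off + 4 <= len(frag):
        htype, hlen = frag[off], int.from_bytes(frag[off + 1:off + 4], "big")
        msgs.append(HANDSHAKE_TYPES.get(htype, "type_%d" % htype))
        off += 4 + hlen
    return msgs


def parse_tls_records(data, encrypted=False):
    """Split a TLS stream into records. After ChangeCipherSpec the following
    Handshake record is the encrypted Finished and must not be parsed."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack(">BHH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record at offset %d" % off)
        off += 5 + length
        rec = {"type": CONTENT_TYPES.get(ctype, hex(ctype)), "version": version,
               "messages": []}
        if ctype == 0x14:
            encrypted = True
        elif ctype == 0x16:
            rec["messages"] = (_handshake_messages(frag) if not encrypted
                               else ["EncryptedHandshakeMessage"])
        records.append(rec)
    return records, encrypted


def summarize_handshake(frames):
    """frames: list of (direction, bytes) in capture order. Tracks the
    encrypted state per direction and returns one line per frame plus the
    facts a decryptor cares about (hello counts, client cert requested)."""
    lines = []
    facts = {"client_hellos": 0, "server_hellos": 0, "client_cert_requested": False}
    enc = {"C>S": False, "S>C": False}
    for direction, data in frames:
        v2 = parse_sslv2_client_hello(data)
        if v2 is not None:
            facts["client_hellos"] += 1
            lines.append("%s SSLv2RecordLayer ClientHello offering %d ciphers"
                         % (direction, len(v2["cipher_specs"])))
            continue
        records, enc[direction] = parse_tls_records(data, enc[direction])
        names = [n for r in records for n in (r["messages"] or [r["type"]])]
        facts["client_hellos"] += names.count("ClientHello")
        facts["server_hellos"] += names.count("ServerHello")
        facts["client_cert_requested"] |= "CertificateRequest" in names
        lines.append("%s %s" % (direction, ", ".join(names)))
    return lines, facts


# --- constructed sample frames mirroring the posted capture (dummy bytes) ---
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _rec(ctype, frag):
    return struct.pack(">BHH", ctype, 0x0301, len(frag)) + frag

def _v2_client_hello():
    specs = bytes.fromhex("000004" "000005" "00000a")   # V2-style cipher specs
    challenge = bytes(range(16))
    body = (b"\x01\x03\x01" + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

SERVER_FLIGHT = _rec(0x16, _hs(2, b"\x03\x01" + bytes(32) + b"\x00\x00\x0a\x00")
                     + _hs(11, b"\x00\x00\x00") + _hs(13, b"\x01\x01\x00\x00")
                     + _hs(14, b""))
CLIENT_FLIGHT = (_rec(0x16, _hs(11, b"\x00\x00\x00") + _hs(16, b"\x00\x08" + bytes(8)))
                 + _rec(0x14, b"\x01") + _rec(0x16, bytes(range(16))))
SERVER_FINISH = _rec(0x14, b"\x01") + _rec(0x16, bytes(range(16)))
CAPTURE = [("C>S", _v2_client_hello()), ("S>C", SERVER_FLIGHT),
           ("C>S", CLIENT_FLIGHT), ("S>C", SERVER_FINISH)]

if __name__ == "__main__":
    for line in summarize_handshake(CAPTURE)[0]:
        print(line)
```

The per-direction `encrypted` flag is the point worth noticing: the client's ChangeCipherSpec in frame 8 only blanks out the client's next Handshake record, not the server's, so a walker that keeps a single global flag misreads one side's Finished. The `client_cert_requested` fact records that the server sent CertificateRequest, which is why frame 8 starts with a client Certificate message.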

All replies

  • Brian, I'm certain, but I might have addressed this problem recently and haven't posted a new version on CodePlex yet.  I would need your trace to confirm this.  If you could contact me via the blog, we could communicate in email and try to see if this is resolved by the newer unreleased version.

    Thanks,

    Paul

    Wednesday, September 12, 2012 4:16 PM