Hello,

My company wanted me to look at testing the security of a device we might be purchasing or at the very least working with in the near future. Anyhow, the specifications say it uses TLS with X.509 certificates. I setup the client IDE on a windows workstation and connected to the remote device and it did exchange certificates "according to IDE". Anyhow, I setup a kali linux VM in bridged mode on the local host and conducted a MITM attack which worked at all traffic between host workstation and remote device was captured.

Now looking through the captured file I see lots of UDP traffic between the client and remote device. With Wireshark I can see the data payload, I do not see any TLS negotiation "but maybe that was done when the certificates was originally setup", if I run strings on the pcap file I can see recognized words "like the name of the company that produced the products".

Long story short, I would like to prove without a doubt the traffic is not using SSL/TLS before I go crying wolf to my boss, however I do not understand it enough to be confident. Is there any other way I can prove TLS is not being used?

R
Joe

I think you have enough evidence to make your case now.

TLS/SSL would always begin with a secure negotiation of secret session-keys, initially protected by the public key information, an all of the traffic between the two machines would be incomprehensible, from beginning to end. If you're seeing plain text, stuff is not being enciphered. If you don't see the key-handshake, it's not even being attempted.