Using WireShark to detect encryption method

pablo1999 · 08-21-2009, 01:42 PM

Hello,

I'm trying to find out how to use WireShark to detect which encryption method is used between a windows client and windows server.

Can I use WireShark to look at the traffic from 2 computers and find out which encryption method is being in used?

If yes, how?

Thanks in advanced.

acid_kewpie · 08-21-2009, 03:11 PM

it depends what traffic it sees, and if it's a protocol it can understand. Encryption like SSL is easy to "Detect" as SSL uses very well known handshaking process, and can be pulled apart to show what sort of cipher methods and such are being used. Obviously what can't be done is see the encrypted data... is that the sort of thing you mean? if you are pushing other encrypted data, then you can't magically know what a file might be encrypted with if it's not something agreed upon by both boxes.

pablo1999 · 08-21-2009, 03:17 PM

I dont want to see the encrypted data. I just want to collect the traffic information that is encrypted from one host to another and figure out if its encrypted using AES, Blowfish, DES or other algorithm.

acid_kewpie · 08-21-2009, 03:54 PM

well as above, it depends what communication protocol is being used to agree the algorithm over, if it is agreed.

pablo1999 · 08-22-2009, 08:40 PM

So I can use WireShark to detect encryption methods like Encryption like
AES, Blowfish or DES ?

I yes, do you know of some document that explains on how to do this?

Thanks.

acid_kewpie · 08-23-2009, 01:42 AM

Just try it. Capture some traffic and see if it shows it in the traffic details. You'd need to see the start of the stream in just about all cases, if not absolutely all.

pablo1999 · 08-24-2009, 12:53 PM

I ran wireshark and all the frames only show the following:

Protocols in frame: eth:ip:tcp:tds

I was expecting something more like the following:

Protocols in frame: eth:ip:tcp:tds
Cipher in frame: Blowfish

or

Protocols in frame: eth:ip:tcp
Cipher in frame: AES