Closed markwangsm closed 2 years ago
Your IKEv2 header indicates next payload is 46, which corresponds to an IKEv2 Encrypted Payload with the following structure: https://github.com/P1sec/pycrate/blob/e30acd6242fcd3e6ee551e9fe9ddf9d665ce822d/pycrate_crypto/IKEv2.py#L626
But here, you provide a buffer that has already been decrypted and hence reformatted in some way by Wireshark; I suppose this triggers an error when decoding the 1st payload and stops there. And if you try to decode the encrypted IKEv2 IKE_AUTH buffer with pycrate, it will certainly succeed (otherwise, there is a bug somewhere). So, you need to find out how Wireshark reformats the decrypted IKE_AUTH message, and how to deal with it in pycrate.
Hi P1sec,
I use pycrate's "IKEv2.py" to try to parse IKEv2 messages. For the IKE_INIT message, it decodes successfully. But for the IKE_AUTH message, because it needs to be deciphered first, I use the Wireshark preference "IKEv2_decryption_table" to decipher it, and then I copy the payload and pass it to my test code. In the test result, I get the header but the payload is empty. How can I use IKEv2.py to decode the IKE_AUTH payload?
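===== test code =====

```python
import sys
import re
import binascii

from pycrate_crypto.IKEv2 import IKEv2

# Placeholder: replace with the hex string of the IKE_AUTH PDU.
# Named buf rather than bytes so the built-in type is not shadowed.
buf = binascii.unhexlify("IKE AUTH PDU Payload")

pdu = IKEv2()
pdu.from_bytes(buf)
print(pdu)
```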
===== test result =====

```
python3 ikev2_test.py :
<IKEv2 : <Header : <SPIInitiator : 0xXXXXXXXXX><SPIResponder : 0xXXXXXXXXXX><Next : 46><VersMaj : 2><VersMin : 0><ExchType : 35 (IKE_AUTH)><Flags : <undef : 0x0><R : 0><V : 0><I : 1><undef : 0x0>><MID : 0xXXXXXX>>>
```
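The reply at the top of this thread turns on how the Encrypted (SK) payload, type 46, is laid out in RFC 7296. The following is an added example, not part of the original thread and not pycrate code: a standard-library walker over the IKEv2 header and generic payload headers, showing that a wire buffer whose header says Next = 46 cannot be walked past SK without decryption, while a plaintext inner chain is walked starting from the type given in the SK header's Next Payload field. The function names and all byte strings are constructed for illustration.

```python
import struct

# Payload type numbers from RFC 7296 (subset).
NAMES = {0: "NONE", 33: "SA", 35: "IDi", 36: "IDr", 39: "AUTH", 46: "SK"}
IKE_HDR = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, Next, Ver, Exch, Flags, MID, Len

def parse_header(buf):
    """Decode the fixed 28-byte IKEv2 header."""
    if len(buf) < IKE_HDR.size:
        raise ValueError("buffer shorter than an IKEv2 header")
    _spi_i, _spi_r, nxt, ver, exch, flags, mid, length = IKE_HDR.unpack_from(buf)
    return {"next": nxt, "major": ver >> 4, "minor": ver & 0xF, "exch": exch,
            "initiator": bool(flags & 0x08), "mid": mid, "length": length}

def walk_payloads(buf, first_type):
    """Follow generic payload headers (Next, flags, 16-bit length) through buf.
    Returns (name, body_length) tuples. An SK payload ends the walk: its body is
    IV + ciphertext + ICV, and its Next field names the first payload inside the
    ciphertext, not one that follows it in the buffer.
    """
    out, off, ptype = [], 0, first_type
    while ptype != 0:
        if off + 4 > len(buf):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _flags, plen = struct.unpack_from("!BBH", buf, off)
        if plen < 4 or off + plen > len(buf):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        if ptype == 46:
            out.append(("SK, inner chain starts with " + NAMES.get(nxt, str(nxt)), plen - 4))
            break
        out.append((NAMES.get(ptype, str(ptype)), plen - 4))
        off, ptype = off + plen, nxt
    return out

def payload(nxt, body):
    return struct.pack("!BBH", nxt, 0, 4 + len(body)) + body

# Constructed sample data (not from the issue): an IKE_AUTH request as sent on the
# wire, and a plaintext inner chain IDi -> AUTH as it would look once decrypted.
SK_BODY = bytes(range(48))  # stand-in for IV + ciphertext + ICV
WIRE = IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 46, 0x20, 35, 0x08, 1,
                    IKE_HDR.size + 4 + len(SK_BODY)) + payload(35, SK_BODY)
PLAINTEXT = (payload(39, b"\x02\x00\x00\x00vpn.example")
             + payload(0, b"\x02\x00\x00\x00" + b"\xaa" * 32))

if __name__ == "__main__":
    print(walk_payloads(WIRE[IKE_HDR.size:], parse_header(WIRE)["next"]))
    print(walk_payloads(PLAINTEXT, 35))
```

A decrypted buffer that is fed to a decoder together with the original header still announces Next = 46, so the decoder reads the plaintext as if it were an SK body; the first-payload type has to come from the SK header instead.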