thomas-v2 / S7CommPlusDriver

Development of Communication Driver for Siemens S7-1200/1500 PLCs
GNU Lesser General Public License v3.0

Unable to decrypt WireShark packets #29

Open buffyslays opened 1 month ago

buffyslays commented 1 month ago

Hi Thomas!

First, thank you for providing this code as open-source code! Very well done and I can see that a lot of work has gone into this project.

As for my issue, I am attempting to decrypt Wireshark packets between the S7CommPlusDriver and an S71200.

I have tried both ways that you have included in your README.

1. Place the log file in a directory and make it known to Wireshark. To do this, go to the Wireshark menu → Settings. Under Protocols, select TLS, and select the appropriate file in the (Pre)-Master-Secret log filename field

I point Wireshark to the key log file that is created in the bin file when I capture the data from the program (edit -> preferences -> TLS -> Pre-Master-Secret log filename). I save the file as S7CommPlusTest.pcapng and close Wireshark. When I re-open the file, all the packets are still encrypted.

2. Integrate the secrets directly into the Wireshark recording

I have tried this manually using the command prompt as well as using the Pcap Key Injector utility tool included in your project. I save the capture as S7CommPlusTest.pcapng. When I open the S7CommPlusTest_withKey.pcapng file, all the packets are still encrypted.

I have verified that I am using the correct key log file with each capture. I have verified that the version of Wireshark I am using is the latest and includes the Siemens dissector.

I have tried this on two different PCs and am unable to view decrypted packets. Is there something that I am missing?

thomas-v2 commented 4 weeks ago

You should see, in the Wireshark capture without keys, at least the S7COMM-PLUS "Req InitSSL" and "Res InitSSL". After this the TLS encryption is negotiated and then active. Do you see these packets in your captures? You need to start the capture before starting the communication, so Wireshark can see the TLS handshake packets.
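Added example (not code from the project, the driver, or either commenter) covering the "integrate the secrets directly into the recording" route from the report and the handshake point in the reply above. Wireshark reads embedded secrets from a pcapng Decryption Secrets Block (DSB) carrying NSS key-log text, which is what `editcap --inject-secrets tls,<keylog> in.pcapng out.pcapng` writes. The script below builds such a file, walks the blocks of any pcapng to confirm a TLS DSB is really present, and validates key-log lines so a truncated or mis-copied log is caught before injection. The key-log line and the capture are constructed for the demo (the file carries no packets); the script name in the usage comment is mine.

```python
import re
import struct

# pcapng block types and the TLS key-log secrets type from the pcapng specification
SHB_TYPE = 0x0A0D0D0A            # Section Header Block
IDB_TYPE = 0x00000001            # Interface Description Block
DSB_TYPE = 0x0000000A            # Decryption Secrets Block
TLS_KEYLOG_SECRETS = 0x544C534B  # "TLSK": NSS key-log text (editcap --inject-secrets tls)
BYTE_ORDER_MAGIC = 0x1A2B3C4D

# One NSS key-log line: <label> <32-byte client random as hex> <secret as hex>
KEYLOG_LINE = re.compile(
    r"^(CLIENT_RANDOM|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|"
    r"CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) "
    r"([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$"
)


def validate_keylog(text):
    """Return (label, client_random_hex, secret_hex) for every usable key-log line.

    Blank lines and '#' comments are skipped; any other malformed line raises, so a
    truncated or mis-copied key log is caught before it is injected into a capture.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if m is None or len(m.group(3)) % 2:
            raise ValueError(f"key log line {lineno} is not a valid NSS key-log entry")
        entries.append(m.groups())
    return entries


def _block(block_type, body):
    """Frame a pcapng block: type, total length, body padded to 4 bytes, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_pcapng(keylog_text=None):
    """Build a minimal little-endian pcapng (SHB, one Ethernet IDB, no packets) and,
    when a key log is given, a TLS Decryption Secrets Block carrying it."""
    out = _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    out += _block(IDB_TYPE, struct.pack("<HHI", 1, 0, 65535))  # LINKTYPE_ETHERNET
    if keylog_text is not None:
        secrets = keylog_text.encode()
        out += _block(DSB_TYPE, struct.pack("<II", TLS_KEYLOG_SECRETS, len(secrets)) + secrets)
    return out


def find_tls_secrets(data):
    """Walk every block of a pcapng byte string and return the text of each TLS key-log
    DSB found. An empty list means the file embeds no secrets at all, so Wireshark
    cannot decrypt anything from it regardless of the preference settings."""
    found = []
    endian = "<"
    off = 0
    while off + 12 <= len(data):
        btype = struct.unpack_from("<I", data, off)[0]  # SHB type reads the same either way
        if btype == SHB_TYPE:
            magic_le = struct.unpack_from("<I", data, off + 8)[0]
            endian = "<" if magic_le == BYTE_ORDER_MAGIC else ">"
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"corrupt block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        if btype == DSB_TYPE:
            stype, slen = struct.unpack_from(endian + "II", data, off + 8)
            if stype == TLS_KEYLOG_SECRETS:
                found.append(data[off + 16:off + 16 + slen].decode("utf-8"))
        off += total
    return found


def capture_has_usable_secrets(data):
    """True when the capture embeds at least one well-formed TLS key-log entry."""
    return any(validate_keylog(text) for text in find_tls_secrets(data))


if __name__ == "__main__":
    import sys
    # Usage: python check_secrets.py S7CommPlusTest_withKey.pcapng
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    entries = sum((validate_keylog(t) for t in find_tls_secrets(blob)), [])
    print(f"{len(entries)} TLS key-log entries embedded in {sys.argv[1]}")
```

Pointed at the `S7CommPlusTest_withKey.pcapng` from the report, a count of zero means the injection step did not take. A non-zero count with traffic still shown as ciphertext leaves the cause named in the reply above: Wireshark pairs each key-log line with the client random of a ClientHello it has actually seen, so a capture started after the "InitSSL" exchange cannot be decrypted no matter which key file is attached or embedded.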

buffyslays commented 4 weeks ago

Hi Thomas, thanks for the quick response. We were confused thinking the S7COMM-PLUS was bundled into Wireshark along with S7COMM! We added the plugin.dll and we are in business. Wishing I hadn't made that assumption. Thanks for pointing out which packets to look for!

thomas-v2 commented 4 weeks ago

The hint that you need the plugin dll for S7comm-Plus is in the readme. Yes it's a bit confusing that S7comm is integrated, and S7comm-plus not (not now).