Lotus Notes decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Lotus Notes decryption

L6 Presenter

We have a potential customer who would like to analyze email attachments in sandbox. They are using Lotus Notes as their mail application/server. Has anyone tried decrypting Lotus Notes traffic? 

Because if this doesn't work the only solution is a client based sandboxing solution. 

9 REPLIES 9

L4 Transporter

Hi Santonic,

 

Lotus Notes isn't in the excluded list, it also has sub-apps that are identified if decryption is turned on:

 

https://applipedia.paloaltonetworks.com/

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-D...

 

I haven't tested it myself though.

 

hope this helps,

Ben

Thank you for your answer, it definitelly helps.

 

But I'm still hoping for some feedback if anyone has actually tried this and what were the results. Because i don't have an evnironment where i could test this.

 

 

So nobody tried this yet?

 

After almost 2 years this issue came up again. This time I was able to analyze at least client to server traffic recognised as lotus-notes-base by PA. I did a packet capture but i couldn't find any SSL/TLS handshake in the traffic. So it must be some proprietary encryption.

 

If someone can prove me wrong or find a way around it please let me know.

 

You probably won't get much, to be honest. In my six plus years of supporting these firewalls I can't think of more than only a few people running it in their environment, much less trying to decrypt it. Given that the App-ID exists as was mentioned, it's unlikely that there would be a problem decrypting it.

 

Is the traffic on port 443? If not, Wireshark won't show you that it's TLS since it only has a simple port-to-service mapping. You'll need to decode it as SSL (right click > "Decode As..." > select "SSL").

 

 

 

 

Ohh, good info, ty! It's on TCP 1352, I'll try again.

 

Yes, it's not a widely used protocol. But we have an opportunity where we need to extract files (and send to WF) from it. And they don't get mails as SMTP anywhere in their network (long story). They are also looking for ways to get just mails out of their Lotus Notes server as SMTP but they are not certain yet if it's possible. And then we will have a problem as PA can't be MTA 🙂

 

I tried to decode traffic on port 1352 as SSL but it didn't look good. Some packets were marked as SSL in Wireshark, but no packets were recognised as SSL handshake.

 

Wireshark can be a bit picky about how it displays, especially if the Client Hello or Server Hello messages are large. Ensure that you've enabled "Allow subdissector to reassemble TCP streams" in the TCP protocol preferences or it may not be able to combine the packets to give you a single useful frame. 

 

If you do have the TCP handshake, the next frame will likely have ACK and PSH flags set, and that should decode as the Client Hello. 

"Allow subdissector to reassemble TCP streams" was already on (by default) so that didn't make any change.

 

Yes, after TCP handhsake there are packets with PSH and ACK, but Wireshark doesn't recognise them as SSL handshake.

  • 4283 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!