Wednesday, November 19, 2008

Deciphering Google Talk's Jabber Communication

Google Talk communicates over HTTPS (TCP port 443) and Jabber (TCP port 5222). It first connects over HTTPS and then switches to Jabber. When port 5222 is blocked by a firewall, Google Talk falls back to port 443 (HTTPS). If instead port 443 is blocked and port 5222 is allowed, Google Talk does not work.

When Google Talk communicates over TCP port 5222, the payload shows an octal (OCT) escape pattern (each non-printable byte rendered as \ooo). In the HTTPS communication the same bytes are shown as a hex pattern with a description.

The payload below appears in the "Client Hello" packet, which is sent after the three-way handshake on port 443 (and after the three-way handshake on port 5222 if both ports are allowed). The table is the mapping between the octal and hex patterns.

Oct/Jabber        Hex/HTTPS   Description
----------------  ----------  -------------------------------------------------------------
\200L             804c        Length: 76
\001              01          Handshake Message Type: Client Hello (1)
\003\001          0301        Version: TLS 1.0 (0x0301)
\0003             0033        Cipher Spec Length: 51
\000\000          0000        Session ID Length: 0
\000\020          0010        Challenge Length: 16
\000\000\004      000004      Cipher Specs: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
\000\000\005      000005      Cipher Specs: TLS_RSA_WITH_RC4_128_SHA (0x000005)
\000\000\n        00000a      Cipher Specs: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
\001\000\200      010080      Cipher Specs: SSL2_RC4_128_WITH_MD5 (0x010080)
\a\000\300        0700c0      Cipher Specs: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
\003\000\200      030080      Cipher Specs: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
\000\000\t        000009      Cipher Specs: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
\006\000@         060040      Cipher Specs: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
\000\000d         000064      Cipher Specs: TLS_RSA_WITH_RC4_128_MD5 (0x000064)
\000\000b         000062      Cipher Specs: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x000062)
\000\000\003      000003      Cipher Specs: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
\000\000\006      000006      Cipher Specs: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
\002\000\200      020080      Cipher Specs: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
\004\000\200      040080      Cipher Specs: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
\000\000\023      000013      Cipher Specs: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
\000\000\022      000012      Cipher Specs: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
\000\000c         000063      Cipher Specs: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x000063)
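To show how the two columns relate, here is an added Python example (not from the original post) that reverses Wireshark's octal escaping for the port 5222 payload and parses the SSLv2-format Client Hello into the fields the table lists. The 16-byte challenge, which the table does not show, is a constructed placeholder.

```python
import struct

# Escapes Wireshark uses besides \ooo when it prints a byte string.
_NAMED = {"n": 10, "t": 9, "a": 7, "r": 13, "b": 8, "f": 12, "v": 11, "\\": 92, '"': 34}

# Constructed from the table above (Wireshark's view of the port 5222 stream); the 16-byte challenge is a placeholder.
JABBER_OCTAL = (
    r"\200L"        # record header 0x80 0x4c: high bit set, length 76
    r"\001"         # handshake message type 1: Client Hello
    r"\003\001"     # version 3.1 = TLS 1.0
    r"\0003"        # cipher spec length 0x0033 = 51 (\000 followed by ASCII '3')
    r"\000\000"     # session ID length 0
    r"\000\020"     # challenge length 0x0010 = 16
    r"\000\000\004\000\000\005\000\000\n\001\000\200\a\000\300\003\000\200"
    r"\000\000\t\006\000@\000\000d\000\000b\000\000\003\000\000\006"
    r"\002\000\200\004\000\200\000\000\023\000\000\022\000\000c"
    + r"\001" * 16  # placeholder challenge bytes (constructed)
)

def unescape_octal(text: str) -> bytes:
    """Reverse Wireshark's C-style escaping (\\ooo, \\n, \\t, \\a ...) back to raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":                 # printable byte shown as itself, e.g. 'L' = 0x4c
            out.append(ord(text[i]))
            i += 1
        elif text[i + 1] in "01234567":     # one to three octal digits
            j = i + 2
            while j < min(len(text), i + 4) and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8))
            i = j
        else:                               # named escape such as \n (0x0a) or \a (0x07)
            out.append(_NAMED[text[i + 1]])
            i += 2
    return bytes(out)

def parse_sslv2_client_hello(data: bytes) -> dict:
    """Split an SSLv2-format Client Hello into the fields the table lists."""
    record_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + record_len]
    if not data[0] & 0x80 or len(body) != record_len or len(body) < 9:
        raise ValueError("not a complete SSLv2 record with a 2-byte header")
    msg_type, version, cs_len, sid_len, chal_len = struct.unpack(">BHHHH", body[:9])
    if msg_type != 1 or cs_len % 3 or 9 + cs_len + sid_len + chal_len != record_len:
        raise ValueError("not a Client Hello, or the field lengths do not add up")
    specs = body[9:9 + cs_len]
    return {"record_length": record_len, "version": version, "cipher_spec_length": cs_len,
            "session_id_length": sid_len, "challenge_length": chal_len,
            "cipher_specs": [specs[k:k + 3].hex() for k in range(0, cs_len, 3)]}
```

Running `parse_sslv2_client_hello(unescape_octal(JABBER_OCTAL))` yields length 76, TLS 1.0, a 51-byte cipher spec list of 17 three-byte entries, and a 16-byte challenge, matching the table row by row.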

Google Talk communication through Gmail carries the header "User Agent: Google Talk\r\n", which can be seen in an Ethereal/Wireshark capture.
