Introduction
Secure Socket Tunneling Protocol (SSTP) is a Microsoft-developed VPN protocol that encapsulates Point-to-Point Protocol (PPP) frames inside TLS over TCP (typically port 443). Because SSTP runs on top of TLS it blends with regular HTTPS traffic, making packet capture and analysis for network forensics both challenging and rewarding. This article provides practical, hands-on techniques for capturing SSTP traffic, identifying SSTP sessions, decrypting TLS when possible, and extracting meaningful forensic artifacts such as PPP payloads and authentication exchanges. The audience is primarily webmasters, enterprise security teams, and developers who need to investigate suspected misuse, exfiltration, or configuration/compatibility issues involving SSTP.
Overview of SSTP Protocol Stack
Understanding where to look in a capture requires a brief recap of SSTP internals. SSTP consists of:
- TLS (SSL) session over TCP (default port 443), carrying HTTPS-like records;
- HTTP-like signaling for establishing the SSTP tunnel (SSTP uses HTTP POST/200 OK style exchanges early in the tunnel lifecycle);
- Encapsulated PPP frames transported inside TLS records once the session is established.
Because SSTP embeds PPP, after TLS termination you will see IP packets, PPP authentication protocols (PAP, CHAP, MSCHAPv2), and tunneled traffic (IPv4/IPv6) within the capture. For forensic analysis you must either identify and analyze metadata on the encrypted TLS channel or decrypt it to inspect the inner PPP data.
Capture Best Practices
Effective forensics depends on high-quality captures. Follow these practical steps:
- Capture at strategic points: For enterprise investigations, capture at perimeter firewalls, VPN concentrators, or endpoint network interfaces. Capturing at the endpoint (client or SSTP server) is best for correlated logs.
- Use full-packet capture: Record entire packets (no truncation). Tools: tcpdump/tshark/WinDump/Wireshark. Example: tcpdump -i eth0 -s 0 -w sstp_full.pcap port 443.
- Synchronize clocks: Ensure NTP/accurate timestamps so events correlate with logs and IDS alerts.
- Collect system logs: Gather server-side VPN logs, authentication logs, and Windows Event logs (for SSTP on Windows Server) to correlate with packet-level events.
- Filter intelligently: If storage or bandwidth is limited, capture with filters to focus on candidate hosts or port 443 sessions to/from known VPN servers.
Identifying SSTP Traffic in PCAPs
Even without decryption, SSTP flows can be identified using several heuristics:
- Look for long-lived TCP connections to port 443 with sustained bi-directional traffic after a TLS handshake. SSTP sessions typically persist and carry regular-sized TLS records.
- Inspect TLS ClientHello and ServerHello records. SSTP clients often present specific ciphersuites and extensions consistent with underlying Windows SChannel implementations; fingerprinting via JA3/JA3S may reveal an SSTP client/server profile.
- Search for SSTP-specific HTTP signaling in plaintext for initial negotiation (rare if full TLS is used from the start). In Wireshark, use a display filter like tcp.port == 443 and tls, then look for SSTP dissector information.
- After decryption, Wireshark decodes SSTP frames—look for “SSTP” protocol entries and subsequent PPP payloads.
Decrypting TLS: Options and Limitations
Decryption is often necessary to inspect PPP authentication exchanges or tunneled traffic. There are several approaches, each with trade-offs:
1) Session Key Logging (Preferred Where Possible)
If you control the client (for example during a forensic capture of a known machine or a lab), enable TLS session key logging so Wireshark can decrypt TLS. Browsers and other applications built on NSS (Firefox) or Chrome's TLS stack honor the SSLKEYLOGFILE environment variable. Example:
Linux/macOS: In the client session environment set export SSLKEYLOGFILE=/tmp/sslkeys.log before launching the application that negotiates TLS. Then load that file in Wireshark Preferences → TLS → (Pre)-Master-Secret log filename.
Note: The native Windows SSTP client (rasphone/rasman) uses SChannel and does not honor SSLKEYLOGFILE. For those clients, session key logging is more difficult and may require OS-level instrumentation or a different approach.
2) Private Key Decryption (Limited Use)
If the SSTP server uses RSA key exchange (in modern TLS, rarely the case), possessing the server private key lets you decrypt sessions. TLS 1.2 with RSA key exchange works with Wireshark’s RSA keymap. However, most SSTP deployments use ephemeral key exchanges (ECDHE), making private-key decryption infeasible.
3) TLS Interception in Controlled Environments
For enterprise forensics and testing, you can deploy a TLS intercepting proxy (man-in-the-middle) with a trusted root certificate installed on endpoints. This allows termination of TLS and inspection of PPP frames. Use this only with explicit authorization and legal compliance; it constitutes an active interception.
4) Endpoint Forensics and Memory Acquisition
On endpoints, capture process memory or perform certificate/key extraction when permissible. Extracted session keys or process memory can allow decryption of captured TLS sessions offline. Tools: Volatility for memory analysis and targeted memory dumps for rasphone/rasman processes.
Analyzing Decrypted PPP and Authentication Exchanges
Once TLS is decrypted, the PPP stream becomes visible. Steps to analyze the inner traffic:
- Use Wireshark to follow the SSTP stream and then the PPP stream; Wireshark can dissect PPP and show LCP, IPCP and authentication protocols.
- Identify authentication protocol: PAP (cleartext), CHAP, or MSCHAPv2. MSCHAPv2 is common on Windows SSTP and is of particular forensic interest because challenge/response exchanges can be captured.
- Extract challenge/response handshake data for offline cracking: tools such as asleap or conversion utilities can take MSCHAPv2 tuples and format them for Hashcat or John the Ripper. Example workflow: export the MSCHAPv2 handshake from Wireshark, convert it to hccapx or the appropriate format, then run Hashcat with GPU acceleration.
- Inspect PPP payloads for tunneled IP flows. Analyze destination IPs, domains, DNS traffic, and payload sizes and timing to deduce exfiltration or C2 channels.
Practical Command Examples
Common capture and analysis commands:
- Capture full SSTP traffic: tcpdump -i eth0 -s 0 -w sstp_capture.pcap port 443
- Read and filter SSTP sessions in tshark: tshark -r sstp_capture.pcap -Y "tcp.port==443 and tls" -V
- Extract a TCP stream to inspect raw TLS records (stream index 1 here; -q suppresses per-packet output so only the followed stream is printed): tshark -r sstp_capture.pcap -q -z follow,tcp,raw,1
- Use Wireshark to decrypt (after populating SSLKEYLOGFILE) — Preferences → Protocols → TLS → (Pre)-Master-Secret log filename.
Advanced Forensic Tips
Beyond basic decryption and authentication cracking, consider these advanced techniques:
- JA3/JA3S fingerprinting: Use JA3 to fingerprint TLS client and server implementations. SSTP clients running Windows SChannel often have consistent fingerprints useful for identifying SSTP clients across captures.
- Metadata correlation: Correlate capture timestamps with server logs (RAS/VPN logs), system event logs, and firewall logs to build a timeline. Use unique identifiers like TCP sequence numbers, ports, and IP addresses to match events.
- Traffic pattern analysis: Examine packet sizes, inter-packet intervals, and session duration to distinguish interactive sessions from bulk file transfer or tunneling attacks.
- Partial decrypt heuristics: If you cannot decrypt TLS, extract and analyze unencrypted metadata: TLS SNI (if present), certificate fields, ciphersuites, and record-level sizes. These provide clues about client/server software and potential misconfigurations.
- Automated parsing: Integrate tshark/Wireshark dissection into scripts to batch process captures. Use Python + pyshark for programmatic extraction of PPP and MSCHAPv2 fields.
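As an added example (not part of the original article), the following Python script shows the partial-decrypt and fingerprinting steps above in working code: it walks an unencrypted TLS ClientHello, pulls out the SNI, cipher suites, extensions, groups and point formats, and computes the JA3 string and MD5 hash from them (GREASE values excluded, as JA3 specifies). The ClientHello bytes are constructed inline; the hostname vpn.example.com and the cipher/extension values are sample choices, not a real SSTP client's fingerprint.

```python
import hashlib
import struct
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # 0x0a0a..0xfafa: randomised per connection, excluded from JA3

def build_client_hello(sni, ciphers, groups, formats):
    """Construct a minimal TLS 1.2 ClientHello record. Sample input only, not a real capture."""
    sni_b = sni.encode()
    name = struct.pack("!BH", 0, len(sni_b)) + sni_b                  # name_type host_name(0), length, bytes
    ext_sni = struct.pack("!HHH", 0x0000, len(name) + 2, len(name)) + name
    grp = b"".join(struct.pack("!H", g) for g in groups)
    ext_groups = struct.pack("!HHH", 0x000a, len(grp) + 2, len(grp)) + grp
    ext_fmt = struct.pack("!HHB", 0x000b, len(formats) + 1, len(formats)) + bytes(formats)
    exts = ext_sni + ext_groups + ext_fmt
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"          # legacy version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"              # cipher suites, null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # record type 22 = handshake

def parse_client_hello(rec):
    """Walk the record and return the plaintext fields that SNI and JA3 analysis rely on."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                                          # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", rec, p)[0]; p += 35 + rec[p + 34]   # version, random, session id
    n = struct.unpack_from("!H", rec, p)[0]; ciphers = list(struct.unpack_from(f"!{n // 2}H", rec, p + 2)); p += 2 + n
    p += 1 + rec[p]                                                # compression methods
    ext_end = p + 2 + struct.unpack_from("!H", rec, p)[0]; p += 2
    info = {"version": version, "ciphers": ciphers, "extensions": [], "groups": [], "formats": [], "sni": None}
    while p < ext_end:
        etype, elen = struct.unpack_from("!HH", rec, p); p += 4
        data = rec[p:p + elen]; p += elen
        info["extensions"].append(etype)
        if etype == 0x0000:                                        # server_name: list len, type, name len, name
            info["sni"] = data[5:5 + struct.unpack_from("!H", data, 3)[0]].decode()
        elif etype == 0x000a:                                      # supported_groups: list len, then 2-byte ids
            info["groups"] = list(struct.unpack_from(f"!{int.from_bytes(data[:2], 'big') // 2}H", data, 2))
        elif etype == 0x000b:                                      # ec_point_formats: len, then 1-byte ids
            info["formats"] = list(data[1:1 + data[0]])
    return info

def ja3(info):
    """JA3 string 'version,ciphers,extensions,groups,formats' (GREASE removed) and its MD5 digest."""
    field = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(info["version"]), field(info["ciphers"]), field(info["extensions"]),
                  field(info["groups"]), field(info["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()
# Constructed sample: hostname and cipher/extension choices are illustrative, not a real SSTP fingerprint.
SAMPLE = build_client_hello("vpn.example.com", [0x0a0a, 0x1301, 0xc02c, 0x002f], [0x001d, 0x0017], [0])
```

On a real capture, feed the first handshake record of each port 443 flow (for example from tshark's raw follow output) to parse_client_hello and group flows by the resulting JA3 hash to spot a consistent SChannel profile.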
Legal and Ethical Considerations
Decrypting and inspecting VPN traffic inherently involves privacy and legal risks. Always obtain proper authorization before performing active interception, session key extraction, or memory acquisition. Enterprise incident response teams should follow internal policies and local regulations. For public or third-party-hosted servers, coordinate with legal counsel and service owners.
Conclusion
SSTP forensics bridges TLS-level analysis with PPP-level packet inspection. High-quality captures, strategic placement of sensors, and the ability to decrypt TLS keys (or use controlled interception) are critical to reveal underlying PPP frames and authentication exchanges. Combining automated tools (Wireshark, tshark, tcpdump), fingerprinting (JA3), and offline cracking workflows for protocols like MSCHAPv2 provides a comprehensive toolkit for incident responders and network forensic analysts. Maintain good operational controls and legal authorization when applying these techniques in production environments.
For more VPN-related guides and tools tailored to administrators and developers, visit Dedicated-IP-VPN.