Wireshark is capable of decrypting TLS/SSL traffic when certain conditions are met:
- Wireshark was compiled with SSL decryption support (--with-gnutls)
- RSA is used for key exchange
- You have server's private key in PEM format (convert if necessary)
- You can capture the initial TLS/SSL Handshake
Wireshark needs to be configured for SSL decryption by defining a specially formatted string which contains server's IP address, port number, protocol, and the location of a private key file.
In the GUI interface select Edit -> Preferences
Next select Protocols -> SSL and fill in '''RSA keys list:''' field with a semicolon-separated list of private RSA keys used for SSL decryption; each list entry must be in the form of IP,PORT,PROTOCOL,KEYFILE. KEYFILE is a local file name of the RSA private key used by the server (or name of the file containing such a list). In this example we will add 127.0.0.1,443,http,/tmp/privkey.pem; string.
You can also manually edit '''ssl.keys_list''' parameter in '''~/.wireshark/preferences''' file. Here is a sample entry for a local SSL server with a test private key in '''/tmp/privkey.pem'''.
privkey.pem looks like an example below:
-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQC3vXk1zRP8FRMX7pYetU2ubMLX6QwDuVVOWxWPlyUxWzxOu/MB hRqzoxain4E01TL92IGg/neKGjjqRvbE8IJ0J6wa3T78DmZzs325nLBBjiXXamds zapSmqFOharjhWk06W15a47xxz+KLRjbuJsDIxqvn8iHlpGgP2UvCLlt4wIDAQAB AoGAJeErBvtzfkm9+PYX/taz4BzOAoMqFe50dsXyaPrpEQbVJQo8a/jL63LY7Mfj dB6wf4LOHqm3bUJAr5PXtfw7eGtzKpIscRcTalP8d4EtxR2dCxaioLp00nrjHvUR EzRnRVY3m348N3jejwoG9VRimhgk1TZoiPQGVMETQYQokRECQQDbRpU2/zbFe4x8 AzldU8Q9bkpIC1YMbBTskydZCK+4RcerjDWTbF6jbtRYMZSmhe88ggoMXrebQCwP LLH8ftRbAkEA1oNOo2gf6ijQ6GoVRsiUXf8G6oH++Q/mV2C/iyoYQvHw0rHih7lY g776JTP9SE+67ZICJhwe5g/mTTXOP37jGQJAdl2OlKaFuWqs9hCDecaLCyIrBOLh q3Qn02DH/765pD4+v3KrRQ5as9lS1NzGwnFQKBi5NhE3CrKmVfapiYQpOwJBAMZr NbYXfh20q2gPmBadOf+oAfGwxPQELP/t0b8b9M0XlbcOLAd2/dT/NcpryIC2nyVY xPwTTtFnK5OHjXtWFyECQQCxkDbTCAj3B7dKCU1eH0XwQ58izkSFBISmSLGhHvnk KQVZMwn7BTfaGj4ie/BFLtEFpdVodJM7Yd1cjLxHrJge -----END RSA PRIVATE KEY-----
With proper configuration, Wireshark will now be able to decrypt already opened or future encrypted sessions using above configuration parameters.
Similarly tshark will also be able to properly decrypt SSL traffic:
tshark -r epiphany.pcap 1 0.000000 127.0.0.1 -> 127.0.0.1 TCP 36086 > https [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=5255645 TSER=0 WS=6 2 0.000007 127.0.0.1 -> 127.0.0.1 TCP https > 36086 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 TSV=5255645 TSER=5255645 WS=6 3 0.000012 127.0.0.1 -> 127.0.0.1 TCP 36086 > https [ACK] Seq=1 Ack=1 Win=32832 Len=0 TSV=5255645 TSER=5255645 4 0.000687 127.0.0.1 -> 127.0.0.1 SSL Client Hello 5 0.000721 127.0.0.1 -> 127.0.0.1 TCP https > 36086 [ACK] Seq=1 Ack=163 Win=33856 Len=0 TSV=5255645 TSER=5255645 6 0.000858 127.0.0.1 -> 127.0.0.1 SSLv3 Server Hello, Certificate, Server Hello Done 7 0.000870 127.0.0.1 -> 127.0.0.1 TCP 36086 > https [ACK] Seq=163 Ack=647 Win=34112 Len=0 TSV=5255645 TSER=5255645 8 0.050308 127.0.0.1 -> 127.0.0.1 SSLv3 Client Key Exchange, Change Cipher Spec, Finished 9 0.053742 127.0.0.1 -> 127.0.0.1 SSLv3 Change Cipher Spec, Finished 10 0.053763 127.0.0.1 -> 127.0.0.1 TCP 36086 > https [ACK] Seq=375 Ack=722 Win=34112 Len=0 TSV=5255659 TSER=5255659 11 0.054818 127.0.0.1 -> 127.0.0.1 HTTP GET / HTTP/1.1 12 0.055169 127.0.0.1 -> 127.0.0.1 SSL [SSL segment of a reassembled PDU] 13 0.055303 127.0.0.1 -> 127.0.0.1 TCP https > 36086 [FIN, ACK] Seq=2732 Ack=780 Win=36032 Len=0 TSV=5255659 TSER=5255659 14 0.055317 127.0.0.1 -> 127.0.0.1 TCP 36086 > https [ACK] Seq=780 Ack=2733 Win=49280 Len=0 TSV=5255659 TSER=5255659 15 0.055933 127.0.0.1 -> 127.0.0.1 SSLv3 Alert (Level: Warning, Description: Close Notify) 16 0.055955 127.0.0.1 -> 127.0.0.1 TCP https > 36086 [RST] Seq=2733 Win=0 Len=0
If you don't want to make permanent changes to your configuration file, you can define '''ssl.keys_list''' parameter inline when using tshark:
tshark -o "ssl.keys_list: 127.0.0.1,443,http,/tmp/privkey.pem" -r epiphany.pcap
Published on April 12th, 2009 by iphelix
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are two closely related protocols designed to protect confidentiality and integrity of data in transit between two hosts. Read more.
Network traffic analysis is an important ingredient of a good iOS app pentest. The article covers several common approaches to iOS specific data interception such as network proxying, defeating network encryption, traffic injection and others. Read more.
OpenSSL is an open-source TLS/SSL toolkit implemented for a variety of platforms. In this article you will learn several openssl client and server commands useful in working with TLS/SSL protocol. Read more.
Stunnel allows a user to tunnel any TCP based application protocol through a connection secured by TLS/SSL. Read more.
TLS/SSL protocols support a large number of cipher suites. A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish a secure communication. Supported cipher suites can be classified based on encryption algorithm strength, key length, key exchange and authentication mechanisms. Some cipher suites offer better level of security than others (e.g. Several weak cipher suites were developed for export to comply with US export law). There are more than 200 known cipher suites. Read more.
|Date||January 27th, 2010|
SSLMap is a lightweight TLS/SSL cipher suite scanner.
- Uses custom TLS/SSL query engine for increased reliability/speed (No need for third-party libraries such as OpenSSL)
- Tests for 200+ known cipher suites.
- Capable of discovering undocumented cipher suites.
- Advises on cipher suite security based on Protocol, Key Exchange, Authentication, Encryption algorithm, and other parameters.
- Configurable handshake versions (e.g. TLSv1.1, SSLv2.0) Read more.
Packet filtering is an important skill when capturing and managing large network dumps. In this article you will learn several tools and techniques used to simplify searching and extraction of useful data from captured data. Read more.