I want to decrypt TLS traffic in a pcap file using scapy by providing the keylog file (containing client random) recorded with openssl's -keylogfile. I found this documentation page says
if you got a master_secret somehow, use it with tls_session.(w|r)cs.derive_keys() and leave the rest to Scapy
But it's not clear to me how to use it with the keylog file.
I know Wireshark can import the keylogfile and decrypt the traffic. But I want to write some script to analyze the decrypted traffic instead of looking at the GUI manually.
I also tried to export the decrypted traffic from Wireshark so that scapy can use it directly. But it seems that Wireshark can only export the original encrypted traffic.
Could someone give me some suggestions? Thanks in advance.
Related
The root problem I am trying to solve is to view the (encrypted) requests I am making from HtmlUnit(http://htmlunit.sourceforge.net/) inside of wireshark. I can see the packets and Under Secure Sockets Layer, I can see that TLSv1.2 is being utilized in wireshark, but I need to see the contents of the packet. I have read information on: exporting firefox keys and on: using those keys in wireshark from a browser into wireshark for decryption is feasible, but HtmlUnit is not a 'traditional' browser. I know it is possible, I just do not know what info I need and where to get it. Any tips are appreciated.
Thanks!
Maybe it is simpler to enable HttpClient wire log.
java.util.logging.Logger.getLogger("org.apache.http.wire").setLevel(java.util.logging.Level.FINEST);
This will dump all outgoing and incoming content to the log.
I have a PCAP file that was given to me for a Forensics Challenge. The PCAP has encrypted traffic using TLS Version 1. I have looked into a BEAST attack but there are no tools to do this. Is there any way using just the packets I have in the PCAP file to decrypt this traffic in Wireshark without the private key? Can I get the private key from the certificate exchange in anyways or the master secret log or something? I could not find any tutorials online that do not involve having access to the private key. Any help is appreciated.
UPDATE:
My later research revealed that version 1 of TLS did have vulnerabilities and that it was possible to do but I would have needed access to the actual host as well not just the PCAP of its traffic.
If you have the master secret, you might be able to do something.
Have a look at the "Using the (Pre)-Master-Secret" section on the SSL page of the Wireshark wiki. You'll need a reasonably recent version of Wireshark, which adds the ability to set the master secret (instead of expecting the server's private key). This should also help for Ephemeral Diffie-Hellman cipher suites.
More details in this question on the Wireshark Q&A site.
Do you know if it is possible to disable Diffie-Hellman or set a fixed session key for openssh? Actually i want to analyze the traffic with WireShark and I need to decrypt it.
Your Options with SSH and Wireshark are really limited. Wireshark cannot decrypt SSH traffic because it uses session keys derived from DH. OpenSSH doesn't have a "fixed session key mode" because that would be really insecure and make it basically impossible to resolve the key oven an open channel.
you will need to put a MITM between your client and server, the record a pcap file of the decrypted traffic for wireshark to analyze. Ettercap is a good tool for this.
So here is my 'problem', I set up an FTP server thanks to vsftpd so that both login & data transfers should be encrypted.
Here is the interesting part of my vsftpd.conf file.
ssl_enable=YES
allow_anon_ssl=NO
require_ssl_reuse=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_ciphers=HIGH
I am using Filezilla as an FTP client, the connection is configured like this :
Protocol : FTP - File Transfer Protocol
Encryption : Require explicit FTP over TLS
Logon type: Normal
Some things to note :
Encryption : Plain FTP : does not work and I am happy with that.
(Response: 530 Non-anonymous sessions must use encryption.)
Encryption : Require implicit FTP over TLS : does not work either, the connection is refused by the server. I guess it is because I forced the SSL connection.
Now, once the (explicit) connection is established, Filezilla is showing a small lock icon at the bottom of the window saying The connection is encrypted. Click icon for details.
I wanted to make sure that the data transfers were indeed encrypted and not plain so I captured everything on my eth. card with Wireshark while downloading a file from my server to my computer.
Except that I can not find a single packet of SSL protocol, everything is TCP.
I am out of ideas on how to make sure the data transferred is encrypted, even if filezilla says so, and each time I google "vsftpd how to make sure data transfers are encrypted", the only answers I get is "ssl_enable=YES" or "Check the box Use SSL" ...
Thank you in advance for helping me !
After a little more research and especially after following the Complete walk through on http://wiki.wireshark.org/SSL, I have a better understanding of the whole thing.
I am answering to my own question hoping this will help someone someday, as long as what follows is correct...
Also writing this down is a good way for me, I think, to see if have clearly understood my problem. Any difficulties in writing this answer will prove me wrong.
First :
Typically, SSL uses TCP as its transport protocol.
SSL is wrapped in TCP, that is why I couldn't observe explicitly the SSL protocol while capturing packets.
When analyzing a TCP packet, I could only "Follow TCP stream" but not "Follow SSL stream" which mislead me into thinking the packet was not holding encrypted data. That is funny because the observable data was not human readable ... so encrypted.
To be able to decrypt it I had to provide wireshark the encryption key :
RSA keys list
This option specifies the bindings between an IP address, a port, a protocol and a decryption key.
Then, I could observe both encrypted / unencrypted data.
Also, after reading this on http://wiki.filezilla-project.org/ :
When you apply encryption to your FTP server the CPU will have to do many calculations to encrypt the data being sent and decrypt the data being received.
I simply decided to run the UNIX top command while downloading a file. I was able to observe a high CPU usage of the filezilla client process, contrary to a unencrypted data transfer. This was a second argument that confirmed the data transfered were indeed encrypted, and thus needed to be decrypted.
i am trying to block ssl handshakes before the secure connection is established. So can anyone advice me how to do this. I allready have access to all data transfered to network using Winsock SPI(LSP). But how can i identify that now there is a request for SSL connecion? the data needed for establisment cant be crypted but are encoded in some way. I cant find the format anywhere.
If you have any idea about this, please let me know. I am doing this in c++.
While I think what you are doing is totally dubious, well, the best place to start is this document: The SSL Protocol - it describes the actual packet format used by SSL to envelope the encrypted data.