Friday, October 15, 2010

Tshark Fu: decrypting SSL streams

Nice article from Pauldotcom about decrypting SSL streams with tshark, focused on HTTPS servers.

The article is easy to follow and explains the full process as well as the problems they found. The following points were particularly interesting:

Convert the certificate from PKCS#8 to PKCS#1
I understand that the private key must be in PKCS#1 because it is the only format understood by tshark.

# read the unencrypted PKCS#8 key and write it out in the traditional (PKCS#1) format
openssl pkcs8 -in private.key -out rsa_private.key -nocrypt

This point is particularly confusing... I found the following entry in the Wireshark mailing list that explains this problem.

Tshark output and the HTTP parser

The following command decrypts the stream and parses the output with tshark's internal HTTP parser.

tshark -o "ssl.desegment_ssl_records: TRUE" \
       -o "ssl.desegment_ssl_application_data: TRUE" \
       -o "ssl.keys_list:,443,http,rsa_private.key" \
       -o "ssl.debug_file:rsa_private.log" \
       -r all.pcap -R "(tcp.port eq 443)" -V

This behaviour can be changed if we want to read the raw decrypted data instead: change the third field of the ssl.keys_list value from http to data, so the payload is shown without being passed through the HTTP dissector.

-o "ssl.keys_list:,443,data,rsa_private.key"
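As an added example (not code from this post or from the Pauldotcom article), the two steps above can be wrapped in one small POSIX shell script: it reads the key's PEM header to tell a PKCS#8 key from a PKCS#1 one, converts only when needed with the openssl command above, and builds the ssl.keys_list entry for either the http or the data dissector. The function names, the script name and the error handling are my own assumptions; tshark and openssl must be installed for the capture step.

```shell
#!/bin/sh
# Added example, not code from the original post or the Pauldotcom article.
# Function names and file names are assumptions; tshark/openssl must be installed
# for the capture step. Usage: ./decrypt_ssl.sh server.key capture.pcap [http|data]

# Report the PEM container of a private key from its header line:
#   pkcs1     "-----BEGIN RSA PRIVATE KEY-----"       traditional RSA key, what tshark wants
#   pkcs8     "-----BEGIN PRIVATE KEY-----"           unencrypted PKCS#8, needs converting
#   encrypted "-----BEGIN ENCRYPTED PRIVATE KEY-----" must be decrypted by hand first
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write a PKCS#1 copy of key $1 to $2, converting only when it is PKCS#8.
# Fails (and writes nothing) for encrypted or unrecognised input.
ensure_pkcs1() {
    case "$(key_format "$1")" in
        pkcs1) cp "$1" "$2" ;;
        pkcs8) openssl pkcs8 -in "$1" -out "$2" -nocrypt ;;
        *)     echo "unsupported key format: $1" >&2; return 1 ;;
    esac
}

# Build the ssl.keys_list value <address>,<port>,<protocol>,<keyfile>. The address
# is left empty as in the post; "http" runs the HTTP dissector on the decrypted
# bytes, "data" shows them undissected.
keys_list_entry() {
    case "$2" in
        http|data) printf ',%s,%s,%s' "$1" "$2" "$3" ;;
        *) echo "protocol must be http or data, got: $2" >&2; return 1 ;;
    esac
}

main() {
    ensure_pkcs1 "$1" rsa_private.key || exit 1
    tshark -o "ssl.desegment_ssl_records: TRUE" \
           -o "ssl.desegment_ssl_application_data: TRUE" \
           -o "ssl.keys_list:$(keys_list_entry 443 "${3:-http}" rsa_private.key)" \
           -o "ssl.debug_file:rsa_private.log" \
           -r "$2" -R "(tcp.port eq 443)" -V
}

# Run only when given a key and a capture, so the functions can also be sourced alone.
if [ $# -ge 2 ]; then main "$@"; fi
```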
