January 27, 2016

Decrypting SSL traffic using Wireshark! - The Logical Kid

Hello, all!

Like me, you as well might have heard quite often that the Government is able to 'read' all our 'secure' traffic too, and that they do it using some secret keys, or so. Did you hear the same?

Well, whether you have heard it or not, that's the way they do it! ;)

Curiosity about how they do it led me to some good forums on the internet where it was explained.

First things first. To make this happen, the Government needs to have the decryption key, probably the private key.
We will emulate the same here.
Things we require:

1. SSL Traffic dump
2. Decryption key (private key)
3. Wireshark (used Version 2.0.0rc3)

Patience, people! I will provide the link to the sample SSL traffic dump and everything else required for this task after the explanation, somewhere further down. :)


1. Run Wireshark, and open the sample SSL traffic dump file.



The data gets loaded.


So far so good, but then you can see some encrypted stuff, "Greek or Latin" as we casually call something of that sort. Let me presume that none of us know either of those languages. ;)

In the above picture you can see (under data) that the data is encrypted.
So, what next?

2. Click on Edit -> Preferences -> Protocols -> SSL and click on 'Edit' beside "RSA keys list" as follows:





3. Click on "+" and fill in the IP Address, Port and Protocol fields with 127.0.0.1, 443 and http respectively.

4. Now double click on the 'Key file' parameter and browse and select the private key file.

That's it!
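Why is handing Wireshark the server's private key enough? In a handshake that uses RSA key exchange, the client encrypts the premaster secret to the server's public key and sends it in ClientKeyExchange; the two randoms from ClientHello and ServerHello travel in the clear. Anyone holding the private key can therefore recover the premaster secret from the capture and derive the same master secret (and from it every record key) that the endpoints derived. The added Python below is my own illustration of that mechanism, not code from the post or from Wireshark: it uses a small seeded toy RSA key with PKCS#1 v1.5 padding and the TLS 1.2 PRF from RFC 5246, and all handshake values in it are constructed for the demo. The "Protocol" field you set to http in step 3 simply tells Wireshark which dissector to apply once the bytes are decrypted. The caveat to keep in mind: this only works for RSA key exchange. With (EC)DHE cipher suites the private key never encrypts anything the observer needs, which is exactly why forward-secrecy suites are the recommended defence against after-the-fact decryption of recorded traffic.

```python
"""Why a server's RSA private key lets a passive observer decrypt a TLS session.

Added illustration (not Wireshark code): TLS 1.2 RSA key exchange modelled with
a toy 512-bit RSA key, PKCS#1 v1.5 padding and the RFC 5246 PRF. All handshake
values are constructed here for the demo.
"""
import hashlib
import hmac
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (demo-grade key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_rsa_key(bits=512, seed=1):
    """Return ((n, e), (n, d)). Toy key, seeded so the demo is repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt_pkcs1(pub, msg, rng):
    """RSAES-PKCS1-v1_5: EM = 00 || 02 || PS (non-zero bytes) || 00 || M."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_decrypt_pkcs1(priv, ct):
    """Inverse of the above; returns None when the padding does not check out."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # PS must be at least 8 bytes
        return None
    return em[sep + 1:]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5) built on P_SHA256."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(premaster, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def simulate_session(seed=7):
    """One RSA-key-exchange handshake, then what each party can derive from it."""
    rng = random.Random(seed)
    server_pub, server_priv = generate_rsa_key(seed=seed)

    def rnd(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    # Sent in the clear in ClientHello / ServerHello: any sniffer has them.
    client_random, server_random = rnd(32), rnd(32)
    # The client picks the premaster (client_version || 46 random bytes) and
    # sends it encrypted to the server's public key in ClientKeyExchange.
    premaster = b"\x03\x03" + rnd(46)
    client_key_exchange = rsa_encrypt_pkcs1(server_pub, premaster, rng)
    endpoint_ms = master_secret(premaster, client_random, server_random)

    # A passive observer holding the server's private key (the "RSA keys list"
    # scenario) recovers the premaster and so the master secret.
    recovered = rsa_decrypt_pkcs1(server_priv, client_key_exchange)
    observer_ms = master_secret(recovered, client_random, server_random) if recovered else None

    # The same capture with a different (wrong) private key yields nothing usable.
    _, wrong_priv = generate_rsa_key(seed=seed + 1)
    garbage = rsa_decrypt_pkcs1(wrong_priv, client_key_exchange)
    wrong_ms = master_secret(garbage, client_random, server_random) if garbage else None

    return {"endpoint": endpoint_ms, "observer": observer_ms, "wrong_key": wrong_ms}


if __name__ == "__main__":
    r = simulate_session()
    print("observer with server key recovered master secret:", r["observer"] == r["endpoint"])
    print("observer with wrong key recovered master secret:  ", r["wrong_key"] == r["endpoint"])
```

Wireshark does the real-world version of `simulate_session`'s observer branch: it reads the private key you configured, decrypts the ClientKeyExchange it sees in the capture, runs the PRF, and then feeds the decrypted records to the http dissector. Wireshark can also decrypt from a key log file that records the master secrets directly (the SSLKEYLOGFILE mechanism), which is the route that still works when the server uses forward-secrecy cipher suites.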



You will see some extra panes in the window, as follows:


You can see that the SSL traffic was decrypted and is shown as plain HTTP.

Let's compare a couple of frames to see how they looked when encrypted and after decryption.



Simple, right?

This was also done for the test given on 'Pentester Academy' with respect to the module 'Decrypting SSL Traffic' in WAP Challenges. If you have enrolled for that course, this will help in solving it. :)

Uhm, the files I used here can be downloaded from here.


Now, whenever somebody says that the Government is able to read all your 'secure' data sent to some xyz website, you know that they probably have the private key used by that server. :)

That's all, folks!
Kindly leave comments which may include suggestions, queries, and anything which can make this post effective in doing what it was meant to do.

Regards,
itsmeRiF
The Logical Kid