Ask Your Question
0

decrypting ssl traffic

asked 2019-11-10 14:29:25 +0000

ismaeel_ali gravatar image

updated 2019-11-10 17:06:41 +0000

grahamb gravatar image

Hi all,

I have been given 2 tasks using wireshark, and being a new user of the software, i am a tiny bit stumped about it.

The explanation of what we were meant to do is as follows: "Use the files located in LabFiles/Wireshark-TLS
Decrypt SSL traffic in the Wireshark interface
Identify the online service that was used to exfiltrate stolen data
Identify the flag in the POSTed data."

Our questions to do the task are the following:
1) "What domain was used to exfiltrate the data?"
2) "What is the Flag?"
3) "What is the unique ID that was assigned to the submitted data?"

edit retag flag offensive close merge delete

Comments

As this is a homework question we can't simply give you the answers, what have you tried?

grahamb gravatar imagegrahamb ( 2019-11-10 17:07:33 +0000 )edit

I have tried to navigate wireshark and look online for solutions, to no avail. I thought a forum would be my next best bet. A-Levels they said, it will be fun they said. @grahamb

ismaeel_ali gravatar imageismaeel_ali ( 2019-11-10 20:34:29 +0000 )edit

Presumably there was some intro to the subject in the class, have you reviewed that?

grahamb gravatar imagegrahamb ( 2019-11-11 13:42:15 +0000 )edit

I was absent, and upon reviewing the notes and resources it still does not make sense. I emailed my teacher but she has not replied and I do not think I will be back in school for at least another 2 weeks. Do you perhaps know how to do it?

ismaeel_ali gravatar imageismaeel_ali ( 2019-11-11 14:44:20 +0000 )edit

Its not for class I know what it's for. They are looking for people who can get a lot of information and learn very quickly with that information... All of the information on what to do is on their website or on google you don't need to ask these questions when the information is already there....

johnrown gravatar imagejohnrown ( 2019-11-15 22:52:10 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-11-11 15:14:46 +0000

grahamb gravatar image

Firstly we don't do SSL anymore, it's TLS as per the task you've been given.

To decrypt TLS sessions requires some keying material so that should have been provided. Adding the keying material to the appropriate preference settings in Wireshark allows decryption of the traffic in the capture file.

See the Wireshark Wiki page on TLS for more info on setting the required preferences.

edit flag offensive delete link more

Comments

So i think i decrypted it, now what stands out about finding a domain that data was posted to?

ismaeel_ali gravatar imageismaeel_ali ( 2019-11-11 15:24:01 +0000 )edit

I would use the Statistics -> Endpoints function to see what hosts have been communicating (with the IPv4 tab). Hopefully something will standout.

As the question asks about "POST" data, maybe add a display filter of http, or http.request.method == "POST"

grahamb gravatar imagegrahamb ( 2019-11-11 16:08:30 +0000 )edit

thanks it works!, one last problem. I am trying to find the unique id assigned to data, how do i find that while analysis the packet? which section?

ismaeel_ali gravatar imageismaeel_ali ( 2019-11-11 19:02:07 +0000 )edit

hey, did you solve 3) ? im finding myself stuck on this aswell..

a__lmonkey gravatar imagea__lmonkey ( 2019-11-12 15:39:02 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2019-11-10 14:29:25 +0000

Seen: 3,384 times

Last updated: Nov 11 '19