Ask Your Question
0

TLS RSA Key Extraction (Help/Hint Wanted)

asked 2020-08-04 10:42:29 +0000

CWatson gravatar image

updated 2020-08-04 14:15:20 +0000

grahamb gravatar image

HI all,

Hope you are all safe!!

I need some help with an exercise I have if anyone can help?

The task is, given a PCAP file, I believe I need to extract a private key from within the PCAP, and then re-apply said key to the same PCAP file via WSharks preferences > SSL > etc... to decrypt the traffic.

I am pretty certain I have found the Private Key, and have extracted and saved it to a text file.

"-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAg....etc..etc..."

I then try to reapply the key in the aforementioned preferences, but it doesn't work.

I have been trying this for about 2 weeks now, and have probably watched half of youtube and read 2 dozen articles of the on-the-line content on the webznet. I have also now started to doubt myself and think i need to use PreMasters etc.. which I have also located.

Could someone please point me in the right direction? Please don't give the answer. A document or youtube, or anything I can use to move forwards would be great.

Thanks. C.

edit retag flag offensive close merge delete

Comments

If you've read this much already you should know that it comes down to the details. Of these you provide little, so it's then hard to point to 'the right article'. For starters, what did you learn about the TLS connection so far?

Jaap gravatar imageJaap ( 2020-08-04 11:01:07 +0000 )edit

So I know that during a TLS connection being established there is a handshake and things go on, but most importantly they exchange keys. I believe it is these keys that I need to identify, and extract, which again I have done so I think, identifying the "Server Hello, Certificate" packet in the PCAP. ( I was going to upload a screen shot but the system wont let me until i have 60 points so I put it here instead : https://ibb.co/YkWzkRt )

I then need to tell Wireshark to use this key to decrypt any encrypted traffic within the PCAP file, thus revealing the SSL traffic in plain text.

I am stuck at knowing that I have the right pieces or not. Once I know I have the right pieces, I can probably move on from there.

Thanks. C.

CWatson gravatar imageCWatson ( 2020-08-04 11:19:14 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-08-04 11:13:42 +0000

grahamb gravatar image

As you haven't mentioned it yet, the Wireshark Wiki page on TLS has info about the keying material required to decrypt and the type of TLS encryption each keying material can be used with.

edit flag offensive delete link more

Comments

Ok thanks to grahamb for pointing out a sily mistake and having read and watched everything EXCEPT the wireshark manual itself. d'oh!

Hint to anyone else doing this in the future:

So basically I was ALMOST there! You don't need to fill in all the boxes when applying the RSA Key in the preferences. Just the file containing the extracted key, and the IP address of the box. Job done!

Exercise completed!

CWatson gravatar imageCWatson ( 2020-08-04 14:01:53 +0000 )edit

It's an area that has changed a bit recently and so a lot of third party tutorials and examples are out of date.

grahamb gravatar imagegrahamb ( 2020-08-04 14:14:41 +0000 )edit

Thanks. Once i get enough points to do so, i will upvote.

CWatson gravatar imageCWatson ( 2020-08-04 14:43:43 +0000 )edit

No need, accepting the answer is what we like folks to do here and you've done that so job done.

grahamb gravatar imagegrahamb ( 2020-08-04 14:52:20 +0000 )edit

Dear CWatson, I have exact same problem, but even after reading the TLS Wiki page I am no smarter. - So you extracted your RSA key and placed it in Notepad and saved as KEY.pem - You go Edit - Preferences and then what? Do you only edit "RSA key list"? And you only specify IP address and add your .pem file? No Port? No Protocol? Can you add more IP addresses? Source and Destination? - What about TLS debug file? What about Pre-shared key? what about Pre-Master-Secret log filename? - Then you go and find your encrypted handshake packet and see packet bytes in plain text now?

fff gravatar imagefff ( 2024-05-19 09:53:26 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-08-04 10:42:29 +0000

Seen: 5,017 times

Last updated: Aug 04 '20