Ask Your Question
0

decode tls on mirror port?

asked 2022-11-22 10:11:52 +0000

hostrup gravatar image

Hi! I have a home appliance running on my local network. it's a rail mounted server - that is used to control my light and switches.

i am trying to sniff the network traffic that goes to and from the server.

So i mirrrored the port in my switch. and i am able to see the traffic when i connect to the mirror port with wireshark.

when i do a local http connect to the local ip address on the server i am able to see the trafic and see the http traffic and the json that is sent to and from the server.

i can also connect to the server using https - and by adding the sslkeylogfile. the decodes the tls - and works just fine.

now - my problem is that the server communicates with a cloud service and the cloud service calls the server - using https - which i am not able to decode.

is this at all possible? i would really like to see what goes to and from the servers webserver.

thanks in advance

edit retag flag offensive close merge delete

Comments

You need a sslkeylogfile from either side of the TLS connection. Thus generated by the appliance / webserver or the cloud side.

If that TLS traffic passes your capture point (mirrored port) you can use the sslkeylogfile to decrypt.

André gravatar imageAndré ( 2022-11-22 22:37:10 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2022-11-22 13:26:11 +0000

Jaap gravatar image

Assuming ephemeral encryption, you have to get the same information as found in the SSLKEYLOGFILE for the communication between server and cloud. That is a question for the supplier of the server/cloud service, not for Wireshark.

edit flag offensive delete link more

Comments

Hi All! Thanks for your answers.

The server on my network ( the one i mirror - using wireshark ) is a black box. So the only access i have to the server is through it's configuration interface. the only ports that are open are: 80,443, and 4004.

Now the server allows you to "connect" it to the online service as well as disabling this - and only access it locally within the network.

I can access it both by iphone and with an android emulator. will it somehow be possible to fetch the needed certificate information on the android device / apk file? because then i would actually be able to test how i communicates with the server?

br

hostrup gravatar imagehostrup ( 2022-11-23 06:50:17 +0000 )edit

the only ports that are open are: 80,443, and 4004.

If you can use the unencrypted http (port 80), then analyzing will be easy.

will it somehow be possible to fetch the needed certificate information on the android device / apk file?

You need the session keys in the sslkeylogfile, not the certificate.

Only if you are able to configure the app (the TLS client) to generate this file then you will be able to decrypt the captured traffic.

There are some professional IDS solutions that basically operate as a man-in-the-middle to inspect, thus decrypt, the traffic.

André gravatar imageAndré ( 2022-11-23 17:51:03 +0000 )edit

Hi Andre! Thanks for you reply. unfurtunatly - the apps (APK and IOS ) both uses their own ssl/tls implementation - ignoring every attempt to proxy or even transparent proxy the content beeing sent :(.

so i guess i am a bit stuck for now :)

hostrup gravatar imagehostrup ( 2022-11-24 08:09:32 +0000 )edit

Hi Again all! Ok - so i managed to get access to the servers certificate store in ( jceks ) format. ( its a java server )

i also got the password for the key store - and can extract the keys - and i have converted from jceks to pk12 and saved it.

but i am still no able to decode the traffic. is there something i am missing here?

br

hostrup gravatar imagehostrup ( 2022-11-25 08:58:40 +0000 )edit

Using the private key only works if it is an old (and now unsafe) RSA key. Modern keys use Perfect Forward Secrecy (PFS), then this method does not work. That is why we suggested the use of SSLKEYLOGFILE.

See also https://wiki.wireshark.org/TLS

André gravatar imageAndré ( 2022-11-25 16:00:22 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-11-22 10:11:52 +0000

Seen: 63 times

Last updated: Nov 25