Ask Your Question
0

mqtt ssl decrypt

asked 2018-12-21 10:32:18 +0000

c4esp gravatar image

updated 2018-12-21 10:33:13 +0000

Hello guys,

I am trying to decrypt all the MQTT traffic between my AWS broker and my device with Wireshark.

I was following this guide:

https://wiki.wireshark.org/SSL

I configured RSA keys list as:

"192.168.123.123","8883","mqtt","C:/Users/SPA20000001.key","" "18.202.37.237","59424","mqtt","C:/Users/SPA20000001.key","" "192.168.123.123","59689","mqtt","C:/Users/SPA20000001.key","" "18.202.37.237","59424","mqtt","C:/Users/SPA20000001.key",""

192.168.123.123 is the IP of my device and 18.202.37.237 is the IP of AWS broker. Protocol is mqtt and add private key file of my device in PEM formated, that is:

-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAxfdaN7BkkLjqQqBqbLQGVcw0FciYNWTV/ZRIh1Q/syM8RHn8

...

...

...

AqS6228/pd7Mq+yKICYZ2+T5IwcCtRmT4GpTAjbglk9xuQ0XVOf0IjsmHQ57VI+Q CGd0G/TCxcvfDRV/iWvmOUn6R/sNxYG2KQ1PJioYYxpO7lvg8Ew4rg==

-----END RSA PRIVATE KEY-----

Then I save a pcapng and I can see the handshaking with ciphersuite and Client Hello and HelloDone and all SSL traffic encrypted, I save settings above and traffic still encrypted.

Do you know if I am doing something wrong? Wireshark allows to decrypt mqtt traffic?

Thanks in advance.

edit retag flag offensive close merge delete

Comments

Is the TLS encryption using an RSA scheme? What is the cipher suite selected by the server?

grahamb gravatar imagegrahamb ( 2018-12-21 10:56:22 +0000 )edit

Hello grahamb,

In that case device gives to the server all these cipher suites during Client Hello

Cipher Suites:

Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)

And server decides to take this cipher suite during Server Hello

Cipher Suite:

TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

So, trying to answer your question...is yes...

Thanks in advance.

c4esp gravatar imagec4esp ( 2018-12-21 16:19:22 +0000 )edit

We'll need your Wireshark TLS debug log, set in the TLS dissector preferences.

grahamb gravatar imagegrahamb ( 2018-12-21 16:47:01 +0000 )edit

Hello,

Here it is. https://ufile.io/uge1p

In any case. I am using private key from client side and using method 1 on this link.

http://www.joji.me/en-us/blog/walkthrough-decrypt-ssl-tls-traffic-https-and-http2-in-wireshark

I need private key from server side to decrypt traffic?

Thanks in advace.

c4esp gravatar imagec4esp ( 2019-01-04 11:52:52 +0000 )edit

I don't know which MQTT broker you're using, but in case it's mosquitto, you might want to follow Mosquitto Issue 632: Feature Request: Log TLS Session Keys.

cmaynard gravatar imagecmaynard ( 2019-01-18 17:31:09 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-01-04 12:08:41 +0000

grahamb gravatar image

I missed the fact that in your question you stated that you were trying to use the client key. That won't work, you need the private key of the server OR the pre-master key from the client as shown in the 2nd part of the article.

Note that older blog articles may be out of date, the definitive guide should be the Wireshark Wiki, e.g. the page on SSL.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-12-21 10:32:18 +0000

Seen: 4,205 times

Last updated: Jan 04 '19