
I am new to Wireshark and trying to get a little exposure. Is there any way to export the SSL session key through the command line?

Please help me....

Thanks in advance... :)

asked 10 Apr '13, 07:08

Amby


As @SYN-bit said, there is no CLI option to do that.

But, you could run tshark with a SSL debug file and then extract the SSL session keys from the debug file.

Use a command like this (not tested lately!).

tshark -n -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:x.x.x.x,443,http,rsa_private.key" -o "ssl.debug_file:ssl_debug.log" -r input.pcap -R "(tcp.port eq 443)"

Please replace x.x.x.x with the IP address of your server.

After tshark has finished, parse the file ssl_debug.log (with your preferred scripting language) and extract the SSL session keys. Search for the string below and extract the consecutive lines, which is the SSL session key in HEX.

ssl_save_session stored master secret

Example:

ssl_save_session stored master secret[48]:
f8 35 52 95 9e f0 dc 62 19 f6 c0 be cc 0c 32 fd 
84 d8 b1 2d 64 fa 51 b9 d6 25 2b 00 76 36 fd 4d 
20 a1 ea ff 6b 6a ed 56 b4 c2 fe f1 e8 87 65 2f 

Regards
Kurt

answered 10 Apr '13, 07:31

Kurt Knochner ♦

edited 10 Apr '13, 07:53

Guys, I was able to generate the SSL session key using the hints that you gave above, i.e. by grepping "ssl_save_session stored session id". All I want to know is: is there any chance that the SSL session key we generate from Wireshark will not work to get the decrypted pcap data?

(14 May '13, 21:52) Amby

is there any chances that ssl session key what we generate from wire shark will not work to get the decrypted pcap data.

Yes, if the key extraction (with a script) fails (missing some bytes, etc.). Does it work if you extract the key manually and then use it in Wireshark?

(14 May '13, 23:40) Kurt Knochner ♦

As @Kurt pointed out, the SSL session keys are available in the ssl-debug file (nice one Kurt), it just needs to be reformatted.

I did a little CLI munging and came up with the following one-liner (on multiple lines for readability):

cat ssl_debug.log |\
 grep -A6 "ssl_save_session stored session id" |\
 sed -e 's/ //g' |\
 awk -F'|' '$1 ~ "ssl_save_sessionstoredsessionid" {printf("RSA Session-ID:");next} 
            $1 ~ "ssl_save_sessionstoredmastersecret" {printf(" Master-Key:");next} 
            $1 == "--" {printf("\n");next} 
            {printf("%s",$2)} 
            END {printf("\n")}'

Which transforms the following output in the ssl-debug file:

ssl_save_session stored session id[32]:
| fb cf 32 21 28 ed 0a 00 b2 72 d6 ac 85 84 3f 50 |ûÏ2!(í..²rÖ¬..?P|
| de cc dd 94 ac 33 26 15 23 18 96 39 f5 ba 18 9a |ÞÌÝ.¬3&.#..9õº..|
ssl_save_session stored master secret[48]:
| bd a6 ea 47 2f 6c 39 a9 fc fd 5d c7 9e b1 61 d1 |½¦êG/l9©üý]Ç.±aÑ|
| a4 ca e5 d9 24 fd de 80 0f 27 62 63 fd 6d f1 ee |¤ÊåÙ$ýÞ..'bcýmñî|
| 8e d2 46 b5 a6 41 2e 32 8e b8 57 44 c9 bf 7c f2 |.ÒFµ¦A.2.¸WDÉ¿|ò|

into:

RSA Session-ID:fbcf322128ed0a00b272d6ac85843f50deccdd94ac33261523189639f5ba189a Master-Key:bda6ea472f6c39a9fcfd5dc79eb161d1a4cae5d924fdde800f276263fd6df1ee8ed246b5a6412e328eb85744c9bf7cf2

Which is the format needed for Wireshark to be able to import the session keys to decrypt the SSL sessions in the file without the need for the private key.

(multiple session keys in the debug file will be converted)

answered 10 Apr '13, 08:11

SYN-bit ♦♦

edited 10 Apr '13, 08:27
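The extraction described in the two answers above, written as an added example (not code from either poster) that goes a step further: it checks each record against the byte count in its `[n]` header instead of relying on a fixed `grep -A6`, so a short or damaged record is reported rather than turned into a key line that silently fails to decrypt. The function names `hex_column` and `extract_keys` are hypothetical, and the sample log is constructed.

```python
import re
# Record header in the debug file, e.g. "ssl_save_session stored master secret[48]:"
HEADER = re.compile(r"ssl_save_session stored (session id|master secret)\[(\d+)\]:")
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def hex_column(line):
    """Hex digits of one dump line, or None if the line is not a hex dump line."""
    if line.lstrip().startswith("|"):
        line = line.split("|")[1]  # "| hex |ascii|"; the ASCII column may contain "|"
    tokens = line.split()
    ok = tokens and all(HEX_BYTE.fullmatch(t) for t in tokens)
    return "".join(tokens).lower() if ok else None

def extract_keys(log_text):
    """Return (key_lines, problems); a record must hold the [n] bytes its header announces."""
    keys, problems, session_id = [], [], None
    lines, i = log_text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        kind, want, data = m.group(1), int(m.group(2)), ""
        while i < len(lines) and len(data) < 2 * want and hex_column(lines[i]):
            data, i = data + hex_column(lines[i]), i + 1
        if len(data) != 2 * want:
            problems.append(f"{kind}: got {len(data) // 2} of {want} bytes")
            session_id = None
        elif kind == "session id":
            session_id = data
        elif session_id:
            keys.append(f"RSA Session-ID:{session_id} Master-Key:{data}")
            session_id = None
        else:
            problems.append("master secret: no usable session id before it")
    return keys, problems

# Constructed sample: record 1 reuses the hex bytes quoted above; record 2 is cut short.
SAMPLE = """\
ssl_save_session stored session id[32]:
| fb cf 32 21 28 ed 0a 00 b2 72 d6 ac 85 84 3f 50 |................|
| de cc dd 94 ac 33 26 15 23 18 96 39 f5 ba 18 9a |................|
ssl_save_session stored master secret[48]:
| bd a6 ea 47 2f 6c 39 a9 fc fd 5d c7 9e b1 61 d1 |................|
| a4 ca e5 d9 24 fd de 80 0f 27 62 63 fd 6d f1 ee |................|
| 8e d2 46 b5 a6 41 2e 32 8e b8 57 44 c9 bf 7c f2 |......2..WD..|.|
ssl_save_session stored session id[32]:
| 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
"""
```

When reading a real `ssl_debug.log`, decode it with an encoding that cannot fail (for example `latin-1`), since only the hex column is used and the ASCII column holds arbitrary bytes.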

Thanks Kurt and SYN-bit for your quick responses. @SYN-bit can we generate the session key using batch scripting??

(10 Apr '13, 22:10) Amby

(please use "add a comment" to respond to given answers, see the FAQ for details)

Yes, you can use bash scripting to extract the session keys from a bunch of tracefiles. You can loop through your files with a "for" loop and then for each file call the command from @Kurt's answer and then call my command sequence to extract the session keys from the ssl-debug file.

(11 Apr '13, 01:13) SYN-bit ♦♦

using batch scripting??

By batch scripting, do you mean Windows batch scripting?

If yes, I recommend looking at PowerShell.
If no, please follow the instructions of @SYN-bit.

(11 Apr '13, 02:43) Kurt Knochner ♦

Nice catch @Kurt, I am not using Windows much anymore, so I kinda have a bias in my answers.

@Amby, you could use Cygwin on Windows to have a bash shell and then you can use my 'script' on a Windows machine too. But PowerShell should be able to do the same, I am just not familiar enough with it to convert my 'script' into PowerShell commands...

(11 Apr '13, 02:54) SYN-bit ♦♦

I am not using windows much anymore

If VMware Workstation wasn't such a pain in the a.. on Linux (i.e. forced to recompile all modules after a kernel update, etc.), I would probably use Linux as a Desktop system ;-) Unless that changes, Windows 7 is my preferred VMWare Workstation Host, of course dual booted with Linux :-)

(11 Apr '13, 03:22) Kurt Knochner ♦

Unfortunately not, that has not (yet?) been implemented, so for now, you will need to use the Wireshark GUI to export the SSL session keys.

answered 10 Apr '13, 07:14

SYN-bit ♦♦


question asked: 10 Apr '13, 07:08

question was seen: 5,252 times

last updated: 15 May '13, 03:16
