This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

programmatically export the ssl session key

0
1

I am new to Wireshark and trying to get a little exposure. Is there any way to export the SSL session key through the command line?

Please help me....

Thanks in advance... :)

asked 10 Apr '13, 07:08

Amby
1234
accept rate: 0%


3 Answers:

4

As @SYN-bit said, there is no CLI option to do that.

But, you could run tshark with a SSL debug file and then extract the SSL session keys from the debug file.

Use a command like this (not tested lately!).

tshark -n -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:x.x.x.x,443,http,rsa_private.key" -o "ssl.debug_file:ssl_debug.log" -r input.pcap -R "(tcp.port eq 443)"

Please replace x.x.x.x with the IP address of your server.

After tshark has finished, parse the file ssl_debug.log (with your preferred scripting language) and extract the SSL session keys. Search for the string below and extract the consecutive lines, which is the SSL session key in HEX.

ssl_save_session stored master secret

Example:

ssl_save_session stored master secret[48]:
f8 35 52 95 9e f0 dc 62 19 f6 c0 be cc 0c 32 fd 
84 d8 b1 2d 64 fa 51 b9 d6 25 2b 00 76 36 fd 4d 
20 a1 ea ff 6b 6a ed 56 b4 c2 fe f1 e8 87 65 2f 

Regards
Kurt

answered 10 Apr '13, 07:31

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 10 Apr '13, 07:53

Guys, I was able to generate the SSL session key using the hints you gave above, i.e. by grepping for "ssl_save_session stored session id". All I want to know is whether there is any chance that the SSL session key we generate from Wireshark will not work to get the decrypted pcap data...

(14 May '13, 21:52) Amby

is there any chance that the SSL session key we generate from Wireshark will not work to get the decrypted pcap data.

Yes, if the key extraction (with a script) fails (missing some bytes, etc.). Does it work if you extract the key manually and then use it in Wireshark?

(14 May '13, 23:40) Kurt Knochner ♦

2

As @Kurt pointed out, the SSL session keys are available in the ssl-debug file (nice one Kurt), it just needs to be reformatted.

I did a little CLI munging and came up with the following one-liner (on multiple lines for readability):

cat ssl_debug.log |\
 grep -A6 "ssl_save_session stored session id" |\
 sed -e 's/ //g' |\
 awk -F'|' '$1 ~ "ssl_save_sessionstoredsessionid" {printf("RSA Session-ID:");next} 
            $1 ~ "ssl_save_sessionstoredmastersecret" {printf(" Master-Key:");next} 
            $1 == "--" {printf("\n");next} 
            {printf("%s",$2)} 
            END {printf("\n")}'

Which transforms the following output in the ssl-debug file:

ssl_save_session stored session id[32]:
| fb cf 32 21 28 ed 0a 00 b2 72 d6 ac 85 84 3f 50 |ûÏ2!(í..²rÖ¬..?P|
| de cc dd 94 ac 33 26 15 23 18 96 39 f5 ba 18 9a |ÞÌÝ.¬3&.#..9õº..|
ssl_save_session stored master secret[48]:
| bd a6 ea 47 2f 6c 39 a9 fc fd 5d c7 9e b1 61 d1 |½¦êG/l9©üý]Ç.±aÑ|
| a4 ca e5 d9 24 fd de 80 0f 27 62 63 fd 6d f1 ee |¤ÊåÙ$ýÞ..'bcýmñî|
| 8e d2 46 b5 a6 41 2e 32 8e b8 57 44 c9 bf 7c f2 |.ÒFµ¦A.2.¸WDÉ¿|ò|

into:

RSA Session-ID:fbcf322128ed0a00b272d6ac85843f50deccdd94ac33261523189639f5ba189a Master-Key:bda6ea472f6c39a9fcfd5dc79eb161d1a4cae5d924fdde800f276263fd6df1ee8ed246b5a6412e328eb85744c9bf7cf2

Which is the format needed for Wireshark to be able to import the session keys to decrypt the SSL sessions in the file without the need for the private key.

(multiple session keys in the debug file will be converted)

answered 10 Apr '13, 08:11

SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 10 Apr '13, 08:27
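
A stricter version of the conversion in the answer above, as an added example (not code from the original posters or the Wireshark project): it uses the byte count in each [N] header to reject truncated values, the failure Kurt mentions in his comment, and accepts both the piped and the bare hex rows shown on this page. The function names and the sample log are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: ssl_debug.log -> "RSA Session-ID:<hex> Master-Key:<hex>" lines.
# A value is accepted only if it has exactly the [N] bytes its header declares.
extract_session_keys() {    # $1: debug log path (default: stdin)
    awk -F'|' '
    function fail(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; id = ""; rc = 1 }
    function reset()   { field = ""; hex = ""; want = 0 }
    /^ssl_save_session stored (session id|master secret)\[[0-9]+\]:/ {
        if (field != "") fail("truncated " field)
        field = ($0 ~ /session id/) ? "session id" : "master secret"
        if (field == "session id") id = ""
        want = $0; sub(/^.*\[/, "", want); sub(/\].*$/, "", want); want += 0; hex = ""
        if (want == 0) { fail("empty " field); reset() }
        next
    }
    field != "" {
        row = (NF > 1) ? $2 : $1          # "| hex |ascii|" rows or bare hex rows
        gsub(/[ \t\r]/, "", row)
        if (row !~ /^[0-9a-fA-F]+$/)    { fail("truncated " field); reset(); next }
        hex = hex row
        if (length(hex) < 2 * want) next  # more rows expected
        if (length(hex) > 2 * want)     { fail("overlong " field); reset(); next }
        if (field == "session id") id = hex
        else if (id != "") { printf "RSA Session-ID:%s Master-Key:%s\n", id, hex; id = "" }
        else fail("master secret without session id")
        reset()
    }
    END { if (field != "") fail("truncated " field); exit rc + 0 }
    ' "${1:--}"
}
sample_log() {    # constructed input: one complete session, one cut-off master secret
    cat <<'EOF'
ssl_save_session stored session id[32]:
| 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
| 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
ssl_save_session stored master secret[48]:
| a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af |................|
| b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf |................|
| c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf |................|
ssl_save_session stored session id[32]:
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
ssl_save_session stored master secret[48]:
d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df
e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef
dissect_ssl enter frame #12 (first time)
EOF
}
sample_log | extract_session_keys || echo "some sessions were skipped" >&2
```

A non-zero exit status means at least one session in the log was skipped; the reason and line number go to stderr, so the key file on stdout only ever contains complete entries.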

Thanks Kurt and SYN-bit for your quick responses. @SYN-bit can we generate the session key using batch scripting??

(10 Apr '13, 22:10) Amby

(please use "add a comment" to respond to given answers, see the FAQ for details)

Yes, you can use bash scripting to extract the session keys from a bunch of tracefiles. You can loop through your files with a "for" loop and then for each file call the command from @Kurt's answer and then call my command sequence to extract the session keys from the ssl-debug file.

(11 Apr '13, 01:13) SYN-bit ♦♦

using batch scripting??

By batch scripting, do you mean Windows batch scripting?

If yes, I recommend looking at PowerShell.
If no, please follow the instructions of @SYN-bit.

(11 Apr '13, 02:43) Kurt Knochner ♦

Nice catch @Kurt, I am not using windows much anymore, so I kinda have a bias in my answers.

@Amby, you could use Cygwin on Windows to have a bash shell, and then you can use my 'script' on a Windows machine too. But PowerShell should be able to do the same, I am just not familiar enough with it to convert my 'script' into PowerShell commands...

(11 Apr '13, 02:54) SYN-bit ♦♦

I am not using windows much anymore

If VMware Workstation wasn't such a pain in the a.. on Linux (i.e. forced to recompile all modules after a kernel update, etc.), I would probably use Linux as a Desktop system ;-) Unless that changes, Windows 7 is my preferred VMWare Workstation Host, of course dual booted with Linux :-)

(11 Apr '13, 03:22) Kurt Knochner ♦

0

Unfortunately not, that has not (yet?) been implemented, so for now, you will need to use the Wireshark GUI to export the SSL session keys.

answered 10 Apr '13, 07:14

SYN-bit ♦♦
17.1k957245
accept rate: 20%