This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decryption with SSL/TLS pre-master

0

Hey All,

I am looking for a way to decrypt non-browser based traffic (i.e. e-mail, Citrix ICA, SFTP) on my local machine utilizing pre-master secrets. I know this is possible when utilizing the SSLKEYLOGFILE as described here, http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html.

The above link only appears to work for browser based traffic. My question is, how can I do the same level of decryption using Wireshark and pre-master secrets for non-browser based traffic?

Thank you for the help!

asked 12 Jan '14, 09:33


Brooks

Kurt, I can obtain the first part of the requirement, the Session-ID, from the Wireshark trace. The master key will be the tough part. I am a bit new to OpenSSL, but it appears possible to extract the master key by parsing through memory. The article link below provides more information on that topic,

http://www.cloudshield.com/blog/advanced-malware/how-to-decrypt-openssl-sessions-using-wireshark-and-ssl-session-identifiers/

Jmayer, thank you for the comment. I do not have access to the source code for the applications, so I will be unable to add any additional code.

(14 Jan '14, 15:02) Brooks

I know it's late, but if you have the source code of the application, then you can extract the master key from the SSL structure which is used to make the SSL system calls like ssl_write and so on.

(19 Feb '15, 02:03) koundi

3 Answers:

0

How are you going to get the session keys? The applications you mentioned (most certainly) won't export the session keys, as some browsers do!?!

answered 12 Jan '14, 10:36


Kurt Knochner ♦

I am a bit new to OpenSSL, but it appears possible to extract the master key by parsing through memory

Yes, that's possible, but only 'easy' if the client software is using the OpenSSL library (easy because other people have documented what to look for). For other software (ICA, SFTP?, etc.) you will have to do the reverse engineering yourself to get that key. Not impossible, but quite some work.

(14 Jan '14, 16:03) Kurt Knochner ♦

0

First you will have to find out which of these communication methods use SSL/TLS for encryption at all. SFTP definitely doesn't, I don't know about the others. Then you will need to find out which library is being used to implement SSL/TLS. If that library is loaded dynamically, create your own copy of that library and add code to export the (pre-) master secret. Build the modified lib and replace the existing one with your own build.

answered 12 Jan '14, 14:37


jmayer

0

SFTP does not use SSL/TLS but SSH, which cannot be decrypted with the same methods as SSL.

The link you gave is dead, but it was likely describing a method where you run an NSS browser (Firefox) with SSLKEYLOGFILE. From the comments it seems that you think that SSL Session-IDs are the only means to match a master key, but this is not the case. The CLIENT_RANDOM value can be used instead of the Session-ID.

For applications not using NSS, but OpenSSL, you can use a debugger or interpose the SSL library as documented here. Whether it is HTTP, SMTP, IMAP or FTP, these all use SSL for transport encryption so the same methods apply.

answered 16 Feb '15, 00:11


Lekensteyn
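To make the point about CLIENT_RANDOM concrete, here is an added example (not code from the thread or from Wireshark) of how the key log matching works: it parses a key log file in the NSS format Wireshark reads (`CLIENT_RANDOM <32-byte random hex> <48-byte master secret hex>` or `RSA <first 8 bytes of the encrypted pre-master hex> <48-byte pre-master hex>`), pulls the 32-byte Random out of a captured ClientHello record, and looks the master secret up by that value rather than by Session-ID. The ClientHello bytes, the key log contents and the secrets are constructed for the demo; the helper names are my own.

```python
"""Match a captured TLS 1.2 ClientHello to a key log entry by CLIENT_RANDOM.

Added example: shows the lookup Wireshark performs when it is given an
SSLKEYLOGFILE-style file. Nothing here is the Wireshark implementation.
"""
import re
import struct

# One key log line: label, identifier hex, secret hex (NSS key log format).
KEYLOG_LINE = re.compile(r"^(CLIENT_RANDOM|RSA)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s*$")


def parse_keylog(text):
    """Parse key log text into {(label, identifier_hex): secret_hex}.

    CLIENT_RANDOM lines: identifier = 32-byte client random (64 hex chars),
    secret = 48-byte master secret (96 hex chars).
    RSA lines: identifier = first 8 bytes of the encrypted pre-master
    (16 hex chars), secret = 48-byte pre-master secret (96 hex chars).
    Blank lines and '#' comments are ignored; anything else is rejected.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key log line")
        label, ident, secret = m.group(1), m.group(2).lower(), m.group(3).lower()
        expected_id_len = 64 if label == "CLIENT_RANDOM" else 16
        if len(ident) != expected_id_len or len(secret) != 96:
            raise ValueError(f"line {lineno}: bad field length for {label}")
        entries[(label, ident)] = secret
    return entries


def client_random_from_record(record):
    """Return the 32-byte Random from a TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # content type: handshake
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type: client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32:
        raise ValueError("ClientHello truncated")
    return hello[2:34]                                # skip the 2-byte legacy version


def find_master_secret(record, entries):
    """Look up the master secret for a captured ClientHello, or None if absent."""
    client_random = client_random_from_record(record).hex()
    return entries.get(("CLIENT_RANDOM", client_random))


def build_client_hello(client_random):
    """Constructed minimal TLS 1.2 ClientHello record (one cipher suite, no extensions)."""
    hello = (b"\x03\x03" + client_random        # client_version 1.2, Random
             + b"\x00"                          # session_id length 0
             + b"\x00\x02\x00\x2f"              # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00")                     # compression_methods: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample data: the client random is 00..1f, the secrets are filler bytes.
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_MASTER_SECRET = "aa" * 48
SAMPLE_RECORD = build_client_hello(SAMPLE_CLIENT_RANDOM)
SAMPLE_KEYLOG = (
    "# constructed key log in NSS format\n"
    f"CLIENT_RANDOM {SAMPLE_CLIENT_RANDOM.hex()} {SAMPLE_MASTER_SECRET}\n"
    f"RSA {'11' * 8} {'bb' * 48}\n"
)

if __name__ == "__main__":
    entries = parse_keylog(SAMPLE_KEYLOG)
    print("client random:", client_random_from_record(SAMPLE_RECORD).hex())
    print("master secret:", find_master_secret(SAMPLE_RECORD, entries))
```

The same lookup is what lets a CLIENT_RANDOM line decrypt a session even when no Session-ID is reused or present. With a key log file on disk you point Wireshark at it under the SSL/TLS protocol preferences ("(Pre)-Master-Secret log filename"). For OpenSSL-based applications whose source you control, OpenSSL 1.1.1 and later also provide `SSL_CTX_set_keylog_callback`, which hands you exactly these lines without patching the library; this note is my addition, not something the thread states.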