This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to dissect the MMS pdu encrypted with TLS?

0

Hi everyone,

in my client/server application I'm sending some MMS packets encrypted in the TLS session. I'm able to decrypt the TLS data, and take a look at the plain text in the segments with the "Follow SSL stream" function (according to the instructions in https://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id).

I'm looking for a way to present the MMS data properly, with the common protocol structure visualization, not only a textual presentation.


I would like to see the MMS protocol menu instead of "Encrypted Application Data"

I've already tried, with no success, what has been written here: https://ask.wireshark.org/questions/6298/wireshark-cannot-dissect-mms-packets-that-dont-begin-with-initiate

I'm using Wireshark 1.12.

Marc

asked 03 Nov '14, 07:34


Marc184

edited 04 Nov '14, 06:20

Update

I've tried the rsa private key approach to decrypt the TLS session, by giving to wireshark the rsa private keys in .pem files, plus ip address and tcp port of the sniffed machines, and the indication of the application protocol used, MMS.

I've also maintained the previous SSL settings (tls session id and rsa pre master secret in .log files)

In the picture you can see what I've obtained:


In the SSL stream I can see the decrypted session correctly, but wireshark can't reconstruct the MMS pdu.

Any ideas?

(04 Nov '14, 05:02) Marc184

I converted your Answer to a Comment since it doesn't appear to be an answer to your question. (Remember that this is a Q&A site, not a forum.)

(05 Nov '14, 07:50) JeffMorriss ♦

Thanks, you're right, I'm sorry for the mistake.

(06 Nov '14, 00:16) Marc184

One Answer:

0

I found the solution!

In the SSL protocol preferences -> RSA keys list -> Edit, the protocol I chose was wrong. The correct one is tpkt, not mms. Now I can see all the decrypted MMS structured payload.


SOLUTION RECAP

  • create a .log file with SSL session id and pre master secret key. Use the format:

    RSA Session-ID:xxxx Master-Key:xxxx

don't forget the CRLF at the end of the line. You should obtain something like:

    RSA Session-ID:B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26 Master-Key:454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4

(one line only)

Go to SSL protocol preferences.

  • Link the .log file you've created in the (Pre)-master secret log filename form

  • For this step we need the private keys of machines involved in the SSL session.

The .pem file with the private key should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAtIvaDmeOGleYuxT01GfAmgugHVlqCOFfGYqy3gxMWt/fxO/7
    s7BJzqnhAFOWBjmBAdj7hHmPyCoJM7/MdCDJt1y7d20BJAGxD0ZQ4kxzGZDCjc5z
    ....... some 20-100 lines of base64 encoded data ...............
    Jh2kZkKoVG3Qr+66IlBDuVllIbwQU0F1fYy2FTjZL4vbmdupwHUyTnPK57vP8RJ7
    cpc1qwLZxfurxZfhI9gxXOO5eUg1WBupw029SSoSafYBqO4a9wg1OA==
    -----END RSA PRIVATE KEY-----

If the .pem file format is:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,CB7BE7B5A318ACE6
    ScuaEtGA1xy7iVvvntc4hZ9Kl0VOKmA9sOcfP1CnrUVpAuLoHPEXTsc10smlXwsl
    [...]
    yy7ANfGCZTWaWP89uOIwlXK0n8hHZjTjw5axBuWXvgWHNbvein7tsg==
    -----END RSA PRIVATE KEY-----

the key is protected with a passphrase, and wireshark can't decipher it. We have to create a plain text key file. We can use openssl:

    openssl rsa -in <old-keyfile> -out <new-keyfile>

when asked, insert the passphrase you used to create the original .pem file.

Now go to RSA keys list->Edit and create 2 rules, one for each "way" of the SSL communication. Insert the IP address of the sender, the TCP port, the application protocol used (TPKT in this case) and the private key plain text .pem file.

At this point you will be able to see correctly the decrypted MMS structured pdu, not only the deciphered data in the Follow SSL stream function.

References:

  • Session id + master secret procedure: https://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id
  • Adding RSA keys: http://blogs.technet.com/b/nettracer/archive/2013/10/12/decrypting-ssl-tls-sessions-with-wireshark-reloaded.aspx

answered 06 Nov '14, 03:08

Marc184


edited 06 Nov ‘14, 03:16
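
An added example, not part of the original answer or of Wireshark: a Python pre-flight check for the two files the recap prepares, the session-id/master-key log and the private key .pem. The function names and sample values are constructed here; the 96-hex-digit length reflects the 48-byte TLS master secret, and the CRLF check follows the answer's advice.

```python
import re

# Line format from the recap: "RSA Session-ID:<hex> Master-Key:<hex>"
KEYLOG_RE = re.compile(r"RSA Session-ID:([0-9A-Fa-f]+) Master-Key:([0-9A-Fa-f]+)")
RSA_PEM_RE = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----\r?\n(.*?)-----END RSA PRIVATE KEY-----", re.S)

def check_keylog(data: bytes) -> list:
    """Return a list of problems found in a session-id/master-key log file."""
    if not data:
        return ["file is empty"]
    problems = []
    if not data.endswith(b"\r\n"):  # the recap asks for CRLF after the line
        problems.append("last line does not end with CRLF")
    for n, raw in enumerate(data.splitlines(), 1):
        line = raw.decode("ascii", "replace")
        if not line or line.startswith("#"):  # blank or comment line
            continue
        m = KEYLOG_RE.fullmatch(line)
        if m is None:
            problems.append(f"line {n}: expected 'RSA Session-ID:<hex> Master-Key:<hex>'")
            continue
        sid, key = m.groups()
        if len(sid) % 2 or len(sid) > 64:  # TLS session IDs are at most 32 bytes
            problems.append(f"line {n}: Session-ID has {len(sid)} hex digits")
        if len(key) != 96:  # TLS master secret is always 48 bytes
            problems.append(f"line {n}: Master-Key has {len(key)} hex digits, need 96")
    return problems

def pem_key_status(pem_text: str) -> str:
    """Classify a traditional RSA key PEM as 'plain', 'encrypted' or 'not-a-key'."""
    m = RSA_PEM_RE.search(pem_text)
    if m is None:
        return "not-a-key"
    # A passphrase-protected key carries this header before the base64 body.
    return "encrypted" if re.search(r"^Proc-Type: 4,ENCRYPTED", m.group(1), re.M) else "plain"

# Constructed sample inputs (not real key material).
SAMPLE_LOG = b"RSA Session-ID:" + b"AB" * 32 + b" Master-Key:" + b"CD" * 48 + b"\r\n"
SAMPLE_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_keylog(SAMPLE_LOG) or "key log OK")
    print(pem_key_status(SAMPLE_ENCRYPTED_PEM), pem_key_status(SAMPLE_PLAIN_PEM))
```

A key reported as "encrypted" is the case the answer handles with the openssl rsa command before the file is added to the RSA keys list.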