Saturday, January 24, 2009

Decrypt HTTPS traffic with Wireshark

Wireshark is a useful tool in troubleshooting. However, if the traffic was encrypted (such as https between CUPS and Exchange), it's unreadable unless you can decrypt it.



Look at packet 11 in sniffer capture above. Application data was encrypted. There's not too much useful data in it.

To decrypt this data, we need the "private key" of the server certificate. You cannot get the private key from client side (such as web browsers). To get the private key, you need access to the server.

Step 1. Export the server certificate with private key

1-1: Go to IIS Admin > Right-click "Defautl Web Site" > Properties > "Directory Security" > "View Certificate".

1-2: Go to "Details" tab > "Copy to File" > Choose "Yes, export the private key"


1-3: You'll save the file in PKCS #12 (.PFX) with all three options UNCHECKED


1-4: You'll have to provide a password to protect the file. Because private key is a very sensitive information.


1-5: Save the file (system will add ".pfx" extension to the file name)


Now we have a PKCS #12 file (.pfx file).

Step 2: Extract the private key from .pfx file

openssl pkcs12 -in test.pfx -nocerts -out privateKey.pem -nodes

The command above take "test.pfx" as the input file, extract the private key, save it unencrypted in "privateKey.pem" file. You'll be asked for the password (where you entered on step 1-4).

Where to find openssl? Google!

Step 3: Go to Wireshark > Edit > Preferences > Protocols > SSL. In "RSA keys list", type the following:

10.88.229.196,443,http,C:\privateKey.pem

Where "10.88.229.196" is the server IP. "443" is the port number (HTTPS). "http" is the protocol you want Wireshark decode to. "C:\privateKey.pem" is the file name of the private key. "SSL debug file" is optional.


Step 4: Once you click OK, you'll notice the changes on Wireshark screen. Now the data was decrypted!

10 comments:

  1. awesome information.

    is there a way to get the private key from cucm so we can read the encrypted data exchanged between the cucm cluster.

    -senthil

    ReplyDelete
  2. It depends on what kind of certificate you're using on CUCM. If it's a 3rd-party signed cert (such as Verisign), you (or the CUCM admin) should have the private key in that cert file.

    If you're using the self-signed cert (which is the default), you need to get, you need to get root access to the box. I can't post the details here, but you should be able to google it. :)

    Once you got root access, you may use the commands below:

    cd /usr/local/platform/.security/tomcat/keys
    openssl pkcs8 -nocrypt -in tomcat_priv.pem -out tomcat.rsa.key

    tomcat.rsa.key is the file you want

    ReplyDelete
  3. Cool. Tried it but I get an error from wireshark when trying to decode https access to ccmadmin page (ssl debug info says not enogh data to generate key)

    Same thing when trying to decode CUCM -> CUPS.

    Any idea ?

    ReplyDelete
  4. You have to capture the initial "handshake" of the SSL.

    Try close *all* applications. Start capture. Then start application.

    ReplyDelete
  5. Did that already, closed the browser.
    Now... I started an IE and it worked.
    (I use Firefox by default)

    Bad thing is, it does not decode CUCM -> CUPS.
    Somehow the SSL decoding thing depends on the
    way the client talks to the server, it seems.

    -Carlos

    ReplyDelete
  6. hi! i have acces only to client side, can i got the certificate from the client?
    thancks

    ReplyDelete
  7. No, you cannot. This is the purpose of security.

    ReplyDelete
  8. what if you don't have the private key? How do governments decrypt these data?

    ReplyDelete
  9. You cannot decrypt without private key. That's the point of security.

    ReplyDelete