Re: [Security Weekly] decrypting HTTPS/SSL traffic

[Kevin Shaw <kevin.lee.shaw () gmail com>]

Robin,

You can plug the certificates into wireshark and read the traffic.
On Jul 25, 2014 5:05 PM, "Robin Wood" <robin@digi.ninja> wrote:

> I'll start by saying I asked this in March so it's been a while since I
> was playing with all this. Guess the mail got stuck somewhere.
>
> What I was trying to do was just see how easy it was to decrypt traffic if
> the certificate could be aquired. This was before Heartbleed but going back
> to it now I'm sure there are plenty of certificates lying around now. I
> know they can be used to set up fake sites but being able to decrypt as
> well is just a useful extra skill.
>
> Robin
> On 25 Jul 2014 16:00, "Ron Bowes" <ron () skullsecurity net> wrote:
>
> > What's your ultimate goal? I usually find it easier to man in the middle
> > SSL connections if that's an option.
> > On 25 Jul 2014 06:06, "Robin Wood" <robin () digininja org> wrote:
> >
> > > I'm trying to look at decrypting HTTPS/SSL traffic. I've created a
> > > server using openssl:
> > >
> > > openssl s_server -www -cipher AES256-SHA -key server.pem -cert
> > > server.crt -accept 443
> > >
> > > and connect to it using
> > >
> > > echo -e  "GET / HTTP/1.0\r\n" | openssl s_client  -connect localhost:443
> > >
> > > I'm then sniffing the traffic using tshark
> > >
> > > tshark -o "ssl.desegment_ssl_records: TRUE" -o
> > > "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:
> > > 127.0.0.1,443,http,/etc/ssl/mine/server.pem" -o "ssl.debug_file:
> > > ./wireshark-log" -i lo -R "tcp.port == 443" -2
> > >
> > > This has the same server.pem file as the server so it should be able
> > > to decrypt things without any problems.
> > >
> > > Watching the wireshark-log file this works fine and I get cleartext in
> > > the log.
> > >
> > > Same if I connect through curl or wget.
> > >
> > > If I then try through either Firefox or Chrome I get a load of output
> > > in the log but no decrypted data. What would cause this?
> > >
> > > If I use Apache to run the server rather than openssl I don't get any
> > > decryption regardless of what client I get.
> > >
> > > What am I doing wrong?
> > >
> > > I'm getting most of my info from Mark's article from 2010, I've had to
> > > tweak a few bits but there is a difference between what I'm getting
> > > and what Mark got.
> > >
> > > http://securityweekly.com/2010/10/tsharkwireshark-ssl-decryption.html
> > >
> > > Robin
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail securityweekly com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail securityweekly com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail securityweekly com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com