2

Situation

I have a client VM and server VM communicating using SSL. The client VM runs wireshark capture using CLI

Wireshark GUI is running locally on a different machine.

Steps

As USER on the client VM I initiated a RESTful HTTP session over SSL using python scripts.

I have captured the conversation using wireshark and now want to de-encrypt the application data.

I copied the captured file local machine and now want to analyse the application data.

I have ssh access only to the client VM and following the steps on https://wiki.wireshark.org/SSL leads me to believe that I should

1) Copy the contents of /home/USER./ssh/id_rsa on the client VM to the local machine.
2) Point to the file in the SSL preferences RSA keyfiles list. 3) In same SSL preferences configure IP address, port

Expected Result

I then expected to be able to view the encrpted data but I still see

Actual Result

enter image description here

My theory is that I am using the incorrect RSA_PRIVATE_KEY , so I want to confirm which key is used in the SSL session.

If the RSA PRIVATE KEY is correct what else should I check?

Pierre.Vriens
  • 1,159
  • 34
  • 15
  • 19
Dave
  • 367
  • 2
  • 5
  • 11

1 Answers1

1

You need the actual private key of the remote endpoint, where HTTP session over SSL connect to.

A good example there: How to Decrypt SSL and TLS Traffic Using Wireshark

1 - Start Wireshark and open the network capture (encrypted SSL should be similar to the following screen shot).

2 - From the menu, go to Edit > Preferences.

3 - Expand Protocols in the Preferences window.

4 - Scroll down and select SSL. Type a location and file name for a debug file in the SSL debug file field.

5 - In the RSA keys list field click Edit > New and add the following information:

Where:

IP address: is the IP Address of the server/appliance with the private key

Port: is usually 443 for SSL/TLS

Protocol: is usually HTTP

Key FIle: is the location and file name of the private key. This is the key used in the certificate key pair of SSL virtual server for which you are trying to decrypt the traffic. All the SSL key and certificates are saved on NetScaler appliance in config/ssl directory. To use the key to decrypt the traffic it should be saved to the local disk and this path should be specified while decrypting the traffic.

Password: enter the password that you assigned while exporting the server certificate.

6 - Decrypt the SSL traffic (decrypted SSL should be similar to the following screen shot).

yagmoth555
  • 16,758
  • 4
  • 29
  • 50
  • regarding You need the actual private key of the remote endpoint, where HTTP session over SSL connect to. I believed that a private key was used on both sides of the conversation to decrypt messages. Is this wrong? – Dave Jun 12 '16 at 22:13
  • 1
    @Dave I understand what you mean, but in practice the handshake is done is rsa, but the client and server exchange a master key, a shared secret in the protocol. In the capture you can see it, as you decrypt by the endpoint private certificate, thus wireshark use it to follow the conversation, a deeper example there; http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-socket-layer-ssl/116181-technote-product-00.html#anc11 :) (That mean in big that from a server X, the encrypted data will change depending on the remote host after the handshake) – yagmoth555 Jun 13 '16 at 02:21