Solved

Decrypting SSL traffic in wireshark

Posted on 2016-10-03
7
87 Views
Last Modified: 2016-11-30
Unable to view descrypted SSL traffic in wirehark.
I am hosting a web application locally which is internally hitting an external https url...
I want to capture the raw data that is being sent to this url.
I am able to see the encrypted SSL data in the column with protocol TLSv1.2 and Application Data

My application is running on jetty server on https port 443. for which i have generated a keystore.jks file.
I decrypted the file to obtain a .pem file using the last two lines in
http://crishantha.com/wp/?p=445  (Also decrypted this .pem file using openssl rsa -in private.pem -out ssl.key and used this in wireshark )
which i imported into wireshark -> preferences -> protocols -> SSL
as mentioned here :
http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html
in Method 1
But nothing happened.

Also i tried what is mentioned in method 2 . Still the same...
The sslkeylog file does contain several entries beginning with CLIENT_RANDOM
But i dont even see the decrypted SSL tab in wireshark.
Also if i perform Follow SSL Stream it shows a blank page...

How do i capture the unencrypted data.
Data is being send from my machine to an https url

Also here is the output of version of wireshark  --version command for reference:

wireshark --version
Wireshark 2.2.0 (v2.2.0-0-g5368c50 from master-2.2)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.4, build 15E65 (Darwin 15.4.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS 2.12.19,
with Gcrypt 1.5.0, with zlib 1.2.5.
Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

Open in new window

Thanks
0
Comment
Question by:Rohit Bajaj
  • 4
  • 3
7 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41827366
What do you see in the SSL Debug log?
0
 

Author Comment

by:Rohit Bajaj
ID: 41827496
where do i generate or find out the SSL Debug Log ?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41828196
On the same page where you tell Wireshark where you certs are there is a box to put in a log name.  Once you fill in the log name Wireshark will generate a log.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:Rohit Bajaj
ID: 41831147
HI,
I have attached the ssl debug log
ssl-debug.log
0
 

Author Comment

by:Rohit Bajaj
ID: 41843206
Hi any tips what could be missing in my setup or any ideas from logs ?
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 41843507
Sorry, somehow missed the e-mail that this was updated.

I need to look at this in more detail, but it looks like it is encrypting some of the SSL traffic.

The traffic that it is not decrypting looks like the SSL session started before the capture was running.  Wireshark must capture the whole SSL session.  You'll see messages like "ssl_restore_master_key can't find master secret by Session ID"

The other thing I have to check is which cipher's wireshark can decrypt.  Some of ciphers exchange the keys encrypted bacyed on a dynamically generated keypair instead of being encrypted with the public key from the certificate.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41843522
It looks like you started the capture after the SSL connection was up and running.

For one SSL connection you don't seem to have the correct private key.  Near the bottom of the debug log you can see "ssl_find_private_key_by_pubkey: lookup result: 0x0".  The result 0x0 means there was no private key found that matched the public key.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now