Solved

Decrypting SSL traffic in wireshark

Posted on 2016-10-03
7
25 Views
Last Modified: 2016-11-30
Unable to view decrypted SSL traffic in Wireshark.
I am hosting a web application locally which is internally hitting an external https URL...
I want to capture the raw data that is being sent to this URL.
I am able to see the encrypted SSL data in the column with protocol TLSv1.2 and Application Data.

My application is running on a Jetty server on https port 443, for which I have generated a keystore.jks file.
I decrypted the file to obtain a .pem file using the last two lines in
http://crishantha.com/wp/?p=445 (I also decrypted this .pem file using openssl rsa -in private.pem -out ssl.key and used this in Wireshark),
which I imported into Wireshark -> Preferences -> Protocols -> SSL
as mentioned here:
http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html
in Method 1.
But nothing happened.

I also tried what is mentioned in Method 2. Still the same...
The sslkeylog file does contain several entries beginning with CLIENT_RANDOM,
but I don't even see the decrypted SSL tab in Wireshark.
Also, if I perform Follow SSL Stream it shows a blank page...

How do I capture the unencrypted data?
Data is being sent from my machine to an https URL.

Also, here is the output of the wireshark --version command for reference:

wireshark --version
Wireshark 2.2.0 (v2.2.0-0-g5368c50 from master-2.2)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.4, build 15E65 (Darwin 15.4.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS 2.12.19,
with Gcrypt 1.5.0, with zlib 1.2.5.
Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).


Thanks
0
Question by:Rohit Bajaj
7 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
What do you see in the SSL Debug log?
0
 

Author Comment

by:Rohit Bajaj
Where do I generate or find the SSL debug log?
0
 
LVL 57

Expert Comment

by:giltjr
On the same page where you tell Wireshark where your certs are there is a box to put in a log name.  Once you fill in the log name Wireshark will generate a log.
0

 

Author Comment

by:Rohit Bajaj
Hi,
I have attached the SSL debug log:
ssl-debug.log
0
 

Author Comment

by:Rohit Bajaj
Hi, any tips on what could be missing in my setup, or any ideas from the logs?
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
Sorry, somehow missed the e-mail that this was updated.

I need to look at this in more detail, but it looks like it is encrypting some of the SSL traffic.

The traffic that it is not decrypting looks like the SSL session started before the capture was running.  Wireshark must capture the whole SSL session.  You'll see messages like "ssl_restore_master_key can't find master secret by Session ID"

The other thing I have to check is which ciphers Wireshark can decrypt.  Some ciphers exchange the keys encrypted based on a dynamically generated keypair instead of being encrypted with the public key from the certificate.
0
 
LVL 57

Expert Comment

by:giltjr
It looks like you started the capture after the SSL connection was up and running.

For one SSL connection you don't seem to have the correct private key.  Near the bottom of the debug log you can see "ssl_find_private_key_by_pubkey: lookup result: 0x0".  The result 0x0 means there was no private key found that matched the public key.
0
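The two diagnoses above (a session whose handshake was not captured, and a loaded private key that does not match the certificate) and the asker's SSLKEYLOGFILE setup can all be checked mechanically. The script below is an added example, not code from the question or from either answer: it parses minimal TLS ClientHello/ServerHello records to pull out the client random and the negotiated cipher suite, validates CLIENT_RANDOM lines from a keylog file, decides for each session whether Wireshark could decrypt it (keylog entry present, or plain RSA key exchange with the server key loaded) and otherwise says why, and flags the two debug-log messages quoted by giltjr. All handshake bytes, keylog lines and debug-log lines are constructed test data; the cipher-suite table is a small subset of the IANA registry.

```python
"""Cross-check a TLS capture against an SSLKEYLOGFILE and triage a Wireshark SSL debug log.
Added example, not code from the question or answers. The handshake bytes, keylog lines and
debug-log lines are constructed test data; the cipher-suite table is a small IANA subset."""
import re
import struct

# IANA cipher suite id -> (name, key-exchange family). Only plain RSA key exchange can be
# recovered from the server's private key; DHE/ECDHE sessions need the CLIENT_RANDOM keylog.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
}
KEYLOG_RE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")
# Debug-log messages quoted in the accepted answer, with what each one means for the capture.
DEBUG_HINTS = [
    ("ssl_restore_master_key can't find master secret by Session ID",
     "session resumed from a handshake that was not captured; start capturing before the client connects"),
    ("ssl_find_private_key_by_pubkey: lookup result: 0x0",
     "no loaded private key matches the server certificate's public key; re-check the converted key"),
]

def build_hello(hs_type, random32, session_id, suites):
    """Build a minimal TLS 1.2 ClientHello (1) or ServerHello (2) record (constructed data)."""
    body = b"\x03\x03" + random32 + bytes([len(session_id)]) + session_id
    if hs_type == 1:  # ClientHello: cipher_suites vector, then one compression method (null)
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    else:             # ServerHello: the single chosen suite, then the compression method
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def parse_hello(record):
    """Extract random, session id and cipher suite(s) from a Hello record without extensions."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type, length = record[5], int.from_bytes(record[6:9], "big")
    body = record[9:9 + length]
    pos = 35 + body[34]  # skip version(2) + random(32) + session_id_len(1) + session_id
    info = {"random": body[2:34].hex(), "session_id": body[35:pos].hex()}
    if hs_type == 1:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        info["type"], pos = "ClientHello", pos + 2
        info["suites"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    elif hs_type == 2:
        info["type"], info["suites"] = "ServerHello", [struct.unpack("!H", body[pos:pos + 2])[0]]
    else:
        raise ValueError(f"unexpected handshake type {hs_type}")
    return info

def parse_keylog(text):
    """Map CLIENT_RANDOM -> master secret; a malformed line is an error, not silently skipped."""
    secrets = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_RE.match(line)
        if not m:
            raise ValueError(f"keylog line {lineno} is malformed: {line[:40]!r}")
        secrets[m.group(1).lower()] = m.group(2).lower()
    return secrets

def assess_session(client_hello, server_hello, keylog, server_key_loaded):
    """Return (status, reason): whether Wireshark could decrypt this session, and why."""
    suite = server_hello["suites"][0]
    name, kx = CIPHER_SUITES.get(suite, (f"0x{suite:04X}", "unknown"))
    if client_hello["random"] in keylog:
        return "decryptable", f"{name}: master secret for this CLIENT_RANDOM is in the keylog"
    if kx == "RSA" and server_key_loaded:
        return "decryptable", f"{name}: RSA key exchange and the server private key is loaded"
    if kx == "RSA":
        return "not decryptable", f"{name}: RSA key exchange but no matching server private key"
    return "not decryptable", f"{name}: {kx} key exchange; the server key cannot recover session keys, use SSLKEYLOGFILE"

def triage_debug_log(text):
    """Return (line number, explanation) for each known failure message in the SSL debug log."""
    return [(n, why) for n, line in enumerate(text.splitlines(), 1)
            for msg, why in DEBUG_HINTS if msg in line]

# Constructed sessions: randoms are just byte counters, session ids are fixed bytes.
C_RND = [bytes(range(i, i + 32)) for i in (0, 32, 64)]
S_RND = bytes(range(96, 128))
SESSIONS = [
    (build_hello(1, C_RND[0], b"", [0xC02F, 0x002F]), build_hello(2, S_RND, b"\xaa" * 8, [0xC02F])),
    (build_hello(1, C_RND[1], b"", [0x002F]), build_hello(2, S_RND, b"\xbb" * 8, [0x002F])),
    (build_hello(1, C_RND[2], b"", [0xC030]), build_hello(2, S_RND, b"\xcc" * 8, [0xC030])),
]
KEYLOG = f"# constructed keylog: only the first session's secret was logged\nCLIENT_RANDOM {C_RND[0].hex()} {'ab' * 48}\n"
DEBUG_LOG = ("ssl_decrypt_record: constructed filler line\n"
             "ssl_restore_master_key can't find master secret by Session ID\n"
             "ssl_find_private_key_by_pubkey: lookup result: 0x0\n")

if __name__ == "__main__":
    keylog = parse_keylog(KEYLOG)
    for i, (c, s) in enumerate(SESSIONS, 1):
        print(f"session {i}:", *assess_session(parse_hello(c), parse_hello(s), keylog, True))
    for lineno, why in triage_debug_log(DEBUG_LOG):
        print(f"debug log line {lineno}: {why}")
```

Run as-is it reports the first session as decryptable through the keylog, the second through the RSA private key, and the third (ECDHE, no keylog entry) as not decryptable, which is the cipher point the accepted answer raises; point `parse_keylog` at a real SSLKEYLOGFILE and `parse_hello` at the handshake bytes exported from Wireshark to check your own capture. Real Hello messages carry extensions after the fields parsed here; they do not change the offsets this parser uses.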
