Defeating TLS with SSL-Logs.
#1
I found this tutorial which explains how to do this without a private key but I have a syntactical error of some kind:

https://jimshaver.net/2015/02/11/decrypt...-easy-way/

I was following it but I am doing something wrong.

It seems like a fairly credible tutorial to begin with.

The log file is somewhat saved where I want it to be I think.

Here's my ~/.bashrc:

[Image: show_This_To_Grey_Sec.png]

You can probably see my issue.

But I found a tutorial on how to do it that apparently works. Big Grin
Reply
#2
Please be sure that your thread title properly describes your topic, and never use ALL CAPS. That's low quality and I would expect more from you than that. For now, I edited this for you. But I'll have the thread removed next time it happends, I don't want any ALL-CAPS threads here on GreySec. This isn't twitter.

Anyway, moving on. I see, so if I understand this correctly. This will only work if the webserver has enabled SSL Key Session cache for the clients? In other words; SSL Tickets. To offer better performance at the cost of security? Well too be honest, I'll have to read this article more in-depth.

Nice share man! Interesting topic.
Reply
#3
(08-27-2018, 09:54 PM)Insider Wrote: Please be sure that your thread title properly describes your topic, and never use ALL CAPS. That's low quality and I would expect more from you than that. For now, I edited this for you. But I'll have the thread removed next time it happends, I don't want any ALL-CAPS threads here on GreySec. This isn't twitter.

Anyway, moving on. I see, so if I understand this correctly. This will only work if the webserver has enabled SSL Key Session cache for the clients? In other words; SSL Tickets. To offer better performance at the cost of security? Well too be honest, I'll have to read this article more in-depth.

Nice share man! Interesting topic.

Yeah apparently there are a lot of requirements that you need to have in order to achieve this:
Quote:
  • On Linux systems WireShark must be compiled against Gnu-TLS and GCrypt, not OpenSSL or some other encryption suite; not something to worry about on Windows systems.
  • The private key used to encrypt the data must be available on the system running Wireshark.
  • The private key file must be in the PEM or PKCS12 format; if it’s not you can use OpenSSL to convert what you have as appropriate, just Google it.
  • The private key file should only contain the private key, not the public key (aka the certificate). Files frequently contain both, check by viewing the file in a true text editor. You only need the text delimited by this; Header:—–BEGIN RSA PRIVATE KEY—– Footer:—–END RSA PRIVATE KEY—–
  • Any PEM private key file must not have a passphrase. It seems this is no longer an issue.
  • RSA keys must have been used to encrypt the data.[/color]
  • The capture must include both ‘sides’ of a conversation. In other words, the capture must include the full client and server exchange.
  • Important: The capture must include the initial SSL/TLS session establishment. In other words, the CLIENTHELLO and SERVERHELLO exchange. Beware captures taken where a session has been resumed. Ideally, ensure any capture either a) is of packets related to an entirely new device connecting or b) where a device that has already previously established a session is used, it is used after a considerable time after the last session was established.
  • Important: Ensure the use of a Diffie-Hellman Ephemeral (DHE/EDH) or RSA Ephemeral cipher suite is not negotiated between the two hosts. This is indicated by the use of a ServerKeyExchange message. There is no way to decrypt data where ephemeral ciphers are used.[/color]
Source: https://packetpushers.net/using-wireshar...s-packets/

Other interesting links:
https://wiki.wireshark.org/SSL
https://developer.mozilla.org/en-US/docs...Log_Format
https://security.stackexchange.com/quest...2350#42350
https://stackoverflow.com/questions/1581...ot-working
Reply
#4
look at subterfuge, it's a mitm tool using arp poisoning on a network
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  does netcat's SSL feature prevent the victim from tracking the hacker in any way? QMark 23 8,578 05-01-2020, 02:11 PM
Last Post: DeepLogic