PaulDotCom mailing list archives

Re: [Security Weekly] decrypting HTTPS/SSL traffic


From: Robin Wood <robin@digi.ninja>
Date: Sat, 26 Jul 2014 19:56:05 +0100

A few people have suggested that type of thing could be the problem. I'll
try again and configure Apache to start with weak ciphers.

Seems like one of those things that I assumed was simple but isn't when
actually put into practice.

Robin
On 26 Jul 2014 19:02, "Carlos Perez" <carlos_perez () darkoperator com> wrote:

My guess is that OpenSSL is not negotiating an alternate key and is using
a weak cipher suite, while the browser and Apache are negotiating a different
keying for the secure channel, say Diffie-Hellman, where a different key
would be negotiated. If the session is negotiated with RSA there should
be no problem for your demo, but most browsers will try a more secure
connection first with the ones offered by the server.

On Jul 26, 2014, at 11:36 AM, Nich Ramsey <ncr.soul () gmail com> wrote:

Might be getting different results in the browser because of cert pinning.
So even though you're using the same cert outside the browser, maybe
because the browser doesn't have your site stored as a recognized pair?

Pure speculation on my part, but I'll definitely keep an eye on this
conversation.

Were you getting the results using a self-signed cert or one from a
certificate authority? Just in case an interested party wanted to duplicate
your results.
On Jul 26, 2014 8:29 AM, "Nich Ramsey" <ncr.soul () gmail com> wrote:

That's what I thought, I knew I had to be misunderstanding the question.
There was no way someone as talented as you wasn't in the know.

So you're getting different results with tshark than you do with
wireshark or sslstrip?
On Jul 26, 2014 7:26 AM, "Robin Wood" <robin@digi.ninja> wrote:




On 25 July 2014 22:07, Nich Ramsey <ncr.soul () gmail com> wrote:

Isn't this essentially what sslstrip is doing? Or am I misunderstanding
the question?

You missed the point of the question. I'm asking why there is a difference in
the results I'm getting, not what tools are available.

Robin



On Jul 25, 2014 2:05 PM, "Robin Wood" <robin@digi.ninja> wrote:

I'll start by saying I asked this in March so it's been a while since
I was playing with all this. Guess the mail got stuck somewhere.

What I was trying to do was just see how easy it was to decrypt
traffic if the certificate could be acquired. This was before Heartbleed, but
going back to it now I'm sure there are plenty of certificates lying around.
I know they can be used to set up fake sites, but being able to decrypt
as well is just a useful extra skill.

Robin
On 25 Jul 2014 16:00, "Ron Bowes" <ron () skullsecurity net> wrote:

What's your ultimate goal? I usually find it easier to man in the
middle SSL connections if that's an option.
On 25 Jul 2014 06:06, "Robin Wood" <robin () digininja org> wrote:

I'm trying to look at decrypting HTTPS/SSL traffic. I've created a
server using openssl:

openssl s_server -www -cipher AES256-SHA -key server.pem -cert server.crt -accept 443

and connect to it using

echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect localhost:443

I'm then sniffing the traffic using tshark

tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/etc/ssl/mine/server.pem" -o "ssl.debug_file: ./wireshark-log" -i lo -R "tcp.port == 443" -2

This has the same server.pem file as the server so it should be able
to decrypt things without any problems.

Watching the wireshark-log file this works fine and I get cleartext
in the log.

Same if I connect through curl or wget.

If I then try through either Firefox or Chrome I get a load of output
in the log but no decrypted data. What would cause this?

If I use Apache to run the server rather than openssl I don't get any
decryption regardless of what client I get.

What am I doing wrong?

I'm getting most of my info from Mark's article from 2010. I've had
to tweak a few bits, but there is a difference between what I'm getting
and what Mark got.

http://securityweekly.com/2010/10/tsharkwireshark-ssl-decryption.html

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


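As an added example, not code from the thread or from any of the posters, here is a small Python parser that reads a TLS ServerHello record and reports whether the cipher suite the server selected used static RSA key exchange. That is the only case in which handing tshark the server's private key via ssl.keys_list can recover the session: with static RSA the client sends the premaster secret encrypted under the server's public key, so the private key decrypts it; with DHE or ECDHE the keys are derived from ephemeral values the private key never touches, which is the behaviour Carlos describes above and the reason a browser (which prefers those suites when Apache offers them) produces handshake noise in the debug log but no cleartext. The cipher suite numbers are from the IANA TLS Cipher Suite registry; the ServerHello records are constructed test data, and the helper names are mine.

```python
"""Added example: classify a TLS ServerHello's cipher suite by key exchange.

Not code from the thread. Given the server's RSA private key, tshark's
ssl.keys_list only decrypts sessions whose cipher suite uses static RSA key
exchange, because only then is the premaster secret sent encrypted under
that key. DHE/ECDHE suites derive keys from ephemeral values instead.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_SERVER_HELLO = 2

# Suite IDs from the IANA TLS Cipher Suite registry, with OpenSSL names and
# the key exchange each uses. 0x0035 is AES256-SHA, the suite forced with
# "-cipher AES256-SHA" in the thread; the ECDHE/DHE entries are what a
# browser of the period prefers when the server offers them.
CIPHER_SUITES = {
    0x002F: ("AES128-SHA", "RSA"),
    0x0035: ("AES256-SHA", "RSA"),
    0x009C: ("AES128-GCM-SHA256", "RSA"),
    0x0039: ("DHE-RSA-AES256-SHA", "DHE"),
    0x009E: ("DHE-RSA-AES128-GCM-SHA256", "DHE"),
    0xC013: ("ECDHE-RSA-AES128-SHA", "ECDHE"),
    0xC014: ("ECDHE-RSA-AES256-SHA", "ECDHE"),
    0xC02F: ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE"),
    0xC030: ("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE"),
}


def build_server_hello(cipher_suite, session_id=b"", version=(3, 3)):
    """Build a minimal TLS record carrying a ServerHello. Constructed test
    data only: the 32-byte random is a fixed pattern, not a real one."""
    random = bytes(range(32))
    body = (bytes(version) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher_suite)
            + b"\x00")                      # compression_method: null
    handshake = (bytes([HANDSHAKE_SERVER_HELLO])
                 + len(body).to_bytes(3, "big") + body)
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(version)
            + struct.pack(">H", len(handshake)) + handshake)


def parse_server_hello(record):
    """Parse one TLS record and return the ServerHello's version, cipher
    suite id, OpenSSL name and key-exchange type. Raises ValueError for
    anything that is not a complete ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _, _, rlen = struct.unpack(">BBBH", record[:5])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % ctype)
    hs = record[5:5 + rlen]
    if len(hs) != rlen or len(hs) < 4:
        raise ValueError("truncated handshake message")
    if hs[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello (handshake type %d)" % hs[0])
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    # version(2) + random(32) + session_id_len(1) precede the session id
    if len(body) < 35:
        raise ValueError("ServerHello body too short")
    sid_len = body[34]
    off = 35 + sid_len
    # cipher_suite(2) + compression_method(1) follow the session id
    if len(body) < off + 3:
        raise ValueError("ServerHello body truncated before cipher suite")
    suite = struct.unpack(">H", body[off:off + 2])[0]
    name, kex = CIPHER_SUITES.get(suite, ("unknown-0x%04x" % suite, "unknown"))
    return {"version": (body[0], body[1]), "cipher_suite": suite,
            "name": name, "kex": kex}


def rsa_private_key_decrypts(record):
    """True only when the selected suite used static RSA key exchange, i.e.
    when tshark's ssl.keys_list with the server's private key can recover
    the premaster secret. Any ephemeral (DHE/ECDHE) suite returns False."""
    return parse_server_hello(record)["kex"] == "RSA"


if __name__ == "__main__":
    for suite in (0x0035, 0xC02F):
        rec = build_server_hello(suite, session_id=b"\x11" * 32)
        info = parse_server_hello(rec)
        print("%-32s kex=%-6s decryptable with server key: %s"
              % (info["name"], info["kex"], rsa_private_key_decrypts(rec)))
```

To apply this to a real capture, pull the selected suite straight out of tshark rather than re-parsing bytes by hand: `tshark -r capture.pcap -Y "ssl.handshake.type == 2" -T fields -e ssl.handshake.ciphersuite` prints the id the server chose, and anything in the 0xC0xx (ECDHE) or DHE ranges explains an empty decryption log. Two practitioner caveats not stated in the thread: restricting Apache with `SSLCipherSuite AES256-SHA` (or any RSA-only list) is what makes the browser case behave like the openssl s_server case, and TLS 1.3 removed static RSA entirely, so for modern clients the private-key approach never works and the SSLKEYLOGFILE method (Firefox and Chrome export per-session secrets that Wireshark reads as a "(Pre)-Master-Secret log") is the replacement.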
