PaulDotCom mailing list archives

Re: [Security Weekly] decrypting HTTPS/SSL traffic


From: Carlos Perez <carlos_perez () darkoperator com>
Date: Sat, 26 Jul 2014 13:09:33 -0400

My guess is that OpenSSL is not negotiating an alternate key and is using a weak cipher suite, while the browser and 
Apache are negotiating different keying for the secure channel, say Diffie-Hellman, where a different key would be 
negotiated. If the session is negotiated, say, with RSA there should be no problem for your demo, but most browsers will 
try a more secure connection first with the ones offered by the server.

On Jul 26, 2014, at 11:36 AM, Nich Ramsey <ncr.soul () gmail com> wrote:

Might be getting different results in the browser because of cert pinning. So even though you're using the same cert 
outside the browser, maybe because the browser doesn't have your site stored as a recognized pair?

Pure speculation on my part, but I'll definitely keep an eye on this conversation.

Were you getting the results using a self-signed cert or one from a certificate authority? Just in case an interested 
party wanted to duplicate your results.

On Jul 26, 2014 8:29 AM, "Nich Ramsey" <ncr.soul () gmail com> wrote:
That's what I thought, I knew I had to be misunderstanding the question. There was no way someone as talented as you 
wasn't in the know.

So you're getting different results with tshark than you do with wireshark or sslstrip?

On Jul 26, 2014 7:26 AM, "Robin Wood" <robin@digi.ninja> wrote:



On 25 July 2014 22:07, Nich Ramsey <ncr.soul () gmail com> wrote:
Isn't this essentially what sslstrip is doing? Or am I misunderstanding the question?

You missed the point of the question. I'm asking why there is a difference in the results I'm getting, not what tools are 
available.

Robin

 
On Jul 25, 2014 2:05 PM, "Robin Wood" <robin@digi.ninja> wrote:

I'll start by saying I asked this in March so it's been a while since I was playing with all this. Guess the mail 
got stuck somewhere.

What I was trying to do was just see how easy it was to decrypt traffic if the certificate could be acquired. This 
was before Heartbleed, but going back to it now I'm sure there are plenty of certificates lying around now. I know 
they can be used to set up fake sites, but being able to decrypt as well is just a useful extra skill.

Robin

On 25 Jul 2014 16:00, "Ron Bowes" <ron () skullsecurity net> wrote:
What's your ultimate goal? I usually find it easier to man in the middle SSL connections if that's an option.

On 25 Jul 2014 06:06, "Robin Wood" <robin () digininja org> wrote:
I'm trying to look at decrypting HTTPS/SSL traffic. I've created a
server using openssl:

openssl s_server -www -cipher AES256-SHA -key server.pem -cert server.crt -accept 443

and connect to it using

echo -e  "GET / HTTP/1.0\r\n" | openssl s_client  -connect localhost:443

I'm then sniffing the traffic using tshark

tshark -o "ssl.desegment_ssl_records: TRUE" \
       -o "ssl.desegment_ssl_application_data: TRUE" \
       -o "ssl.keys_list: 127.0.0.1,443,http,/etc/ssl/mine/server.pem" \
       -o "ssl.debug_file: ./wireshark-log" \
       -i lo -R "tcp.port == 443" -2

This has the same server.pem file as the server so it should be able
to decrypt things without any problems.

Watching the wireshark-log file this works fine and I get cleartext in the log.

Same if I connect through curl or wget.

If I then try through either Firefox or Chrome I get a load of output
in the log but no decrypted data. What would cause this?

If I use Apache to run the server rather than openssl I don't get any
decryption regardless of what client I get.

What am I doing wrong?

I'm getting most of my info from Mark's article from 2010, I've had to
tweak a few bits but there is a difference between what I'm getting
and what Mark got.

http://securityweekly.com/2010/10/tsharkwireshark-ssl-decryption.html

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

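The key-exchange point Carlos raises at the top of the thread is the thing to check first: `ssl.keys_list` decryption in tshark/Wireshark only works when the negotiated cipher suite uses plain RSA key exchange, because only then is the premaster secret encrypted to the server's public key. With `-cipher AES256-SHA` (TLS_RSA_WITH_AES_256_CBC_SHA) s_server cannot offer anything else, while Apache plus a modern browser will settle on an (EC)DHE suite, where the private key only signs the ephemeral parameters and a passive observer holding it still cannot derive the session keys. The script below is an added example, not code from the thread: it parses the cipher suite out of a TLS 1.2 ServerHello record and reports whether a private-key-only decryption setup can work. The ServerHello bytes it feeds itself are constructed for the demo; the cipher-suite table is a subset of the IANA registry.

```python
"""Can the server's private key alone decrypt this TLS session?

Added example (not from the thread). Parses the cipher suite from a TLS
ServerHello and classifies the key exchange: RSA (private key decrypts the
premaster secret) versus DHE/ECDHE/TLS 1.3 (ephemeral keys; the private
key only authenticates, so a passive observer cannot decrypt).
"""
import struct

# Subset of the IANA TLS cipher suite registry: id -> (name, key exchange).
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),  # OpenSSL name: AES256-SHA
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0x009F: ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "TLS1.3"),
}


def parse_server_hello(record: bytes):
    """Return (cipher_suite_id, version) from a TLS record carrying a ServerHello.

    Layout: record header (type 0x16, version, length) -> handshake header
    (type 0x02, 3-byte length) -> version(2) random(32) session_id_len(1)
    session_id cipher_suite(2) compression(1) [extensions].
    Raises ValueError for anything that is not a well-formed ServerHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len  # session id is variable length; skip it
    if len(hello) < off + 3:  # need cipher suite (2) + compression (1)
        raise ValueError("ServerHello too short for cipher suite")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return suite, version


def is_server_hello(record: bytes) -> bool:
    """True if the bytes parse as a ServerHello record, else False."""
    try:
        parse_server_hello(record)
        return True
    except ValueError:
        return False


def analyse(record: bytes) -> dict:
    """Classify the negotiated key exchange and say whether a keys_list-style
    decryption (server private key only, no MITM) can work for this session."""
    suite, version = parse_server_hello(record)
    name, kx = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    if kx == "RSA":
        decrypts = True        # premaster secret is RSA-encrypted to the server key
    elif kx in ("DHE", "ECDHE", "TLS1.3"):
        decrypts = False       # ephemeral key agreement; key only signs
    else:
        decrypts = None        # not in our table; look it up before deciding
    return {"suite": f"0x{suite:04X}", "name": name, "version": f"0x{version:04X}",
            "key_exchange": kx, "private_key_decrypts": decrypts}


def build_server_hello(suite: int, session_id: bytes = b"", version: int = 0x0303) -> bytes:
    """Construct a minimal ServerHello record for testing (constructed input,
    not a real capture; the 'random' field is a fixed byte pattern)."""
    server_random = bytes(range(32))
    hello = (struct.pack("!H", version) + server_random
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")  # null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # AES256-SHA as in the s_server demo, then what a browser and Apache typically pick.
    for suite in (0x0035, 0xC02F, 0x1301):
        print(analyse(build_server_hello(suite, session_id=bytes(32))))
```

To apply the same check to the thread's own captures, pull the suite out of the ServerHello with tshark (`-Y "ssl.handshake.type == 2" -T fields -e ssl.handshake.ciphersuite` on the 2014-era `ssl` dissector) and compare it against the table: anything DHE/ECDHE explains the browser and Apache results, and the fix on the server side for a lab is to restrict Apache's `SSLCipherSuite` to RSA-key-exchange suites, or otherwise to give up on passive decryption and go the MITM route Ron suggests.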

Current thread: