
This week Doug Burks and I needed to decrypt a few gigabytes of SSL traffic to find a TCP stream that contained a key word. We learned a bit along the way so I'm passing it along here.

First, full packet capture rocks. You are capturing EVERY packet that goes in and out of your network, right? Yeah, I know you have a HUGE internet pipe. But for a few hundred bucks you can have TERABYTES of drive space on an old laptop with DAEMONLOGGER running. I'd suggest something a little better, but you can make full packet capture work on a shoestring budget.

Finding a needle in that haystack when it is all encrypted is the hard part. SSLDUMP is one option, but I am really only interested in the text in the HTTP payload and SSLDUMP gives you a lot more information. We decided to use TSHARK because it has the ability to decrypt SSL and you can use Wireshark display filters:

tshark -n -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 0.0.0.0,0,data,private.key" -o "ssl.debug_file: SSL-Decrypt.log" -r all.pcap -R "(tcp.stream eq 1)"

The first problem we ran into was the format of our private key. We had the right private key, but every time we started tshark it recorded "unable to load PEM" in the log file. Long story short, "-----BEGIN PRIVATE KEY-----" and "-----BEGIN RSA PRIVATE KEY-----" are NOT the same thing. Wireshark and tshark want the private key in PKCS#1 format, which is the "-----BEGIN RSA PRIVATE KEY-----" format. The other format is PKCS#8, and Wireshark won't load keys in that format. Step one was to convert the PKCS#8 private key to PKCS#1 format:

openssl pkcs8 -in private.key -out rsaprivate.key -nocrypt

With our new PKCS#1 format private key (rsaprivate.key), the tshark command line became:

tshark -n -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 0.0.0.0,0,data,rsaprivate.key" -o "ssl.debug_file: SSL-Decrypt.log" -r all.pcap -R "(tcp.stream eq 1)"

Now tshark's log file no longer said "unable to load PEM"; instead it said "key loaded successfully". However, two lines down in the log we saw "couldn't find key for this server, try the universal port 0 and the universal IP 0.0.0.0". This entry was a little confusing, as we were already using the universal IP and port.
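As an added example (not code from the original post), this small POSIX shell helper checks which PEM header a private key carries before handing it to tshark, and converts PKCS#8 to PKCS#1 with the same openssl command as above only when needed. The function names pem_key_format and ensure_pkcs1, and the file names, are my own assumptions.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its header line so you know
# whether Wireshark/tshark's ssl.keys_list will load it, and convert PKCS#8
# to PKCS#1 only when needed. Function and file names are assumptions.

# Print one of: pkcs1 | pkcs8 | pkcs8-encrypted | unknown
pem_key_format() {
    # Wireshark wants the PKCS#1 "BEGIN RSA PRIVATE KEY" form; the PKCS#8
    # "BEGIN PRIVATE KEY" form is what produces "unable to load PEM".
    header=$(grep '^-----BEGIN' "$1" 2>/dev/null | head -n 1)
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# ensure_pkcs1 IN OUT: write a PKCS#1 copy of IN to OUT, converting with
# openssl if IN is unencrypted PKCS#8. Fails for encrypted or unknown input
# rather than letting tshark log a confusing load error later.
ensure_pkcs1() {
    in=$1; out=$2
    case "$(pem_key_format "$in")" in
        pkcs1) cp "$in" "$out" ;;
        pkcs8) openssl pkcs8 -in "$in" -out "$out" -nocrypt ;;
        *)     echo "cannot use $in: $(pem_key_format "$in")" >&2; return 1 ;;
    esac
}

# Example run (placeholder file names, matching the post's):
#   ensure_pkcs1 private.key rsaprivate.key && \
#   tshark -n -o "ssl.keys_list: 0.0.0.0,0,data,rsaprivate.key" \
#          -o "ssl.debug_file: SSL-Decrypt.log" -r all.pcap -R "tcp.stream eq 1"
```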
