SSL Encryption – Applications of Wireshark

Preface

If you’ve read my write-up on setting up an SSL server, don’t be fooled: we created a fake SSL listener that just sits on top of our Apache installation and serves us the files. We’ll get to a full-blown installation eventually, but let’s walk before we run, shall we?

How can we use wireshark to decode https traffic?

I’ll again refer to this excellent article to walk me through the process: http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/.

Basic HTTP transmission with gzip

First, let’s fire up Wireshark and capture a normal HTTP request. To make it easier on the eyes, we can use Wireshark’s display filter to hide any packets other than those I’m trading with my VM. Although the data is gzipped during transmission, Wireshark is nice enough to show it to us inflated if we select the HTTP OK response the server sends to signal that it is done transmitting:

[Screenshot 2014-12-12_0636: Wireshark capture of the plain HTTP request, with the gzipped response shown inflated]

SSL Transmission

Now, let’s take a look at the same request using HTTPS over OpenSSL:

[Screenshot 2014-12-12_0647: Wireshark capture of the same request over SSL, showing only encrypted application data]

It’s clearly quite different, and makes no sense to the human eye. Bummer.

Decrypting SSL, the cheating way

Under Wireshark’s Preferences → Protocols, find the SSL protocol. This is where we add the RSA keys list Wireshark uses to decrypt SSL traffic.

[Screenshot 2014-12-12_0700: the SSL protocol preferences page with the RSA keys list]

For this step you’ll need the private key you created on your virtual server. I have an FTP server running on my host machine, so I’ll just grab the key using the virtual server’s ftp command:

[Screenshot 2014-12-12_0707: transferring the server’s private key to the host with the ftp command]

To set this guy up in Wireshark, I need only add him to the RSA keys list like this:

[Screenshot 2014-12-12_0710: the RSA keys list entry pointing at the server’s private key]

Once I click Apply here, I believe I needed to submit a second request to the server for Wireshark to decode it inline. I did so, and suddenly I can see normal traffic again:

[Screenshot 2014-12-12_0736_001: the decrypted capture, with an HTTP item now appearing beneath the SSL layer]

You’ll notice the new HTTP protocol item in the tree below the SSL layer, now that Wireshark understands how to decipher it.

Taking this one step further and following the SSL stream on that HTTP request will show us the entire conversation, as below:

[Screenshot 2014-12-12_0740: Follow SSL Stream showing the full decrypted request and response]

Neat! But what if you don’t have that server key? Well, that’s why this post is kind of cheating. Next up, we’ll explore how to decipher SSL communications without the server key!