I recently was involved in an responding to an incident and one thing that was key to our investigation was decrypting SSL traffic. The attacker got a web shell on one of the servers and was mucking around with that. All of the traffic was over HTTPS, but we fortunately had the key. This allowed us to decrypt the traffic and view all of the commands issued. It was quite exciting being able to watch every step of the attack, so I would like to share the steps so that you can do it yourself!
A Recipe for Decrypting SSL in Wireshark
- 1: PCap file with HTTPS traffic
- 2: Encryption key
- 3: Wireshark
Sometimes it is hard to find encryption keys in your pantry so here are some common locations that they may be stored:
If you have apache and can’t find it, look in the configuration file (often found in /etc/apache2/) for the following: SSLCertificateKeyFile. It will be followed by the location.
- C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf (search this for the location)
- In IIS
After you have all your ingredients, add them one at a time into Wireshark.
Open your pcap (I assume you know how to do this)
Once you have that go to Edit > Preferences.
On this screen click on Protocols on the left and start typing SSL, which will get you there faster than scrolling.
Hit edit to add keys and you will see the following menu.
Set the IP address to your web server (or to 0.0.0.0 if you want it to try to decrypt all traffic). Set the port to the port it is running on. Set the protocol to HTTP (this tells it to decrypt it and analyze it like it is http traffic). Then add the key file and password if you have one. Once you hit ok then apply it should re-analyze the pcap for you and you should see decrypted traffic.
Hooray! That was easy and now everything should be decrypted. Except for when it isn’t.
When it isn’t
I set up a server on one of my VM’s to go through the process of implementing SSL and then capturing and decrypting traffic. It was a simple php login form that I borrowed and modified from here. I removed the MySQL portion since I wanted to just test SSL. Then I followed this guide to get everything set up for SSL. Once everything is good to go run Wireshark and capture login traffic. It will look all mangled like so:
Then we add the key as we did before and…
Nothing. Why is that? Well it turns out this session used Elliptical Curve Diffie-Hellman Key Exchange. This provides for perfect forward secrecy, so even though you can capture the session and have the key file, you will be unable to decrypt the traffic. This is both good and bad, it protects data that is captured in transit from future attacks, but it also prevents you from analyzing it. That is a risk calculation that you will need to make for your own environment.
Hopefully you get the chance to use it. Until next time, keep hacking!