Network - Wireshark decrypts SSL Traffic

最新推荐文章于 2021-10-28 17:08:16 发布
最新推荐文章于 2021-10-28 17:08:16 发布
阅读量836 收藏
点赞数
分类专栏: Vulnerability Analysis

Step one – set up an SSL-protected server to use as a testbed

To illustrate the process, we’re going to use OpenSSL to generate a certificate and act as a web server running HTTP over SSL (aka HTTPS) – it’s quite straightforward.

To begin with, we need to get ourselves a self-signed certificate that our HTTPS server can use. We can do this with a single command:

┌─[lab@core]─[/tmp/ssldemo]
└──╼ openssl req -x509 -nodes -newkey rsa:1024 -keyout testkey.pem -out testcert.pem
Generating a 1024 bit RSA private key
......................++++++
...............++++++
writing new private key to 'testkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XX
Locality Name (eg, city) []:XX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XX
Organizational Unit Name (eg, section) []:XX
Common Name (e.g. server FQDN or YOUR name) []:XX
Email Address []:
┌─[lab@core]─[/tmp/ssldemo]
└──╼ ll
total 8.0K
-rw-r--r-- 1 lab lab 924 Oct 18 06:19 testcert.pem
-rw-r--r-- 1 lab lab 916 Oct 18 06:19 testkey.pem

OpenSSL will ask you for some input to populate your certificate with; once you’ve answered all the questions, the output of this command is two files, testkey.pem (containing a 1024 bit RSA private key) and testcert.pem (containing a self signed certificate). PEM (Privacy Enhanced Mail) format files are plaintext, and consist of a BASE64 encoded body with header and footer lines. You can look at the contents of your key and certificate files in more detail like this:

┌─[lab@core]─[/tmp/ssldemo]
└──╼ openssl rsa -in testkey.pem -text -noout
┌─[lab@core]─[/tmp/ssldemo]
└──╼ openssl x509 -in testcert.pem -text -noout

We need to perform one tiny tweak to the format of the private key file (Wireshark will use this later on, and it won’t work properly until we’ve done this):

┌─[lab@core]─[/tmp/ssldemo]
└──╼ openssl rsa -in testkey.pem -out testkey.pem
writing RSA key

Now we’re ready to fire up our HTTPS server:

┌─[lab@core]─[/tmp/ssldemo]
└──╼ openssl s_server -key testkey.pem -cert testcert.pem -WWW -cipher RC4-SHA -accept 443
Using default temp DH parameters
ACCEPT
bind: Permission denied
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

The -key and -cert parameters to the s_server command reference the files we’ve just created, and the -WWW parameter (this one is case sensitive) causes OpenSSL to act like a simple web server capable of retrieving files in the current directory (I created a simple test file called myfile.html for the purposes of the test).

The -cipher parameter tells the server to use a particular cipher suite – I’m using RC4-SHA because that’s what’s used when you go to https://www.google.com. The RC4-SHA cipher suite will use RSA keys for authentication and key exchange, 128-bit RC4 for encryption, and SHA1 for hashing.

Having got our server up and running, we can point a browser at https://myserver/myfile.html and retrieve our test file via SSL (you can ignore any warnings about the validity of the certificate). If you’ve got this working, we can move on to…

Step two – capture some traffic with Wireshark

Fire up Wireshark on the server machine, ideally with a capture filter like “tcp port 443” so that we don’t capture any unnecessary traffic. Once we’re capturing, point your browser (running on a different machine) at https://myserver/myfile.html and stop the capture once it’s complete.

Right-click on any of the captured frames and select “Follow TCP stream” – a window will pop up that’s largely full of SSL-protected gobbledegook.

configuring Wireshark for decryption

Close the TCP Stream window and select Preferences from Wireshark’s Edit menu. Expand the “Protocols” node in the tree on the left and scroll down to SSL (in newer versions of Wireshark, you can open the node and type SSL and it will take you there).

Once SSL is selected, there’s an option on the right to enter an “RSA keys list”. Enter something like this:

ssl decrypt

ssl decrypt

References

https://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/
http://support.citrix.com/article/CTX116557

Nixawk
关注
专栏目录
Use Wireshark To Decrypt SSL
agoago_2009的专栏
06-04 741
1.http://support.citrix.com/article/CTX135121  2.http://www.backtrack-linux.org/forums/forum.php?s=7c1db433453d171daee8a92642bd62f8  3.http://wiki.wireshark.org/SSL
Use Wireshark to Decrypt HTTPS
rztyfx的专栏
04-27 1844
Not matter you are a network app developer or network administrator, you may need to debug or troubleshoot encrypted network protocol HTTPS. Wireshark is a powerful and useful tool that we use in tr
Wireshark will decrypt the TLS (HTTPS) traffic and save the plain text: 將TLS (https) decrypt 並保存明文
agathakuan的博客
10-28 9596
使用 SSL/TLS 協議傳輸的封包在 handshake 之後以加密形式傳輸,即使wireshark 抓包也無法看到內容,本文介紹使TLS 封包解為明文的方法
SSL连接建立过程分析(5)
jiangxinyu的专栏
08-24 4456
SSL连接建立过程分析(5)本文档的Copyleft归yfydz所有,使用GPL发布,可以自由拷贝,转载,转载时请保持文档的完整性,严禁用于任何商业用途。msn: yfydz_no1@hotmail.com来源:http://yfydz.cublog.cn2.14 SSL_readSSL结构(struct ssl_st)中的s2,s3指针分别指向SSL2和SSL3的状态结构,这些状态结
https(ssl)协议以及wireshark抓包分析与解密
热门推荐
Q1n6
11-30 11万+
根据之前一篇安全协议的分析中分析了ssl协议,先回顾下ssl协议的内容然后用wireshark来抓包看具体流量包内容。          SSL协议栈位置介于TCP和应用层之间,分为SSL记录协议层和SSL握手协议层。其中SSL握手协议层又分为SSL握手协议、SSL密钥更改协议和SSL警告协议。SSL握手协议作用是在通信双方之间协商出密钥,SSL记录层的作用是定义如何对上层的协议进行封装。S
国密SSLwireshark解析脚本gmssl-wireshark-main.zip
最新发布
05-24
《深入理解国密SSLWireshark解析脚本——gmssl_wireshark-main.zip详解》 国密SSL,全称为“国家商用密码SSL”,是中国自主研发的网络安全协议,旨在保护国内互联网通信的安全性和隐私性。它基于国际SSL/TLS协议...
wireshark-gm-wireshark
07-25
Wireshark-GM-Wireshark 是一个专为中国用户定制的Wireshark版本,它集成了许多方便国内用户的功能和优化。Wireshark是一款全球知名的网络封包分析软件,广泛用于网络故障排查、性能分析以及网络安全检测。在这个...
s7comm-plus-dll-0-0-8-wireshark-3-4.zip
08-04
标题中的"s7comm-plus-dll-0-0-8-wireshark-3-4.zip"表明这是一个与Wireshark相关的插件,专门用于解析S7comm+协议的版本0.0.8,兼容Wireshark 3.4版本。这个压缩包包含了两个子文件,分别是64位和32位的DLL文件,...
kali-wireshark抓取客户端访问ftp的用户名和密码-运维安全详细笔记
06-30
Wireshark 是一个功能强大且免费的网络协议分析器,可以捕获和显示网络中的数据包。Wireshark 可以对网络流量进行截获、分析和展示,从而帮助用户诊断和解决网络问题。 三、实验环境 实验环境中,我们使用了三台...
跟踪 SSL 流 - Wireshark 数据包分析实战(第 3 版) - 知乎书店1
08-03
在本节中,我们将探讨如何使用 Wireshark 跟踪并解析 SSL(Secure Socket Layer)或 TLS(Transport Layer Security)流量,这对于理解加密通信的细节至关重要。 SSL/TLS 是互联网上广泛应用的安全协议,它为数据...
计算机网络自顶向下方法第六版配套资源全套
heureuxchaquejour的博客
10-22 1万+
文章目录计算机网络自顶向下方法第六版配套材料说明所有内容 计算机网络自顶向下方法第六版 英文电子书PDF文字版 配套材料 说明 所有免费材料可以在以下链接访问: http://wps.pearsoned.com/ecs_kurose_compnetw_6/216/55463/14198700.cw/index.html 付费材料在文件夹中,有些材料不是PDF,是HTML网页,就直接转换成P...
Wireshark使用实例(HTTP/DNS/SSL)English version
Slayer_Zhao的博客
09-27 3169
Wireshark is a freepacket snifferavailable for major operating systems, such as Windows (64 bit/32 bit), MacOS, and Linux. Apacket snifferis a piece of software that captures packets being sent fr...
7.3. s_server / s_client
weixin_34234829的博客
12-13 1696
7.3.1.SSL POP3 / SMTP / IMAP SSL POP3 / SMTP / IMAP 端口号 POP3 995 SMTP 465 IMAP 993 openssl s_client -connect localhost:110 -starttls pop3 如果提示 CONNECTED(00000003) 侧省...
Wireshark分析实际报文理解SSL(TLS)协议
村中少年的专栏
12-19 4043
通过实际的报文数据分析SSL,TLS协议,加深对于协议流程的理解
解密HLS中的AES加密
幽雨雨幽
05-24 4338
解密HLS中的AES加密 主题加密解密 如果m3u8文件中包含#EXT-X-KEY字段,那么可以断定这个HLS中的ts文件是被加密的,如: #EXTM3U #EXT-X-VERSION:3 #EXT-X-TARGETDURATION:11 #EXT-X-MEDIA-SEQUENCE:0 #EXT-X-KEY:METHOD=AES-128,URI="https://drm.f...
python urllib.request ssl失败_解决requests报ssl错误的方法
weixin_39784774的博客
12-03 1068
下面这幅图大家会不会觉得很眼熟?没错,这个就是SSL证书验证导致的报错。这个时候我们应该如何解决呢?首先我们要看下是不是打开抓包工具,如果打开了抓包工具,那么请先关闭它,因为开启它之后运行python会自动改变端口,造成ssl错误。直接在请求时关闭证书验证,即在请求的时候带上 verify =False,代码如下图:response = requests.get("url", verify = F...
android.mk 条件编译,android openSSL 的苦逼历程
weixin_35899659的博客
05-26 1241
20180801 调试 Socket1、按照以前的环境设置,出错了!cd /Users/dhbm/Desktop/lxn/lxntransfer/testsopenssl s_server -key server-key.pem -cert server-cert.pem返回:Using default temp DH parametersACCEPT2、还是先对付XCode 的程序,链接后...
wireshark解密用临时秘钥加密的ssl/tls数据包
gufachongyang02的专栏
08-09 1万+
wireshark解密用临时秘钥加密的ssl/tls数据包
hadoop-wireshark
01-27
hadoop-wireshark是一个用于解析Hadoop通信协议的工具。它可以帮助用户分析Hadoop集群中的数据流通信。根据提供的引用内容,有两个版本的hadoop-wireshark可供使用。 引用提到的hadoop-wireshark V0.8支持解析HDFS数据流通信协议,并且可以直接下载安装,无需编译。你可以通过以下链接下载安装包: [https://github.com/liukeyou/hadoop-wireshark/blob/master/setup/Output/hadoop-wireshark.exe?raw=true](https://github.com/liukeyou/hadoop-wireshark/blob/master/setup/Output/hadoop-wireshark.exe?raw=true) 引用提到的hadoop-wireshark是一个针对wireshark 1.10.8的插件,支持解析Hadoop的通信协议,包括HDFS、YARN、HIVE和MapReduce。它适用于Hadoop版本2.2、2.3、2.4和2.4.1,以及HBase版本0.96.x和0.98.x。该插件是x64版本的安装包,如果需要其他版本或最新更新,可以在GitHub上查找。 你可以根据自己的需求选择合适的hadoop-wireshark版本,并按照相应的安装说明进行安装和配置。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值