Using wireshark to snoop encrypted traffic and capture files

This applies to your own web session; it won’t work if you don’t control the browser.  Otherwise you need a man-in-the-middle proxy. The procedures devoted to creating a secure key log file work on Linux and might work on BSD or Mac OS X.

Sometimes you need to look at the plaintext of your own TLS (formerly SSL) sessions.  I was thinking of hacking the SSL library to get the keys out, but it turns out that has already been done, and is installed in the stock NSS library since version 3.14. Other programs using the NSS library will also use SSLKEYLOGFILE. You could also use firefox extensions such as  Live HTTP headers or maybe scriptish/greasemonkey to grab the data before it gets encrypted.

Anyway, here is how you make wireshark decrypt an SSL session and save all of the files which were returned.  These procedures ensure that the secret key files will be gone once you close the shell terminal window, wireshark, and firefox.

Create a secure temporary file, open it in bash for reading and writing as file descriptor 3, and delete it.  From bash reference manual, exec builtin:  “If no command is specified, redirections may be used to affect the current shell environment.”

$ f=$(mktemp); ls -l $f; exec 3<>$f; rm $f; ls $f; lsof -d3 -a -p$$
-rw-------. 1 edward edward 0 Sep 30 13:09 /tmp/tmp.VQw5BPHFlc
ls: cannot access /tmp/tmp.VQw5BPHFlc: No such file or directory
COMMAND … FD … NAME
bash    … 3u … /tmp/tmp.VQw5BPHFlc (deleted)

Quit from firefox (that is absolutely essential), and restart it as a child of this bash, with SSLKEYLOGFILE environment variable set to access file descriptor 3.  For convenience, set ffpid to the process ID of firefox. (The &>/dev/null redirection of stdout and stderr is necessary since the $(…) command substitution would otherwise wait for firefox to exit. “There are two formats for redirecting standard output and standard error: &>word , and >&word . Of the two forms, the first is preferred. This is semantically equivalent to >word 2>&1 .”)

$ ffpid=$( SSLKEYLOGFILE=/dev/fd/3 firefox &>/dev/null & echo $! )

Start wireshark with file descriptor 3 inherited from bash and with umask set to create user only accessible files, because you plan to save confidential files.

$ wspid=$( umask 077; wireshark &>/dev/null & echo $! ) 

Observe that both processes have inherited fd 3:

$ lsof -d3 -a -p$ffpid -p$wspid -p$$
 COMMAND   … FD … NAME
 bash      … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
 firefox   … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
 wireshark … 3u … /tmp/tmp.VQw5BPHFlc (deleted)

Next tell wireshark to look for keys by opening and reading /dev/fd/3:

Edit -> Preferences -> Protocol -> SSL

Set the Pre Master Secret log filename field to /dev/fd/3

wireshark will open, read, and close /dev/fd/3 whenever it needs to learn a key.

$ strace -p $wspid -e open,read,close
 open("/dev/fd/3", O_RDONLY)             = 14
 read(14, "# SSL/TLS secrets log file, gene"..., 4096) = 4096
 read(14, "d570ba9a80f1cf21339b84f7a0292a32"..., 4096) = 4096
 read(14, "f877f2b17761c2bc39e852c2abb0a896"..., 4096) = 4096
 read(14, "2ec71ec4c692ae0fe0344562376230\nC"..., 4096) = 3317
 close(14)                               = 0
 

Start a wireshark capture, filtering for HTTPS traffic only:

Capture options -> Capture filter -> tcp port https

Then access the web page and view images, etc. that you want to save.  To save the images in wireshark:

File -> Export Objects -> HTTP

and wait until the list of objects is filled. Then you can save some or all HTTP objects to disk.

Sources:

https://developer.mozilla.org/en-US/docs/NSS_Key_Log_Format

http://ask.wireshark.org/questions/13855/tool-for-saving-files-html-php-etc-from-capture

http://www.reddit.com/r/netsec/comments/1kuevc/extracting_encryption_keys_from_firefox_and_using

Advertisements
Posted in Uncategorized | Leave a comment

http://svn.ghostscript.com/ghostscript/trunk/gs/toolbin/pdfinflt.ps

Package to permit ghostscript to unpack compressed pdf files.

Link | Posted on by | Leave a comment

Notes from Fedora 19 Core i7 Z77 virtualization

Simple enough goal:  run win7 under Fedora 19 on a new system (Intel Core i7-3770, Z77 chipset) and be able to use a brother ADS-2000 scanner and its windows drivers, which require direct access to a USB-2 port.  I checked that the i7-3770 has virtualization features, but I didn’t realize I would also need to check the chipset.  Intel says the Z77 chipset does not support Vt-d.  A few people (who? look in browser history, later) say they got it to work, and linux kernel reports that there is an iommu.

This blog is intended to be a web-log, a place to refer to pages I’ve read and to preserve the important point I was looking for.  Like does I/O virtualization work with the Z77 chipset, even though Intel says it doesn’t?  Or maybe it works sometimes, or some chips work and some don’t depending on some detail of the chip fab process…

 

Also I want to record, for each X, how I managed to get X to work under the latest released Fedora when X does not work out of the box.

Posted in Uncategorized | Leave a comment