
decrypting ssl traffic

Hi all,

I have been given 2 tasks using Wireshark, and being a new user of the software, I am a tiny bit stumped about it.

The explanation of what we were meant to do is as follows: "Use the files located in LabFiles/Wireshark-TLS
Decrypt SSL traffic in the Wireshark interface
Identify the online service that was used to exfiltrate stolen data
Identify the flag in the POSTed data."

Our questions to do the task are the following:
1) "What domain was used to exfiltrate the data?"
2) "What is the Flag?"
3) "What is the unique ID that was assigned to the submitted data?"

ismaeel_ali asked 2019-11-10 14:29:25 +0000; updated by grahamb 2019-11-10 17:06:41 +0000

Comments

As this is a homework question we can't simply give you the answers, what have you tried?

grahamb (2019-11-10 17:07:33 +0000)

I have tried to navigate wireshark and look online for solutions, to no avail. I thought a forum would be my next best bet. A-Levels they said, it will be fun they said. @grahamb

ismaeel_ali (2019-11-10 20:34:29 +0000)

Presumably there was some intro to the subject in the class, have you reviewed that?

grahamb (2019-11-11 13:42:15 +0000)

I was absent, and upon reviewing the notes and resources it still does not make sense. I emailed my teacher but she has not replied and I do not think I will be back in school for at least another 2 weeks. Do you perhaps know how to do it?

ismaeel_ali (2019-11-11 14:44:20 +0000)

It's not for class, I know what it's for. They are looking for people who can get a lot of information and learn very quickly with that information... All of the information on what to do is on their website or on Google; you don't need to ask these questions when the information is already there....

johnrown (2019-11-15 22:52:10 +0000)

1 Answer


Firstly, we don't do SSL anymore; it's TLS, as per the task you've been given.

Decrypting TLS sessions requires some keying material, so that should have been provided. Adding the keying material to the appropriate preference settings in Wireshark allows decryption of the traffic in the capture file.

See the Wireshark Wiki page on TLS for more info on setting the required preferences.

grahamb answered 2019-11-11 15:14:46 +0000

Comments

So I think I decrypted it; now, what stands out about finding a domain that data was posted to?

ismaeel_ali (2019-11-11 15:24:01 +0000)

I would use the Statistics -> Endpoints function to see what hosts have been communicating (with the IPv4 tab). Hopefully something will stand out.

As the question asks about "POST" data, maybe add a display filter of http, or http.request.method == "POST"

grahamb (2019-11-11 16:08:30 +0000)
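To make the answer's point concrete, here is an added example in Python (not from this thread or from the Wireshark project): it checks a key log file in the NSS format that Wireshark's tls.keylog_file preference reads, reporting lines Wireshark could not use, and builds the equivalent tshark command line for listing decrypted POST requests with the display filter suggested above. The file names and the sample key log lines are constructed for the example, and entries in the older RSA pre-master format are treated as out of scope.

```python
import re

# Labels Wireshark accepts in an NSS-format key log (TLS 1.2 master secrets
# and TLS 1.3 traffic secrets). Each line is: LABEL <client_random> <secret>.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Client random is 32 bytes (64 hex chars); the secret length depends on the label.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed sample, not from a real session: two good lines, two unusable ones.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "12" * 32 + " " + "ef" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 10,   # truncated master secret
    "this line is not a key log entry",
])

def parse_keylog(text):
    """Return (entries, problems): entries are (label, client_random, secret)
    tuples Wireshark can use, problems describe lines it would ignore."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not 'LABEL <client_random> <secret>'")
            continue
        label, client_random, secret = m.groups()
        if label in TLS12_LABELS and len(secret) != 96:
            problems.append(f"line {lineno}: master secret must be 48 bytes")
        elif label not in TLS12_LABELS | TLS13_LABELS:
            problems.append(f"line {lineno}: unknown label {label}")
        else:
            entries.append((label, client_random.lower(), secret.lower()))
    return entries, problems

def tshark_post_command(pcap, keylog):
    """argv for tshark: load the key log via the tls.keylog_file preference,
    keep only decrypted HTTP POSTs, and print host, URI and body fields."""
    return ["tshark", "-r", pcap, "-o", f"tls.keylog_file:{keylog}",
            "-Y", 'http.request.method == "POST"', "-T", "fields",
            "-e", "http.host", "-e", "http.request.uri", "-e", "http.file_data"]
```

Run parse_keylog on the file you were given before loading it; a line reported as a problem is one Wireshark will silently skip, leaving that session undecrypted.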

Thanks, it works! One last problem: I am trying to find the unique ID assigned to the data. How do I find that while analysing the packet? Which section?

ismaeel_ali (2019-11-11 19:02:07 +0000)

Hey, did you solve 3)? I'm finding myself stuck on this as well...

a__lmonkey (2019-11-12 15:39:02 +0000)