
decode tls on mirror port?

Hi! I have a home appliance running on my local network. It's a rail-mounted server that is used to control my lights and switches.

I am trying to sniff the network traffic that goes to and from the server.

So I mirrored the port in my switch, and I am able to see the traffic when I connect to the mirror port with Wireshark.

When I do a local http connect to the local IP address on the server, I am able to see the traffic and see the http traffic and the JSON that is sent to and from the server.

I can also connect to the server using https, and by adding the sslkeylogfile this decodes the TLS and works just fine.

Now, my problem is that the server communicates with a cloud service and the cloud service calls the server, using https, which I am not able to decode.

Is this at all possible? I would really like to see what goes to and from the server's webserver.

thanks in advance

hostrup
asked 2022-11-22 10:11:52 +0000

Comments

You need a sslkeylogfile from either side of the TLS connection. Thus generated by the appliance / webserver or the cloud side.

If that TLS traffic passes your capture point (mirrored port) you can use the sslkeylogfile to decrypt.

André (2022-11-22 22:37:10 +0000)

1 Answer


Assuming ephemeral encryption, you have to get the same information as found in the SSLKEYLOGFILE for the communication between server and cloud. That is a question for the supplier of the server/cloud service, not for Wireshark.

Jaap
answered 2022-11-22 13:26:11 +0000

Comments

Hi All! Thanks for your answers.

The server on my network (the one I mirror, using Wireshark) is a black box. So the only access I have to the server is through its configuration interface. The only ports that are open are: 80, 443, and 4004.

Now the server allows you to "connect" it to the online service as well as disabling this and only accessing it locally within the network.

I can access it both by iPhone and with an Android emulator. Will it somehow be possible to fetch the needed certificate information on the Android device / APK file? Because then I would actually be able to test how it communicates with the server.

br

hostrup (2022-11-23 06:50:17 +0000)

the only ports that are open are: 80,443, and 4004.

If you can use the unencrypted http (port 80), then analyzing will be easy.

will it somehow be possible to fetch the needed certificate information on the android device / apk file?

You need the session keys in the sslkeylogfile, not the certificate.

Only if you are able to configure the app (the TLS client) to generate this file then you will be able to decrypt the captured traffic.

There are some professional IDS solutions that basically operate as a man-in-the-middle to inspect, thus decrypt, the traffic.

André (2022-11-23 17:51:03 +0000)

Hi André! Thanks for your reply. Unfortunately, the apps (APK and iOS) both use their own ssl/tls implementation, ignoring every attempt to proxy or even transparently proxy the content being sent :(.

So I guess I am a bit stuck for now :)

hostrup (2022-11-24 08:09:32 +0000)

Hi again all! OK, so I managed to get access to the server's certificate store in (jceks) format (it's a Java server).

I also got the password for the key store and can extract the keys, and I have converted from jceks to pk12 and saved it.

But I am still not able to decode the traffic. Is there something I am missing here?

br

hostrup (2022-11-25 08:58:40 +0000)

Using the private key only works if it is an old (and now unsafe) RSA key. Modern keys use Perfect Forward Secrecy (PFS), then this method does not work. That is why we suggested the use of SSLKEYLOGFILE.

See also https://wiki.wireshark.org/TLS

André (2022-11-25 16:00:22 +0000)
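As an added illustration of André's last point (this is example code, not something from the thread or from Wireshark): the negotiated cipher suite in the ServerHello tells you up front whether the server's RSA private key can ever decrypt a session or whether only the session keys from an SSLKEYLOGFILE will do. The parser below reads a minimal ServerHello record; the cipher-suite table is a constructed subset of the IANA registry, and `build_server_hello` fabricates test records rather than reading a real capture.

```python
import struct

# Subset of IANA TLS cipher-suite codes (constructed lookup for this example, not exhaustive).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",   # TLS 1.3 suites are always ephemeral
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return legacy version and cipher suite."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                      # skip the 32-byte server random
    pos += 1 + hello[pos]                             # skip the length-prefixed session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}

def decryption_method(suite: int) -> str:
    """Which Wireshark input can decrypt a session negotiated with this suite."""
    name = CIPHER_SUITES.get(suite, "")
    if name.startswith("TLS_RSA_"):
        return "server RSA private key (or SSLKEYLOGFILE)"  # static RSA key exchange
    if name.startswith(("TLS_ECDHE_", "TLS_DHE_")) or (suite >> 8) == 0x13:
        return "SSLKEYLOGFILE only"   # ephemeral (forward-secret) key exchange
    return "unknown suite: check the IANA registry"

def build_server_hello(suite: int) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello record (empty session id, no extensions)."""
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        info = parse_server_hello(build_server_hello(suite))
        print(CIPHER_SUITES[suite], "->", decryption_method(info["cipher_suite"]))
```

On a real capture the same check is the Cipher Suite field of the ServerHello in Wireshark; if it is an ECDHE, DHE or TLS 1.3 suite, the extracted jceks/pk12 key cannot help and the session keys have to come from one of the endpoints.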
