In this post I would like to show how to decrypt packets flowing over an established SSL session using Wireshark. To do so we need both the server's certificate and its private key.
It is very important for this experiment that the key exchange negotiation does not use Diffie-Hellman or elliptic-curve algorithms: with those, decryption requires knowledge of the session keys, which is possible to obtain but will be covered in a later post.
Follow these steps to reproduce the experiment.
- Generate a self-signed certificate
$ openssl req -x509 -newkey rsa:4096 \
    -keyout key.pem.secured \
    -out cert.pem -days 365
- Decrypt the private key (remove its passphrase) using the following command
$ openssl rsa -in key.pem.secured -out key.pem
- Create an index.html file so there is something to serve on this port
- Start an SSL server restricted to cipher suites whose key exchange does not use Diffie-Hellman or elliptic curves. openssl can also act as a simple HTTP server; for this experiment we will use port 44433
$ openssl s_server -cert cert.pem \
    -key key.pem \
    -accept 44433 \
    -WWW -no_dhe -no_ecdhe
- Configure Wireshark to capture traffic on port 44433.
- Generate traffic using any browser
- The client will show that the negotiated cipher suite uses RSA as the key exchange mechanism
- At this point Wireshark shows only encrypted data
- Verify that your Wireshark build was installed with support for the crypto libraries.
- Configure the certificate and key on the SSL protocol as follows
- Edit → Preferences → Protocols → SSL. Press “Edit…”
- Click on “New”
- Add the following information together with the server's private key.
- After configuring the private key, filtering for HTTP traffic should show the decrypted data.
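As an added example (not code from the original post), a small Python parser for a TLS ServerHello record that reports whether the negotiated cipher suite is a static-RSA suite, which is what this method can decrypt with the server key alone, or an (EC)DHE / TLS 1.3 suite, where the server key is not enough. The same check is useful from the defender's side to spot sessions in a capture that lack forward secrecy. The ServerHello bytes are constructed inline and the cipher-suite tables are a subset of the IANA registry.

```python
import struct

# Cipher suites grouped by key exchange (IANA values, subset). Static-RSA suites
# are the only ones this post's method can decrypt: the premaster secret is
# encrypted to the server's RSA key, so that key alone recovers every session.
# (EC)DHE and TLS 1.3 suites derive the secret ephemerally, so the server key
# is not sufficient and the session keys themselves would be needed.
STATIC_RSA = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
              0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
              0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384"}
EPHEMERAL = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
             0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             0x1301: "TLS_AES_128_GCM_SHA256",   # TLS 1.3: always ephemeral
             0x1302: "TLS_AES_256_GCM_SHA384"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and report the negotiated
    suite plus whether the server's private key alone can decrypt the session."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                      # skip the 32-byte server random
    sid_len = body[pos]
    pos += 1 + sid_len                # skip the session id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    name = STATIC_RSA.get(suite) or EPHEMERAL.get(suite) or "unknown"
    return {"version": "0x%04x" % version, "suite_id": suite, "suite": name,
            "decryptable_with_server_key": suite in STATIC_RSA}

def make_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Build a minimal ServerHello record (constructed sample, no extensions)."""
    body = (struct.pack("!H", version) + b"\x11" * 32   # version + random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", suite) + b"\x00")        # suite + null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

if __name__ == "__main__":
    for s in (0x009C, 0xC02F):        # one static-RSA suite, one ECDHE suite
        print(parse_server_hello(make_server_hello(s)))
```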