About Vivek Rajagopalan

Vivek Rajagopalan is the lead developer behind the Unsniff Network Analyzer, Trisul, and Unbrowse SNMP products.

Decrypting Diffie Hellman Ephemeral with the Master Key

We’ve written about how EDH (Ephemeral Diffie Hellman) offers perfect forward secrecy, in the sense that even if you got your hands on some keying material such as a private key file, you can’t decrypt past captured traffic. With DHE, what’s done is done, baby.

But.

A post on the Wireshark Q&A site wondered: if you controlled the client or the server and could output the so-called master secret, can you then decrypt the SSL/TLS traffic? The answer is absolutely!

If you had the master secret, it does not matter what key exchange algorithm you use. The only question left is: do you support decryption of the cipher?

 

Differences with Wireshark

Unsniff supports entering a master secret directly. Wireshark allows you to enter something called an ‘unencrypted pre master secret’; we think that if you can instrument the client anyway, why not just print out the master secret? Unsniff also doesn’t care about the session id as a way of mapping flows to keys – the mapping is much weaker. You can arrange to split your PCAPs into flows -> key mapping instead.

Sample run with ECDHE-RSA-RC4-128-SHA (what gmail prefers)

Use the s_client tool to generate a trace run by connecting and typing “GET /”

dhinesh@dhinesh-System-dev:~$ openssl s_client -host gmail.com  -port 443
 CONNECTED(00000003)
 depth=1 C = US, O = Google Inc, CN = Google Internet Authority
 verify error:num=20:unable to get local issuer certificate
 ..
---
 No client certificate CA names sent
 ---
 SSL handshake has read 2110 bytes and written 348 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol  : TLSv1.1
 Cipher    : ECDHE-RSA-RC4-SHA
 Session-ID: 19AA250D4CF5142DB5E6FCEF07738070F6B0977647BF8C32EC1B75CC85A4FC3D
 Session-ID-ctx:
 Master-Key: 05FCDE36BE947C1A8981F0F400524C57DB632B323F144A87A2F73FC258E8AC032EE06DB36B9D3C68C3C7621E8AEC7601
 Key-Arg   : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 100800 (seconds)
 TLS session ticket:
 0000 - eb 3e 92 dc ef ab dd 75-1f 2b ce 7e 22 58 99 94   .>.....u.+.~"X..
 ---
 GET /
 HTTP/1.0 302 Found
 Location: https://www.google.co.in/
 Cache-Control: private
 Content-Type: text/html; charset=UTF-8
 Content-Length: 222
 X-XSS-Protection: 1; mode=block
 X-Frame-Options: SAMEORIGIN
..

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">

Notice the big string after Master-Key. That is called the master secret. That’s all you need.
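Why the master secret alone is enough, as an added example (not code from the original post or from Unsniff): the TLS 1.1 key block for the ECDHE-RSA-RC4-SHA session above is derived only from the master secret and the two hello randoms, with no key-exchange input. The random values below are constructed placeholders and the function names are chosen here.

```ruby
require 'openssl'

# P_hash (RFC 4346 section 5): chained HMAC output, expanded to `len` bytes.
def p_hash(digest, secret, seed, len)
  out = ''.b
  a = seed                                                        # A(0) = seed
  while out.bytesize < len
    a = OpenSSL::HMAC.digest(OpenSSL::Digest.new(digest), secret, a)   # A(i)
    out << OpenSSL::HMAC.digest(OpenSSL::Digest.new(digest), secret, a + seed)
  end
  out.byteslice(0, len)
end

# TLS 1.0/1.1 PRF: P_MD5 keyed with the first half of the secret XOR P_SHA1 keyed with the second half.
def tls11_prf(secret, label, seed, len)
  half = (secret.bytesize + 1) / 2
  s1 = secret.byteslice(0, half)
  s2 = secret.byteslice(secret.bytesize - half, half)
  md5  = p_hash('MD5',  s1, label + seed, len).bytes
  sha1 = p_hash('SHA1', s2, label + seed, len).bytes
  md5.zip(sha1).map { |x, y| x ^ y }.pack('C*')
end

# Key block for RC4-128 with HMAC-SHA1: two 20-byte MAC keys, then two 16-byte RC4 keys.
# A stream cipher needs no IVs, so 72 bytes cover everything.
def rc4_sha_keys(master_secret, client_random, server_random)
  kb = tls11_prf(master_secret, 'key expansion'.b, server_random + client_random, 72)
  { client_mac: kb.byteslice(0, 20), server_mac: kb.byteslice(20, 20),
    client_key: kb.byteslice(40, 16), server_key: kb.byteslice(56, 16) }
end

# Master-Key value printed by s_client in the session above.
MASTER = ['05FCDE36BE947C1A8981F0F400524C57DB632B323F144A87A2F73FC258E8AC03' \
          '2EE06DB36B9D3C68C3C7621E8AEC7601'].pack('H*')
# Constructed placeholders: the real values are in the ClientHello and ServerHello of the capture.
CLIENT_RANDOM = ("\x11" * 32).b
SERVER_RANDOM = ("\x22" * 32).b

if __FILE__ == $PROGRAM_NAME
  rc4_sha_keys(MASTER, CLIENT_RANDOM, SERVER_RANDOM).each do |name, key|
    puts "#{name}: #{key.unpack1('H*')}"
  end
end
```

Both random values travel in the clear in the handshake, which is why a logged master secret should be handled with the same care as the decrypted traffic itself.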

If you have Trisul running in your egress point, grab a PCAP of the above session. Or alternatively run a tcpdump before the s_client tool.

Enter the master secret

Self evident, just use the highlighted buttons.

Create a mapping for server ip/port to master key file.

Run Unsniff on the PCAP

If you clicked on Pull Packets in Trisul, it will automatically open Unsniff and run the decryption for you. Alternatively, load the PCAP into Unsniff via File -> Import -> From Libpcap

PDUs

The place to observe the action in Unsniff is in the PDU tab. This may be a little confusing for folks familiar with Wireshark’s link packet based views. What Unsniff does is show you complete SSL “records” – so an Application Data encrypted record maps cleanly into a “decrypted” record. This is shown with an icon on the left side.

Decrypted PDUs show up with ICON at left

Stream based view

Switch to the streams tab for two extra streams generated from the SSL stream.

  1. Decrypted stream stopping at the TCP layer
  2. Decrypted stream going all the way to the HTTPS (or whatever else) layer

Streams tab shows entire decrypted session data

Unsniff is still heavily developed

We’ve received a bunch of emails asking about Unsniff. We are still heavily improving it; unfortunately the documentation and new website are still some time off due to our big Trisul releases. The latest versions, for example, have top-notch reconstruction – even of Video Chats with playback of VP8 and MPEG4-TS, unidirectional streams from satellite connections and more. Check it out now.

 

Trisul 3.0 is released on trisul.org

We are excited to announce our latest version of Trisul Network Analytics – Release 3.0 is available on www.trisul.org

 

With Trisul 3.0 you have almost all bases covered as far as access to network security monitoring and audit data is concerned. The key features in this release are:

  1. SSL Certificates are stored in summary and full text search form
  2. HTTP headers are stored in full text search (FTS) form
  3. A brand new FTS search screen generates live faceted results
  4. 3 new SSL counter groups to track ciphers in use, orgs, and CAs
  5. Port independent tracking of SSL, HTTP, and FTP traffic

Head on over to http://www.trisul.org/releases/ for more details and links to documentation.

Use with Unsniff Network Analyzer

Unsniff Network Analyzer has recently undergone a number of key revisions silently. The most recent improvement is reconstruction of video chat using VP8 and MPEG-4TS codecs. We’ve also added unidirectional reconstruction, which is useful for satellite applications.

Use Trisul to monitor continuously and pull in packets to Unsniff to complete your analysis.

 

 

 

Extracting information in DNS Records with Unsniff and Ruby

There was a question on the Wireshark Q&A site that prompted this post. A user wanted to pull out IP Addresses but only from the “Answer Records” section of DNS. All the information in the Authority or Additional records sections was to be ignored. The picture below describes what he was trying to accomplish with tshark.

Types of scripting

The problem is TShark does not actually expose an object model to a scripting language. The user gets the values of the fields “dns.qry.name” and “dns.resp.addr”, which are tagged fields using the display filter format. Without doubt, this is a powerful capability of TShark, but extending this to support ad hoc scripting requirements is difficult. The solution is to dump the entire packet as text and parse it offline – a difficult ask.

How would you accomplish this with a scriptable object model?

Unsniff Network Analyzer exposes an object model to scripting languages like Ruby and VBScript. So you can put together a quick script to walk down the protocol tree whichever way you want. Let’s do this example in Ruby.

require 'win32ole'

raise "Usage: pdns <pcap-file>" unless ARGV.length == 1

# Create a temporary Unsniff capture database and import the pcap into it
UnsniffDB = WIN32OLE.new("Unsniff.Database")
UnsniffDB.New("temp.usnf")
UnsniffDB.Import("libpcap", ARGV[0])

UnsniffDB.PacketIndex.each do |pkt|
  # Only work on DNS responses
  next unless pkt.Description =~ /QUERY Response/

  dnslayer = pkt.FindLayer("DNS")
  answers = dnslayer.FindField("Answer Records")

  # Skip responses that carry no Answer Records section
  next if answers.nil?

  print "\n\nDNS Records in pkt #{pkt.ID} #{pkt.Description}\n"

  # One sub-field per resource record in the Answer Records section
  answers.SubFields.each do |rec|
    print rec.FindField("Type").Value.ljust(30)
    print rec.FindField("Name").Value.ljust(20)
    print rec.FindField("RDATA").Value.ljust(20)
    print "\n"
  end
end

# Close the database and remove the temporary file
UnsniffDB.Close()
File.delete("temp.usnf")

Once you get hold of the packets you want, you use the same field names as in the GUI to navigate the protocol tree. The key pieces in the above Ruby code are:

  • Import the pcap file
      UnsniffDB.Import("libpcap",ARGV[0])
  • Iterate over all packets and only work on QUERY Response. The same string is shown in the user interface, so it is easy to remember this string.
      UnsniffDB.PacketIndex.each do |pkt|
      next unless  pkt.Description =~ /QUERY Response/
  • Find the “Answer Records” section in the “DNS” layer and process each record
      dnslayer = pkt.FindLayer("DNS")
      answers = dnslayer.FindField("Answer Records")
      ..
      answers.SubFields.each do |rec|

Running this

If you run the above script

ruby pdns.rb mycapture.pcap

You get something like this

DNS Records in pkt 5 QUERY Response ad.doubleclick.net
CNAME. Canonical name         ad.doubleclick.net  dart.l.doubleclick.net
A.  IPv4 address              dart.l.doubleclick.net74.125.236.188
A.  IPv4 address              dart.l.doubleclick.net74.125.236.187

DNS Records in pkt 6 QUERY Response www.espncricinfo.com
CNAME. Canonical name         www.espncricinfo.comwwwakamai.espncricinfo.com
CNAME. Canonical name         wwwakamai.espncricinfo.comcontent.cricinfo.com.edgesuite.net
CNAME. Canonical name         content.cricinfo.com.edgesuite.neta1850.g.akamai.net
A.  IPv4 address              a1850.g.akamai.net  67.148.47.42
A.  IPv4 address              a1850.g.akamai.net  67.148.47.40
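The same answers-only extraction done directly on the DNS wire format, as an added example (not from the original post and not using Unsniff's object model): the header counts say how many records belong to the Answer section, so Authority and Additional records are simply never read. The sample message is constructed, and `read_name`, `answer_addresses`, `wire_name` and `sample_response` are names chosen here.

```ruby
# Read a possibly compressed DNS name at `off`; returns [name, offset just past the name].
def read_name(msg, off)
  labels, resume, hops = [], nil, 0
  loop do
    len = msg.getbyte(off)
    raise ArgumentError, 'truncated name' if len.nil?
    if (len & 0xC0) == 0xC0                            # compression pointer
      raise ArgumentError, 'pointer loop' if (hops += 1) > 16
      low = msg.getbyte(off + 1) or raise ArgumentError, 'truncated name'
      resume ||= off + 2                               # the record continues after the first pointer
      off = ((len & 0x3F) << 8) | low
    elsif len.zero?
      return [labels.join('.'), resume || off + 1]
    else
      labels << msg.byteslice(off + 1, len)
      off += len + 1
    end
  end
end

# [owner name, IPv4 address] pairs for A records in the Answer section only.
def answer_addresses(msg)
  _id, flags, qdcount, ancount, = msg.unpack('n6')
  return [] if msg.bytesize < 12 || (flags & 0x8000).zero?    # too short, or a query
  off = 12
  qdcount.times { off = read_name(msg, off)[1] + 4 }          # skip QNAME, QTYPE, QCLASS
  found = []
  ancount.times do
    name, off = read_name(msg, off)
    type, _class, _ttl, rdlen = msg.byteslice(off, 10).to_s.unpack('nnNn')
    raise ArgumentError, 'truncated record' if rdlen.nil?
    found << [name, msg.byteslice(off + 10, 4).to_s.bytes.join('.')] if type == 1 && rdlen == 4
    off += 10 + rdlen
  end
  found        # Authority and Additional records follow here and are never read
end

# Constructed sample: one question, one answer (compressed owner name), one additional record.
def wire_name(name)
  name.split('.').map { |l| [l.bytesize, l].pack('Ca*') }.join + "\0"
end
def sample_response
  rr_fixed = [1, 1, 300, 4].pack('nnNn')                      # TYPE A, CLASS IN, TTL, RDLENGTH
  [0x1234, 0x8180, 1, 1, 0, 1].pack('n6') +
    wire_name('www.example.com') + [1, 1].pack('nn') +
    "\xC0\x0C".b + rr_fixed + [192, 0, 2, 10].pack('C4') +
    wire_name('ns.example.com') + rr_fixed + [192, 0, 2, 53].pack('C4')
end
```

The hop limit in `read_name` matters when the capture may contain malformed packets, since a compression pointer that points at itself would otherwise loop forever.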

 

Add Unsniff to your toolkit

The beauty of Unsniff is you can script higher layer objects the same way using the UserObjects model. For example you can save all Images matching a certain name or size or whatever. Check out the samples here

  • Download Unsniff Network Analyzer for free here