About Vivek Rajagopalan

Vivek Rajagopalan is the lead developer behind the Unsniff Network Analyzer, Trisul, and Unbrowse SNMP products.

TLS 1.2 support in new build of Unsniff Network Analyzer

TLS1.2 support available in Unsniff Network Analyzer

We are pleased to announce the availability to TLS 1.2 analysis and decryption in the latest builds of Unsniff Network Analyzer.

The main changes are :

  • Change in the way the PRF (Pseudo Random Function) works in TLS1.2
  • Addition of SHA256
  • Change in the way the IV (Initialization Vector) is derived for block ciphers such as AES-256-CBC
  • Currently we support the AES suites like   TLS_RSA_WITH_AES_256_CBC_SHA256
  • DHE ciphers are also supported by directly entering the master secret

TLS 1.2 support in Unsniff Network Analyzer 1.8.1542

Other changes

  • The Session ID is shown differently, we show first and last digits so it is easier for you to search in application logs for the master secret
  • A help dialog box is added that helps you convert between PKCS12 – PEM – PCKS8 formats

We will be adding other ciphers such as the AES-GCM  mode soon.  We encourage users to give feedback about how they are using Unsniff. Specifically we’d like to know the following when working with DHE aided by application logging the master secrets.

  • It is extremely tedious to search for SessionID matches against the master secret. How do you log the master secrets ?
  • Would you like the ability for Unsniff to automatically match the master secrets with the Session ID ? This could take some work. Is this useful ?

 

Stay tuned as we announce the next build which will have the AES-GCM support.

Head on over to the Downloads page to get the latest Unsniff Network Analyzer free download.

New build of Unsniff Network Analyzer available

Happy New Year 2014 !

We are pleased to announce a new build of Unsniff Network Analyzer 1.8.0.1539. Please download it from http://unleashnetworks.com/downloads.html

Whats new ?

The new build features the following :

  1. An improved key management interface
  2. Better support for viewing and scrolling large images extracted in the User Objects tab. The previous builds would perform very slowly on Windows 7 and 8 when viewing large images.
  3. Save multiple user objects to a folder now has an option to automatically open the folder where these are saved
  4. Support for ascending and descending sort on any column in the User Objects sheet
  5. Better support to import a range of packets from a PCAP file.

If you haven’t used Unsniff in a while it is time to try it out now. There have been tons of improvements in 2013 especially in the forensics area.

Enjoy !

 

 

Decrypting Diffie Hellman Ephemeral with the Master Key

We’ve written how  EDH (Ephemeral Diffie Hellman) offers perfect forward secrecy in the sense that if even if you got your hands on some keying material such as a private key file, you cant decrypt past captured traffic. With DHE, what’s done is done, baby.

But.

A post on the Wireshark Q&A site wondered if you controlled the client or the server and could output the so called master secret, can you then decrypt the SSL/TLS traffic? The answer is absolutely!

If you had the master secret, it does not matter what key exchange algorithm you use. The only question left is : Do you support decryption of the cipher!

 

Differences with Wireshark

Unsniff supports entering a master secret directly. Wireshark allows you to enter something called a ‘unencrypted pre master secret’, we think if you can instrument the client anyway – why not just print out the master secret. Unsniff also doesnt care about the session id as a way of mapping flows to keys – the mapping is much weaker. You can arrange to split your PCAPs into flows -> key mapping instead.

Sample run with ECDHE-RSA-RC4-128-SHA (what gmail prefers)

Use the s_client tool to generate a trace run by connecting and typing “GET /”

dhinesh@dhinesh-System-dev:~$ openssl s_client -host gmail.com  -port 443
 CONNECTED(00000003)
 depth=1 C = US, O = Google Inc, CN = Google Internet Authority
 verify error:num=20:unable to get local issuer certificate
 ..
---
 No client certificate CA names sent
 ---
 SSL handshake has read 2110 bytes and written 348 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol  : TLSv1.1
 Cipher    : ECDHE-RSA-RC4-SHA
 Session-ID: 19AA250D4CF5142DB5E6FCEF07738070F6B0977647BF8C32EC1B75CC85A4FC3D
 Session-ID-ctx:
 Master-Key: 05FCDE36BE947C1A8981F0F400524C57DB632B323F144A87A2F73FC258E8AC032EE06DB36B9D3C68C3C7621E8AEC7601
 Key-Arg   : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 100800 (seconds)
 TLS session ticket:
 0000 - eb 3e 92 dc ef ab dd 75-1f 2b ce 7e 22 58 99 94   .>.....u.+.~"X..
 ---
 GET /
 HTTP/1.0 302 Found
 Location: https://www.google.co.in/
 Cache-Control: private
 Content-Type: text/html; charset=UTF-8
 Content-Length: 222
 X-XSS-Protection: 1; mode=block
 X-Frame-Options: SAMEORIGIN
..

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">

Notice that big string in bold. That is called the master secret. That’s all you need.

If you have Trisul running in your egress point, grab a PCAP of the above session. Or alternatively run a tcpdump before the s_client tool.

Enter the master secret

Self evident, just use the highlighted buttons.

Create a mapping for server ip/port to master key file.

 Run Unsniff on the PCAP

If you clicked on Pull Packets in Trisul, it will automatically open Unsniff the run the decryption for you. Alternately, load the PCAP into Unsniff via File -> Import -> From Libpcap

PDUs

The place to observe the action in Unsniff is in the PDU tab. This may be a little confusing for folks familiar with Wireshark’s link packet based views. What Unsniff does it shows you complete SSL “records” – so an Application Data encrypted record maps cleanly into a “decrypted” record. This is shown with an icon on the left side.

Decrypted PDUs show up with ICON at left

 Stream based view

Switch to the streams tab for two extra streams generated from the SSL stream.

  1. Decrypted stream stopping at the TCP layer
  2. Decrypted stream going all the way to the HTTPS (or whatever else) layer

Streams tab show entire decrypted session data

Unsniff is still heavily developed

We’ve received a bunch of emails asking about Unsniff. We are still heavily improving it, unfortunately the documentation and new website is still some time off due to our big Trisul releases. The latest versions for example have top notch reconstruction – even of Video Chats with playback of VP8 and MPEG4-TS, unidirectional streams from satellite connections and more.  Check it out now.