Hello,
Here is the sample script to do this:
I am also working on a blog post on this topic, there are a lot of people who want to share PCAPs but not expose the private key.
'
' detls - Strip a TLS pcap file into two capture files
' 1. A USNF file with only TLS decrypted application records xxx_strip_tls.usnf
' 2. A USNF file with only App (HTTP) plain text xxx_strip_app.usnf
'
' Pre-req :
' 1. Ensure the private key is specified in unencrypted PKCS8 form via Unsniff
' 2. Ensure "Decrypt Upper Layers" is TRUE in Plugins>Configure>TLS
'
' -----------------------
' Check usage & arguments
' -----------------------
Set Stdout = WScript.StdOut
If WScript.Arguments.Count <> 2 Then
    Stdout.WriteLine "Usage: detls <from-filename> <to-pattern>"
    WScript.Quit
End If

FromFile = WScript.Arguments.Item(0)
NewDBName_TLS = WScript.Arguments.Item(1) + "_strip_tls.usnf"
NewDBName_APP = WScript.Arguments.Item(1) + "_strip_app.usnf"
NewDBName_TMP = WScript.Arguments.Item(1) + "_tmp.usnf"

' A Temp file backing the imported TLS pcap
Set UnsniffDB_TMP = CreateObject("Unsniff.Database")
UnsniffDB_TMP.New(NewDBName_TMP)
UnsniffDB_TMP.Import "libpcap", FromFile

' Set up file to receive plaintext stream at TLS Layer
Set UnsniffDB_TLS = CreateObject("Unsniff.Database")
UnsniffDB_TLS.New(NewDBName_TLS)

' Set up file to receive plaintext stream at APP (HTTP) layer
Set UnsniffDB_APP = CreateObject("Unsniff.Database")
UnsniffDB_APP.New(NewDBName_APP)

' Examine each stream in imported file, look for decrypted stream
' Send streams processed at TLS layer to strip_tls, and HTTP layer to strip_app
Set STMIndex = UnsniffDB_TMP.StreamIndex
For Each STM In STMIndex
    If InStr(STM.Description, "[Synt/Decrypted]") > 0 Then
        If STM.DestinationPort = 80 Then
            Stdout.WriteLine "Saving HTTP plaintext " & STM.ID & vbTab & STM.Description
            UnsniffDB_APP.AddStream(STM)
        ElseIf STM.DestinationPort = 443 Then
            Stdout.WriteLine "Saving SSL/TLS plaintext " & STM.ID & vbTab & STM.Description
            UnsniffDB_TLS.AddStream(STM)
        End If
    End If
Next

UnsniffDB_TMP.Close()
UnsniffDB_TLS.Save()
Stdout.WriteLine "Plain text TLS layer stored in " & NewDBName_TLS
UnsniffDB_APP.Save()
Stdout.WriteLine "Plain text APP/HTTP stored in " & NewDBName_APP
It is VBScript but you can also do this in Ruby. To run this:
1. Set the private key information via the Unsniff GUI (i.e. map hostname+port to private-key file). If you want to automate this too, you can simply specify the mapping in %APPDATA%/Unleash Networks/Unsniff/Cfg/ssltls.cfg
2. Run the script like so (assuming you saved the script as detls.vbs)
cscript detls.vbs mycapfile.tcpd cleartext_
3. This will create two files:
cleartext_strip_tls.usnf
cleartext_strip_app.usnf
The APP capture file will contain HTTP as if the TLS layer never existed.
Also, download the latest Unsniff 1444; a couple of tweaks were made recently to TLS decryption.
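Before handing a stripped capture to someone else, it is worth a quick independent check that no TLS records are left in it (for example a stream the decryption step silently skipped because no key mapping matched). The following is an added example, not part of the post above and not Unsniff's own code; it assumes the stripped capture has been exported to a standard pcap file (Unsniff's .usnf format is not parsed here) and scans every TCP payload for a TLS record header, counting plaintext HTTP separately. The sample captures are constructed inline so it runs offline.

```python
import struct

# Constructed sample payloads (not captured traffic): one TLS application-data
# record on port 443, one plaintext HTTP request on port 80, one HTTP response.
TLS_APP_DATA = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + b"\x00" * 16
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")


def build_packet(src_port, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame around payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      0x50, 0x18, 65535, 0, 0)              # data offset 20, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def is_tls_record(payload):
    """TLS record header: content type 20..23, version 3.0 .. 3.4."""
    return (len(payload) >= 5 and payload[0] in (20, 21, 22, 23)
            and payload[1] == 3 and payload[2] <= 4)


def classify(payload):
    if is_tls_record(payload):
        return "tls_records"
    if payload.startswith(HTTP_STARTS):
        return "http_plaintext"
    return "other"


def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every TCP segment carrying data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a pcap file (unknown magic)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4
        src, dst = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        payload = frame[tcp_off + data_off:14 + ip_total]
        if payload:
            yield src, dst, payload


def scan_pcap(pcap):
    """Count TCP payloads by kind: TLS record, plaintext HTTP, or other."""
    counts = {"tls_records": 0, "http_plaintext": 0, "other": 0}
    for _, _, payload in iter_tcp_payloads(pcap):
        counts[classify(payload)] += 1
    return counts


def is_safe_to_share(pcap):
    """True only when no TLS record headers remain in any TCP payload."""
    return scan_pcap(pcap)["tls_records"] == 0


# Constructed captures: one still carrying a TLS record, one fully stripped.
MIXED_PCAP = build_pcap([build_packet(52000, 443, TLS_APP_DATA),
                         build_packet(52001, 80, HTTP_REQUEST),
                         build_packet(80, 52001, HTTP_RESPONSE)])
STRIPPED_PCAP = build_pcap([build_packet(52001, 80, HTTP_REQUEST),
                            build_packet(80, 52001, HTTP_RESPONSE)])

if __name__ == "__main__":
    print("mixed:", scan_pcap(MIXED_PCAP), "safe:", is_safe_to_share(MIXED_PCAP))
    print("stripped:", scan_pcap(STRIPPED_PCAP), "safe:", is_safe_to_share(STRIPPED_PCAP))
```

The record-header test is deliberately a five-byte heuristic, so it can flag arbitrary binary payloads that happen to start with a plausible TLS header; treat a non-zero `tls_records` count as "inspect these streams before sharing" rather than as proof of leftover ciphertext.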