TOPIC: Command line to decrypt HTTPS from pcap file

Command line to decrypt HTTPS from pcap file 12 years 9 months ago #521

  • Sylvain
Hi to all,

I am about to test unsniff features, and what I need is:
- use only the command line to run the software
- open a pcap file (obtained from tcpdump or windump)
- given a private key, decrypt HTTPS streams
- save the decrypted file to a new pcap file

I have seen in this article that it should be possible using the unsniff GUI, but is it possible using command-line options and scripts?

Thank you for your replies,

Best regards

Sylvain

Re: Command line to decrypt HTTPS from pcap file 12 years 9 months ago #522

Hello,

Yes it is possible to do this without the GUI. You need to write a tiny VBScript or Ruby program. The heavy lifting is still done by the same C++ backend as the GUI, so the performance will be good.

The outline is:

1. Get the pcap file

2. Use the import1.rb (or vbscript) script to import it www.unleashnetworks.com/devzone/unsniff/...tegory:_ImportExport

3. Select the decrypted sessions and export them to another pcap file.


You only have to specify the keys using the GUI, or you can even automate that by placing your own server IP/port to key-file mapping in the ssltls.repo file. You can find this file in %APPDATA%/Unleash Networks/Unsniff/Cfg


I can provide you a sample script to do this later today.

Thanks,
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums

Re: Command line to decrypt HTTPS from pcap file 12 years 9 months ago #525

Hello,

Here is the sample script to do this:

I am also working on a blog post on this topic; there are a lot of people who want to share PCAPs but not expose the private key.

'
' detls - Strip a TLS pcap file into two capture files
'   1. A USNF file with only TLS decrypted application records  xxx_strip_tls.usnf
'   2. A USNF file with only App (HTTP) plain text               xxx_strip_app.usnf
'
' Pre-req :
'   1. Ensure the private key is specified in unencrypted PKCS8 form via Unsniff
'   2. Ensure "Decrypt Upper Layers" is TRUE in Plugins>Configure>TLS
'

' -----------------------
' Check usage & arguments
' -----------------------
Set StdOut = WScript.StdOut

If WScript.Arguments.Count <> 2 Then
    StdOut.WriteLine "Usage: detls <from-filename> <to-pattern>"
    WScript.Quit 1
End If

FromFile = WScript.Arguments.Item(0)

' Output file names are derived from the <to-pattern> argument
NewDBName_TLS = WScript.Arguments.Item(1) & "_strip_tls.usnf"
NewDBName_APP = WScript.Arguments.Item(1) & "_strip_app.usnf"
NewDBName_TMP = WScript.Arguments.Item(1) & "_tmp.usnf"

' A temp file backing the imported TLS pcap; decryption happens during the
' import, using the key mapping configured in Unsniff
Set UnsniffDB_TMP = CreateObject("Unsniff.Database")
UnsniffDB_TMP.New(NewDBName_TMP)
UnsniffDB_TMP.Import "libpcap", FromFile

' Set up file to receive plaintext stream at TLS layer
Set UnsniffDB_TLS = CreateObject("Unsniff.Database")
UnsniffDB_TLS.New(NewDBName_TLS)

' Set up file to receive plaintext stream at APP (HTTP) layer
Set UnsniffDB_APP = CreateObject("Unsniff.Database")
UnsniffDB_APP.New(NewDBName_APP)

' Examine each stream in the imported file and look for decrypted streams
' (Unsniff tags them "[Synt/Decrypted]" in the stream description).
' Send streams processed at the TLS layer to strip_tls, and at the HTTP layer to strip_app
Set STMIndex = UnsniffDB_TMP.StreamIndex
For Each STM In STMIndex
    If InStr(STM.Description, "[Synt/Decrypted]") > 0 Then
        If STM.DestinationPort = 80 Then
            StdOut.WriteLine "Saving HTTP    plaintext " & STM.ID & vbTab & STM.Description
            UnsniffDB_APP.AddStream(STM)
        ElseIf STM.DestinationPort = 443 Then
            StdOut.WriteLine "Saving SSL/TLS plaintext " & STM.ID & vbTab & STM.Description
            UnsniffDB_TLS.AddStream(STM)
        End If
    End If
Next

' The temp database is only needed for the walk above
UnsniffDB_TMP.Close()

UnsniffDB_TLS.Save()
StdOut.WriteLine "Plain text TLS layer stored in " & NewDBName_TLS

UnsniffDB_APP.Save()
StdOut.WriteLine "Plain text APP/HTTP  stored in " & NewDBName_APP



It is VBScript, but you can also do this in Ruby. To run this:

1. Set the private key information via the Unsniff GUI (i.e. map hostname+port to the private-key file). If you want to automate this too, you can simply specify the mapping in %APPDATA%/Unleash Networks/Unsniff/Cfg/ssltls.cfg


2. Run the script like so (assuming you saved the script as detls.vbs):
cscript detls.vbs  mycapfile.tcpd  cleartext_

3. This will create two files:

cleartext_strip_tls.usnf
cleartext_strip_app.usnf

The APP capture file will contain HTTP as if the TLS layer never existed.

Also download the latest Unsniff 1444; a couple of tweaks were made recently to TLS decryption.
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums
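Before running a script like the one above on a real capture, it is worth checking whether the server's private key can decrypt the sessions at all: a server RSA key only recovers sessions negotiated with plain RSA key exchange, because (EC)DHE suites and TLS 1.3 derive the session keys from ephemeral values that the private key never touches. The following Python script is an added example, not part of this thread and not Unsniff code. It reads a classic pcap with the standard library only, finds every ServerHello and reports the negotiated cipher suite and its key-exchange type. The capture it parses is constructed inline (three hypothetical servers 10.0.0.1-3 on port 443), and it handles only Ethernet/IPv4/TCP frames without IP options or TCP reassembly.

```python
"""Report, per TLS session in a pcap, whether the server's RSA private key is
enough to decrypt it: only plain RSA key exchange qualifies. Standard-library
only; the capture parsed at the bottom is constructed inline."""
import struct

TLS_HANDSHAKE = 22     # TLS record content type "handshake"
HS_SERVER_HELLO = 2    # handshake message type "server_hello"

# Cipher suite IDs from the IANA registry, with their key-exchange method.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
}


def server_hello_suite(payload):
    """Walk the TLS records in one TCP payload; return the cipher suite chosen
    in a ServerHello, or None if the payload carries no ServerHello."""
    off = 0
    while off + 5 <= len(payload):
        ctype, _version, rlen = struct.unpack(">BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != TLS_HANDSHAKE or len(body) < 4 or body[0] != HS_SERVER_HELLO:
            continue
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
        if len(hs) < 35:
            return None
        pos = 35 + hs[34]
        if len(hs) < pos + 2:
            return None
        return struct.unpack(">H", hs[pos:pos + 2])[0]
    return None


def tls_sessions(pcap):
    """Parse a classic pcap (Ethernet link type, IPv4/TCP) and list each
    ServerHello seen with its key-exchange classification."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    sessions, off = [], 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not IPv4 over Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        src_ip = ".".join(str(b) for b in frame[26:30])
        tcp = frame[14 + ihl:]
        sport = struct.unpack(">H", tcp[:2])[0]
        data_off = (tcp[12] >> 4) * 4
        suite = server_hello_suite(tcp[data_off:])
        if suite is None:
            continue
        name, kx = CIPHER_SUITES.get(suite, ("unknown_0x%04x" % suite, "unknown"))
        # The ServerHello travels server -> client, so its source is the server.
        sessions.append({"server": "%s:%d" % (src_ip, sport), "suite": name, "kx": kx,
                         "decryptable_with_server_key": kx == "RSA"})
    return sessions


def server_hello_record(cipher_suite):
    """Constructed TLS record holding a minimal ServerHello (empty session id)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def tcp_frame(src_ip, sport, dst_ip, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def sample_pcap():
    """Constructed capture: ServerHellos from three hypothetical servers."""
    frames = [
        tcp_frame("10.0.0.1", 443, "10.0.0.99", 50001, server_hello_record(0x002F)),
        tcp_frame("10.0.0.2", 443, "10.0.0.99", 50002, server_hello_record(0xC02F)),
        tcp_frame("10.0.0.3", 443, "10.0.0.99", 50003, server_hello_record(0x1301)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for s in tls_sessions(sample_pcap()):
        verdict = ("decryptable with server key" if s["decryptable_with_server_key"]
                   else "needs session secrets (ephemeral key exchange)")
        print("%-14s %-40s %s" % (s["server"], s["suite"], verdict))
```

To use it on a real file, replace `sample_pcap()` with the bytes of the capture; sessions reported as ECDHE, DHE or TLS1.3 will stay encrypted after the Unsniff import no matter which private key is mapped, so they are the ones to look at before concluding that the key mapping is wrong.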

Re: Command line to decrypt HTTPS from pcap file 6 years 4 months ago #4647

  • JimmyDoor
Very interesting for me; I'm not a professional developer, and I seek interesting posts like this www.tumblr.com/dashboard/blog/micahlentz for my work!

Command line to decrypt HTTPS from pcap file 5 years 6 months ago #4667

  • KevinJAvila
Before applying any kind of command line to decrypt the HTTPS, you need to be careful, and knowledge of the descriptions from the pcap file is a must. You can check the complete guide of this command line on best essay writing service review, where you can get some help about this topic as well.