Monday, 11 August 2014

Decrypting HTTPS using Wireshark

TShark 1.2.15, Oracle Enterprise Linux 6.5
If you are on a web server that is serving SSL, then you can use tshark on that server to decrypt the traffic off the wire. Copy the RSA private key file that your web service is using to /root/private-rsa.key in PKCS#1 format (PKCS#1 files begin with "-----BEGIN RSA PRIVATE KEY-----"), then run:
tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,/root/private-rsa.key" -o "ssl.debug_file:rsa_private.log" -R "(tcp.port eq 443)" port 443
Note that tshark has to capture the beginning of an SSL session in order to decrypt it. If your SSL client machine is Windows, you can force a new SSL session by doing the following:
  1. Internet Explorer > Internet Preferences
  2. On the General tab, click Delete…, and delete everything
  3. On the Content tab, click “Clear SSL state”
If you find that tshark is not showing HTTP traffic, meaning it's still encrypted, then check the decryption log rsa_private.log. One common cause is that the session negotiated a DHE or ECDHE cipher suite: with those, the server's RSA key only signs the handshake and never encrypts the pre-master secret, so the private key cannot recover the session keys no matter how early the capture starts.
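As an added check (example code written for this page, not part of the original post or of Wireshark), the script below parses a TLS ServerHello record and reports whether the negotiated cipher suite uses RSA key exchange, which is the only case where the server's private key lets tshark or Wireshark decrypt the session. It also classifies a PEM key file by its header so you can confirm it is the PKCS#1 form the procedure expects. The ServerHello records in it are constructed inline with a zeroed random field; the cipher suite table is a hypothetical subset covering the common RSA, DHE, ECDHE and TLS 1.3 suites.

```python
import struct

RECORD_HANDSHAKE = 0x16   # TLS record content type: handshake
HS_SERVER_HELLO = 0x02    # handshake message type: ServerHello

# IANA cipher suite ids -> (name, key exchange). Only "RSA" key exchange, where
# the client encrypts the pre-master secret to the server's RSA public key,
# can be decrypted with the server's private key. (EC)DHE suites derive the
# secret per session and use the RSA key only for signing, so the key file
# does not help; TLS 1.3 suites never use RSA key exchange at all.
# (Subset of the registry, chosen for this example.)
CIPHER_SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return its fields.

    Raises ValueError on anything that is not a complete ServerHello, which
    is also what a capture that started mid-session looks like.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != RECORD_HANDSHAKE:
        raise ValueError("not a handshake record (type 0x%02x)" % ctype)
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("truncated handshake record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HS_SERVER_HELLO:
        raise ValueError("handshake message is not ServerHello (type %d)" % hs_type)
    hs = body[4:4 + hs_len]
    if len(hs) < hs_len or len(hs) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[:2])[0]   # 2 bytes version, then 32 bytes random
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 3:                       # cipher suite (2) + compression (1)
        raise ValueError("truncated ServerHello")
    session_id = hs[35:off]
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    name, kx = CIPHER_SUITES.get(suite, ("unknown_0x%04x" % suite, "unknown"))
    return {
        "version": version,
        "session_id": session_id.hex(),
        "cipher_suite": suite,
        "cipher_suite_name": name,
        "key_exchange": kx,
    }


def decryptable_with_server_key(record: bytes) -> bool:
    """True when the negotiated suite lets tshark/Wireshark decrypt the
    session with the server's RSA private key."""
    return parse_server_hello(record)["key_exchange"] == "RSA"


def key_file_format(pem_text: str) -> str:
    """Classify a PEM key by its first line; the procedure above needs PKCS#1."""
    first = pem_text.lstrip().splitlines()[0] if pem_text.strip() else ""
    if first == "-----BEGIN RSA PRIVATE KEY-----":
        return "PKCS#1"
    if first == "-----BEGIN PRIVATE KEY-----":
        return "PKCS#8"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "PKCS#8 (encrypted)"
    return "unknown"


def build_server_hello(version: int, cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (zeroed random, no extensions)
    for offline testing; this is constructed data, not a real capture."""
    hs_body = (struct.pack("!H", version) + bytes(32)
               + bytes([len(session_id)]) + session_id
               + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = bytes([HS_SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", RECORD_HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    for rec in (build_server_hello(0x0303, 0x002F, b"\x11" * 32),
                build_server_hello(0x0303, 0xC02F, b"\x22" * 32)):
        info = parse_server_hello(rec)
        verdict = ("decryptable with server key" if info["key_exchange"] == "RSA"
                   else "NOT decryptable with server key (%s)" % info["key_exchange"])
        print(info["cipher_suite_name"], "->", verdict)
```

To use it on a real capture, feed parse_server_hello the TCP payload bytes of the server's first record (the one Wireshark labels "Server Hello"); a ValueError there usually means the capture missed the handshake, which is the other reason the page gives for traffic staying encrypted.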
Another option is to capture the traffic with tcpdump or tshark and decrypt it later in Wireshark. To do that:
  1. Capture HTTPS traffic on server/load balancer using tcpdump or tshark:
    tcpdump -s 0 -w /tmp/ssl.cap

    tshark -F pcapng -w /tmp/ssl.pcapng port 443
  2. Edit > Preferences
  3. Expand Protocols
  4. Select SSL
  5. Click Edit… beside RSA keys list:
  6. Click New
  7. For IP address, enter 0.0.0.0 (sometimes you have to explicitly put in the server/load balancer IP address here)
  8. For Port, enter 0 (sometimes you have to explicitly put in the server/load balancer SSL port here)
  9. For Protocol, enter http
  10. For Key File, select the RSA private key file which you copied from the web server or load balancer
  11. For Password, enter the password needed for the private key file (if there is not one, leave this field empty)
  12. Click OK
  13. Back on the SSL Preferences page, for SSL debug file, enter C:\rsa_debug.txt
  14. Make sure "Reassemble SSL records spanning multiple TCP segments" is checked
  15. Make sure "Reassemble SSL Application Data spanning multiple SSL records" is checked
  16. Click OK to close the SSL Preferences page
  17. Load your capture file from the web server or load balancer. As long as the SSL session initiation is in the capture, Wireshark should be able to decrypt the HTTPS packets and show the HTTP protocol information.