I have a private key. All I want is, if I get an encrypted .pcap file, I should be able to decrypt it using the private key and generate a decrypted .pcap file which I can share with others without sharing the private key. Please help me out. Thanks in advance.
asked 17 Apr '13, 21:36 Amby
edited 17 Apr '13, 23:55 SYN-bit ♦♦
One Answer:
Wireshark can't decrypt the pcap file, but you are able to export the SSL session keys for the SSL sessions in the file. These keys will only decrypt these specific sessions, so you can distribute them freely.
The 3rd party needs to:
There is no way yet to do this in tshark, but there is a workaround by using the ssl-debug file, see http://ask.wireshark.org/questions/20283/programatically-export-the-ssl-session-key
answered 17 Apr '13, 23:54 SYN-bit ♦♦
To automate the task of sharing an encrypted SSL session, would it make sense to add an option for "exporting" the SSL session keys to a new pcapng option frame? This would eliminate the whole storing and loading of the keys and there would be only one file to exchange. (18 Apr '13, 01:39) Kurt Knochner ♦
Yes, that does make sense and has been discussed before @ Sharkfest. I expected it to be on the wireshark pcapng wishlist, but it wasn't there so I added it... (18 Apr '13, 01:51) SYN-bit ♦♦
Thanks (18 Apr '13, 01:56) Kurt Knochner ♦
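As an added example (not part of the original answer or of Wireshark), here is a Python check to run on an exported session-key file before handing it to a third party. It accepts only the per-session `RSA Session-ID:... Master-Key:...` and `CLIENT_RANDOM ...` line formats that Wireshark reads from a key log file and flags everything else, including PEM private-key markers; the function names and sample values are constructed for illustration.

```python
import re

HEX = r"[0-9A-Fa-f]"
# Two per-session line formats Wireshark reads from a key log file.
# A TLS master secret is always 48 bytes (96 hex digits).
SESSION_ID_LINE = re.compile(
    rf"RSA Session-ID:((?:{HEX}{{2}}){{1,32}}) Master-Key:({HEX}{{96}})")
CLIENT_RANDOM_LINE = re.compile(rf"CLIENT_RANDOM ({HEX}{{64}}) ({HEX}{{96}})")
PEM_MARKER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def audit_keylog(text):
    """Return (sessions, problems) for a key file that is about to be shared."""
    sessions, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        if PEM_MARKER.search(line):
            problems.append((lineno, "private key material"))
        elif m := SESSION_ID_LINE.fullmatch(line):
            sessions.append(("session-id", m.group(1).lower()))
        elif m := CLIENT_RANDOM_LINE.fullmatch(line):
            sessions.append(("client-random", m.group(1).lower()))
        else:
            problems.append((lineno, "not a session-key line"))
    return sessions, problems


def safe_to_share(text):
    """True only if the file holds session keys and nothing else."""
    sessions, problems = audit_keylog(text)
    return bool(sessions) and not problems


# Constructed sample input: the values are placeholders, not real key material.
SAMPLE = "\n".join([
    "# constructed sample",
    "RSA Session-ID:" + "ab" * 32 + " Master-Key:" + "01" * 48,
    "CLIENT_RANDOM " + "cd" * 32 + " " + "02" * 48,
    "-----BEGIN PRIVATE KEY-----",
    "RSA Session-ID:" + "ef" * 32 + " Master-Key:" + "03" * 40,  # truncated secret
])

if __name__ == "__main__":
    found, issues = audit_keylog(SAMPLE)
    print(len(found), "session keys;", issues)
```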
I have got the same through VB scripting
Get the pcap file
Use the import1.rb (or vbscript) script to import it www.unleashnetworks.com/devzone/unsniff/...tegory:_ImportExport
Select the decrypted sessions and export them to another pcap file.
Code is something like
'
' detls - Strip a TLS pcap file into two capture files
'   1. A USNF file with only TLS decrypted application records xxx_strip_tls.usnf
'   2. A USNF file with only App (HTTP) plain text xxx_strip_app.usnf
'
' Pre-req :
'   1. Ensure the private key is specified in unencrypted PKCS8 form via Unsniff
'   2. Ensure "Decrypt Upper Layers" is TRUE in Plugins>Configure>TLS
'

' -----------------------
' Check usage & arguments
' -----------------------
Set Stdout = WScript.StdOut

if WScript.Arguments.Count <> 2 then
    Stdout.WriteLine "Usage: detls <from-filename> <to-pattern>"
    WScript.Quit
end if

FromFile = WScript.Arguments.Item(0)

NewDBName_TLS = WScript.Arguments.Item(1) + "_strip_tls.usnf"
NewDBName_APP = WScript.Arguments.Item(1) + "_strip_app.usnf"
NewDBName_TMP = WScript.Arguments.Item(1) + "_tmp.usnf"

' A Temp file backing the imported TLS pcap
Set UnsniffDB_TMP = CreateObject("Unsniff.Database")
UnsniffDB_TMP.New(NewDBName_TMP)
UnsniffDB_TMP.Import "libpcap", FromFile

' Set up file to receive plaintext stream at TLS Layer
Set UnsniffDB_TLS = CreateObject("Unsniff.Database")
UnsniffDB_TLS.New(NewDBName_TLS)

' Set up file to receive plaintext stream at APP (HTTP) layer
Set UnsniffDB_APP = CreateObject("Unsniff.Database")
UnsniffDB_APP.New(NewDBName_APP)

' Examine each stream in imported file, look for decrypted stream
' Send streams processed at TLS layer to strip_tls, and HTTP layer to strip_app

Set STMIndex = UnsniffDB_TMP.StreamIndex
For Each STM In STMIndex
    If InStr(STM.Description,"[Synt/Decrypted]") > 0 Then
        If STM.DestinationPort = 80 Then
            StdOut.WriteLine "Saving HTTP plaintext " & STM.ID & vbTab & STM.Description
            UnsniffDB_APP.AddStream(STM)
        Elseif STM.DestinationPort = 443 Then
            StdOut.WriteLine "Saving SSL/TLS plaintext " & STM.ID & vbTab & STM.Description
            UnsniffDB_TLS.AddStream(STM)
        End If
    End If
Next

UnsniffDB_TMP.Close()

UnsniffDB_TLS.Save()
Stdout.WriteLine "Plain text TLS layer stored in " & NewDBName_TLS

UnsniffDB_APP.Save()
Stdout.WriteLine "Plain text APP/HTTP stored in " & NewDBName_APP
All,
I got through VB but I want it using CMD in Windows.