Dear Team, I have 2 IIS servers: IIS8 running on Windows 2012 and IIS7.5 running on Windows 2008R2. Today I need to do some troubleshooting of the encrypted HTTP. The strange thing is that I can decrypt the HTTP data for IIS7.5 but CAN'T decrypt it for IIS8; could you please assist with this? I have put both captures/debug files and the decryption key on SkyDrive; the link is http://1drv.ms/1icxA3G. For IIS7.5 the related files are IIS7.5.pcapng and IIS7.5_with_Windows2008R2_debug.txt.zip. For IIS8 the related files are IIS8_with_Windows2012.pcapng and IIS8_with_Windows2012_debug.txt. The decryption key filename is comp01.key. Thanks, Sam
asked 09 Sep '15, 02:19 Metasploit, edited 09 Sep '15, 02:36
One Answer:
Without having seen the SSL debug logs or the pcap file, I simply guess that IIS8 uses different ciphers, which are based on Diffie-Hellman (DHE, ECDHE). If so, bad luck! You can't decrypt TLS sessions that use DHE/ECDHE ciphers with a server RSA key, as that's exactly why they were developed (well, not exactly because of that, but ... ;-)) Regards
answered 11 Sep '15, 14:12 Kurt Knochner ♦
Hi Kurt,
Would you mind checking my captures and debug logs? They're here: http://1drv.ms/1icxA3G .
Thanks, Sam
Hi Kurt, I checked the captures again; it seems IIS8 is using EC Diffie-Hellman. Is there a plan to add this capability? I mean decryption of ECDHE ciphers. Thanks, Sam
There is no plan, because it's technically impossible.
You can only decrypt the traffic if the client (browser) reveals the negotiated session key (master secret).
see here:
Regards
Kurt
Hi Kurt,
Million thanks, I got it and it works like a charm!
Best Regards, Sam
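The two points made in the answer and in Kurt's follow-up comment, as an added example that is not part of the original thread: the answer says a capture can only be decrypted with the server's RSA private key when the negotiated cipher suite uses RSA key exchange, and the comment says that for (EC)DHE suites the only route is a master secret revealed by the client. The script below parses a TLS 1.2 ServerHello record, reads the negotiated cipher suite, classifies its key exchange, and then looks a session up in a key log written in the NSS `CLIENT_RANDOM` format that browsers emit when `SSLKEYLOGFILE` is set. The ServerHello records and the key log are constructed inside the script; the cipher-suite table covers only a handful of IANA suite IDs, and the helper names (`parse_server_hello`, `key_exchange`, `find_master_secret`, `triage`) are this example's own.

```python
"""
Added example, not code from the original thread. Decides, from a captured
ServerHello, whether a server RSA private key can decrypt the session or
whether a client-side key log is required, and looks a session up in such a
key log. All sample records and the key log are constructed here.
"""
import struct

# Small subset of IANA cipher-suite IDs, enough to tell RSA from (EC)DHE.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes):
    """Return (server_random, cipher_suite_id) from a TLS record that carries
    a ServerHello handshake message. Raises ValueError on anything else."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")
    # layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    server_random = hs[2:34]
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    return server_random, suite


def key_exchange(suite: int) -> str:
    """Classify the key exchange of a suite by its IANA name prefix."""
    name = CIPHER_SUITES.get(suite, "")
    for prefix, kx in (("TLS_ECDHE_", "ECDHE"), ("TLS_DHE_", "DHE"), ("TLS_RSA_", "RSA")):
        if name.startswith(prefix):
            return kx
    return "unknown"   # suite not in the table above: look it up before deciding


def decryptable_with_server_key(suite: int) -> bool:
    """True only for RSA key exchange, where the premaster secret is
    encrypted to the server's public key and the private key recovers it."""
    return key_exchange(suite) == "RSA"


def find_master_secret(keylog: str, client_random: bytes):
    """Look a session up in an NSS-format key log:
    'CLIENT_RANDOM <client_random hex> <master_secret hex>' per line."""
    want = client_random.hex()
    for line in keylog.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM" and parts[1].lower() == want:
            return bytes.fromhex(parts[2])
    return None


def build_server_hello(suite: int, server_random: bytes) -> bytes:
    """Constructed sample: TLS 1.2 ServerHello, empty session id, no extensions."""
    hs_body = b"\x03\x03" + server_random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def triage(record: bytes) -> str:
    """One-line verdict for a captured ServerHello."""
    _, suite = parse_server_hello(record)
    name = CIPHER_SUITES.get(suite, f"unknown 0x{suite:04X}")
    kx = key_exchange(suite)
    if kx == "RSA":
        return f"{name}: RSA key exchange, the server private key decrypts this session"
    if kx in ("DHE", "ECDHE"):
        return f"{name}: {kx} key exchange, need a CLIENT_RANDOM key log from the client"
    return f"{name}: suite not in table, look it up before deciding"


# Constructed sample data (not from the captures in the question).
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_CLIENT_RANDOM = bytes([0xAA] * 32)
SAMPLE_MASTER = bytes([0x11] * 48)
SAMPLE_KEYLOG = (
    "# constructed sample key log\n"
    f"CLIENT_RANDOM {bytes([0xBB] * 32).hex()} {bytes([0x22] * 48).hex()}\n"
    f"CLIENT_RANDOM {SAMPLE_CLIENT_RANDOM.hex()} {SAMPLE_MASTER.hex()}\n"
)

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F):   # an RSA suite and an ECDHE suite
        print(triage(build_server_hello(suite, SAMPLE_RANDOM)))
    print(find_master_secret(SAMPLE_KEYLOG, SAMPLE_CLIENT_RANDOM).hex())
```

The cipher-suite table is deliberately short; a real triage tool should carry the full IANA registry, and `key_exchange` returns "unknown" rather than guessing for anything it does not list. The key log the second function reads is the same file Wireshark accepts through the TLS protocol preference "(Pre)-Master-Secret log filename", which is how the "client reveals the master secret" route from the comment is actually used.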