This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypt SSL traffic within PCAP.


I have a PCAP that includes SSL traffic that I would like to decrypt in order to retrieve a flag. I was able to find the server certificate, which I exported into a .der file. I am able to convert from .der to .pem and am able to view the .pem, which resembles a public key. If I attempt to use this to decrypt the traffic, it does not work. So I believe that I need to move to another step, but I am unable to find that step. I believe the next step involves using the random bytes value from the handshake within the SSL section of the Server Hello packet. I just do not know how to perform this task. I am hoping someone can shed some light.

asked 29 Sep '16, 10:46


jdpadro

Check that: (1) RSA private keys can only decrypt sessions which use RSA for key exchange; (EC)DHE cipher suites do not qualify. (2) Does the private key really match the server certificate? Furthermore, you cannot just pick random bytes from the handshake and calculate the (pre-)master secret; for that you would need more data (which is RSA-encrypted in the case of an RSA key exchange, or the private DH exponents, which you are unlikely to have in your possession).

(29 Sep '16, 11:05) Lekensteyn
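The two checks in the comment above, as an added worked example that is not part of the original thread or of Wireshark: it parses a ServerHello record to read the chosen cipher suite and the server random, classifies the key exchange (only an RSA key exchange is recoverable with the server's RSA private key), and then shows why the randoms alone are not enough by running the TLS 1.2 PRF, which needs the pre-master secret as its input. The ServerHello bytes, the randoms and the pre-master secret are constructed inline, the cipher-suite table is a small subset of the IANA registry, and the PRF is the SHA-256 variant from RFC 5246 (TLS 1.0/1.1 and SHA-384 suites use a different one).

```python
"""Added example: classify a captured ServerHello and derive a TLS 1.2 master secret.

Not code from the original page; the handshake bytes below are constructed samples.
"""
import hashlib
import hmac
import struct

# Subset of the IANA cipher-suite registry: id -> (name, key exchange).
# Sessions are decryptable with the server's RSA private key only when the
# key exchange is plain "RSA" (the pre-master secret is RSA-encrypted to it).
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello.

    Returns (protocol_version, server_random, cipher_suite).
    """
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = Handshake
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 2:  # 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", hs[:2])[0]
    server_random = hs[2:34]           # 32 bytes, shown by Wireshark as "Random"
    sid_len = hs[34]
    off = 35 + sid_len                  # skip the variable-length session id
    cipher_suite = struct.unpack("!H", hs[off:off + 2])[0]
    return version, server_random, cipher_suite


def key_exchange_of(cipher_suite):
    """Return the key exchange of a suite, or "unknown" if not in the table."""
    return CIPHER_SUITES.get(cipher_suite, ("unknown", "unknown"))[1]


def decryptable_with_rsa_private_key(cipher_suite):
    """True only for suites whose key exchange is plain RSA."""
    return key_exchange_of(cipher_suite) == "RSA"


def prf_sha256(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5) built on P_SHA256."""
    seed = label + seed
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", randoms)[0:48].

    The randoms are in the clear; the pre-master secret is the value the
    private key is needed for, and without it this derivation cannot run.
    """
    return prf_sha256(pre_master_secret, b"master secret",
                      client_random + server_random, 48)


def build_server_hello(server_random, cipher_suite, session_id=b""):
    """Build a minimal TLS 1.2 ServerHello record (constructed sample data)."""
    hs = (struct.pack("!H", 0x0303) + server_random
          + bytes([len(session_id)]) + session_id
          + struct.pack("!H", cipher_suite) + b"\x00")  # null compression
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, 0x0303, len(body)) + body


# Constructed sample values, not taken from any real capture.
SERVER_RANDOM = bytes(range(32))
CLIENT_RANDOM = bytes(range(32, 64))
RSA_HELLO = build_server_hello(SERVER_RANDOM, 0x002F)
ECDHE_HELLO = build_server_hello(SERVER_RANDOM, 0xC02F, session_id=b"\xaa" * 4)

if __name__ == "__main__":
    for name, rec in (("RSA", RSA_HELLO), ("ECDHE", ECDHE_HELLO)):
        version, rnd, suite = parse_server_hello(rec)
        print(name, hex(suite), CIPHER_SUITES[suite][0],
              "decryptable with RSA key:", decryptable_with_rsa_private_key(suite))
    # A constructed 48-byte pre-master secret (first two bytes = client version).
    pms = b"\x03\x03" + bytes(46)
    print("master secret:", master_secret(pms, CLIENT_RANDOM, SERVER_RANDOM).hex())
```

The same classification can be done in Wireshark by reading the Cipher Suite field of the Server Hello; if its name starts with TLS_ECDHE_ or TLS_DHE_, the server's private key will not decrypt the session and you would need the pre-master secret from a client-side key log instead.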