Last weekend we hosted an It-Talks session on Wireshark. One of the demos we wanted to give was on how you can use Wireshark to decrypt SSL traffic, provided you have the private key.
As there were some issues with the demo, I have set up this blog post and a demo video on how to do this.
The purpose of this tutorial is to show you the power of Wireshark, how you can decrypt traffic to see what your ISA publishing server sees, and that you should really pay great attention to where and how you store your private key certificates.
You can find a tutorial video at: http://www.it-talks.be/video/wireshark_ssl.rar
Decrypting SSL traffic is done in 3 steps.
Step 1: export the SSL certificate to a PKCS#12 (.pfx) certificate
Step 2: export the private key from the PKCS#12 certificate to a single RSA private key file
To export the private key you will need a copy of OpenSSL. There are many sites from which you can download this tool.
After downloading the tool, use the following command to export the private key to an RSA key file:
openssl pkcs12 -in internal_demonet_local.pfx -out demokey.pem -nodes -nocerts
The general form is:
openssl pkcs12 -in <your cert file.pfx> -out <your output file> -nodes -nocerts
Here -nodes writes the key out unencrypted (Wireshark cannot use a passphrase-protected key) and -nocerts leaves the certificate itself out of the output file.
If you open the file in Notepad you can see that this is an RSA private key.
Step 3: Configure Wireshark
Right click on a data packet and choose Follow TCP Stream. You will see the encrypted data reconstructed, but unreadable.
Click Edit > Preferences
Drill down to Protocols > SSL
Here you must fill in 2 fields:
- the top field is the actual decryption data. You need to fill in a string as follows (all on one line, no line breaks)
10.10.20.100,443,http,C:\Documents and settings\secadmin\Desktop\certificates\demokey.pem
-> 10.10.20.100 => the IP address of the SSL site you are accessing (the server's IP, not your own)
-> 443 => the server's destination port
-> http => the protocol (make sure you type it in lower case!)
-> the path to your exported RSA private key
You will see that some of the packets that were grey before are now decrypted and turn green as HTTP.
Right click a data packet and you will see that Follow SSL Stream is now available.
The end result is the decrypted reconstructed webpage.
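The following shell script is an added example and not part of the original post or its video: it wraps the OpenSSL export step above in a few functions, checks that the exported file is something Wireshark can actually load, builds the one-line RSA keys list entry in the format the post uses, and verifies that the exported key really belongs to the server certificate (a mismatched key is the usual reason no packets turn green). The file names, the IP 10.10.20.100 and the password "demo" are assumed placeholders; the self-signed certificate in the demo is generated on the spot so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the OpenSSL CLI is on PATH.

# Step 2 from the post: pull the private key out of a .pfx file.
# -nodes writes the key unencrypted, -nocerts omits the certificate.
# $3 is the import password of the .pfx (empty if it has none).
# Note: OpenSSL 3 may need "-legacy" to read old RC2-encrypted .pfx files
# exported by Windows.
extract_key() {
    pfx="$1"; out="$2"; pass="${3:-}"
    openssl pkcs12 -in "$pfx" -out "$out" -nodes -nocerts -passin "pass:$pass"
}

# Check that a file is an unencrypted private key Wireshark can load.
# Older OpenSSL writes "BEGIN RSA PRIVATE KEY" (PKCS#1); OpenSSL 3 writes
# "BEGIN PRIVATE KEY" (PKCS#8). Both are fine. An "ENCRYPTED PRIVATE KEY"
# header means -nodes was forgotten and Wireshark will not be able to use it.
is_plain_private_key() {
    grep -q -e '^-----BEGIN RSA PRIVATE KEY-----' \
            -e '^-----BEGIN PRIVATE KEY-----' "$1"
}

# Build the single-line RSA keys list entry: ip,port,protocol,keyfile
# (the string typed into Edit > Preferences > Protocols > SSL in the post).
rsa_keys_entry() {
    printf '%s,%s,%s,%s' "$1" "$2" "$3" "$4"
}

# Confirm the exported key belongs to the server certificate by comparing
# RSA moduli. Returns 0 on a match, 1 otherwise.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Stand-alone demo in directory $1: create a throwaway self-signed key and
# certificate, bundle them into a .pfx (what you would export from the
# server), then run the post's extraction step and all the checks.
demo() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -out "$d/internal_demonet_local.pfx" -passout pass:demo || return 1
    extract_key "$d/internal_demonet_local.pfx" "$d/demokey.pem" demo >/dev/null 2>&1 || return 1
    is_plain_private_key "$d/demokey.pem" || return 1
    key_matches_cert "$d/demokey.pem" "$d/server.crt" || return 1
    echo "RSA keys list entry: $(rsa_keys_entry 10.10.20.100 443 http "$d/demokey.pem")"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    demo "$tmp" && echo "key exported and verified in $tmp"
fi
```

Run it as `sh wireshark_ssl_key.sh --demo` to see the whole chain end to end. One caveat worth keeping in mind when the packets stay grey even though the key is correct: this kind of decryption only works for cipher suites that use RSA key exchange; with (EC)DHE suites the server's private key does not decrypt the session, which is exactly the forward secrecy those suites are designed to provide.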