Cloud Native应用交付

  • 首页
  • 关于本站
  • 个人介绍
  • Downloads
  • Repo
    • Github
    • Container
  • F5
    • F5 Python SDK
    • F5-container
    • F5-LBaaS
  • 社交
    • 联系我
    • 微信/微博
    • 公众号
    • 打赏赞助
行至水穷处 坐看云起时
Cloud Native Application Services: cnadn.net
  1. 首页
  2. 协议原理
  3. 正文

Your Browser Knows All Your Secrets.通过浏览器来做SSLdump!【转】

2013年08月26日 7124点热度 0人点赞 0条评论

This is a "guest diary" submitted by Sally Vandeven. We will gladly forward any responses or please use our comment/forum section to comment publically. Sally is currently enrolled in the SANS Masters Program.

I got to wondering one day how difficult it would be to find the crypto keys used by my browser and a web server for TLS sessions.  I figured it would involve a memory dump, volatility, trial and error and maybe a little bit of luck.  So I started looking around and like so many things in life….all you have to do is ask.  Really.  Just ask your browser to give you the secrets and it will!  As icing on the cake, Wireshark will read in those secrets and decrypt the data for you.   Here’s a quick rundown of the steps:

Set up an environment variable called SSLKEYLOGFILE that points to a writable flat text file.  Both Firefox and Chrome (relatively current versions) will look for the variable when they start up.  If it exists, the browser will write the values used to generate TLS session keys out to that file.

The file contents looks like this:

SSL Key File

 

64 byte Client Random Values
96 byte Master Secret
16 byte encrypted pre-master secret
96 bytes pre-master secret

The Client_Random entry is for Diffie-Hellman negotiated sessions and the RSA entry is for sessions using RSA or DSA key exchange.  If you have the captured TLS encrypted network traffic, these provide the missing pieces needed for decryption.  Wireshark can take care of that for you.  Again, all you have to do is ask.

Wireshark SSL Session

 

This is an encrypted TLS session, before giving Wireshark the secrets.

Point Wireshark at your file $SSLKEYLOGFILE.  Select Edit -> Preferences -> Protocols -> SSL  and then OK.

Wireshark SSL Configuration

 

To see the decrypted data, use the display filter “ssl && http”.  To look at a particular TCP session, right click on any of the entries and choose to “Follow  SSL Stream”.  This really means “Follow Decrypted SSL Stream”.   Notice the new tab at the bottom labeled “Decrypted SSL data”.  Incidentally, if you “Follow TCP Stream” you get the encrypted TCP stream.

wireshark decrypted session

 

Wireshark’s awesome decryption feature.

Below is a sample of a decrypted SSL Stream.  It contains a login attempt with username and password, some cookies and other goodies that web servers and browsers commonly exchange.

Reassembled SSL Sesion

 

Remember: if you have a file with keys in it and the captured data on your system then anyone that can get their hands on these can decrypt too.  Hey, if you are a pen-tester you might try setting be on the lookout for an $SSLKEYLOG variable on your targets.  Interesting.

Give it a try but, as always, get written permission from yourself before you begin. Thanks for reading.

 

This exploration turned into a full blown paper that you can find here:
http://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297

 

相关文章

  • 注意:2019/2/1即将实施的DNS Flag Day带来的影响
  • 支持 edns client subnet dig下载
  • HTTP2 explained
  • OSPF grace-restart
  • 林夏写的DNS DOS防范文档,比较落地哦
本作品采用 知识共享署名-非商业性使用 4.0 国际许可协议 进行许可
标签: 暂无
最后更新:2013年08月26日

纳米

linjing.io

打赏 点赞
< 上一篇
下一篇 >

文章评论

razz evil exclaim smile redface biggrin eek confused idea lol mad twisted rolleyes wink cool arrow neutral cry mrgreen drooling persevering
取消回复

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据。

纳米

linjing.io

☁️迈向Cloud Native ADC ☁️

认证获得:
TOGAF: ID 152743
Kubernetes: CKA #664
Microsoft: MCSE MCDBA
Cisco: CCNP
Juniper: JNCIS
F5:
F5 Certified Solution Expert, Security
F5 Certified Technology Specialist, LTM/GTM/APM/ASM
F5 Certified BIG-IP Administrator
  • 点击查看本博技术要素列表
  • 归档
    分类
    • Automation
    • Avi Networks
    • Cisco ACI
    • CISCO资源
    • F5 with ELK
    • F5-Tech tips
    • F5技术
    • Juniper
    • Linux
    • NGINX
    • SDN
    • ServiceMesh
    • WEB编程
    • WINDOWS相关
    • 业界文章
    • 交换机技术
    • 化云为雨/Openstack
    • 协议原理
    • 容器/k8s
    • 我的工作
    • 我的生活
    • 网站技术
    • 路由器技术
    • 项目案例
    标签聚合
    network F5 k8s nginx docker bigip api neutron envoy istio DNS gtm irule flannel openstack
    最近评论
    纳米 发布于 1 个月前(08月18日) 已回复邮件
    11 发布于 1 个月前(08月16日) 多谢大佬的资料 2023-8-16 9:53 邮箱:mab**ng@sina.cn
    纳米 发布于 3 个月前(07月07日) 感谢感谢支持。忙于一些工作,确实更新少了一些。
    yyds 发布于 3 个月前(07月07日) 大佬终于更新啦 ,顶 !
    纳米 发布于 11 个月前(10月31日) 已提供谢谢
    浏览次数
    • Downloads - 87,636 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 84,996 views
    • Github - 84,948 views
    • 联系我 - 81,893 views
    • F5常见log日志解释 - 62,988 views
    • Sniffer Pro 4 70 530抓包软件 中文版+视频教程 - 54,825 views
    • 这篇文档您是否感兴趣 - 47,322 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 43,756 views
    • F5利用Elastic stack(ELK)进行应用数据挖掘系列(2)-DNS - 32,111 views
    • F5利用Elastic stack(ELK)进行应用数据挖掘系列(1)-HTTP - 31,232 views
    链接表
    • Jimmy Song‘s Blog
    • SDNap
    • SDNlab
    • SDN论坛
    • Service Mesh社区
    • 三斗室
    • 个人profile

    COPYRIGHT © 2022 Cloud Native应用交付. ALL RIGHTS RESERVED.

    Theme Kratos Made By Seaton Jiang

    京ICP备14048088号-1

    京公网安备 11010502041506号