Wireshark – Passive SSL Decrypt

There are two ways of doing SSL decryption. In the first, you are in control of the end client and have the possibility to capture the complete key exchange; this is the only way to decrypt ciphers with DH in the name. The other is the passive way: you have a pcap of the traffic and you have the private key.

This is a quick tutorial on passive decryption with the private key.

If you want to try it yourself, you can start with the LAMP stack VM provided by Turnkey.
Lampstack @ turnkeylinux.com

You only need to change one part: disable the ciphers and pick one you know you can do passive decryption on. If you have a working web server with SSL, disabling the ciphers with DH in the name should be enough.

File: /etc/apache2/mods-enabled/ssl.conf

## Disable all CipherSuite execpt the one we want.
-SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
+SSLcipherSuite AES128-SHA
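
Review bot: the `##` comment above the change does not say why the list is being cut down. Every suite on the removed line is ECDHE or DHE, and the added `AES128-SHA` line leaves a single RSA key exchange suite, so the server loses all forward-secret key exchange. Say in the comment that this is only there so the capture can be decrypted with the private key (and fix "execpt"), and keep the removed line as a commented-out entry so the original list can be restored after the capture.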

Remove the line in red (prefixed with -), add the line in green (prefixed with +), and restart Apache.
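
As an added example (not part of the original post), this Python sketch applies the "DH in the name" rule to an SSLCipherSuite value to tell whether the private key alone is enough to decrypt a capture. It goes slightly beyond the rule above by also flagging TLS 1.3 suite names and aliases such as HIGH; all function and variable names are hypothetical, and the value is assumed to be written in OpenSSL suite names as in the diff above.

```python
import re

# Key-exchange tokens as they appear in OpenSSL suite names.
DH_TOKENS = {"ECDHE", "DHE", "EDH", "ADH", "AECDH", "ECDH", "DH"}
OTHER_TOKENS = {"PSK", "SRP", "KRB5"}  # key exchange not tied to the RSA key alone


def key_exchange(suite: str) -> str:
    """Classify one OpenSSL suite name as RSA, DH, TLS1.3, OTHER or UNKNOWN."""
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        return "TLS1.3"   # TLS 1.3 never uses RSA key exchange
    if "-" not in name:
        return "UNKNOWN"  # alias such as HIGH; expand it with `openssl ciphers -v`
    tokens = set(name.split("-"))
    if tokens & DH_TOKENS:
        return "DH"
    if tokens & OTHER_TOKENS:
        return "OTHER"
    return "RSA"          # no key-exchange token in the name: plain RSA


def passive_decrypt_report(cipher_string: str) -> dict:
    """Group the suites of an SSLCipherSuite value by key exchange."""
    report = {"RSA": [], "DH": [], "TLS1.3": [], "OTHER": [], "UNKNOWN": []}
    for item in re.split(r"[:,\s]+", cipher_string.strip()):
        if item and item[0] not in "!-":  # skip exclusions such as !aNULL
            report[key_exchange(item)].append(item)
    return report


def private_key_is_sufficient(cipher_string: str) -> bool:
    """True only if every suite the server may pick uses RSA key exchange."""
    report = passive_decrypt_report(cipher_string)
    return bool(report["RSA"]) and not any(
        report[kind] for kind in ("DH", "TLS1.3", "OTHER", "UNKNOWN"))


# Three suites from the line the page removes, the line it adds,
# and a constructed mixed value.
BEFORE = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
AFTER = "AES128-SHA"
MIXED = "AES128-SHA:DHE-RSA-AES128-SHA:!aNULL:HIGH"

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, private_key_is_sufficient(value), passive_decrypt_report(value))
```

A mixed list is reported as not sufficient because the server may still negotiate one of the DH suites for any given session.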

Next you need to get the private key the server uses. It has to be added to Wireshark.
Edit -> Preferences
Under Protocols, select SSL.

A debug file is worth adding, so you can go through it and find out what is happening if decryption doesn’t succeed. You just create an empty file and put it into the (Pre)-Master-Secret log filename.

The private key file needs to have a .pem ending and needs to look something like this. On the LAMP stack, it can be extracted from /etc/ssl/private/cert.pem

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgGR9EXjHqFjkq
….
3Na3f/8fjxGq+A7axImJVyk=
-----END PRIVATE KEY-----

Then you can add it to the RSA keys list. For the IP address you can use “any” or the IP of the server you're trying to decrypt traffic from. The port in this scenario should be 443 (https) and the protocol is http.

When you close all the windows, Wireshark will try to decrypt the traffic.
Follow TCP Stream is not a good choice here, but Follow HTTP Stream works really well.

Here you can clearly see we have the HTTP request / response in clear HTTP format.

One quick note if you have problems: after the keys have been added to Wireshark, try reopening the pcap. Go back to the SSL options page and just press OK; this should trigger a decrypt process… I’ve seen a couple of times where Wireshark has problems and everything just fails even if you have done everything correctly.
