
A machine on our network was compromised with Meterpreter.

We have traffic captures from the entire period of the compromise and a memory dump of the infected machine at a time when the connection was established.

Can we decode the HTTPS/SSL traffic we have captured?


So far we have used Volatility's dumpcerts plugin to extract some public certs but no private ones are apparent. Surely the private keys must be in memory somewhere since the connection was still established?

The TLS version is TLS 1.0 (TLSv1). The signature algorithm identifier is sha256WithRSAEncryption.

Yara

2 Answers


Yes, you can extract the keys. The private key and symmetric key are present in the memory of the crypto library (e.g. OpenSSL). You have to extract the symmetric key in order to decrypt the TLS traffic. OpenSSL keeps this in the struct SSL->session->master_key. If you don't know exactly what library is being used, a simple brute-force approach would be to extract all buffers of appropriate size from memory, and attempt to decrypt the TLS stream with each one until it succeeds.

You can also use GDB, as described in Extract pre-master keys from an OpenSSL application, which can provide you with the pre-master secret that you can plug into Wireshark. While that answer focuses on live memory dumps, it should work just as well if you have a core dump. Use Volatility to dump the process memory which is linked to the TLS library, which you can then use GDB on. If OpenSSL is not compiled with debugging symbols, you may have to resort to a brute-force method.

forest
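The brute-force approach from the answer above, as an added example that is not code from the original question or answers: slide a 48-byte window over the memory dump, treat each window as a candidate master secret, derive the TLS 1.0 key block from it with the client and server randoms taken from the capture, and test it against the client's Finished record (the first record encrypted under the new keys). Only the true master secret yields a fragment whose record MAC verifies. A verified secret is then printed in Wireshark's key log format, which is what the answer means by plugging the secret into Wireshark. Everything below that is not on the page is an assumption: the cipher suite (TLS_RSA_WITH_RC4_128_SHA, chosen so the check is pure Python; for an AES-CBC suite replace rc4() with a CBC decryptor and strip the padding), the function names, and the constructed session and "memory image" used as input.

```python
import hmac
import random
import struct

# Assumed cipher suite: TLS_RSA_WITH_RC4_128_SHA under TLS 1.0. The page does not
# state the suite; RC4 is used only so the check needs no third-party library.
MASTER_SECRET_LEN = 48
MAC_LEN = 20                   # HMAC-SHA1
KEY_LEN = 16                   # RC4-128
RECORD_VERSION = b"\x03\x01"   # TLS 1.0 record-layer version


def p_hash(hash_name, secret, seed, length):
    """TLS 1.0 P_hash expansion (RFC 2246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def rc4(key, data):
    """Plain RC4; the Finished record is the first one under the new keys, so no keystream offset."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def client_keys(master_secret, client_random, server_random):
    """Client write MAC key and cipher key from the key block (RFC 2246, section 6.3)."""
    kb = prf_tls10(master_secret, b"key expansion", server_random + client_random,
                   2 * MAC_LEN + 2 * KEY_LEN)
    return kb[:MAC_LEN], kb[2 * MAC_LEN:2 * MAC_LEN + KEY_LEN]

def record_mac(mac_key, seq_num, content_type, fragment):
    """TLS 1.0 record MAC over seq_num || type || version || length || fragment."""
    header = (struct.pack("!QB", seq_num, content_type) + RECORD_VERSION
              + struct.pack("!H", len(fragment)))
    return hmac.new(mac_key, header + fragment, "sha1").digest()

def candidate_is_valid(candidate, client_random, server_random, finished_body):
    """True if `candidate` decrypts the client's Finished record (seq 0, handshake type 22)
    to a fragment whose record MAC verifies; a wrong secret fails with overwhelming probability."""
    mac_key, cipher_key = client_keys(candidate, client_random, server_random)
    plain = rc4(cipher_key, finished_body)
    fragment, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    return hmac.compare_digest(record_mac(mac_key, 0, 22, fragment), mac)

def search_dump(dump, client_random, server_random, finished_body, step=1):
    """Slide a 48-byte window over the dump; return (offset, secret) for each window that verifies."""
    hits = []
    for off in range(0, len(dump) - MASTER_SECRET_LEN + 1, step):
        cand = dump[off:off + MASTER_SECRET_LEN]
        if candidate_is_valid(cand, client_random, server_random, finished_body):
            hits.append((off, cand))
    return hits

def keylog_line(client_random, master_secret):
    """One line in Wireshark's (Pre)-Master-Secret log format, keyed by the ClientHello random."""
    return "CLIENT_RANDOM %s %s" % (client_random.hex(), master_secret.hex())

def build_fixture(seed=7, true_offset=1337):
    """Constructed data, not from any real capture: a session plus a small 'memory image'
    with the master secret buried at `true_offset` among random bytes."""
    rnd = random.Random(seed)
    rb = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    master, client_random, server_random = rb(48), rb(32), rb(32)
    mac_key, cipher_key = client_keys(master, client_random, server_random)
    finished_fragment = b"\x14\x00\x00\x0c" + rb(12)   # Finished header + 12-byte verify_data
    finished_body = rc4(cipher_key,
                        finished_fragment + record_mac(mac_key, 0, 22, finished_fragment))
    filler = rb(4096)
    dump = filler[:true_offset] + master + filler[true_offset:]
    return dump, client_random, server_random, finished_body, true_offset, master

if __name__ == "__main__":
    dump, crand, srand, body, off, master = build_fixture()
    for found_off, secret in search_dump(dump, crand, srand, body):
        print("master secret at offset 0x%x" % found_off)
        print(keylog_line(crand, secret))
```

On a real case the client and server randoms and the client's Finished record come out of the pcap (the ClientHello, ServerHello and the first encrypted handshake record from the client), and the dump is the process memory extracted with Volatility. A byte-by-byte sweep of a full dump is slow; restricting the scan to the heap of the process that owns the socket, or stepping by the allocator's alignment, cuts the work considerably. The printed CLIENT_RANDOM line goes into the file configured as Wireshark's (Pre)-Master-Secret log, after which Wireshark decrypts the stream.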

It depends somewhat on the kind of data you still have in memory and the TLS features negotiated during the handshake. Wireshark can assist you in decrypting the traffic if you can provide it with, for example, the master secret of the TLS channel.

ic0ns
  • He specified that the dump was taken at the time of the connection, so the kind of data in memory is already known. – forest Nov 29 '17 at 04:48
  • Well, it depends on the way Meterpreter stores its keys in memory. You really have to check the memory dump for what is there. – ic0ns Nov 30 '17 at 09:40