
I am trying to reverse engineer a decoder. To do so I need to sniff the packets that the decoder receives from an Android application installed on my phone; this application is what controls the decoder.

I tried using Wireshark at first, but it turned out that the packets are sent over SSL, so they are all encrypted. I then tried to sniff my TCP packets using mitmproxy, which didn't work since it doesn't sniff TCP packets; it only logs packets sent over HTTP.

After reading the answers to the following question, "How can I capture all traffic network by mitmproxy?", I decided to give Wireshark a second try.

To do this I need to know the location of the private key, which I have no idea about. I know what a private key is, but I don't know where I can find it, or which private key we're talking about.

I would appreciate some help with this; this is my first time working with packet sniffing.

yosra
  • The private key is stored on the device you are trying to reverse engineer. You'd need access to its file system (and possibly some knowledge on its architecture). – Esa Jokinen May 16 '19 at 10:50
  • @EsaJokinen Thank you for your response! It's a decoder that has a web server inside of it. – yosra May 16 '19 at 10:54
  • Apart from that, the private key might not be sufficient at all; you'll need the (pre-)master secret of the specific connection. In general, this question is too broad. It is well documented on the internet how to decrypt SSL with Wireshark once you have the necessary secrets. How to get to the secrets (and if this is even possible) fully depends on the exact applications which are involved, i.e. things like "web server" do not help. And this would be out of scope here too, but you might try [reverseengineering.se]. – Steffen Ullrich May 16 '19 at 10:56
  • Apart from that, mitmproxy can also do more than just HTTPS, see [tcpproxy](https://mitmproxy.readthedocs.io/en/v2.0.2/features/tcpproxy.html). – Steffen Ullrich May 16 '19 at 10:59
  • @SteffenUllrich Thank you, I will post on Reverse Engineering and see if it's possible to get the key. – yosra May 16 '19 at 11:04
  • "I know what a private key is, but I don't know where I can find it?". Are you sure you know what a private key is? – Axel2D May 16 '19 at 15:59
  • @Axel2D Yep! A certificate contains 2 keys: the private one, which you'll keep for yourself, and the public one, which will be used for encryption (it depends of course on the protocol we're talking about, so this is valid if the protocol uses public key encryption). In this case, to decrypt the message we must use the private key. – yosra May 17 '19 at 08:49
  • @Axel2D But it seems impossible for me to get the private key of my server! So I'm trying to incorporate a proxy between my server and my phone, and use the private key that the proxy will generate to decrypt the messages. Do you have an idea of how I can do this with Wireshark? I need to get the whole flow of packets that will be exchanged, not only the HTTP/HTTPS packets. – yosra May 17 '19 at 08:52
  • You might be able to accomplish this using mitmproxy, but Wireshark has no functionality like this. Typically you could install a trusted root CA certificate on the client which connects to the proxy, and the proxy connects to the remote server using a totally separate TLS connection. Since you are connecting using an app, it might not use the root certificates at all, instead using its own magic to verify the server as well, which you cannot circumvent. – trognanders May 18 '19 at 18:25
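Steffen Ullrich's point above is that the secret Wireshark needs is per connection, not the server's private key. The following is an added worked example (not code from this thread): it parses the NSS key-log format that Wireshark reads through its "(Pre)-Master-Secret log filename" preference, pulls the client random (sent in the clear) out of a ClientHello record, and looks up the master secret for that specific connection. The ClientHello bytes, key-log lines and function names are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello

def client_random_from_record(record: bytes) -> bytes:
    """Return the 32-byte client random from a TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header is type (1) + length (3); the ClientHello body then
    # starts with client_version (2) followed by the 32-byte random.
    if len(body) < 4 + 2 + 32 or body[0] != CLIENT_HELLO:
        raise ValueError("record does not carry a ClientHello")
    return body[6:38]

def parse_keylog(text: str) -> dict:
    """Map client random (bytes) -> master secret (hex) from NSS key-log lines."""
    # Same format Wireshark reads via "(Pre)-Master-Secret log filename":
    #   CLIENT_RANDOM <client_random hex> <master_secret hex>
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            secrets[bytes.fromhex(parts[1])] = parts[2]
    return secrets

def secret_for_connection(record: bytes, keylog_text: str):
    """Return the master secret for the connection that sent this ClientHello, or None."""
    return parse_keylog(keylog_text).get(client_random_from_record(record))

def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    hello = (b"\x03\x03" + client_random      # client_version, random
             + b"\x00"                        # empty session id
             + b"\x00\x02\xc0\x2f"            # one cipher suite
             + b"\x01\x00")                   # null compression only
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample data: one key-log line for our connection, one for an unrelated one.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_KEYLOG = ("CLIENT_RANDOM " + SAMPLE_RANDOM.hex() + " " + "ab" * 48 + "\n"
                 + "CLIENT_RANDOM " + "ff" * 32 + " " + "cd" * 48 + "\n")
```

A ClientHello whose random is not in the log yields `None`, which is exactly the situation where Wireshark shows the stream as still encrypted.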
