2

There's an API server that only allows connections including specific SSL certificates. Talking about an Android application that has those certificates.

Using Fiddler without SSL decryption as a proxy between the app and the server, I can see the request being accepted by the server. Now how can I extract that certificate and use it to send requests to the API? Is it possible with Fiddler; or are other tools needed, like Wireshark?

I have tried Wireshark and exported Certificates, but using them with Fiddler still doesn't let me connect to the server.

Also, is this called SSL pinning from server side?

fbicknel
  • 103
  • 4
Ali Padida
  • 135
  • 9
  • This is very close, (maybe a duplicate?) of [your question from yesterday](https://security.stackexchange.com/q/226688/61443). – Mike Ounsworth Mar 03 '20 at 16:05

3 Answers3

6

While you can extract the client and server certificates when sniffing a TLS connection (at least with TLS 1.2 and lower) you cannot extract the matching private keys. But you need these private keys to authenticate against the peer. These private keys are only at the endpoint, i.e. in the android phone in case of the client certificate you want to use.

Also, is this called SSL pinning from server side?

No. Requesting and verifying a client certificate is called authentication with a client certificate, mutual authentication etc but not pinning.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Reissuing the requests sent from the application with Fiddler while the application was closed, went without any errors. Can't I just copy that request and send it in a programming language? – Ali Padida Mar 03 '20 at 15:39
  • @AliPadida: There is nothing magical fiddler is doing which could not be done in some programming language too. – Steffen Ullrich Mar 03 '20 at 17:21
  • Exactly this was the question, how can I extract the certificate that fiddler uses and put it inside a programming language to use. Which you said is not possible, as I understood. – Ali Padida Mar 03 '20 at 21:07
  • @AliPadida: What I said that you cannot extract the private key from just passively sniffing the traffic. You explicitly said that you did not do any SSL interception while at the same time you said that you can send the request from fiddler, which means that you somehow got access to the request without SSL interception. This implies essentially that the request was not SSL in the first place and thus no certificates involved. – Steffen Ullrich Mar 04 '20 at 05:18
  • Fiddler still shows the requests without any interceptions. Just a simple proxy. Reissuing applications's request, establishes a successful connection. But sending any request manually to the server, it rejects. All I wanted to do was to copy the contents of that successful request and reissue it using a programming language. – Ali Padida Mar 04 '20 at 10:02
  • @AliPadida: Again, if Fiddler shows the request without interception then no SSL interception is done, which also means that no certificates are involved in what you are doing and your question does not match your actual problem. – Steffen Ullrich Mar 04 '20 at 14:48
  • Fiddler shows SSL requests, but only ip address and host, if you try to check the request content, it shows SSL info. – Ali Padida Mar 04 '20 at 17:05
3

What you are doing with Fiddler and Wireshark is to extract the public key, not the private key. The public key is used to encrypt things, but not for decrypt. You will need the client private key for that.

If the certificate is bundled with the application, you can decompile the application and extract the private key. You should note that some applications will employ a lot of protection to the private key file (encryption, obfuscation), so extracting it will not be trivial. But can be done.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
2

Based on this, and your question yesterday, I think you would benefit from spending some time reading about how TLS certificates work, and in particular TLS client authentication certificates.

Both of your questions, I think, would be answered if you learn about the difference between certificates and private keys. In both cases, both Burp and Fiddler need both the certificate and the private key. You can not export the private key in Wireshark because if TLS was sending the private key over the network then it would not be very private :P You also can not replay TLS messages because that is an attack that TLS is designed to prevent.

Here are some articles that might help you with your learning:

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • Thank you for the resources. I will read them before asking any other questions in the future :P – Ali Padida Mar 03 '20 at 16:55
  • 1
    @AliPadida Your question is good! There are some tricky bits with how certificates work, so I want to be clear that it's not a bad question! That said, I think that you taking some time to learn the concepts will be better than us answering each of your questions one at a time. – Mike Ounsworth Mar 03 '20 at 16:58
  • You're right, I didn't think of this application's security level to this extent. Now I really need to learn a few topics. Thanks for the replies for both questions. – Ali Padida Mar 03 '20 at 21:05