0

I'm using Network Monitor 3.4 with the nmdecrypt expert. I'm opening a nimbuzz conversation node in the conversation window and i click Expert-> nmDecrpt -> run Expert

that shows up a window where i have to add the server certificate. I am not sure how to retrieve the server certificate for nimbuzz XMPP chat service. Any idea how to do this?

this question is a follow up question of this one.

Edit for some background so it might be that this is encrypted with the server pubkey and i cannot retrieve the message, unless i debug the native binary and try to intercept the encryption code. I have a test client (using agsXMPP) that is able to connect with nimbuzz with no problems. the only thing that is not working is adding invisible mode. It seems this is some packet sent from the official client during login which i want to obtain. any suggestions to try to grab this info would be greatly appreciated. Maybe i should get myself (and learn) IDA pro?

This is what i get inspecting the TLS frames on Network Monitor:

  Frame: Number = 81, Captured Frame Length = 769, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[...],SourceAddress:[....]
+ Ipv4: Src = ..., Dest = 192.168.2.101, Next Protocol = TCP, Packet ID = 9939, Total IP Length = 755
- Tcp: Flags=...AP..., SrcPort=5222, DstPort=3578, PayloadLen=715, Seq=4101074854 - 4101075569, Ack=1127356300, Win=4050 (scale factor 0x0) = 4050
    SrcPort: 5222
    DstPort: 3578
    SequenceNumber: 4101074854 (0xF4716FA6)
    AcknowledgementNumber: 1127356300 (0x4332178C)
  + DataOffset: 80 (0x50)
  + Flags: ...AP...
    Window: 4050 (scale factor 0x0) = 4050
    Checksum: 0x8841, Good
    UrgentPointer: 0 (0x0)
    TCPPayload: SourcePort = 5222, DestinationPort = 3578
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 HandShake: Certificate.; TLS Rec Layer-3 HandShake: Server Hello Done.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 42 (0x2A)
   - SSLHandshake: SSL HandShake ServerHello(0x02)
      HandShakeType: ServerHello(0x02)
      Length: 38 (0x26)
    - ServerHello: 0x1
     + Version: TLS 1.0
     + RandomBytes: 
       SessionIDLength: 0 (0x0)
       TLSCipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA            { 0x00, 0x35 }
       CompressionMethod: 0 (0x0)
  - TlsRecordLayer: TLS Rec Layer-2 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 654 (0x28E)
   - SSLHandshake: SSL HandShake Certificate(0x0B)
      HandShakeType: Certificate(0x0B)
      Length: 650 (0x28A)
    - Cert: 0x1
       CertLength: 647 (0x287)
     - Certificates: 
        CertificateLength: 644 (0x284)
      - X509Cert: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
       + SequenceHeader: 
       - TbsCertificate: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
        + SequenceHeader: 
        + Tag0: 
        + Version: (2)
        + SerialNumber: -1018418383
        + Signature: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - Issuer: nimbuzz.com,Nimbuzz,NL
         - RdnSequence: nimbuzz.com,Nimbuzz,NL
          + SequenceOfHeader: 0x1
          + Name: NL
          + Name: Nimbuzz
          + Name: nimbuzz.com
        + Validity: From: 02/22/10 20:22:32 UTC To: 02/20/20 20:22:32 UTC
        + Subject: nimbuzz.com,Nimbuzz,NL
        - SubjectPublicKeyInfo: RsaEncryption (1.2.840.113549.1.1.1)
         + SequenceHeader: 
         + Algorithm: RsaEncryption (1.2.840.113549.1.1.1)
         - SubjectPublicKey: 
          - AsnBitStringHeader: 
           - AsnId: BitString type (Universal 3)
            - LowTag: 
               Class:    (00......) Universal (0)
               Type:     (..0.....) Primitive
               TagValue: (...00011) 3
           - AsnLen: Length = 141, LengthOfLength = 1
              LengthType: LengthOfLength = 1
              Length: 141 bytes
            BitString: 
        + Tag3: 
        + Extensions: 
       - SignatureAlgorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - SequenceHeader: 
         - AsnId: Sequence and SequenceOf types (Universal 16)
          + LowTag: 
         - AsnLen: Length = 13, LengthOfLength = 0
            Length: 13 bytes, LengthOfLength = 0
        + Algorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - Parameters: Null Value
         - Sha1WithRSAEncryption: Null Value
          + AsnNullHeader: 
       - Signature: 
        - AsnBitStringHeader: 
         - AsnId: BitString type (Universal 3)
          - LowTag: 
             Class:    (00......) Universal (0)
             Type:     (..0.....) Primitive
             TagValue: (...00011) 3
         - AsnLen: Length = 129, LengthOfLength = 1
            LengthType: LengthOfLength = 1
            Length: 129 bytes
          BitString: 
  + TlsRecordLayer: TLS Rec Layer-3 HandShake:
Community
  • 1
lurscher
  • 162
  • 1
  • 3
  • 17

1 Answers1

2

Unless you are the server operators for Nimbuzz, you cannot get the private key, which is required to decrypt conversations.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
  • certainly that cannot be what nmdecrypt means with "server certificate". Hardly would make sense a certificate to be kept private – lurscher Apr 13 '12 at 22:03
  • 1
    According to this guide, the private key is **required** http://blogs.technet.com/b/askds/archive/2010/11/17/reading-ldap-ssl-network-traffic-with-netmon-3-4-and-nmdecrypt.aspx. I think the nmDecrpt docs/description is poorly written. – Zoredache Apr 13 '12 at 22:10
  • right, but wait! i have a test client (using agsXMPP) that is able to connect with nimbuzz. the only thing that is not working is adding invisible mode. It seems this is some packet sent from the official client during login which i want to obtain. You think its impossible to capture this packet? – lurscher Apr 13 '12 at 22:35
  • When I am trying to troubleshoot SSL to something I do not control, I generally need to setup an SSL proxy (stunnel) for that purpose. But it does require that any clients you are using do not have the server cert/ca hard coded. Or to put it differently, basically you need to perform an SSL MITM on yourself. – Zoredache Apr 13 '12 at 22:36
  • fantastic suggestion. What should i read for setting such thing? – lurscher Apr 13 '12 at 22:39
  • in any case, the option you suggest relies on it (the server pub key) not being hardcoded, meaning that it should be exchanged over the wire. Maybe its already in some of the conversation TLS nodes in Network Monitor? – lurscher Apr 13 '12 at 22:41
  • When a server key was hardcoded, I mean the public or ca certificate would be compiled into the application. Most DRM does something like this. Anyway, I described a stunnel SSL-to-SSL proxy in this answer. http://serverfault.com/a/247967/984 Once you did that, you could monitor the encrypted traffic on the proxy host. – Zoredache Apr 13 '12 at 22:53
  • thanks. Trying stunnel right now, i added two .conf files and trying to start two separate instances on each one but i don't see any error messages in the command prompt, just the first one seems to start – lurscher Apr 13 '12 at 23:43
  • 1
    You might be at a point where you should start a new question, about how to setup an SSL proxy, or how to solve the problem you are having getting stunnel running. – Zoredache Apr 13 '12 at 23:51