Using Wireshark to decrypt a TLS-encrypted capture with a private key

3

I have a packet encrypted with TLS in a .pcap file. I also have the private key in a .priv file. How can I decrypt the .pcap file using Wireshark? I tried going to Edit -> Preferences -> Protocols -> SSL -> Edit -> New, but I am not sure what to enter for the IP address and port. How can I display the corresponding packet in Wireshark to find out the port and IP address? Is this the right way to decrypt the .pcap file in Wireshark using the private key? Please help! Thanks!

user37375

Posted 2014-01-21T06:49:23.793

Reputation: 31

I've always done this with a command line tool named ssldump: http://ssldump.sourceforge.net/

– Erwan Legrand – 2017-02-07T11:39:06.360

Answers

1

I haven't done this myself, but after a Google search I found this tutorial. You don't need to do every step; jump right to the "Decrypt https" part:

http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html

I will add the relevant information nevertheless:

Decrypt https

Open the Wireshark preferences file:

    on Linux: ~/.wireshark/preferences
    on Windows: C:\Documents and Settings\\Application Data\Wireshark\preferences

Inform Wireshark that you want it to desegment SSL records and application data, and give it the private certificate for the https server we observed (192.168.100.4):

    ssl.desegment_ssl_records: TRUE
    ssl.desegment_ssl_application_data: TRUE
    ssl.keys_list: 192.168.100.4,443,http,/home/stalkr/codegate/7/private.pem

Fix the path to the private certificate accordingly; on Windows use regular slashes (/).

Again, launch Wireshark and open the capture file. We can now see the application data: an HTTP GET request to index.html, and the response containing the flag.

Have a look and let us know.

Note: All this information belongs to "StalkR's Blog" and I have added it here for convenience. Consider visiting the full blog entry since he may add some extra steps.

kiBytes

Posted 2014-01-21T06:49:23.793

Reputation:

Any sources on how to do this in Unix? – vbNewbie – 2016-10-11T16:09:24.243

This can be found in the UI under Edit > Preferences > Protocol > SSL – Erwan Legrand – 2017-02-07T11:51:28.633

Thanks greatly for the help! I understand it better; however, when I tried putting in the details, it doesn't convert to HTTP, it instead says Encryption Alert. I think I might be putting in the wrong IP address and port number. Which source address do we use? For instance, in the above picture, how do we know to use 192.168.100.4 instead of 192.168.100.2, and is the port number always 443? This video also helped me: http://www.youtube.com/watch?v=vQtur8fqErI and this link: http://wiki.wireshark.org/SSL . Please clarify.

– user37375 – 2014-01-22T01:36:21.113
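The two things the follow-up comment asks about (which of the two addresses is the "server" for ssl.keys_list, and whether the port is always 443) can be read straight out of the capture: the server is the destination of the ClientHello and the source of the ServerHello, on whatever port that connection used. The ServerHello also settles whether the private key can help at all, because Wireshark can only recover the session with the server key when the negotiated cipher suite uses plain RSA key exchange; with an (EC)DHE suite the premaster secret never travels under the server key, and you need the session secrets (an SSLKEYLOGFILE from the client) instead. The script below is an added example, not code from the question, the answer or StalkR's blog. It parses a classic pcap (Ethernet/IPv4/TCP only, no pcapng), pulls the TLS server endpoints and chosen suites, and prints a ready-made ssl.keys_list line for each RSA-key-exchange server. The embedded capture, the addresses 192.168.100.2/192.168.100.4/10.0.0.9, the ports and the key path /home/user/server.priv are constructed for the demonstration and are not from the original thread.

```python
import socket
import struct

# Partial IANA table of suites with plain RSA key exchange: only these can be
# decrypted with the server's private key; (EC)DHE suites never can.
RSA_KX_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
                 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}

def pcap_frames(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap byte string."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data, 0)[0]]
    off = 24                                                 # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:                                           # protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, tcp[(tcp[12] >> 4) * 4:])

def tls_handshakes(payload):
    """Yield (handshake_type, body) for each handshake message in a segment's TLS records."""
    off = 0
    while off + 5 <= len(payload):
        ctype, version, rlen = struct.unpack_from("!BHH", payload, off)
        if ctype != 22 or version >> 8 != 3:                 # not a TLS handshake record
            return
        rec, off = payload[off + 5:off + 5 + rlen], off + 5 + rlen
        roff = 0
        while roff + 4 <= len(rec):
            hlen = int.from_bytes(rec[roff + 1:roff + 4], "big")
            yield rec[roff], rec[roff + 4:roff + 4 + hlen]
            roff += 4 + hlen

def find_tls_servers(pcap_bytes):
    """Map (server_ip, server_port) -> cipher suite chosen in the ServerHello (None if unseen).
    The server is the destination of the ClientHello and the source of the ServerHello."""
    servers = {}
    for frame in pcap_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, sport, dport, payload = seg
        for htype, body in tls_handshakes(payload):
            if htype == 1:                                   # ClientHello
                servers.setdefault((dst, dport), None)
            elif htype == 2:                                 # ServerHello: suite sits after
                sid_len = body[34]                           # version(2)+random(32)+sid_len(1)+sid
                servers[(src, sport)] = struct.unpack_from("!H", body, 35 + sid_len)[0]
    return servers

def keys_list_entries(servers, key_path, proto="http"):
    """One ssl.keys_list line per server, or a comment where the server key cannot help."""
    out = []
    for (ip, port), suite in sorted(servers.items()):
        if suite is None or suite in RSA_KX_SUITES:
            out.append(f"{ip},{port},{proto},{key_path}")
        else:
            out.append(f"# {ip}:{port} negotiated 0x{suite:04x}, not RSA key exchange: "
                       "the server key cannot decrypt it, use SSLKEYLOGFILE instead")
    return out

# Constructed sample capture (hypothetical addresses and ports, not a real pcap).
def _frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _hello(htype, body, rec_version):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + rec_version + struct.pack("!H", len(hs)) + hs

CLIENT_HELLO = _hello(1, b"\x03\x03" + b"\x11" * 32 + b"\x00\x00\x04\x00\x2f\xc0\x2f\x01\x00", b"\x03\x01")
SERVER_HELLO_RSA = _hello(2, b"\x03\x03" + b"\x22" * 32 + b"\x00\x00\x2f\x00", b"\x03\x03")
SERVER_HELLO_ECDHE = _hello(2, b"\x03\x03" + b"\x22" * 32 + b"\x00\xc0\x2f\x00", b"\x03\x03")
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate([
        _frame("192.168.100.2", "192.168.100.4", 51000, 443, CLIENT_HELLO),
        _frame("192.168.100.4", "192.168.100.2", 443, 51000, SERVER_HELLO_RSA),
        _frame("192.168.100.2", "10.0.0.9", 51001, 8443, CLIENT_HELLO),
        _frame("10.0.0.9", "192.168.100.2", 8443, 51001, SERVER_HELLO_ECDHE)]))

if __name__ == "__main__":
    for line in keys_list_entries(find_tls_servers(SAMPLE_PCAP), "/home/user/server.priv"):
        print(line)
```

Run against a real file with `find_tls_servers(open("capture.pcap", "rb").read())`; the resulting `ip,port,protocol,keyfile` line is what goes into ssl.keys_list (tls.keys_list in Wireshark 3.x and later, where the preference page is named TLS). The `protocol` field is only a hint for dissecting the decrypted payload, so `http` is right for HTTPS on any port, 443 or not. An "Encrypted Alert" after the handshake with no decrypted data usually means the key did not match or the suite was not RSA key exchange; the suite printed here tells which of the two it is.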