Using Unsniff to analyze SSL and TLS streamsClick for PDF Version "Using Unsniff to analyze SSL / TLS " (694 kb)
A number of applications today use SSL and TLS as a security layer. Unsniff allows authorized users to analyze these applications by decrypting the SSL/TLS streams in real time. This is done without interrupting the SSL streams in any way. Unsniff can also strip out the SSL/TLS layer completely and analyze the application protocols as if the security layer never existed. If you are working with a secure web server, you can analyze the HTTPS protocol, including the ability to reconstruct complete web pages.
References : RFC2246 (TLS 1.0), RFC2459 (X.509v3), PKCS Standards (RSA Website)
Working with PDUs and Streams
Analyzing upper layer protocols
Howto : Analyzing a secure Microsoft IIS web server
Howto : Analyzing a secure Apache web server
Howto : Analyzing protocols tunneled via stunnel
Use PDU and Stream analysis to perform more efficient and accurate analysis
PDU AnalysisSSL/TLS is a record oriented protocol that runs on top of TCP. These SSL/TLS records (or PDUs) can be upto 16K bytes in length. They also do not respect link layer packet boundaries. You can have multiple SSL/TLS records per ethernet packet or a single record spread over multiple packets. Unlike older protocol analyzers, Unsniff analyzes PDUs (protocol data units) as first class entities. This means that you do not have to dig through ethernet (or other link layer) frames while trying to locate SSL / TLS records.
To view entire SSL/TLS records switch to the PDU sheet
Stream AnalysisUnsniff also allows you to monitor entire SSL / TLS streams as first class entities. You can see entire SSL/TLS sessions being established and completed in real time in the Streams sheet. The main advantage of stream monitoring is you can instantly zone in on the exact stream you want. You can even copy-paste entire streams into another capture file or iterate through streams via the scripting interface.
To view SSL/TLS streams switch to the "Sessions" sheet
The servers digital certificate plays a pivotal role in the authentication and encryption of data. The SSL client and server quickly agree on a shared secret (the master secret) using public-key cryptography. When provided with the servers keying material, Unsniff can decrypt the data transferred. Unsniff has built in full stream and PDU analysis which are able to support the SSL / TLS record layer very well.
When the right keying material is available
This section explains how you can setup Unsniff to decrypt SSL/TLS if you have access to the right keying material.
Step by step instructionsThis section contains detailed instructions for setting up Unsniff to decrypt SSL / TLS.
Click on Plugins->Customize or the Customize Plugins toolbar icon. Ensure that the “Decrypt SSL/TLS” option is set to “True”
Obtaining the server private keyIf you are developing or testing protocols you can request the private key file from the system administrator. Unsniff expects the server private key to be in "unencrypted PKCS #8" format. You may have to convert your key to this format; Click on these links for specific instructions for Apache, Microsoft IIS, STUNNEL
Private Key Formats
There are three main key formats :
Using OpenSSL to convert between private key formats
To convert the private key into PKCS#8 format you need to use OpenSSL.
Enter the private key information for the server into UnsniffCollect information about the IP address and TCP port on which your SSL / TLS enabled server is running. Now you are ready to enter this information into Unsniff.
Enter the server information into Unsniff
Select Tools->TLS->Manage Private Keys from the main Unsniff menu. This opens the “SSL/TLS Key Manager” Dialog.
Select New to open the “Enter New Key” dialog. Specify the IP Address, Port and the PKCS#8 private key file in this dialog and click OK.
Start capturing and analyzing SSL / TLSNow you are ready to start analyzing SSL / TLS. Just click on the "Start Capture" button or import a capture file in tcpdump format. Unsniff will automatically decrypt and present you with clear text protocol data in real time.
Flags mark decrypted packets and PDUs
Decrypted packets and PDUs are flagged with special icons in the packet sheet. Observe the "key" icons on the left side of the packets sheet.
Enable the application analysis feature
You must first ensure that you have enabled the "SSL/TLS Application Analysis" feature. This feature is disabled by default due to the overheads involved with this feature.
Specify the SSL / TLS ports used by the application
Unsniff can analyze any application that uses SSL/TLS. If you want to perform application analysis, you must tell Unsniff what port number corresponds to your secure application. You have to use the Access Point Manager for that purpose. For example : HTTPS (secure HTTP based on SSL/TLS) runs on TCP port 443. You can specify addition ports or new protocols If the upper layer protocol is not supported by Unsniff, you need not have an entry.
To customize SSL/TLS ports:
View application streams and user objects
Once everything is in place, Unsniff will automatically generate a new stream in the Streams Sheet that represents a real-time stripped version of the encrypted stream. You can expand the stream and view packets, or view the user objects in that stream and so forth.
Example: Capture a HTTPS session and view the reconstructed web page. Read more about Unsniff powerful HTTP analysis capabilities here.
Export the servers private key to PFX format
Microsoft Windows allows you to export your IIS private key and digital certificate in a format called PFX. It is roughly equivalent to the PKCS#12 format used by apache.
To export your servers private key follow the step-by-step instruction provided by Microsoft in this Technet article. Remember the password you used to export the private key. You will need it later !
How to back up a server certificate in Internet Information Services 5.0
Convert the PFX format private key to PKCS #8
Once you have the key material in PFX format, you must convert it into PKCS#8 format required by Unsniff.
First convert PFX to PEM
openssl pkcs12 -in MyCert.PFX -nocerts -nodes -out MyCert.PEM
* You will have to enter the password used to protect the server private key.
Next convert PEM to PKCS#8
openssl pkcs8 -in MyCert.PEM -topk8 -nocrypt -out MyCert.PK8
The file MyCert.PK8 is the key file you must use with Unsniff.
Locate the apache SSL certificate key (private key) file
Convert the apache PEM format to PKCS#8
You need the secure webserver password to proceed. This is the password used to protect the server private key.
openssl pkcs8 -in myapachekey.pem -topk8 -out outkey.pk8 -nocrypt
* You will have to enter the password used to protect the server private key.
STUNNEL is an excellent piece of software that allows you to secure arbitrary TCP connections inside a secure SSL tunnel. It is widely used to provide security to client-server systems that do not have it built in. Unsniff can look into these encrypted tunnels and provide complete visibility to the protocols that are carried inside them.
Locate the server private key
Stunnel can be started with the private key specified on the command line or reading the private key location from the stunnel.conf configuration file. The private key is in PEM format.
Convert the PEM format to PKCS#8
Use the following command to convert the private key to PKCS#8 format required by Unsniff.
openssl pkcs8 -in stunnel.pem -topk8 -out outkey.pk8 -nocrypt
* You will be asked for the password if the stunnel.pem key is password protected
How can I debug errors encountered during SSL/TLS analysis ?Any error encountered during SSL/TLS analysis such as invalid key material or unsupported cipher is sent to the Unsniff Log Window. You can view the log window, via the "View->Log Window" menu. By default the log window only shows Major and Critical error messages. You can adjust the setting via "Tools->Configure->Miscellaneous", then select from the logging options.