Vivek Rajagopalan is the a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets , very high speed networks, and helping track down the bad guys on the internet.
Verify if the specified key file is unencrypted PKCS#8
This is the number one problem people face when using Unsniff for decrypting SSL/TLS. The private key needs to be in unencrypted PKCS#8 format. Prior versions of Unsniff happily allowed you to specify a key in any format, but would log an error message “Invalid Key Material …..” when the time comes to use it.
TLS Extensions
Here is a screenshot of Unsniff’s support for TLS extensions. Most but not all extensions are completely decoded (not just shown as TLV blobs Type-Length-Value).
But we already have Wireshark
We all use and love Wireshark. But if you work with SSL/TLS a LOT then you need to give Unsniff Network Analyzer a try. It could be useful to have it around in your toolbox along with Wireshark. Specifically, Unsniff could save you bunch of time because (1) it can produce bounce diagrams that you otherwise need to draw by hand (2) it can reassemble upper layer content like web pages (3) it tracks entire SSL records not just ethernet link layer packets (4) scriptable using Ruby (5) share decrypted packet captures without sharing the private keys.
A deeper analysis of the SSL/TLS renegotiation flaw using the packet captures provided by the researchers.
The big security news this past week was the SSL Renegotiation Flaw found by researchers Marsh Ray and Steve Dispensa at Phone Factor. Here is what they say :
The SSL authentication gap allows an attacker to mount a man-in-the-middle attack, and affects the majority of SSL-protected servers on the Internet. Specifically, the vulnerability allows the attacker to inject malicious data and commands into the authenticated SSL communications path. This can often be done without either the client or server (e.g. web server and browser) being able to detect the attack.
What is really cool with this vulnerability is that the researchers have released packet captures of it in action.
Grab the packet captures, a whitepaper, and protocol diagrams from Phone Factor’s site.
Analyzing the packet captures
In this post,let us see how we can analyze these and similar packet captures. There is plenty of heavy lifting to be done, so we will be breaking open a tool called Unsniff. Laura Chappell over at Chappell Seminars has a similar post on analyzing the traces using Wireshark.
Among all the captures released, client_init_renego_bis.pcap seems to demonstrate the attack the best. To make this exercise easy we first decrypt the capture file using Unsniff’s TLS decryption capabilities and save it in Unsniff’s native USNF format.
The USNF format
The USNF format is a great way to share decrypted SSL/TLS packet captures without supplying the private key. No, the private key is not secretly tucked away in the file. It is simply not required after the initial decryption.
Step 2 : Download the capture file in USNF format from here
Step 3 : Open the file and play with the Packets, PDU, and Sessions tabs.
Packets : A list of link layer packets like you would see with Wireshark.
Sessions : A list of TCP streams.
PDUs : A list of reassembled and decrypted SSL records.
The Packets tab is not very interesting here because SSL records bear no relationship to link layer packet boundaries. So lets focus on the PDU and Sessions tabs.
Analyzing the streams
Switch to the sessions tab and note that the Sessions tab shows 6 TCP streams. But the original pcap file contained only 2 streams (from victim to MITM and from MITM to server). Unsniff creates two extra streams for every SSL/TLS stream. This is an great way to strip and analyze encrypted or tunneled streams.
The two extra streams are :
The decrypted SSL stream (with all the handshakes in it. Decrypted but with signature and block cipher padding intact)
The decrypted upper layer HTTP stream (with only the application data)
View HTTP data from the perspective of Server and MITM
Lets first look at the HTTP data from the HTTP server’s perspective.
Move to the Sessions tab and make sure the Stream sheet is activated. You may also have to rt-click and switch to UTF-8.
Click on Stream 5 ( HTTP data as seen by the server)
Click on Stream 6 (HTTP data sent by the victim)
Going deeper with the Bounce View
The real juicy part is ofcourse the protocol exchanges between the victim, the MITM, and the server. The ideal tool for this is called the “PDU Bouncer’. Activate it by Right-Clicking on a PDU and selecting Bounce View. This creates a bounce diagram containing all the PDUs that went back and forth on the same TCP stream in time order. For example : Right click on PDU #2 to bring up the diagram shown on the right.
Three-way Bounce
What is really cool about this bounce diagram is that you can select two PDUs from different streams and you will then get a three-way (or even 4 way diagrams).
This is exactly what we need, the victim, the MITM, and the server PDUs all laid out in a protocol diagram. Switch to the PDU view, right click and select PDUs 2 and 14. Now bring up the PDU bouncer.
Lets see what we get.
Stage 1
Shows the MITM (192.168.80.17) intercepting the Client Hello from the victim and then establishing a separate connection to the server with the intention of patching on the client later. The session ID can be seen to be 1C144B..
Stage 2
This shows the MITM sending the evil payload (PDU#28). Note the evil payload is an incomplete HTTP request sent with the hope that the victim will complete it. Once the payload is sent, you can see a new session being renegotiated. This new session is passed on to the client, from which point on the MITM stays away. The damage having been done ! Pure evil.
You can generate a PDF for any bounce diagram via Right Click + Print + Select CutePDF.
The authors themselves have a pretty comprehensive whitepaper including a protocol diagram of their own in the package (http://www.phonefactor.com/sslgap/). The purpose of this post is to introduce a new tool you may wish to consider adding to your security toolbox in addition to the ubiquitous and lovable Wireshark.
Unsniff Network Analyzer 2.0 also features remote analysis in line with the NSM principles advocated in the Tao of Network Security Monitoring book. You can download the latest beta builds as they become available from http://www.unleashnetworks.com/downloads. Please support the product by testing out the beta builds.