Welcome the the first article in the new Unsniff Network Analyzer Tips section.

In this article we look at a common problem many network analysts face when dealing with SSL/TLS decryption.

• You got the server admin to enter the private key
• You were able to decrypt the traffic you wanted
• The server admin now leaves the room and takes the key with him

With Unsniff there are two options :

• Simple save the result. The USNF file format stores the decrypted result and you do not need the key anymore.
• If you want to use Wireshark, you need a libpcap format file. Unsniff allows you to copy the plain text TCP streams and paste them as libpcap files. You can then fire up Wireshark to examine the plaintext pcap file.

Let us look at how you can export the plain text into libpcap format.

For more details check out this article

1. Use the private key to decrypt live or captured traffic.

    Click on the SSL icon
    Enter the Server IP and Port and specify the private key file

2. Enable "Analyze Upper Layers of TLS" option

    Click on  Plugins > Configure
    Locate the TLS section and set the "Analyzer Upper Layers" to True
    

3. Import the capture file

    Click on the Import from TCPDUMP icon

4. Locate the plaintext sessions (completely stripped of TLS)

    Switch to the sessions sheet. Unsniff lists all the TCP sessions seen as top level objects. You can click the + button to view the packets that made up the session. For TLS, Unsniff creates two extra 'synthetic' TCP sessions for each TLS TCP session. The screenshot below shows the original session and the two 'synthetic' i.e. fake sessions.

 Note that the decrypted session now has port 80 instead of port 443. It is as if we never used SSL! 

5. Copy / Paste the session(s) stripped of TLS

    You can simply save the selected session (Copy / Paste as new ). This can be read by Wireshark.

Gory Detail

When you read in the exported plain text file, you will notice the following

1.  Has no ethernet layer (we dont need it),
2.  Has really large IP packets (we map an entire TLS record)

The IP packet in the above screenshot is 7053 bytes long.  It is impossible to derive a plaintext stream out of a TLS encrypted connection and still maintain a strong correlation with the original link layer packets.  In short , we are trying to take a record based protocol and fragment it into IP datagrams.

Unsniff maps each decrypted TLS application data record into an IP packet and adds the required 3-way handshake and RST packets to build a fairly accurate representation. There is just enough information in the decrypted plaintext stream to help reconstruct the contents.

The following screenshot shows the TLS records. You need to switch to the PDU sheet to see them

Any questions, feel free to ask in the Forums