Analyzing SSL traffic
So, in an effort to get a good picture of how I can decrypt SSL traffic running through my machine, I’ve decided to set up my own little ubuntu SSL server in a VM so I can test what’s involved in getting wireshark to decrypt it.
Creating a test environment
Installing Ubuntu Server
The Ubuntu Server edition, as expected, installs flawlessly under a virtualbox VM. I took only the bare essentials when prompted during setup and let ubuntu decide how to handle my partitioning. I’m sure there are many other ways to do this, but I’ve always been keen on ubuntu so I thought I’d give them a shot. I got the download here: http://www.ubuntu.com/download/server.
Hosting a web server
Once all the whirring and buzzing is done I’m presented with a rather anticlimactic prompt. Being a native windows user, I’ve not the slightest idea what to do with this, but a bit of googling (https://www.digitalocean.com/community/tutorials/how-to-configure-the-apache-web-server-on-an-ubuntu-or-debian-vps) keyed me into the fact I could run a couple of commands to get a server up.
sudo apt-get update
sudo apt-get install apache2
It’s actually that simple. Once the apache2 install is completed, I can point to this machine from anywhere in my network and I got served my first page:
Again, being a Windows user: though I often dig into and enjoy the feel of a console, there’s something about having a GUI that just puts me at ease. Again, google is my friend: http://askubuntu.com/questions/53822/how-do-you-run-ubuntu-server-with-a-gui
Let’s get a GUI for our server
I elected the xubuntu desktop (described as lightweight by this stranger I’ve never met) and installed it. Again, super simple command:
sudo apt-get install ubuntu-desktop
Follow that up with a “reboot” and we’ve got ourselves a gui:
Where’s my HTTP root?
They’re nice enough to include that little detail in the landing page once the server is configured:
So let’s head over to /var/www to check it out. I’m going back into the terminal here because after screwing with the gui for a bit the terminal aspect suddenly appeals to me greatly. Try editing your index.html file via the gui if you’re defiant, else let’s just drop back to the console.
Editing the index.html
Just to be sure I have a basic understanding of the server, I want to edit my index.html file to ensure it’s really what’s being served. If you tried doing this from the gui you may have hit a pitfall or two because of the file’s permissions. So from the terminal let’s navigate to /var/www/html and set the index.html permissions to 666.
Now we can nano in and make a little change:
Admittedly, this is not the best text editor I’ve ever worked with, and I’m sure there are better out there, but we’re not here to mess with that.
Great, the change was persisted. Now that we know we’re controlling a real live server, let’s set up some encryption.
Setting up SSL on our webserver
Again, it seems almost too simple in our case, thanks to some directions I found here: http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/
Create your Key
Creating the key is fairly straightforward, I used some basic stuff here:
openssl req -x509 -nodes -newkey rsa:1024 -keyout testkey.pem -out testcert.pem
Once fired, the command will request a handful of information about who you are and what your cert is representing. To RSA sign it (for use with wireshark later on) there’s one more command to be run:
openssl rsa -in testkey.pem -out testkey.pem
Start the server
Now all we need to do is fire up the ssl server and he’ll begin taking requests on port 443, with the following command:
openssl s_server -key testkey.pem -cert testcert.pem -WWW -cipher RC4-SHA -accept 443
We’ll get angry warnings from our browsers trying to hit our pages because obviously this key/cert is BS. But in short, that’s how we get an SSL server up and running from start to finish, to produce some ssl encrypted output which is decrypted happily by our browser:
Obviously, since I haven’t actually patched SSL into apache, the image doesn’t quite make it across, but again that’s not the purpose of this exercise.
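As an added example (my own script, not the commands from the post or the wirewatcher article), here is the same throwaway server setup as a shell script that also checks the two things that later make key-based decryption in wireshark possible: the key file is in the traditional RSA PEM form the `openssl rsa` step produces, and the handshake uses static RSA key exchange rather than an ephemeral (forward-secret) one. It assumes an `openssl` binary on PATH and a free loopback port (44443 by default); because RC4-SHA and 1024-bit keys are refused by modern OpenSSL builds, it uses AES128-SHA (still RSA key exchange) with a 2048-bit key.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes `openssl` on PATH
# and that TCP port $PORT is free. RC4-SHA / rsa:1024 from the post are
# replaced by AES128-SHA / rsa:2048 so the script runs on current OpenSSL.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PORT="${PORT:-44443}"

make_test_cert() {
  # Self-signed cert plus key; -subj answers the prompts non-interactively.
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=ssl-test.local" \
    -keyout "$WORKDIR/testkey.pem" -out "$WORKDIR/testcert.pem" 2>/dev/null
  # The post's conversion step: rewrite the key in traditional RSA PEM form.
  # OpenSSL 3 needs -traditional for that; older builds do it by default
  # (and reject the flag), hence the fallback.
  openssl rsa -traditional -in "$WORKDIR/testkey.pem" -out "$WORKDIR/testkey.pem" 2>/dev/null \
    || openssl rsa -in "$WORKDIR/testkey.pem" -out "$WORKDIR/testkey.pem" 2>/dev/null
}

# Succeeds when the key is "BEGIN RSA PRIVATE KEY" (PKCS#1), not PKCS#8.
key_is_traditional_rsa() {
  head -n 1 "$WORKDIR/testkey.pem" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# Starts a temporary s_server, performs one TLS 1.2 handshake against it and
# succeeds only if the negotiated cipher is AES128-SHA and no "Server Temp Key"
# line appears: that line is printed only for ephemeral DH/ECDH exchanges,
# which the server's private key alone cannot decrypt.
handshake_uses_static_rsa() {
  openssl s_server -key "$WORKDIR/testkey.pem" -cert "$WORKDIR/testcert.pem" \
    -tls1_2 -cipher AES128-SHA -accept "$PORT" -quiet >/dev/null 2>&1 &
  server=$!
  sleep 1
  out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -cipher AES128-SHA \
        </dev/null 2>/dev/null)
  kill "$server" 2>/dev/null || true
  echo "$out" | grep -q 'Cipher is AES128-SHA' && ! echo "$out" | grep -q 'Server Temp Key'
}

# Run the whole check when invoked directly with RUN_DEMO=1.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  make_test_cert && key_is_traditional_rsa && handshake_uses_static_rsa \
    && echo "static RSA handshake: decryptable with $WORKDIR/testkey.pem"
fi
```

If a browser connects instead of s_client, it will normally negotiate an ECDHE suite unless the server pins a static-RSA cipher as the post's `-cipher` option does, which is exactly why that option matters for the wireshark part.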
In the next post I’ll go into detail about how we can use wireshark to first view the encrypted output, and thankfully, have wireshark decrypt it for us. We’ll take this a step further and see how it’s possible to decrypt traffic even without the server key that we just produced.