SSL Encryption – Applications of Wireshark

Preface

If you’ve read my write-up on setting up a setting up an ssl server, don’t be fooled. We’ve created a fake ssl listener that just sits on top of our apache installation. And can serve us the files. We’ll get to a full blown installation eventually, but let’s walk before we can run, shall we?

How can we use wireshark to decode https traffic?

I’ll refer again to this execellent article here to walk me through the process: http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/.

Basic HTTP transmission with gzip

First, let’s fire up wireshark and capture a normal http request. To make it easier on the eyes, we can use WireShark’s filtering to any packets other than those I’m trading with my vm, and while the data is gzipped during transmission, WireShark is nice enough to display the output to us inflated if we selet the HTTP OK response sent by the server signalling that he is done transmitting:

2014-12-12_0636

 

SSL Transmission

Now, let’s take a look at same request using https over OpenSSL:

2014-12-12_0647

It’s clearly quite different, and makes no sense to the human eye. Bummer.

Decrypting SSL, the cheating way

Under wireshark preferences/protocols, if you find the SSL protocol, which allows us to add an RSA keys list we can use to decrypt SSL traffic.

2014-12-12_0700

For this step, you’ll need the key you created on your virtual server- I have an FTP server running on my host machine so I’ll just grab it using the virtual server’s ftp command:

2014-12-12_0707

 

To set this guy up in wireshark, I need only add him to the RSA keys list like this:

2014-12-12_0710

Once I click apply here, I believe I needed to submit a second request to the server for wireshark to decode it inline. I did so, and suddenly I can see normal traffic again:

2014-12-12_0736_001

You’ll notice the new HTTP protocol item in the tree below the SSL layer, now that WireShark understands how to decipher it.

Taking this one step further, and following the SSL stream on that HTTP request will show us the entire conversation as below:

2014-12-12_0740

Neat! But what if you don’t have that server key? Well that’s why this post is kind of cheating. Next up, we’ll explore how to decipher SSL communciations without the server key!

SSL encryption – Set up an SSL server

Analyzing SSL traffic

So, in an effort to get a good picture at how I can decrypt SSL traffic running through my machine, I’ve decided to set up my own little ubuntu SSL server in a VM so I can test what’s involved in getting wireshark to decrypt it.

Creating a test environment

Installing Ubuntu Server

The Ubuntu Server edition, as expected, installs flawlessly under a virtualbox VM. I took only the bare essentials when prompted during setup and let ubuntu decide how to handle my partitioning. I’m sure there are many other ways to do this, but I’ve always been keen on ubuntu so I thought I’d give them a shot. I got the download here: http://www.ubuntu.com/download/server.

Hosting a web server

Once all the whirring and buzzing is done I’m presented with a rather unclimactic prompt. Being a native windows user, I’ve not the slightest idea what to do with this, but a bit of googling (https://www.digitalocean.com/community/tutorials/how-to-configure-the-apache-web-server-on-an-ubuntu-or-debian-vps) keyed me into the fact I could run a couple of commands to get a server up.

sudo apt-get update
sudo apt-get install apache2

It’s actually that simple. once the apache2 install is completed, I can point to this machine from anywhere in my network and I got served my first page:

2014-12-11_0357

 

Again, being a Windows user thought despite often digging into and enjoying the feel of a console, there’s something about having a GUI that just puts me at ease. Again, google is my friend: http://askubuntu.com/questions/53822/how-do-you-run-ubuntu-server-with-a-gui

Let’s get a GUI for our server

I elected the xubuntu desktop (described as lightweight by this stranger I’ve never met. And installed it. Again super simple command:

sudo apt-get install ubuntu-desktop

Follow that up with a “reboot” and we’ve got ourselves a gui:

2014-12-11_0423

Where’s my HTTP root?

They’re nice enough to include that little detail in the landing page once the server is configured:

2014-12-11_0427

So let’s head over to /var/www to check it out. I’m going back into the terminal here because after screwing with the gui for a bit the terminal aspect suddenly appeals to me greatly. Try editing your index.html file via the gui if you’re defiant, else let’s just drop back to the console.

Editing the index.html

Just to be sure I have a basic understanding of the server, I want to edit my index.html file to ensure it’s really what’s being served. If you tried doing this from the gui you may have hit a pitfall or two because of the file’s permissions. So from the terminal lets navigate to /var/www/html and set the index.html permissions to 666.

Now we can nano in and make a little change:

2014-12-11_0500

Admittedly, this is not the best text editor I’ve ever worked with, and I’m sure there are better out there, but we’re not here to mess with that.

2014-12-11_0502

Great, the change was persisted. Now that we know we’re controlling a real live server, let’s set up some encryption.

Setting up SSL on our webserver

Again, seems almost too simple in our case- thanks to some directions I found here: http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/

 Create your Key

Creating the key is fairly straightforward, I used some basic stuff here:

openssl req -x509 -nodes -newkey rsa:1024 -keyout testkey.pem -out testcert.pem

Once fired, the command will request a handful of information about who you are and what your cert is representing. To RSA sign it (for use with wireshark later on ) there’s one more command to be run:

openssl rsa -in testkey.pem -out testkey.pem

Start the server

Now all we need to do is fire up the ssl server and he’ll begin taking requests on port 443, with the following command:

openssl s_server -key testkey.pem -cert testcert.pem -WWW -cipher RC4-SHA -accept 443

We’ll get angry warnings from our browsers trying to hit our pages because obviously this key/cert is BS. But in short, that’s how we get an SSL server up and running from start to finish, to produce some ssl encrypted output which is decrypted happily by our browser:

2014-12-11_0715

Obviously, since I haven’t actually patched SSL into apache, the image doesn’t quite make it across- but again that’s not the purpose of this exercise.

Future

In the next post I’ll go into detail about how we can use wireshark to first view the encrypted output, and thankfully, have wireshark decrypt it for us. We’ll take this a step further and see how it’s possible to decrypt traffic even without the server key that we just produced.

Juniper network client (ie: how can I get on my company’s VPN)

I tried with no success to download a trial version of F-Secure to test if it will work with my company’s VPN- as they say the do support it.

Naturally, I get no love when I try to login (Level-1 access, essentially worthless)

So, how is this fucking Juniper client validating that I don’t have the right version, and what can I do to beat him?

I figured watching his behavior under ProcMon would do the trick, but it’s led me to quite a few different interesting things.

I *think* the primary process that does host checking is dsHostChecker.exe, which you can find in the Juniper Client Install path. Or it’s roaming data path. Or whatever. These guys have got skills at being pains in the ass.

Directory of note:  \Users\%User%\AppData\Roaming\Juniper Networks

After observing him during the process, there are a few ways this guy can be validating-

1. Registry – my first guess, and he does do a *lot* of registry calls against my F-Secure keys. But what that doesn’t explain is:

Some obscure keys come up during the check, I’m going to list a few interesting ones here for my reference later:
HKLM\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Agent
2.POLUTIL – this guy lives as part of the F-Secure installation and can provide tidbits of information on the install state. This post seems to scratch the surface: (http://community.f-secure.com/t5/End-point/How-do-I-query-my-F-Secure/td-p/2163)

3. What I’m dreading, but what is possible, is that there is a management client installed as part of F-Secure which allows apps to “hook” into the DLLs and get information on what’s going on in there. If this is the case, I have a few options it means I’d have to hack a DLL in F-Secure 

Good luck.

Targeting whatsapp with wireshark

Why would I want to snoop WhatsApp traffic?

I’m aiming at the moment is to create a “whatsapp alarm” that will inform me and keep a log of when someone I’m stalking comes on and off of whatsapp. An app that used to do this for me what WhatsDog (http://www.appszoom.com/android-app/whatsdog-whatsapps-watchdog-kgyke-download.html) but for whatever reason this doesn’t work anymore. *update, it seems to be working now, might be worth a gander at the code to see how they’re doing this.

Creating a test-bed

I managed to get Android running on a VirtualBox instance using this great guide: http://www.fixedbyvonnie.com/2014/02/install-android-4-4-kitkat-windows-using-virtualbox/. If you’re using that guide make sure you enable virtualization at the BIOS level on your machine else you’ll get a kernel panic, as I did.

I quickly discovered that Whatsapp is using some combination of xmpp and encryption to transmit, so I’ll need to pull some shenanigans to be able to interpret the messages I catch going across the wire. I began with the ill-advised route of attempting to peek at their code and seeing what I could learn from it. In short, not much, but I learned a lot about other things along the way.

Decompiling and re-compiling apks

Using APKTool (https://code.google.com/p/android-apktool/) I was able to decompile their APK into smali and Java, which is great! Sadly though, the good bits of the decompiled code are heavily obfuscated and I’ve wasted a few hours trying to decipher it with no gains. Just looking at the code isn’t enough. If only I could debug it?

Debugging decompiled smali

It seems that this is possible, and there’s a nice link from the apktool page that talks about setting up smali debugging (https://code.google.com/p/android-apktool/wiki/SmaliDebugging). I followed this lead and looked around a bit to get it working with my VirtualBox machine. Specifically, a page from MatD gave me a solution that hooks my VirtualBox machine to my Windows PC:  http://www.mat-d.com/site/developing-android-apps-with-android-x86-and-virtual-box/. Hint: Use a bridged adapter for debugging! Hint 2: For those of us who aren’t native to linux, netcfg is the linux equivalent to winipcfg.

Based on the fact that I hadn’t found anyone who’d been successful in deciphering this madness, I moved on to attempting to MITM their https traffic. I’m just dicking around at this point.
Sadly, I lost patience trying to get my smali debugging doing something usefull, so moved on to look for other options.
  • A bit of googling taught me that whatsapp communications are encrypted via SSL. What a pain. To find this traffic with wireshark I can make a simple filter: (http contains whatsapp)
  • Other sources: This interesting article from 2012 authored by Wolf (http://werew01f.blogspot.com/2012/05/can-you-extract-message-and-photo-from.html) that describes an exploit that could be used to snatch images in the past.

MITM SSL Traffic

It turns out that this is pretty fucking difficult. I’m going to spend some time researching around the web because *surely* someone has managed to pull this off already. I know my job is doing it. Grabbing the Session ID First I need to find whatsapp traffic through wireshark. After a bit of trial-and-error I did track down some communications between my droid box and some whatsapp and whatsapp-related servers. The whatsapp servers that any one phone communicates with sure can bounce around a lot though. Why does this happen?

DNS Lookups

First of all, the randomness of the servers utilized by the whatsapp application is a result of the DNS lookups constantly shifting to create load balancing. I didn’t even know it was done like this in the real world, not a bad idea. They submit a name table so that when someone queries for one of their named boxes they may or may not get a different box.

More on SSL

Apparently, SSL connections are based on a session that gets cached on the server and can be handed back over to the client when they log back in. This explains why it’s hard to monitor someone’s whatsapp messages remotely. I might look into that later. Other interesting notes If you restore whatsapp via titanium and include the app data from a previously working instance, the whatsapp servers appear to be none the wiser. You may receive some message overlap, but eventually they figure out two devices are getting the same messages and your new device controls the account, knocking off your old one. If you try to use the old device it will work but knock the new one offline. This was interesting to me because it seems to invalidate various rumours that I’ve read around the net that the app somehow fixates on your MAC or device ID to validate your connection. I’ve backed up several different phone numbers into a spare real phone I have, as well as the emulator box and watch them trade control of my account all day.

Linq2Xsd and C# Code Generation

Ah, the benefits of open source. Today I decided to take off the gloves and dig into the Linq2Xsd project that we’ve been using at work. For a long time it’s served our purpose well unmodified, but as the schema grows in complexity it looks like it’s time to dig into the code.

My main problem is that our very (un)thoughtful contractors are generating multiple xsd schemas based on the same few basic files. Linq2Xsd doesn’t handle this elegantly, and will give me a string of validation errors when I try to generate them together, similar to

"c:\path\filename.xsd(##,##): error TX0001: The complexType 'AccountType' has already been declared.'

So what we’ve been doing is generating multiple code files for the multiple target schemas. This works to a degree, but since our base schemas have global types, rather than neatly namespaced types, we can forget about trying to put more than one generated code file in the same project. Forget about even referencing them from the same project! The global namespaces collide bigtime and cause me major headaches.

Error    18    The type 'SchemaType' exists in both 'c:\path\binary.dll' and 'c:\path\binary2.dll'

Bummer. So, I’ve got to do one of two things.

  1. Get the code generator to make these classes internal, and write a public wrapper for each that *isn’t* global.
  2. Get the code generator to wrap these classes in a namespace, so they won’t clash globally.

Option two sounds sweeter, and less manual. But how in the hell can I pull this off? I’ve never worked with or even seen code generation before. Opening up the source for Linq2Xsd is almost like reading COM code. Ack.

Even better, after a peek at the code though, I’ve realized that I can use the Linq to xsd config to handle this.

<?xml version="1.0" encoding="utf-8" ?>
<Configuration xmlns="http://www.microsoft.com/xml/schema/linq">
  <Namespaces>
    <Namespace Schema="http://www.Schema1" Clr="My.Schema1"/>
    <Namespace Schema="http://www.Schema2" Clr="My.Schema2"/>
    <Namespace Schema="" Clr="My"/>
  </Namespaces>
</Configuration>

Then I just run the app and pass the config into the command line…

LinqToXsd.exe MySchema.xsd /config:Linq2Xsd.config

and… works like a charm! My global namespaces will now be encased in a neat “My” namespace.

To think we’ve been fighting with this namespace issue for 2 years. Phew!

Google Maps Tile Aggregator

I recently found myself in need of a large, zoomed-in map for a project I’m working on. Of course, Google maps is my default map provider, but I was finding it tricky to get all of the image data I needed for certain zoom levels. I scoured the web and found a few good links on the subject, but I also found they didn’t do quite what I wanted. So, this project was created (and shared) for this purpose.

Basically you lookup your tile coordinates with a tool like this one: http://code.google.com/apis/maps/documentation/javascript/examples/maptype-base.html and you plug them into this program. Once the heavy lifting is done you’re free to save the image anywhere on your machine.

No limitations, no handholding. The default settings give a full zoom-level 12 image of Singapore, which is what I was originally after when I wrote this.

Map Image Aggregator

Got a map!

Just be careful with it because I’m not sure you’re legally allowed to do this.

Satellite Google Map of Singapore

Full-size Singapore!

As for the code itself, it’s nothing very special. I utilize a picture box for a preview/save and build the bitmap in-memory using a ThreadPool and as many requests as your system fancies. There’s a timer that refreshes the picture box to give a preview as more images come in. Code is written in VS2010 against the .NET4 framework.

code: http://www.mogness.com/files/GoogleMapsPullerCode.rar
bin x86:http://www.mogness.com/files/GoogleMapsPullerBinary.x86.rar
bin x64:http://www.mogness.com/files/GoogleMapsPullerBinary.x64.rar