
Decrypting TLS

Discussion in 'General Programming Chat' started by Veehmot, Mar 4, 2016.

  1. Veehmot

    Veehmot Newbie

    I'm trying to decrypt some software (not a webpage or browser) that uses TLS 1.2. I'm using Wireshark to listen to the packets flowing, and I can see there's a TLS exchange at the start of the software, and then all the packets are encrypted.

    I would like to see what the server is responding to the POST requests the software makes. I have read about MITM attacks, but I'm not sure if it's doable for what I want to accomplish, or how to proceed.

    The machine is mine; I don't have access to the software source code, nor to the server that serves the HTTP requests. I'm on Windows 8.1.
     
  2. qrazy

    qrazy Senior Member

    You could try tools such as Cain and Abel. IIRC, you might need 2 machines with Ethernet for ARP spoofing at your end.
     
  3. 9to5destroyer

    9to5destroyer Jr. VIP

    Have you tried using Fiddler and trusting its cert to decrypt?
     
  4. kahuna74

    kahuna74 Regular Member

    You're not going to be able to decrypt TLS. What I would do is set up a proxy like Charles Web Debugging Proxy, install its cert in your certificate chain, and you can see the traffic after that.
     
  5. Veehmot

    Veehmot Newbie

    Thanks for your help. I was able to successfully route the HTTP/S traffic to Charles, but the software won't trust the Charles cert. I believe I should use a MITM attack in order to make the client and server believe they are genuine. Do you think that will work?
     
  6. Veehmot

    Veehmot Newbie

    Looks like the application has SSL pinning in place. Since this is an Android app running on an emulator, I've tried some unpinners based on Cydia and Xposed, but to no avail. The app refuses to accept my proxy certificate. I don't have any experience with SSL/TLS, so I guess I will give up for now until I can understand the problem.
     
  7. kahuna74

    kahuna74 Regular Member

    I've successfully decrypted HTTPS from apps on my iPhone by installing the Charles cert in my certificate chain on my phone, setting up the proxy on my laptop, and routing all HTTP and HTTPS traffic from my phone to my laptop. Not the prettiest setup, but it worked for me. Sometimes it was a pain in the ass because I had a VPN running on my laptop too, and that complicated things.
     
  8. kahuna74

    kahuna74 Regular Member

    To add to my last post, the laptop is the "man in the middle". So yeah, that's your basic man-in-the-middle attack right there, except you're intentionally doing it by installing a certificate on your device. I'm not sure about Android, but on iPhone the cert installs fine and is part of the trusted cert chain, so my apps don't complain about it.
     
  9. Veehmot

    Veehmot Newbie

    Yes, but this app in particular uses certificate pinning, which means that it won't accept any cert installed, just a single one.
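    Veehmot's posts describe exactly what pinning changes: the app compares the server's public key against a hash baked into the app instead of asking the OS trust store, so a proxy cert that was installed as trusted is still rejected. The following added example (mine, not from this thread or any of the tools named in it) shows that check in Python on constructed stand-in certificates; the minimal DER parser and the names `spki_pin`, `pin_accepts` and `fake_cert` are my own, and the sample keys are made up.

```python
import base64
import hashlib

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; returns (tag, raw_tlv, value, next_pos)."""
    start, tag, length, pos = pos, data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, data[start:end], data[pos:end], end

def der_children(value):
    """Yield the raw TLV of each element directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        _, raw, _, pos = der_tlv(value, pos)
        yield raw

def spki_pin(cert_der):
    """OkHttp/HPKP-style pin: 'sha256/' + base64(SHA-256 over the DER SubjectPublicKeyInfo)."""
    _, _, cert, _ = der_tlv(cert_der)        # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, _, tbs, _ = der_tlv(cert)             # tbsCertificate ::= SEQUENCE { [0] version?, serial, ... }
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                 # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    spki = fields[5]                         # serial, signature, issuer, validity, subject, SPKI
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()

def pin_accepts(cert_der, pins):
    """A pinning client accepts the presented cert only if its key hash is in the app's pin set."""
    return spki_pin(cert_der) in pins

def tlv(tag, value):                         # minimal DER encoder, only for the constructed samples
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + value

def fake_cert(public_key, serial):
    """Constructed stand-in with the real X.509 field order; every field holds dummy content."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    spki = seq(seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b"")),
               tlv(0x03, b"\x00" + public_key))                  # rsaEncryption OID + key bits
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, serial), seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

# Constructed keys: the real server's, and the CA key a Charles/Fiddler-style proxy forges certs with.
SERVER_CERT = fake_cert(b"server-public-key-bytes", b"\x01")
RENEWED_SERVER_CERT = fake_cert(b"server-public-key-bytes", b"\x02")   # same key, new serial
PROXY_CERT = fake_cert(b"proxy-public-key-bytes", b"\x01")             # OS-trusted after install, yet unpinned
PINS = {spki_pin(SERVER_CERT)}
```

    Pinning the SPKI hash rather than the whole certificate is why the renewed server cert still passes while the proxy's forged cert fails, even though the emulator's trust store accepts both.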
     
  10. FJX

    FJX Regular Member

    Then extract the app with something like apktool. Check the smali code and Ctrl+F keywords such as "cert", "x509", etc. See how the whole code behaves: what returns from, or calls, that class/function. From there you can make your own modifications. Rebuild and sign the app and see what happens. Remember, even if it has cert pinning, in the end the "client side" is in your control and you can modify it to not care about what cert the client is using.