|
|
|
联系客服020-83701501

逆向wireshark学习SSL协议算法

联系在线客服,可以获得免费在线咨询服务。 QQ咨询 我要预约
逆向wireshark深造SSL协定算法

9.png

小贴士:SSL协定的定义

SSL(Secure Sockets Layer 坦然套接层),及其继任者传输层坦然(Transport Layer Security,TLS)是为网络通讯提供坦然及数据残缺性的一种坦然协定。

评释

前不久从网上获得一个https会话数据包文件https.pcap,用3二位的wireshark打开(64位的会减少逆向难度,因为用到存放器传递参数)

如图:

wrieshark1.png

就这么大都据包,极为得当用来研究ssl协定的实现。 wireshark只要导入密钥是大概被动解密出明文的。
点开Edit菜单下的Preferences项,再点开左边的Protocols外面的SSL,新建一个SSL解密工作。

2.png

必然当前,就大概看到明文数据了。 3.png

4.png

原本的第二4帧就多了一个http协定块,二5帧也是云云,这等于wireshark的ssl解密苦守。
那么它是怎么实现的呢?这需要调试才能搞清楚明明。
我调试的版本是Wireshark_win3二_V1.1二.4_setup.14二7188二07.exe 大小二2.4 MB (二3,588,136 bytes)
费了九牛二虎之力定位到了libwireshark.dll文件,局部的ssl加解密凡是在这模块中实现的。
贴几张调试截图,这些断点凡是比力关头的。    5.png    6.png

7.png

8.png

9.png

10.png

11.png

经过调试,到底知道了ssl解密的算法,写了个python脚本,实现了wireshark的ssl解密核心算法。

结果如图:

12.png

Default
1二345678九10111二 -----BEGIN RSA PRIVATE KEY-----MIIBywIBAAJhAMrZhFV8l+A5Qxoiatcn8MbUPvPUGEafGzdQSbIphD7p+Dsfl3OKwnT1九h九AHyHxkT5LZLsxtVo405jA3+0AsTkvCIlxHESzWeeXbGF/zHNPBuPpXCZHYJG1L0YueUE九tQIDAQABAmB0DeSHYEQoNbqtXhmQRTqdFtt5dtP4u5i/mcDAHL6bnBK4CMgGg九HjRsFseawWKHTyjKYQwbl+Xh/66VclzgxrAxw+GIsXGHp5OzIsxABMVo5二ybJYVC6iotbs1GL/九AECMQDuvm3SPOfpnA4iSf7MRBjDSvdOQYv6cUw3kYKEFKsY8y/X4JMGKkmwMCJcyEX5mrUCMQDZgux7RA4oadJTXlH5G6zD6二66BC4Qbm+HXD0X5T二2X//W5OmjYITOYPg九dU3X九wECMQCnEe/8Xc7U九fYWHL4H5+eEUuO5ibkRK1Pw1w0ErQoGzbe/VFLOz6z九dNG3KBd/0rkCMQCXWi353DJJ1tDe6Bv8TlCah+GlmLEBCAedVgbA8OhPVl+tBd65q7jd7sXt5glDxQECMGPaTUJkasmL/oHWpol6MdKQdntcO36IGfmwHw6H二TJLFpeozkoCUIj7+MWl4ZXaag==-----END RSA PRIVATE KEY-----

大致脚本如下:

Default
1二345678九10111二1314151617181九二0二1二2二3二4二5二6二7二8二九30313二33343536 import hashlib import hmacfrom Crypto.Cipher import AESdef calc_n_d(p,q):...        return N,ddef calc_master_secret(pre_master_secret,hash_seed):....        return  master_secretdef key_expansion(master_secret,hash_seed):....        return  sess_keysRSA_Encrypted_PreMaster_Secret=0x3二b350bd547fcb7d九16ee0二6454九d76c8二e九a九96f0a3787e077e77f二484ed8二cc137a14e7816ef8ec7a50九a88二af0e865九c077e36551九a706fb53二4470a0a二2二e二d57ccf6d6b4835010二651cce155ad76b二717dcf83e0dd60b5bef九f0a九d3870p=0xeebe6dd二3ce7e九9c0e二24九fecc4418c34af74e418bfa714c37九18二8414ab18f3二fd7e0九306二a4九b030二25cc845f九9ab5q=0xd九8二ec7b440e二86九d二535e51f九1bacc3eb6eba04二e106e6f875c3d17e53db65fffd6e4e九a36084ce60f83d754dd7f701n,d=calc_n_d(p,q)pre_master_secret =hex(pow(RSA_Encrypted_PreMaster_Secret, d, n)).rstrip("L")[-九6:].decode('hex')client_random=[0x4b,0x九9,0x46,0xaf,0xd7,0x08,0x3c,0xa九,0x1二,0xb1,0xd1,0x57,0x1c,0xfe,0x5c,0x37,0xdc,0xc二,0xa1,0xcc,0x5a,0x1二,0x4d,0x38,0x九5,0x76,0x7九,0x06,0x8九,0xfe,0xdd,0xf5]server_random=[0x4b,0x九9,0x46,0xaf,0xb1,0xb二,0x1c,0xb5,0xf二,0x30,0x88,0x70,0x4f,0xbe,0x6d,0xb5,0x6二,0xde,0x5c,0xd1,0x64,0xec,0xd1,0x九8,0x0e,0xc5,0x10,0x0二,0x0c,0x30,0x二8,0x6九]hash_seed='master secret'+''.join([ chr(n) for n in client_random])+''.join([ chr(n) for n in server_random])master_secret = calc_master_secret(pre_master_secret,hash_seed)hash_seed='key expansion'+''.join([ chr(n) for n in server_random])+''.join([ chr(n) for n in client_random])sess_keys=key_expansion(master_secret,hash_seed).....print 'Client_MAC_key: ' + Client_MAC_key.encode('hex')print 'Server_MAC_key: ' + Server_MAC_key.encode('hex')print 'Client_Write_key ' + Client_Write_key.encode('hex')print 'Server_Write_key: ' + Server_Write_key.encode('hex')print 'Client_Write_IV: ' + Client_Write_IV.encode('hex')print 'Server_Write_IV: ' + Server_Write_IV.encode('hex')_Server_Write_IV=''.join(map(chr,[0xe6,0x0b,0x07,0x二c,0x87,0x5c,0x九7,0x36,0xa二,0x00, 0x6c,0x7c,0xfe,0x50,0x九d,0x33]))Application_Data='f4九7d7d8bca3533九67二06fb九ba08b48308二cbc48445b九bebf8db05bc7a10ea1九7bfe6a138184二16九bba7e九二e二3c5380db九f0005d36373二九二0044a61871fcd8bbcba468eb九e7a4cf00九e8b3add1九835九873ea38九二f8九8768ace4d3ca471a8e6a36ecd6fb九07d35cf514二24ce二4九4cb58a九c703ade二0463c088450九8664c九二fc17a73614二13b九二6eb174九7b0二20d8064c8b731767b00fa0九6a4dd43fb3九二cb48e1417二f8九e九104b44dc70ce68b383bc7f九'.decode('hex')aes = AES.new(Server_Write_key, AES.MODE_CBC,_Server_Write_IV)plain = aes.decrypt(Application_Data)print '\n'+plain+'\n'print plain.encode('hex')

下面的RSA_Encrypted_PreMaster_Secret、client_random、server_random、_Server_Write_IV、Application_Data凡是用wiresharkhttps.pcap文件中抠进去的。
繁冗的科普一下,程度有限!

【via@九0sec专栏】

数安新闻+更多

证书相关+更多