Project 6x: Reading SSL Traffic with Wireshark (15 points)

What You Need for This Project

Warning!

This project lowers the security substantially on your computer. Encryption keys will be logged in plaintext where Wireshark can find them.

This is something useful to do for testing, but you shouldn't use a computer with this modification for anything personal like shopping.

That's why you need to make a restore point before starting this project and restore your system from it when you are done.

Creating a Restore Point

Click Start. Type in CREATE. Click "Create a restore point".

In the "Restore system files and settings" box, click Next.

In the "System Properties" box, click the Create button.

In the "Create a restore point" box, type a name of "YOURNAME-PROJ6x", as shown below.

Click Create.

Setting Up the Project

  1. Create a non-Administrator User Account
    1. Open the Control Panel (Start › Control Panel)
    2. If your Control Panel is in Category view, click on "Add or remove user accounts"

      Otherwise, click on "User Accounts"…

      …followed by "Manage another account".

    3. Click "Create a new account"

    4. Give this new user account a name of YOURNAME-BROKEN, as shown below.

      Make sure you make this account a Standard user, NOT an Administrator.

      Click "Create Account".

    Once this is done, you will need to restart your Windows 7 computer to continue. You will not need to log into your Unprivileged account just yet.
  2. Next, we need to open a Command Prompt window. Click on the Start button, then type cmd into the "Search programs and files" box.
  3. Execute the following commands:
    SETX SSLKEYLOGFILE C:\keys\session-keys.log
    MKDIR \keys
    ECHO.> \keys\session-keys.log
  4. Restart your computer again. This time, log into your Unprivileged user account which you will be using for the rest of the Project.
  5. Confirm that session keys are being logged.
  6. Open Google Chrome, then go to gmail.com to initiate a secure connection.
  7. Open Windows Explorer, then navigate to C:\keys and open the session-keys file.

    You should see one line of hex-encoded key material for each secure connection the browser has made.
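To check what the key log file contains without relying on a screenshot, here is an added Python example (not part of the original project, and not Wireshark's own code) that parses the NSS key log format described in the linked imperialviolet post: RSA lines carry the first 8 bytes of the encrypted pre-master secret followed by the 48-byte pre-master secret, and CLIENT_RANDOM lines carry the 32-byte client random followed by the 48-byte master secret. The find_premaster function imitates how Wireshark picks the right RSA line for a captured ClientKeyExchange by matching that 8-byte prefix. The sample log lines are constructed for the example, not taken from a real session.

```python
"""Parse an SSLKEYLOGFILE (NSS key log format) and report what it contains.

Added example for this project, not code from the original page or Wireshark.
It assumes the two line shapes from the imperialviolet post the page links:
  RSA <16 hex: first 8 bytes of encrypted pre-master> <96 hex: pre-master secret>
  CLIENT_RANDOM <64 hex: client random> <96 hex: master secret>
"""
import binascii
from collections import Counter

# Expected hex lengths of the two fields for the labels this example understands.
FIELD_LENGTHS = {
    "RSA": (16, 96),            # 8-byte lookup prefix, 48-byte pre-master secret
    "CLIENT_RANDOM": (64, 96),  # 32-byte client random, 48-byte master secret
}


def parse_keylog(text):
    """Return (entries, bad): entries are (label, lookup_key, secret) tuples
    with the hex fields decoded to bytes; bad lists (line number, reason)
    for lines that do not match the expected shape. Blank lines and '#'
    comments are skipped. Malformed entries are reported rather than dropped,
    because a bad line is a common reason a session stays encrypted in Wireshark."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            bad.append((lineno, "expected 3 fields"))
            continue
        label, field1, field2 = parts
        if label not in FIELD_LENGTHS:
            bad.append((lineno, f"unknown label {label}"))
            continue
        want1, want2 = FIELD_LENGTHS[label]
        if len(field1) != want1 or len(field2) != want2:
            bad.append((lineno, "wrong field length"))
            continue
        try:
            entries.append((label, binascii.unhexlify(field1), binascii.unhexlify(field2)))
        except binascii.Error:
            bad.append((lineno, "not hex"))
    return entries, bad


def summarize(entries):
    """Count entries per label, e.g. {'RSA': 1, 'CLIENT_RANDOM': 1}."""
    return dict(Counter(label for label, _, _ in entries))


def find_premaster(entries, encrypted_premaster):
    """Mimic Wireshark's RSA lookup: the first 8 bytes of the encrypted
    pre-master secret from the ClientKeyExchange select the log entry."""
    prefix = encrypted_premaster[:8]
    for label, key, secret in entries:
        if label == "RSA" and key == prefix:
            return secret
    return None


# Constructed sample log: the values are made up, not captured from any site.
SAMPLE_LOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "RSA 0102030405060708 " + "aa" * 48,
    "CLIENT_RANDOM " + "bb" * 32 + " " + "cc" * 48,
    "RSA deadbeef 00",  # deliberately malformed line
])

if __name__ == "__main__":
    entries, bad = parse_keylog(SAMPLE_LOG)
    print(summarize(entries))   # {'RSA': 1, 'CLIENT_RANDOM': 1}
    print(bad)                  # [(4, 'wrong field length')]
    # A constructed 256-byte "encrypted pre-master" whose prefix matches line 2.
    captured = bytes(range(1, 9)) + b"\x00" * 248
    print(find_premaster(entries, captured).hex()[:8])  # aaaaaaaa
```

Run it against C:\keys\session-keys.log by replacing SAMPLE_LOG with the file's contents; an empty entry list after visiting a site means the browser did not pick up the SSLKEYLOGFILE variable, which is the first thing to check if Wireshark shows no "Decrypted SSL Data" tab.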

Reading YAHOO.com Traffic with Wireshark

  1. In Chrome, go to YAHOO.COM, then click "Email"
  2. Left-click on the padlock icon on the left side of the address bar, then left-click "Connection".

    Notice the message saying "The connection uses TLS 1.0". When Yahoo upgrades to TLS 1.2, the way AOL did, this project will stop working.

  3. Open Wireshark. In the menu bar, go to Edit › Preferences.

    In the Preferences window, expand "Protocols" on the left side and scroll down to SSL.

    In the "(Pre)-Master-Secret log filename" field, type C:\keys\session-keys.log, then click OK.

  4. Start capturing packets with Wireshark

    A screenshot should be here

  5. Type tcp.port == 443 && http.request.method == "POST" in the Filter textbox, then click "Apply".

    A screenshot should be here

  6. In Google Chrome, try to log in with the following credentials: The password will be rejected. Go back to Wireshark.
  7. There should be a single packet listed for the active filter. At the bottom, click on the tab labeled "Decrypted SSL Data"

    If you scroll down on this panel, you should see the username and password you provided to YAHOO, like so:

    Take a screenshot showing the username and password you supplied to YAHOO.com to turn in for credit for this assignment.

Saving the Screen Image

Make sure you can see the password containing your name, as shown above.

On your keyboard, press the PrntScrn key.

Click Start, type in PAINT, and open Paint.

Press Ctrl+V to paste in the image of your desktop.

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT.

Save the image with a filename of "Proj 6xa from YOUR NAME".

Attempting to Read Gmail Traffic with Wireshark

Let's take a look at the Connection settings for Gmail.

Or to break it down:

Let's try to read our Username and Password with Wireshark again. You should end up with this:

"Oh no, what went wrong?" Don't panic, this is the expected outcome.

Let's change our filter to show all traffic between our home computer and Gmail's network: tcp.port == 443 && ip.addr == 74.125.0.0/16

If you read through the captured packets, you will find that all of our network traffic is still encrypted, which means you cannot locate your username and password. You may be wondering why YAHOO was readable when Gmail is not.

Let's examine the Connection settings of both websites:

Website                  YAHOO      Gmail
Protocol                 TLS 1.0    TLS 1.2
Key Exchange Mechanism   RSA        ECDHE_RSA

The difference is that YAHOO used RSA as its key exchange mechanism, while Gmail used something called ECDHE in addition to RSA.

With plain RSA key exchange, your browser chooses the secret from which the encryption and decryption keys are derived, and sends it to the server encrypted with the server's public RSA key. Thus, if somebody had the server's RSA private key, they would be able to read any previously captured SSL traffic. Since Wireshark has the key material that your own browser logged, we are able to read our own passwords, but nobody else's.

When ECDHE and RSA are used together, the server generates a random (and hopefully unpredictable) ephemeral private key for your session, computes the matching public key, and signs that public key with its long-term RSA key before sending it to you. As a result, your encryption/decryption key is not determined by the server's RSA key pair. Each user gets a different session key (keys are not reused across users) and the ephemeral keys are destroyed after each session. Thus, if somebody had the server's RSA private key, they would not be able to read previously captured SSL traffic if ECDHE_RSA is used.

This property (not being able to decrypt past communications with a copy of one party's long-term private key) is called forward secrecy.
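The difference between the two key exchanges can be made concrete by simulating both handshakes and then handing a copy of the server's RSA private key to someone who captured them. The following Python block is an added example written for this page, not code from the original project; its RSA parameters (two fixed small primes) and the Diffie-Hellman group (the prime 2^127 - 1 with generator 3, standing in for the elliptic curve that ECDHE would use) are toy values chosen for illustration and are not secure.

```python
"""Why a leaked server RSA key reads old RSA-key-exchange sessions but not
ECDHE sessions. Added example for this page, not from the original project.

Toy parameters only: a Diffie-Hellman group modulo 2^127-1 stands in for the
elliptic curve, and RSA uses two fixed small primes. The shape of the protocol
is what matters here, not the strength of the numbers.
"""
import hashlib
import secrets

# --- toy RSA (textbook, constructed parameters; never use for real) ---------
P, Q = 1000003, 1000033          # two small primes, constructed for the demo
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PUB = (N, E)
SERVER_PRIV = (N, D)             # the long-term key an attacker might steal


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, data):
    # Textbook signature: hash reduced into the modulus, then raised to d.
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n


# --- toy ephemeral Diffie-Hellman (stands in for ECDHE) ---------------------
DH_P = 2 ** 127 - 1   # a Mersenne prime; constructed small group
DH_G = 3


def session_key(shared_secret):
    """Both sides derive the record-layer key from the shared secret."""
    return hashlib.sha256(str(shared_secret).encode()).digest()


def rsa_key_exchange():
    """Client picks the pre-master secret and sends it RSA-encrypted.
    Returns (transcript visible on the wire, key both sides derive)."""
    pre_master = secrets.randbelow(N - 2) + 2
    transcript = {"encrypted_pre_master": rsa_encrypt(SERVER_PUB, pre_master)}
    return transcript, session_key(pre_master)


def dhe_rsa_key_exchange():
    """Server signs a fresh ephemeral public value; both sides derive g^(ab).
    The ephemeral exponents a and b never leave their owner and are discarded."""
    b = secrets.randbelow(DH_P - 2) + 2            # server ephemeral, thrown away
    server_pub = pow(DH_G, b, DH_P)
    sig = rsa_sign(SERVER_PRIV, str(server_pub).encode())
    if not rsa_verify(SERVER_PUB, str(server_pub).encode(), sig):
        raise ValueError("client rejects unsigned ephemeral key")
    a = secrets.randbelow(DH_P - 2) + 2            # client ephemeral, thrown away
    client_pub = pow(DH_G, a, DH_P)
    shared = pow(server_pub, a, DH_P)              # equals pow(client_pub, b, DH_P)
    transcript = {"server_pub": server_pub, "signature": sig, "client_pub": client_pub}
    return transcript, session_key(shared)


def recover_with_server_key(transcript, server_priv):
    """What someone holding the server's long-term RSA key can do with a
    captured handshake. Returns the session key, or None if it cannot."""
    if "encrypted_pre_master" in transcript:
        # RSA key exchange: the private key decrypts the pre-master secret.
        return session_key(rsa_decrypt(server_priv, transcript["encrypted_pre_master"]))
    # DHE: the transcript holds only g^a, g^b and a signature. The RSA key
    # reveals neither exponent, so the recorded session's secret is gone.
    return None


if __name__ == "__main__":
    t, k = rsa_key_exchange()
    print("RSA session recovered:", recover_with_server_key(t, SERVER_PRIV) == k)  # True
    t, k = dhe_rsa_key_exchange()
    print("DHE session recovered:", recover_with_server_key(t, SERVER_PRIV) == k)  # False
```

With the RSA transcript, recover_with_server_key decrypts the pre-master secret and derives the same session key the browser did; with the DHE transcript, the only values that determined the key (the two ephemeral exponents) were never sent and have been discarded, so the function has nothing to work with. The stolen RSA key would still let an active attacker impersonate the server in future handshakes, which is why forward secrecy protects past sessions only.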

Restoring Your System

Click Start. Type in RESTORE. Click "Restore your computer to an earlier time".

In the "Restore this computer to an earlier point in time" box, click "Open System Restore".

In the "Restore system files and settings" box, click Next.

In the "Restore your computer to the state it was in before the selected event" box, click Next.

In the "Confirm your restore point" box, click Finish.

In the "Once started, System Restore cannot be interrupted. Do you want to continue?" box, click Yes.

Your computer will restart.

Log in as usual.

You should see a message saying "System restore completed successfully", as shown below.

Saving the Screen Image

Make sure you can see the message saying "System restore completed successfully", as shown above.

On your keyboard, press the PrntScrn key.

Click Start, type in PAINT, and open Paint.

Press Ctrl+V to paste in the image of your desktop.

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT.

Save the image with a filename of "Proj 6xb from YOUR NAME".

Turning in Your Project

Email the image to: cnit.120@gmail.com with a subject line of Proj 6x From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Source

https://www.imperialviolet.org/2012/06/25/wireshark.html


Written by Scott Arciszewski and Sam Bowne

Last Modified: 11-24-13 1:48 am