herman (Posted August 25, 2015)

Hi all,

Recently I played around with some embedded devices (no, not the Hikvision). On one of them I found a private RSA key and a certificate file. These are used to implement HTTPS as far as I can see right now. It does not seem to be used for SSH authentication.

Let's say I can take these files off the device and have a PCAP file with traffic between the device and a workstation configuring the device over HTTPS: How could I decode this? My current thought is looking into OpenSSL and some scripting or coding to load the private key and PCAP file, then decode it and store the output. Would this be the right way, is there something easier, any pitfalls?

Thanks for thinking along

Francesco (Posted August 25, 2015)

Hi Herman, you may be able to decrypt it by setting the options in Wireshark -> Edit -> Preferences -> Protocols -> SSL, and then you can add a list of RSA keys to use.

herman (Posted August 25, 2015)

Thanks! That sounds a bit faster ;-) I'll try it out if I find a way to receive a PCAP. Otherwise I'll create a lab later on as a test. Your post reminds me I should actually read the Wireshark books I have, some day...

Francesco (Posted August 25, 2015)

Let us know if it works.

GiRa (Posted August 25, 2015)

If you cannot decrypt the traffic with Wireshark, this means that the handshake between the parties creates a session key with PFS. Probably using DH.
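
Added example, not part of the thread: whether the private key alone can decrypt a capture depends on the cipher suite the server picks in its ServerHello, so this sketch parses that record and classifies the key exchange. The function names, the short suite table (a subset of the IANA registry) and the sample records are assumptions constructed for illustration.

```python
import struct

# Key exchange by IANA cipher suite ID (small subset, not the full registry).
RSA_KX = {0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
# DHE/ECDHE suites, plus the TLS 1.3 suites (always ephemeral key exchange).
FS_KX = {0x0033, 0x0039, 0x009E, 0x009F, 0xC013, 0xC014, 0xC02F, 0xC030,
         0x1301, 0x1302, 0x1303}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite ID chosen in a TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:  # server_version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]  # skip the variable-length session ID
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def key_alone_decrypts(suite: int) -> str:
    """Can the server's RSA private key by itself recover the session keys?"""
    if suite in RSA_KX:
        return "yes"      # premaster secret is RSA-encrypted to the server key
    if suite in FS_KX:
        return "no"       # ephemeral (EC)DH: RSA key only signs the handshake
    return "unknown"      # suite not in this subset

def make_hello(suite: int, sid: bytes = b"") -> bytes:
    """Constructed sample ServerHello record (TLS 1.2), for the demo only."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid
             + struct.pack("!HB", suite, 0))
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for s in (0x002F, 0xC02F):  # TLS_RSA_* vs TLS_ECDHE_RSA_*
        suite = server_hello_suite(make_hello(s, sid=bytes(32)))
        print(hex(suite), "key alone decrypts:", key_alone_decrypts(suite))
```

For forward-secret suites, decryption needs the per-session secrets from one of the endpoints (for example a key log file that Wireshark can read) rather than the certificate's private key.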