Tutorial: Transport Layer Security (TLS), Secure Socket Layer (SSL)

This tutorial discusses the plugin sslDecode.

Preparation

Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.

First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins

$ t2build tranalyzer2 basicFlow tcpStates sslDecode txtSink
...
BUILD SUCCESSFUL

$

If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: . Now you’re all set.

sslDecode

Let’s look at the plugin configuration first:

$ sslDecode
$ vi src/sslDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

// OpenVPN
#define SSL_ANALYZE_OVPN       0 // analyze OpenVPN (Experimental)

// SSL/TLS
#define SSL_EXT_LIST           1 // output the list and number of extensions
#define SSL_MAX_EXT            8 // maximum number of extensions to store

#define SSL_EC                 1 // output the list and number of Elliptic Curve
#define SSL_MAX_EC             6 // maximum number of EC to store

#define SSL_EC_FORMATS         1 // output the list and number of Elliptic Curve point formats
#define SSL_MAX_EC_FORMATS     6 // maximum number of EC formats to store

#define SSL_PROTO_LIST         1 // output the list and number of protocols
#define SSL_MAX_PROTO          6 // maximum number of protocols to store
#define SSL_PROTO_LEN         16 // maximum number of characters per protocols

#define SSL_CIPHER_LIST        1 // output the list and number of supported ciphers
#define SSL_MAX_CIPHER        30 // maximum number of ciphers to store

#define SSL_ANALYZE_CERT       1 // analyze certificates

#if SSL_ANALYZE_CERT == 1

#define SSL_CERT_SERIAL        1 // print the certificate serial number
#define SSL_CERT_FINGPRINT     1 // 0: no certificate fingerprint, 1: SHA1, 2: MD5
#define SSL_CERT_VALIDITY      1 // print the certificate validity (Valid from/to)
#define SSL_CERT_SIG_ALG       1 // print the certificate signature algorithm
#define SSL_CERT_PUBKEY_ALG    1 // print the certificate public key algorithm
#define SSL_CERT_ALG_NAME_LONG 0 // use short (0) or long (1) names for algorithms
#define SSL_CERT_PUBKEY_TS     1 // print the certificate public key type and size

#define SSL_CERT_SUBJECT       2 // 0: no information about the certificate subject,
                                 // 1: print the whole subject as one string,
                                 // 2: print selected fields only
#define SSL_CERT_ISSUER        2 // 0: no information about the certificate issuer,
                                 // 1: print the whole issuer as one string,
                                 // 2: print selected fields only

#if ((SSL_CERT_SUBJECT == 2) || (SSL_CERT_ISSUER == 2))
#define SSL_CERT_COMMON_NAME   1 // print the common name of the issuer/subject
#define SSL_CERT_ORGANIZATION  1 // print the organization name of the issuer/subject
#define SSL_CERT_ORG_UNIT      1 // print the organizational unit name of the issuer/subject
#define SSL_CERT_LOCALITY      1 // print the locality name of the issuer/subject
#define SSL_CERT_STATE         1 // print the state or province of the issuer/subject
#define SSL_CERT_COUNTRY       1 // print the country of the issuer/subject
#endif // ((SSL_CERT_SUBJECT == 2) || (SSL_CERT_ISSUER == 2))

// TODO in order to analyze ALL certificates, we need to reassemble packets...
#define SSL_RM_CERTDIR         1 // remove SSL_CERT_PATH before starting
#define SSL_SAVE_CERT          0 // save certificates
#define SSL_CERT_NAME_FINDEX   0 // prepend the flowIndex to the certificate name

#if SSL_SAVE_CERT == 1 || SSL_CERT_FINGPRINT == 1
#define SSL_BLIST              0 // Search for blacklisted certificates
#define SSL_BLIST_LEN         41 // Max length for blacklist descriptions
#define SSL_JA3                1 // Output JA3 fingerprint (hash and description)
#define SSL_JA3_STR            0 // Also output JA3 fingerprint before hashing
#define SSL_JA3_DLEN         512 // Max length for JA3 descriptions
#define SSL_JA3_STR_LEN     1024 // Max length for uncompressed JA3 signatures (ja3_str)
#endif // SSL_SAVE_CERT == 1 || SSL_CERT_FINGPRINT == 1

#define SSL_CERT_PATH "/tmp/TranCerts/" // folder for saved certificates
#define SSL_CERT_EXT  ".pem"            // extension for saved certificates

#endif // SSL_ANALYZE_CERT == 1

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Run t2 on the supplied pcap.

$ t2 -r ~/data/ -w ~/results/ -s
$

So what does the aggregated sslStat tells us?

$ tawk -V sslStat
The sslStat column is to be interpreted as follows:

   bit | sslStat | Description
   =============================================================================
     0 | 0x0001  | Message had mismatched version
     1 | 0x0002  | Record was too long (max 16384)
     2 | 0x0004  | Record was malformed, e.g., invalid value
     3 | 0x0008  | Certificate had expired
     4 | 0x0010  | Connection was closed due to fatal alert
     5 | 0x0020  | Connection was renegotiated (existed before)
     6 | 0x0040  | Peer not allowed to send heartbeat requests
     7 | 0x0080  | Cipher list truncated... increase SSL_MAX_CIPHER
     8 | 0x0100  | Extension list truncated... increase SSL_MAX_EXT
     9 | 0x0200  | Protocol list truncated... increase SSL_MAX_PROTO
    10 | 0x0400  | Protocol name truncated... increase SSL_PROTO_LEN
    11 | 0x0800  | EC or EC formats list truncated... increase SSL_MAX_EC or SSL_MAX_EC_FORMATS
    12 | 0x1000  | Certificate is blacklisted
    13 | 0x2000  | Weak cipher detected (Null, DES, RC4 (RFC7465), ADH, 40/56 bits)
    14 | 0x4000  | Weak protocol detected (SSL 2.0, SSL 3.0)
    15 | 0x8000  | Weak key detected
$ cd ~/results
$ tcol

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf sslDecode --reset && t2build sslDecode
...
$

Have fun analyzing.