Monday, March 15, 2010

Write-up Codegate 2010 #7 - Decrypting HTTPS SSL/TLSv1 using RSA 768bits with Wireshark

Last week-end, I was a challenger at Codegate 2010 Capture the Flag with team Nibbles. Well organized by Koreans guys (who didn't sleep a lot either ;), the CTF proposed quality challenges and I thought it would be a great subject for a few posts.

Challenge #7 was a network capture file (ssl.pcap) containing an encrypted https session. The hint was: does the modulus look familiar?. The goal is obviously to decrypt the https to find the flag. Let's see how we can do that!

Steps:
  1. Extract public certificate
  2. Identify encryption
  3. Create private certificate
  4. Decrypt https

1. Extract public certificate


Launch Wireshark and open the capture file. Browse the packets to the TLSv1 Server hello. Open the SSL layer, expand TLSv1 Record Layer containing certificate, select the certificate and use right-click/Export selected packet bytes to save the X.509 certificate in binary DER as public.der.


2. Identify encryption


Using OpenSSL suite, you can see information contained in certificate:
$ openssl x509 -inform DER -in public.der -text
[...]
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (768 bit)
                Modulus (768 bit):
                    00:ca:d9:84:55:7c:97:e0:39:43:1a:22:6a:d7:27:
                    f0:c6:d4:3e:f3:d4:18:46:9f:1b:37:50:49:b2:29:
                    84:3e:e9:f8:3b:1f:97:73:8a:c2:74:f5:f6:1f:40:
                    1f:21:f1:91:3e:4b:64:bb:31:b5:5a:38:d3:98:c0:
                    df:ed:00:b1:39:2f:08:89:71:1c:44:b3:59:e7:97:
                    6c:61:7f:cc:73:4f:06:e3:e9:5c:26:47:60:91:b5:
                    2f:46:2e:79:41:3d:b5
[...]

The interesting thing here is that the public-key algorithm is RSA, the modulus 768 bits and specifically it's RSA-768 which has been factored!
RSA-768 = 334780716989568987860441698482126908177047
          949837137685689124313889828837938780022876
          14711652531743087737814467999489
          × 3674604366679959042824463379962795263227
          915816434308764267603228381573966651127923
          3373417143396810270092798736308917

Conclusion: we are able to create our own private certificate, valid to decrypt the SSL.

3. Create private certificate


Thanks to Mister P and Q's Excellent Solution to Didier Stevens' Authenticode Challenge, it was really easy.

I used their CreatePEM.cpp, turned it back into a C program, included e_os.h from OpenSSL and added P & Q of RSA-768bits which gave me create_private.c. Make sure you also have OpenSSL development files installed (package libssl-dev on Debian), then compile with:
$ gcc -lssl -o create_private create_private.c

Then run it to generate private.pem, the private certificate in PEM format:
$ ./create_private
$ ls -l private.pem
-rw-r--r-- 1 stalkr stalkr 692 2010-03-15 16:17 private.pem

4. Decrypt https


Open Wireshark preferences file:
  • on Linux: ~/.wireshark/preferences
  • on Windows: C:\Documents and Settings\<user>\Application Data\Wireshark\preferences

Inform Wireshark that you want it to desegment SSL records and application data, and give it the private certificate for the https server we observed (192.168.100.4):
ssl.desegment_ssl_records: TRUE
ssl.desegment_ssl_application_data: TRUE
ssl.keys_list: 192.168.100.4,443,http,/home/stalkr/codegate/7/private.pem
Fix the path to private certificate accordingly, on Windows use regular slashes /.

Again, launch Wireshark and open the capture file. We can now see the application data: an HTTP GET request to index.html, and the response containing the flag.


Interesting challenge isn't it?
Thanks goes to my friend SiD for his help on this challenge.

11 comments:

  1. а я ебался...

    ReplyDelete
  2. Hi stalkr, good post, it is what i am looking for :D. actually i'm doing a pentest in my job using tshark but i have one doubt, do you know if it can be possible with hotmail, gmail (ssl/tls) traffic? i hope you can answer me my best regards from mexico

    ReplyDelete
  3. No it's not possible. Good luck!

    ReplyDelete
  4. Very handy, thanks. FWIW, I had to use -lcrypto as well on 12.04 ubuntu:

    gcc -o create_private create_private.c -lssl -lcrypto

    ReplyDelete
  5. I have public key of RSA-2048. Can you help me to decrypt it?

    ReplyDelete
  6. it can be done whit this keys for example?

    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:9d:0e:0c:1c:c5:06:81:fe:75:bd:fd:2e:6a:e5:
    53:85:77:02:70:02:fd:55:96:7c:cd:cd:7a:4a:2a:
    17:9e:37:a2:00:47:8a:b1:46:f3:f4:ae:d4:54:c1:
    76:f6:d0:7a:5d:05:4b:1f:03:66:0e:9e:62:b3:0b:
    ........

    ReplyDelete
  7. I have a md5WithRSAEncryption

    Public Key Algorithm: rsaEncryption
    Public-key: 512 bit
    Exponent: 3(0x3)

    which RSA do i need?

    ReplyDelete