Decrypting SSL in Wireshark

Now you need to move your pre-master key file and your capture to your local box. To do this, do the following:

  1. Open Terminal on the Ubuntu Jump Box.

  2. Change directory to Documents by typing: ‘cd Documents’.

  3. Run the following commands:

    sudo scp root@10.1.1.245:/var/tmp/session.pms ./
    sudo scp root@10.1.1.245:/var/tmp/hackazon.pcap ./

    After each of these commands you will be prompted to accept the SSH host key (compare the fingerprint shown against the BIG-IP's known host key before accepting). Type yes to continue. Then you will be prompted for the F5 root password. Type that in as well.
    
  4. Now open Wireshark.

  5. Once Wireshark is open go to Edit/Preferences.

  6. On the left side, expand Protocols, then select SSL.

    (image: ../../_images/premaster-session.png)

  7. In the (Pre)-Master-Secret log filename field, browse to the pre-master session key file and click Save.

  8. In Wireshark, open the pcap file you pulled down from the F5 BIG-IP.

  9. Right-click one of the SSL packets and select Follow, then SSL Stream.

    (image: ../../_images/follow-ssl-stream.png)

  10. You will now see the decrypted SSL data in the capture, as follows:

    (image: ../../_images/ssl-decrypted-data.png)
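As an added example (not part of the lab guide or any F5 tooling), the script below covers step 3 and steps 5 through 10 from the command line: it checks that the pre-master secret file is well-formed before Wireshark is pointed at it, and builds the equivalent tshark command so the same decryption can be scripted or repeated without the GUI. It assumes the key file uses the NSS key log format that Wireshark's (Pre)-Master-Secret log filename preference reads (CLIENT_RANDOM or RSA Session-ID lines); the host, file names and paths are the lab's own, and the sample lines in the usage comment are constructed. The preference is named `tls.keylog_file` in Wireshark 3.x and later; older releases that still call the protocol "SSL", as the screenshots here do, name it `ssl.keylog_file`.

```shell
#!/bin/sh
# Added example: sanity-check a pre-master secret file and build the tshark
# decryption command. Assumption (not from the lab): the file is in NSS key log
# format, i.e. lines such as
#   CLIENT_RANDOM <64 hex chars> <96 hex chars>
#   RSA Session-ID:<hex> Master-Key:<96 hex chars>
# A malformed file is the most common reason Wireshark silently shows no
# decrypted data, so validate before loading it.

# validate_pms_file FILE
# Returns 0 if every non-blank, non-comment line is a well-formed key log entry,
# 1 if any line is malformed, 2 if the file cannot be read.
validate_pms_file() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    errors=0
    lineno=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;    # blank lines and comments are allowed
        esac
        if printf '%s\n' "$line" | grep -Eq '^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$'; then
            continue
        fi
        if printf '%s\n' "$line" | grep -Eq '^RSA Session-ID:[0-9a-fA-F]+ Master-Key:[0-9a-fA-F]{96}$'; then
            continue
        fi
        echo "$file: line $lineno is not a valid key log entry" >&2
        errors=1
    done < "$file"
    return $errors
}

# tshark_decrypt_cmd PCAP PMSFILE
# Prints the tshark command that decrypts PCAP with PMSFILE and lists the HTTP
# requests that were carried inside the TLS sessions (the CLI equivalent of
# steps 5-10). It is printed rather than executed so this script also works on a
# box without tshark; run the printed line on the jump box.
tshark_decrypt_cmd() {
    pcap="$1"
    pms="$2"
    printf 'tshark -r %s -o tls.keylog_file:%s -Y http.request -T fields -e ip.src -e http.host -e http.request.uri\n' "$pcap" "$pms"
}

# Usage with the lab's files, after pulling them down as in step 3:
#   validate_pms_file session.pms && sh -c "$(tshark_decrypt_cmd hackazon.pcap session.pms)"
```

If `validate_pms_file` reports a bad line, fix the key file before loading it in Wireshark: a single malformed entry does not break the others, but an entry whose CLIENT_RANDOM does not match any ClientHello in the capture will leave that session encrypted, which is worth knowing before concluding the capture itself is at fault.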