
Add KEYLOGFILE TLS decryption support.

Open: vadimszzz opened this issue 3 years ago • 1 comment

I have such code:

import json

nss_keys = {}

with open("captured.keylog", "r") as keylogfd:
    for line in keylogfd:
        tokens = line.strip().split()
        # skip blank lines, '#' comment lines and entries that are still being written
        if len(tokens) < 3 or tokens[0].startswith('#'):
            continue
        if tokens[1] not in nss_keys:
            nss_keys[tokens[1]] = {}
        if tokens[0] == 'CLIENT_RANDOM':
            nss_keys[tokens[1]]['master_secret'] = tokens[2]
        elif tokens[0] == 'CLIENT_HANDSHAKE_TRAFFIC_SECRET':
            nss_keys[tokens[1]]['client_handshake_secret'] = tokens[2]
        elif tokens[0] == 'SERVER_HANDSHAKE_TRAFFIC_SECRET':
            nss_keys[tokens[1]]['server_handshake_secret'] = tokens[2]
        elif tokens[0] == 'CLIENT_TRAFFIC_SECRET_0':
            nss_keys[tokens[1]]['client_traffic_secret'] = tokens[2]
        elif tokens[0] == 'SERVER_TRAFFIC_SECRET_0':
            nss_keys[tokens[1]]['server_traffic_secret'] = tokens[2]

print(json.dumps(nss_keys, indent=4))

that produces:

{
    "7834e2da48ed053d149e3587e646eef8d37cbd4c96bcd3e010089c2dbf3918f6": {
        "client_handshake_secret": "3cc7fb6f9518cd0e37eba33de56fa5e2d8fac3273d19f311abc5f135b152cae7",
        "server_handshake_secret": "195e9473d29b45c71a261e303b4075e418c0b7d23268a44895d0d6a8ad42a74f",
        "client_traffic_secret": "98a36efdd5b709685456a9ffd550addbfda34213661ddadf3aee1fee2a18bdc9",
        "server_traffic_secret": "5fd2f247d0b31c80dd899a93a6d193424309e640658d0329b0f3376260e61208"
    },
    "82f2d1337f0065ecd9fa5cc844c74813daa3585f011a07ecdb793c30edfb9a4a": {
        "client_handshake_secret": "f066f004712237a8cbb192cadaad5e9a795df98cd806e5f7e0d1509864fc2c52",
        "server_handshake_secret": "13d3b2a8f8330b478c32bfec00a301585246b8df218ef83d748eda2de6ed785d",
        "client_traffic_secret": "e7ed02a33e208ce3390e45c5d176fa95a1da1b46e3199579eff2d5df5e696850",
        "server_traffic_secret": "b86a222f4b789839d705f15026f72bdffb2849584b0d5046524f5d9987bb10f2"
    }
}

captured.pcap and captured.keylog are being updated in real time.

I want to use these keys to decrypt TLS traffic and get the reconstructed flow with decrypted HTTPS requests and responses as a live stream, so that I can see every HTTP request together with its response in the terminal as they appear. It would be awesome to re-read and update the .pcap and .keylog files as they are updated, but that is not the most important thing. First of all, how do I decrypt the traffic?

vadimszzz avatar Nov 29 '21 11:11 vadimszzz
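Added example, not code from the issue or from dpkt: a key log parser that tolerates the comment, blank and half-written lines a live-updated keylog contains, followed by the step the question is really asking for on the TLS 1.3 side, deriving the AEAD write key and IV from a logged traffic secret with HKDF-Expand-Label (RFC 8446 section 7.1), which is what any decryptor needs before it can open a record. The sample key log text is constructed, and SHA-256 with AES-128-GCM key/IV sizes is assumed; the TLS 1.2 CLIENT_RANDOM path needs the PRF from RFC 5246 instead and is only parsed here.

```python
import hmac
SAMPLE_KEYLOG = "\n".join([  # constructed NSS key log text, not from the issue; hex values are arbitrary
    "# SSL/TLS secrets log file, generated by the client",
    f"CLIENT_RANDOM {'aa' * 32} {'bb' * 48}",  # TLS 1.2 style entry (master secret)
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'cc' * 32} {'11' * 32}",  # TLS 1.3 entries share one client random
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'cc' * 32} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'cc' * 32} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'cc' * 32} {'44' * 32}",
    "",                        # a bare tokens[1] lookup raises IndexError here
    "CLIENT_RANDOM deadbeef",  # truncated entry, e.g. read while the file is still being written
])
LABELS = {"CLIENT_RANDOM": "master_secret",  # key log label -> name used in the issue's dict
          "CLIENT_HANDSHAKE_TRAFFIC_SECRET": "client_handshake_secret",
          "SERVER_HANDSHAKE_TRAFFIC_SECRET": "server_handshake_secret",
          "CLIENT_TRAFFIC_SECRET_0": "client_traffic_secret",
          "SERVER_TRAFFIC_SECRET_0": "server_traffic_secret"}

def parse_keylog(text):
    """Return {client_random_hex: {name: secret_bytes}}, skipping comments and malformed lines."""
    keys = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 3 or tokens[0] not in LABELS:
            continue  # blank lines, '#' comments, unknown labels, truncated lines
        try:
            secret = bytes.fromhex(tokens[2])
        except ValueError:
            continue  # not hex: ignore rather than poison the key map
        keys.setdefault(tokens[1].lower(), {})[LABELS[tokens[0]]] = secret
    return keys

def hkdf_expand(prk, info, length, hash_name="sha256"):
    """RFC 5869 HKDF-Expand using HMAC-<hash_name>."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length, hash_name="sha256"):
    """RFC 8446 section 7.1: HkdfLabel = uint16 length || "tls13 " + label || context."""
    full_label = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length, hash_name)

def traffic_keys(secret, key_len=16, iv_len=12, hash_name="sha256"):
    """AEAD write key and static IV for one direction (AES-128-GCM sizes assumed); per-record nonce = IV XOR record number."""
    return (hkdf_expand_label(secret, b"key", b"", key_len, hash_name),
            hkdf_expand_label(secret, b"iv", b"", iv_len, hash_name))
```

Match the client random from the ClientHello in the pcap against the parsed map, then feed the derived key and IV (nonce XORed with the per-direction record sequence number) to an AES-GCM implementation to open each TLS 1.3 record.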

You can take a look at https://github.com/secdev/scapy/pull/3374 and https://github.com/cisco/mercury/blob/main/python/pmercury/protocols/tls_decrypt.py

vadimszzz avatar Nov 29 '21 12:11 vadimszzz