Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to decrypt Smart Offices encrypted traffic Thibaud Lopez Schneider Lawson Software April 27, 2010 In this paper I will describe how to intercept and.

Similar presentations


Presentation on theme: "How to decrypt Smart Offices encrypted traffic Thibaud Lopez Schneider Lawson Software April 27, 2010 In this paper I will describe how to intercept and."— Presentation transcript:

1 How to decrypt Smart Offices encrypted traffic Thibaud Lopez Schneider Lawson Software April 27, 2010 In this paper I will describe how to intercept and decrypt the encrypted HTTPS traffic from Lawson Smart Office which sometimes cannot be captured with Fiddler, and which is unreadable in Wireshark. This technique is useful for troubleshooting IBrix, Smart Office, Personalized Scripts, etc.

2 The goal is to capture IBrix traffic from Smart Office.

3 I followed my own instructions (although Im not on any VPN).

4 But Fiddler is not capturing any IBrix traffic from Smart Office; its just capturing some noise. This surprises me because it used to work in the past.

5 I dont know why Fiddler doesnt capture traffic. Maybe its because the protocol to M3 Workplace is HTTPS and not HTTP (see screenshot here). But I think that worked in the past. Or maybe Smart Office is not using WinINet anymore (plausible; to be verified).

6 Wireshark correctly captures the traffic, but its encrypted with TLS (SSL) and unreadable. Tip: Filter the packets to make it easier to identify Smart Office traffic, for example: tcp.port==443 and ip.addr==

7 I found this article on Internet that explains how to use Wireshark to decrypt SSL. Lets try. s/node/1606/decrypting+ssl+traffic+ troubleshoot+nam I found this article on Internet that explains how to use Wireshark to decrypt SSL. Lets try. s/node/1606/decrypting+ssl+traffic+ troubleshoot+nam

8 This article is similar: decrypt-https-traffic-with- wireshark.html decrypt-https-traffic-with- wireshark.html This article is similar: decrypt-https-traffic-with- wireshark.html decrypt-https-traffic-with- wireshark.html

9 And heres some general information about SSL: And heres some general information about SSL:

10 I make sure I have the correct version of Wireshark, the one with SSL enabled, which according to the article is determined if we have the settings RSA keys list and SSL debug file in Wireshark Preferences.

11 I installed OpenSSL. For Windows it can be found at: > Related > Binaries I installed OpenSSL. For Windows it can be found at: > Related > Binaries

12 Start capturing with Wireshark: Capture > Interfaces > Start.

13 Open Smart Office, login, open the Ibrix, and load some data in the IBrix. That will generate plenty of interesting traffic.

14 For curiosity, find the TLS packet that contains the Server Hello. You can sort by Protocol or by Info. The packet contains the servers public key.

15 Now lets export the servers private key. For that we need access to the server. Go to the Smart Office IIS server, expand to Default Web Site > Properties > Directory Security > View Certificate.

16 Continue to Details > Copy to File, and follow the screenshots.

17 Run this command: openssl pkcs12 -in CIDW82.pfx -out CIDW82.pem –nodes Note: Be careful with the generated pem file as it contains the servers certificate in clear text! Run this command: openssl pkcs12 -in CIDW82.pfx -out CIDW82.pem –nodes Note: Be careful with the generated pem file as it contains the servers certificate in clear text!

18 Go to WireShark > Edit > Preferences > Protocols > SSL > RSA keys list. In my case its: ,443,http,C:\THILOP\CIDW82.pem; ,443,http,C:\THILOP\CIDW44.pem Click on Apply. Go to WireShark > Edit > Preferences > Protocols > SSL > RSA keys list. In my case its: ,443,http,C:\THILOP\CIDW82.pem; ,443,http,C:\THILOP\CIDW44.pem Click on Apply. Actual setting for my two keys: ,443,http,C:\THILOP\LAWSON~1\Products\LAWSON~2\MYDOCU~1\HOWTOD~2\CIDW82.pem; ,443,http,C:\THILOP\LAWSON~1\Products\LAWSON~2\MYDOCU~1\HOWTOD~2\CIDW44.pem

19 Make sure the SSL debug file says: filename.pem successfully loaded Make sure the SSL debug file says: filename.pem successfully loaded

20 Now Wireshark is showing the decrypted HTTP packets

21 Right-click on a packet > Follow SSL stream. Now we can see all the Smart Office traffic in clear text. Next time you open Wireshark, you dont need to do any of this again. Indeed, Wireshark has remembered the servers private keys. So just capture the traffic as usual, and right-click > Follow SSL stream. Right-click on a packet > Follow SSL stream. Now we can see all the Smart Office traffic in clear text. Next time you open Wireshark, you dont need to do any of this again. Indeed, Wireshark has remembered the servers private keys. So just capture the traffic as usual, and right-click > Follow SSL stream.

22 Conclusion With the technique described in this paper we were able to intercept and decrypt the encrypted HTTPS traffic from Lawson Smart Office which otherwise cannot be captured with Fiddler, and which is unreadable in Wireshark. This technique is useful for troubleshooting IBrix, Smart Office, Personalized Scripts, etc. Does that demonstrate a flaw in Smart Office? Not at all. Smart Office relies on HTTPS which relies on SSL encryption which is secure and which itself relies on public and private keys. To decrypt the traffic, we had to to export the servers private key (which by definition is not public) and for that we had to get access to the server (which is secure). So this technique does not demonstrate any flaw.

23 Thibaud Lopez Schneider


Download ppt "How to decrypt Smart Offices encrypted traffic Thibaud Lopez Schneider Lawson Software April 27, 2010 In this paper I will describe how to intercept and."

Similar presentations


Ads by Google