Wireshark-dev: Re: [Wireshark-dev] Support for TLS1.2 decryption using derived keys

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Fri, 1 May 2020 22:24:16 +0200
On Fri, May 01, 2020 at 02:39:28PM +0300, webpentest wrote:
> Hello Peter,
> On 01.05.2020 01:23, Peter Wu wrote:
> >
> >> 1. A generic way to export schannel key material in SSLKEYLOG-like
> >> format using elevated privilege and lsass.exe debugging / memory.
> >> Preferably - the data that wireshark supports already - master secret
> >> for tls <= 1.2 and the intermediate traffic secrets for tls 1.3
> > That would be great :-)
> 
> I wrote a script to do that and documented its usage on
> http://b.poc.fun/sslkeylog-for-schannel/. It is in now way generic
> (yet), but I successfully use in my research. Feel free to give it a go!
> The main problem really is to get crandom and correlate it with master key.

Thanks, right now I cannot test it but I'll keep this as reference!

As for the linking with a session, if obtaining the Client Random is too
complicated, but a ClientHello.SessionID is available, consider using
the "RSA Session-ID:" format as done by the earlier SChannel work [1].
The various available mappings can be found in the source code, but they
are also summarized at https://security.stackexchange.com/a/42350/2630

 [1]: https://www.blackhat.com/docs/us-16/materials/us-16-Kambic-Cunning-With-CNG-Soliciting-Secrets-From-SChannel.pdf

Since it relies on undocumented structures, maybe you could make an
automated test that you run with GitHub Actions to check whether it
keeps working? That can act as usage documentation as well.

(Aside: maybe you can slap a Let's Encrypt certificate on your domain
and make it available over HTTPS?)

> It is currently win-10 only, TLS1.2-only, does not work with resumed TLS
> sessions and poorly handles simultaneous connects.

With TLS 1.2, it resumes with the same master secret. So as long as you
have extracted the master secret from previous sessions, you should be
able to use the same master secret if you combine it with the Client
Random from the second session.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl