ChargePoint / wireshark-v2g

Dissector for the V2G Protocols

Documentation around extract secret script, automatic injection of client random into wireshark, etc. #57

Open JeremyWhaling opened 4 months ago

JeremyWhaling commented 4 months ago

Hello!

I was looking at the tools section of this git repo and noticed the "extract_secrets.py" script, and am wondering if there is any documentation on this script. Is it somehow called by the wireshark-v2g instance in some way, or is it only an independent tool? Is it included in the normal release for Windows (installer)?

Somewhat related, it would be very handy if the decoder could in real time react to seeing a UDP packet with the client random (secret) and begin decrypting the stream in situ. It seems like this tool is only intended for PCAP files, not a live capture (although it is still useful!).

chardin-cpi commented 4 months ago

@jhart-cpi wrote the tool for processing pcap offline since that was our main use case. Wireshark can load the key from a file, and we would need to read up in the new code to see if they can get the key from the UDP debug packet. This very likely is solved - just don't know where or how they solved it.

jhart-cpi commented 4 months ago

Anything in the tools folder is independent and not integrated into the dissector code itself.

The extract_secrets.py works by extracting the session key and then writing a pcap-ng formatted file with the secret embedded in it, but you'll notice that editcap (a Wireshark companion utility) is being called to do that work. I would consider it more of a pre-processor and we've used it independently to process some quantities of files before viewing them.

The python code uses scapy to process the packets and apply some very basic matching logic to extract the session key. Included in that folder is a Pipfile which will automatically pull in the required dependencies and create a virtualenv for you.

A more robust solution is to apply some fuzzy-finding to the packets in Lua and then insert the secret into the TLS dissector, which I have so far been unable to find support for.

JeremyWhaling commented 4 months ago

Thanks for this context! It seems that the pathway to injecting the secret is to use the Lua script to detect UDP packets which contain the pre-shared master secret and write it to a file. You would then need to go into wireshark and select this file in the TLS protocols preferences. From there, it seems Wireshark will automatically (?) start decoding. I'll try modifying the v2g.lua and report back.

jhart-cpi commented 1 week ago

The wiki mentions that it is possible to set the PSK from the preferences interface: https://wiki.wireshark.org/TLS#using-the-pre-master-secret

So with that in mind, it might be possible to extract the secret and write it to that preference for Wireshark to automatically load.

I haven't had time to experiment with it, given lack of testing devices that actually generate these packets on my end, but it should be easy enough to scan all of the UDP packets in a capture for CLIENT_RANDOM. I don't know if these packets are standard for all testing devices either.
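The pre-processing workflow jhart-cpi describes (scan UDP payloads for the session secret, write a key log, let editcap embed it in a pcap-ng) and the CLIENT_RANDOM scan mentioned in the last comment can be illustrated with the following added example. It is not the repository's extract_secrets.py and not any commenter's code; it uses only the standard library instead of scapy so it runs offline. It assumes the debug UDP payload carries an NSS key log line (`CLIENT_RANDOM <64 hex> <96 hex>`), which is an assumption about the device, not something the thread confirms; the sample pcap, addresses and port 15118 are constructed for the demo. The editcap invocation it builds (`--inject-secrets tls,<keylog>`) is the real editcap option for embedding a TLS key log as a Decryption Secrets Block.

```python
"""Scan a classic libpcap capture for UDP payloads carrying NSS-style TLS key
log lines, deduplicate them, write a key log file, and build the editcap
command that embeds the key log into a pcap-ng file for Wireshark."""
import re
import struct
from typing import Iterator, List, Optional

# Assumed payload format of the debug packet: one NSS key log line.
KEYLOG_RE = re.compile(rb"CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}")


def iter_pcap_records(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from an in-memory classic pcap buffer."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcap-ng is not handled here)")
    offset = 24               # skip the 24-byte global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def udp_payload(frame: bytes) -> Optional[bytes]:
    """Return the UDP payload of an Ethernet/IPv4/UDP frame, or None otherwise."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    if frame[14 + 9] != 17:                                # protocol != UDP
        return None
    udp_start = 14 + ihl
    udp_len = struct.unpack("!H", frame[udp_start + 4:udp_start + 6])[0]
    return frame[udp_start + 8:udp_start + udp_len]


def extract_secrets(pcap_bytes: bytes) -> List[str]:
    """Return unique key log lines found in UDP payloads, in capture order."""
    found: List[str] = []
    for frame in iter_pcap_records(pcap_bytes):
        payload = udp_payload(frame)
        if payload is None:
            continue
        for match in KEYLOG_RE.finditer(payload):
            line = match.group(0).decode("ascii")
            if line not in found:      # same secret may be broadcast repeatedly
                found.append(line)
    return found


def write_keylog(lines: List[str], path: str) -> int:
    """Write the key log in the format Wireshark's tls.keylog_file expects."""
    with open(path, "w", encoding="ascii") as fh:
        for line in lines:
            fh.write(line + "\n")
    return len(lines)


def editcap_command(keylog_path: str, in_pcap: str, out_pcapng: str) -> List[str]:
    """Build the editcap call that embeds the key log as a pcap-ng DSB."""
    return ["editcap", "--inject-secrets", f"tls,{keylog_path}", in_pcap, out_pcapng]


# --- constructed sample capture (not a real device trace) -------------------
def build_frame(payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", 40000, 15118, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 0, 10]), bytes([192, 168, 0, 20])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip        # zeroed MACs, ethertype IPv4


def build_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


SAMPLE_LINE_1 = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48
SAMPLE_LINE_2 = b"CLIENT_RANDOM " + b"aa" * 32 + b" " + b"bb" * 48
SAMPLE_PCAP = build_pcap([
    build_frame(b"hello, not a secret"),              # ordinary UDP traffic
    build_frame(b"debug: " + SAMPLE_LINE_1 + b"\n"),  # secret with surrounding text
    build_frame(SAMPLE_LINE_2),                       # second session
    build_frame(SAMPLE_LINE_1),                       # duplicate, must be dropped
    b"\x00" * 12 + b"\x86\xdd" + b"\x60" + b"\x00" * 39,  # IPv6 frame, skipped
])

if __name__ == "__main__":
    secrets = extract_secrets(SAMPLE_PCAP)
    write_keylog(secrets, "keys.txt")
    print(" ".join(editcap_command("keys.txt", "capture.pcap", "capture-dsb.pcapng")))
```

After running editcap with that command, the resulting pcap-ng carries the secrets itself, so Wireshark decrypts the TLS streams without the key log file being selected in the TLS preferences; the key log file alone can instead be pointed to via the tls.keylog_file preference for the live-capture case the thread discusses.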