SuperCowPowers / chains

Python Chained Generators for Network Streams:
http://chains.readthedocs.org
MIT License
40 stars, 4 forks

Add KEYLOGFILE TLS decryption support. #11

Open vadimszzz opened 2 years ago

vadimszzz commented 2 years ago

I have the following code:

import json

nss_keys = {}

with open("captured.keylog", "r") as keylogfd:
    for line in keylogfd:
        line = line.strip()
        # Key log files may contain blank lines and '#' comments; skip them.
        if not line or line.startswith('#'):
            continue
        # Each entry is: <LABEL> <client_random hex> <secret hex>
        tokens = line.split()
        if tokens[1] not in nss_keys:
            nss_keys[tokens[1]] = {}
        if tokens[0] == 'CLIENT_RANDOM':  # TLS 1.2 and earlier: master secret
            nss_keys[tokens[1]]['master_secret'] = tokens[2]
        elif tokens[0] == 'CLIENT_HANDSHAKE_TRAFFIC_SECRET':  # TLS 1.3 secrets follow
            nss_keys[tokens[1]]['client_handshake_secret'] = tokens[2]
        elif tokens[0] == 'SERVER_HANDSHAKE_TRAFFIC_SECRET':
            nss_keys[tokens[1]]['server_handshake_secret'] = tokens[2]
        elif tokens[0] == 'CLIENT_TRAFFIC_SECRET_0':
            nss_keys[tokens[1]]['client_traffic_secret'] = tokens[2]
        elif tokens[0] == 'SERVER_TRAFFIC_SECRET_0':
            nss_keys[tokens[1]]['server_traffic_secret'] = tokens[2]

print(json.dumps(nss_keys, indent=4))

that produces:

{
    "7834e2da48ed053d149e3587e646eef8d37cbd4c96bcd3e010089c2dbf3918f6": {
        "client_handshake_secret": "3cc7fb6f9518cd0e37eba33de56fa5e2d8fac3273d19f311abc5f135b152cae7",
        "server_handshake_secret": "195e9473d29b45c71a261e303b4075e418c0b7d23268a44895d0d6a8ad42a74f",
        "client_traffic_secret": "98a36efdd5b709685456a9ffd550addbfda34213661ddadf3aee1fee2a18bdc9",
        "server_traffic_secret": "5fd2f247d0b31c80dd899a93a6d193424309e640658d0329b0f3376260e61208"
    },
    "82f2d1337f0065ecd9fa5cc844c74813daa3585f011a07ecdb793c30edfb9a4a": {
        "client_handshake_secret": "f066f004712237a8cbb192cadaad5e9a795df98cd806e5f7e0d1509864fc2c52",
        "server_handshake_secret": "13d3b2a8f8330b478c32bfec00a301585246b8df218ef83d748eda2de6ed785d",
        "client_traffic_secret": "e7ed02a33e208ce3390e45c5d176fa95a1da1b46e3199579eff2d5df5e696850",
        "server_traffic_secret": "b86a222f4b789839d705f15026f72bdffb2849584b0d5046524f5d9987bb10f2"
    }
}

captured.pcap and captured.keylog are being updated in real time.

I want to use these keys to decrypt the TLS traffic and get a reconstructed flow with the decrypted HTTPS requests and responses as a live stream, so that I can see every HTTP request together with its response in the terminal as they appear. First of all, how do I decrypt the traffic?

vadimszzz commented 2 years ago

You can take a look at https://github.com/secdev/scapy/pull/3374 and https://github.com/cisco/mercury/blob/main/python/pmercury/protocols/tls_decrypt.py