Início / computer / Perguntas / 1877439
Accepted
user1917289
Asked: 2025-02-08 07:50:16 +0800 CST

Wireshark decodificando apenas uma direção

  • 772

Eu escrevi um cliente de chat em python que usa criptografia TLS. O servidor é executado em um PC, e o cliente em outro.

O servidor cria as chaves SSL (server.key e server.crt) e então eu copio server.crt para o PC cliente.

O cliente não cria nenhuma chave SSL própria.

Usando LD_PRELOAD, eu coleto o SSLKEYLOGFILE no PC servidor. Eu coleto o pcap usando tcpdump no PC servidor também.

Levo ambos ao Wireshark para descriptografar o pcap.

No entanto, apenas pacotes Client -> Server são decodificados. Mensagens Server -> Client permanecem criptografadas. Por que isso?

Keylog.txt:

SERVER_HANDSHAKE_TRAFFIC_SECRET 6e1c671e89c253c9670297d7af1c651236cb52ffcec31f393ff2d4c345b65b83 83156d3d139ab2bda9fb30bc68699fadeaff736373585e9296618973b804e67b858f904b6d67d35791f154d2df1c53ec
CLIENT_HANDSHAKE_TRAFFIC_SECRET 6e1c671e89c253c9670297d7af1c651236cb52ffcec31f393ff2d4c345b65b83 d27b9286b3f209da0cfca1055cd6c5a0b7dc638a3b47b760fc52c46530c6f0129e3ab8cb97de02d708dcd78e4b8eeef6
EXPORTER_SECRET 6e1c671e89c253c9670297d7af1c651236cb52ffcec31f393ff2d4c345b65b83 a81094854b39ab0a39ab4b1d0669591024a3c05d4a8b0df0870e2df824b447b9cdd206e4f120dbeb871a0f642bff783b
SERVER_TRAFFIC_SECRET_0 6e1c671e89c253c9670297d7af1c651236cb52ffcec31f393ff2d4c345b65b83 fa8a418607881a3c78082009acded37a4f1640b6d7e4932785b071bd3dcae67aaef91ef664bb1fc1f01e22d800b11e73
CLIENT_TRAFFIC_SECRET_0 6e1c671e89c253c9670297d7af1c651236cb52ffcec31f393ff2d4c345b65b83 f90a697b55859c7144ccf34c499869cddbec964f37386ab08cf7ed137cd54c53b9c119b42fda4f37b0ba3e5a62694cf7

Servidor.py:

import socket
import ssl
import argparse

# Server-side
def create_tls_server(certfile, keyfile, port):
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(certfile, keyfile)

    hostname = socket.gethostname()
    IPAddr = socket.gethostbyname(hostname)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
    sock.bind((IPAddr, port))
    sock.listen(2)

    print(f"Server started on {IPAddr}:{port}. Waiting for connections...")

    while True:
        client_socket, addr = sock.accept()  # Accept raw connection
        try:
            ssl_conn = context.wrap_socket(client_socket, server_side=True)  # Wrap here
            print(f"Connected by {addr}. Waiting for message...")
            while True:
                data = ssl_conn.recv(1024).decode()
                if not data:
                    break
                print(f"Received: {data}")
                if data == 'bye':
                    break
                print(">> ", end='')
                response = input()
                ssl_conn.send(response.encode())
        except Exception as e:
            print(f"Error: {e}")
        finally:
            ssl_conn.close()
            client_socket.close()  # close the connection
            print(f"Connection with {addr} closed.")
            break

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="TLS Server")
    parser.add_argument("-p", "--port", type=int, default=8500, help="Port number")
    parser.add_argument("-v", "--version", type=int, default=ssl.PROTOCOL_TLS_SERVER, help="TLS Version")
    args = parser.parse_args()

    create_tls_server('./server.crt', './server.key', args.port)

Cliente.py:

import socket
import ssl
import argparse

# Client-side
def connect_tls_client(cafile, port, host):
    context = ssl.create_default_context()
    context.load_verify_locations(cafile)

    sock = socket.socket()  # instantiate
    sock.connect((host, port))  # connect to the server

    client_socket = context.wrap_socket(sock, server_hostname=host)

    print(">> ", end='')
    message = input()

    while message.lower().strip() != 'bye':
        client_socket.send(message.encode())  # send message
        data = client_socket.recv(1024).decode()  # receive response
        if not data:
            break

        print('Received from server: ' + data)  # show in terminal

        if data == 'bye':
            break

        print(">> ", end='')
        message = input()

    client_socket.close()  # close the connection

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="TLS Client")
    parser.add_argument("-s", "--server_ip", default="name-of-remote-serverenter image description here", help="Server IP address")
    parser.add_argument("-p", "--port", type=int, default=8500, help="Port number")
    parser.add_argument("-v", "--version", type=int, default=ssl.PROTOCOL_TLS_SERVER, help="TLS Version")
    args = parser.parse_args()

    connect_tls_client('./server.crt', args.port, args.server_ip)
python

1 respostas

  1. Best Answer

    Foi assim que isso foi resolvido para mim.

    Eu fiz duas coisas:

    1. Permitir que o subdissector remonte os fluxos TCP.
    The following TCP protocol preferences are also required to enable TLS decryption:

Allow subdissector to reassemble TCP streams. Enabled by default.
Reassemble out-of-order segments (since Wireshark 3.0, disabled by default).

    Referência https://gitlab.com/wireshark/wireshark/-/issues/16713 https://wiki.wireshark.org/TLS#%E2%80%8DPreference_Settings

    1. Além disso - e esse foi meu erro original - eu estava capturando pacotes em uma porta específica à qual o servidor estava vinculado, mas é claro que a porta do cliente era diferente (e dinâmica!), então a captura nem estava acontecendo!

    Modifiquei minha consulta tcpcap para coletar apenas pacotes TLS - isso reduziu o ruído em minhas capturas e capturou ambas as direções também:

    tcpdump -i any 'tcp[((tcp[12:1] & 0xf0) >> 2):1] & 0x80 = 0 && (tcp[((tcp[12:1] & 0xf0) >> 2):1] >= 0x14 && tcp[((tcp[12:1] & 0xf0) >> 2):1] <= 0x17)' -w tls_any_port.pcap

    Funcionou como um encanto! Obrigado a todos.

    • 0

relate perguntas