Looking for some help decrypting generic TCP traffic encrypted with TLS

  • Question

  • Hi guys, I'm looking for a feature similar to the unencrypted HTTPS scenario. I'm trying to read the traffic of an application which communicates over port 7770, and just registers as TLS in both Message Analyzer and Wireshark.

    I figured that there would be a provider for this kind of thing, and I tried all of the SChannel, TCP, Web and TLS providers, so I'm at a bit of a loss.

    Wednesday, September 25, 2019 11:12 PM

Answers

  • Hello noxora,

    If the negotiated TLS cipher suite does not provide forward secrecy and you have access to the private key of the server certificate, then the decryption functionality of MMA, Wireshark, etc. might be able to decode the traffic.

    If the TLS implementation supports TLS session key export and the application exposes this functionality then Wireshark should be able to decode the traffic.

    If the application (server or client) is instrumented (perhaps using ETW) and logs the data sent/received then that might reveal the plaintext traffic.

    If the application (server or client) is implemented with .NET, then enabling .NET network tracing using the .exe.config file should show the plaintext traffic.

    If the application (server or client) uses the Windows SChannel implementation of TLS then using the debugger API to record the inputs/outputs of EncryptMessage/DecryptMessage should show the plaintext traffic.

    If the application can be persuaded to use a TLS proxy (such as Fiddler or similar) then that should be able to record the plaintext traffic.

    If the traffic flowing over the TLS channel is an unknown/undocumented binary protocol, then it might be difficult to understand the traffic even if it is captured in plaintext.

    Gary

    • Marked as answer by noxora Saturday, September 28, 2019 5:01 PM
    Thursday, September 26, 2019 7:28 PM
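Added example, not code from this thread: before choosing between Gary's first two options, check what the server actually negotiated. The script below parses a TLS ServerHello record (a constructed one here, since the port-7770 capture is not available), reads the negotiated version and cipher suite (including the TLS 1.3 supported_versions extension), and reports whether the server's private key can decrypt the capture or whether a session key log or endpoint instrumentation is required. The suite table is a small subset of the IANA registry, chosen for illustration.

```python
import struct

# IANA cipher suite code -> (name, key exchange); a constructed subset for this example.
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS13"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS13"),
}

def parse_server_hello(record: bytes) -> tuple:
    """Return (negotiated_version, cipher_suite) from a TLS record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x02:                  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]       # legacy_version (0x0303 even for TLS 1.3)
    pos = 2 + 32                                      # skip the 32-byte random
    pos += 1 + body[pos]                              # skip session_id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                          # cipher_suite + compression_method
    if pos + 2 <= len(body):                          # extensions block, if present
        ext = body[pos + 2:pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]]
        while len(ext) >= 4:
            etype, elen = struct.unpack("!HH", ext[:4])
            if etype == 0x002B and elen == 2:         # supported_versions carries the real version
                version = struct.unpack("!H", ext[4:6])[0]
            ext = ext[4 + elen:]
    return version, suite

def decryption_path(version: int, suite: int) -> str:
    """Map the negotiated parameters onto the decryption options from the answer above."""
    name, kx = SUITES.get(suite, ("unknown", "unknown"))
    if kx == "RSA" and version < 0x0304:
        return f"{name}: no forward secrecy; server private key can decrypt"
    if kx in ("DHE", "ECDHE", "TLS13") or version >= 0x0304:
        return f"{name}: forward secrecy; need session key export or endpoint instrumentation"
    return f"{name}: unknown suite, inspect manually"

def build_server_hello(suite: int, tls13: bool = False) -> bytes:
    # Constructed sample input (not captured traffic): minimal ServerHello in one record.
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    ext = struct.pack("!HH", 0x002B, 2) + b"\x03\x04" if tls13 else b""
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

On a real capture, feed the first server-to-client TCP payload (Wireshark: Follow TCP Stream, or tshark with `-d tcp.port==7770,tls` to force the dissector) into `parse_server_hello`.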