This method works well and fortunately my goal is to use OpenSSL.
Http://www.cloudshield.com/blog/advanced-malware/ how-to-decrypt-openssl-sessions-using-wireshark-and-ssl-session-identifiers/
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/
How to Decrypt OpenSSL Sessions using Wireshark and SSL Session Identifiers
Among the many challenges facing malware analysts is encrypted malware traffic. Malicious software is increasingly using OpenSSL to encrypt Command and Control (C2) communication channels. Malware developers encrypt communications to hide C2 channels rendering intrusion Detection Systems (IDS) ineffective and Enabling malware to gain a foothold on server or client systems.
The malware analyst cannot determine encrypted attacker actions without decrypting the communications. Typically, decrypting network traffic using Wireshark (a free and Open-source Packet Analyzer) requires access to the Serv ER private key and following the steps outlined in [1] and [2] with the references section at the end of this article. But, the private encryption key for malicious software was generally located on the C2 server and not available for decrypt Ion. In this situation, it's necessary to perform memory analysis on the compromised system to deliver the required details to Decrypt the network traffic of command and control sessions. Here's how-to-do it.
Step 1:identify the master secret and corresponding session key
For both legitimate and dangerous traffic, during SSL session establishment, the client and server first negotiate a maste R Secret. The master secret is used to generate the session key, that's used to encrypt communications. During the initial "server Hello" portion of the SSL handshake, the server issues a session identifier that is used the TR Ack the "Master Secret" [3]. The session identifier enables the client to reconnect to the SSL server and skip the computationally expensive processes of negotiating a new master secret. A Sample Session ID can be seen in the Wireshark output captured in Figure 1.
Figure 1:wireshark Display of a session ID
Figure 1:wireshark Display of a session ID
Without access to the private key, both the session ID and master secret is needed to decrypt a session. Fortunately for malware analysts, both the session ID and more importantly, the master secret is stored, in memory, on Bo Th the client and the server. The approaches can is used when the examining memory for a master secret. The first is to scan for the session ID directly and the master secret would typically be located in the vicinity of the SE Ssion ID. The other method was to scan for the OpenSSL structure that stores the master secret and session ID. Table 1 is a memory snippet taken from a compromised system responsible for establishing the SSL session in Figure 1.
Table 1:memory Snippet containing SSL session ID
-2390h:3b F8 5C B5 (xx) to XX, i.&.\. (.......
-23A0H:1A 0D 00 28 01 08 00 01 03 00 00 00 00 00 00 .... (...........
-23b0h:00 xx, xx, xx, 2E 7A 39 83 ..... 0....z9.
-23c0h:da 2E 1E One 8E FD Wuyi E5-E9, 5E, DF, A2 ... Qw.f.^u ...
-23D0H:BB-C0 C4 9D, CD FE A9, E9-t ... a...es.49
-23e0h:1b B3 E9 A8 B4 20 00 00 00.. 5f.. ' ..... ...
-23F0H:2C A8 1C D6 0B C5 C0 D4, A4 D3,. V...b.d ....
-2400h:55-Bayi EB D6 6D D8 D9 3D, C3 U ... S...xm. =...
-2410h:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .......
The session ID starting with 2C A8 1C can is seen at offset-23f0h. The values prior to the session ID can is examined in detail by the SSL_SESSION_ST structure from openssl/ssl.h.
Table 2:ssl_session_st Structure Form openssl/ssl.h
struct SSL_SESSION_ST
{
int ssl_version; /* What SSL version session info is
* Being kept in here? */
/* only really used in SSLV2 */
unsigned int key_arg_length;
unsigned char key_arg[ssl_max_key_arg_length];
int master_key_length;
unsigned char master_key[ssl_max_master_key_length];
/* session_id-valid? */
unsigned int session_id_length;
unsigned char session_id[ssl_max_ssl_session_id_length];
--cut-
Using the SSL_SESSION_ST structure, it is possible to identify what the memory prior to the session ID were used for. Table 3 lays out the values observed in memory with the Ssl_session_st.
Table 3:values for Ssl_session_st obtained from memory
Variable Binary Value
int Ssl_version 0x301
UINT Key_arg_length; 00 00 00) 00 0
Uchar Key_arg[ssl ...]; 00 00 00 00 00 00 00 00
int master_key_length; XX 0x30
Uchar Master_key[ssl ...]; 2E 7A E5 DA 2E 1E one 8E FD Wuyi-All-in-one 5E
DF E9 A2 BB C0 C4 9D CD FE A9 65
E9 1 B, B3 E9, A8 B4
UINT Session_id_length; XX 0x20
Uchar Session_id[ssl ...]; 2 c A8 1C (D6) 0B C0 C5 D4 A4
D6 6D D8 D9 3D (C3)
Notice, the SSL version (0x301) and Session ID (2C A8 1C ...) is consistent with the SSL handshake in Figure 1. This suggests the master key (2E 7A ...) is likely to be correct also.
Step 2:configure Wireshark to use the master secret
Once a master secret and corresponding session ID has been identified, the next step was to configure Wireshark Master Secret. To does this, write the session ID and master key to a text file using the format:
RSA session-id:<sslid> master-key:<mk>
The example session Id/master key combination identified in Table 3 would look like this (with the exception of being on a Single line):
RSA session-id:2ca8761c96d6620b6401c5c0d480a4d355
1781eb53dd80d6786dd8d93d9618c3\
Master-key:2e7a3983da2e1e118efd5177e546925e55dfe9a2bb7\
411c0c49d1041cdfea96553e934391b843566b3e927a804b497a6
To configure Wireshark to use the master secret file, open Wireshark and select the menu option Edit->preferences Follo Wed by Protocols->ssl. You should see the following dialog box appear.
Figure 2:wireshark Master Secret Configuration dialog
Figure 2:wireshark Master Secret Configuration dialog
Select the text file containing the master key and session ID in the (Pre)-master secret log filename field.
Step 3:decrypt The encrypted malware SSL session
Now that Wireshark are configured for decryption, you can open the Packet capture (PCAP) files that includes the encrypted Malware SSL session and decrypt it by right clicking on the session and selecting "Follow SSL Stream".
The YARA signature [5] can assist with finding generic session IDs within a memory dump by utilizing values commonly seen In TLS sessions. The signature identifies OpenSSL structures for encryption algorithms that has a 0x30 byte master key and 0x20 byte Sessi On identifier. It may is necessary to adjust the signature based on the system architecture, encryption algorithm and protocol being used .
Rule openssl_ssl_session_st:sessionkeys{
Strings
$struct _ssl_session_st_1 = {03 00 00 00 00 00 00 [8] 30 00 00 00 [48] 20
00 00 00?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??}
Condition
Any of them
}
Key Takeaway
The skillful malware analyst with access to a memory snapshot and network traffic from a compromised system can decrypt MA Lware that utilizes openssl-encrypted C2 channels without access to the malware server. While this method relies on memory artifacts and are not as reliable as has the private key, it demonstrates that once T He session ID and master secret is obtained, it's then possible to decrypt network communications and view the C2 action s taken by malware on a compromised system. It's important to note that obtaining a memory snapshot of a compromised system as quickly as possible increases the like Lihood of obtaining the encryption key before it is overwritten in memory.
References
[1] Http://blogs.technet.com/b/nettracer/archive/2010/10/01/how-to-decrypt-an-ssl-or-tls-session-by-using-wireshark.aspx
[2] Http://wiki.wireshark.org/SSL
[3] Http://en.wikipedia.org/wiki/Secure_Socket_Layer#Session_IDs
[4] http://www.openssl.org/
[5] http://code.google.com/p/yara-project/
Image:Fotolia.com, Bofotolux
Wireshark is a registered trademark of the Wireshark Foundation
Posted on September, at Advanced Malware | tags:advanced malware, C2, Command and Control, decryption, encryption, master key, master secret, memory artifact, opens SL, Wireshark | Permalink. Ten Comments
Josh Homan
About Josh Homan
Joshua is a Senior Incident Response Analyst with years of experience in information security. He has previously worked in both DoD and commercial environments focusing on incident response, penetration testing, Vulne Rability, and Network forensics. His current efforts involve reverse engineering of malicious software and developing custom applications to enhance NETWOR K Forensics capabilities.
More Articles
[3 Ways to Meet we Malware experts at McAfee FOCUS13] [How to Think a Cyber attacker]
Latest Posts
Pick a strategy for dealing with bind vulnerabilities Pick a strategy for dealing with bind vulnerabilities
Own your DNS before someone else does
Expert interview:stopping Insidious Malware Attacks expert interview:stopping Insidious Malware Attacks
Bill Kasje talks about the advanced malware orchestration and TCSO
Keep DNS Protected with Actionable security Insight Keep DNS Protected with Actionable Security Insight
Understanding DNS Traffic
Popular Posts
How to Decrypt OpenSSL Sessions using Wireshark and SSL Session Identifiers: [22260 views] How to Decrypt OpenSSL session s using Wireshark and SSL Session Identifiers
A tip for savvy malware analysts
The case for Learning python®for Malware Analysis: (9112 views) The case for learning python®for Malware analysis
Why Python was the best language for fighting malware
Phear of Phishing? : (8787 views) Phear of Phishing?
How to develop your own Phish tests
It works!