Question

I have a PCAP file that was given to me for a Forensics Challenge. The PCAP has encrypted traffic using TLS Version 1. I have looked into a BEAST attack, but there are no tools to do this. Is there any way, using just the packets I have in the PCAP file, to decrypt this traffic in Wireshark without the private key? Can I get the private key from the certificate exchange in any way, or the master secret log or something? I could not find any tutorials online that do not involve having access to the private key. Any help is appreciated.

UPDATE:

My later research revealed that version 1 of TLS did have vulnerabilities and that it was possible to do, but I would have needed access to the actual host as well, not just the PCAP of its traffic.


Solution

If you have the master secret, you might be able to do something.

Have a look at the "Using the (Pre)-Master-Secret" section on the SSL page of the Wireshark wiki. You'll need a reasonably recent version of Wireshark, which adds the ability to set the master secret (instead of expecting the server's private key). This should also help for Ephemeral Diffie-Hellman cipher suites.

More details in this question on the Wireshark Q&A site.
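To show what "having the master secret" actually requires in practice, here is an added example (not part of the answer above): Wireshark's key log file pairs each master secret with the 32-byte client Random from the ClientHello, one `CLIENT_RANDOM <random hex> <master secret hex>` line per session, so the script below extracts the Random from a TLS 1.0 ClientHello record and emits that line. The ClientHello bytes and the master secret are constructed placeholders, not taken from any real capture.

```python
import struct

# Constructed sample: a minimal TLS 1.0 ClientHello record (not from a real capture).
CLIENT_RANDOM = bytes(range(32))              # 32-byte Random (gmt_unix_time + random_bytes)
_hello_body = (
    b"\x03\x01"                               # client_version = TLS 1.0
    + CLIENT_RANDOM
    + b"\x00"                                 # session_id length = 0
    + b"\x00\x02\x00\x2f"                     # cipher_suites: one suite, TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"                             # compression_methods: null only
)
_handshake = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body   # type 1 = ClientHello
SAMPLE_RECORD = b"\x16\x03\x01" + struct.pack(">H", len(_handshake)) + _handshake

def client_random_from_record(data: bytes) -> bytes:
    """Return the 32-byte Random from a TLS record whose first handshake message is a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:      # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not start with a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32:                   # version (2) + random (32)
        raise ValueError("truncated ClientHello")
    return hello[2:34]

def keylog_line(client_random: bytes, master_secret: bytes) -> str:
    """Format one line of the NSS-style key log file that Wireshark reads."""
    if len(client_random) != 32 or len(master_secret) != 48:
        raise ValueError("client random must be 32 bytes and master secret 48 bytes")
    return f"CLIENT_RANDOM {client_random.hex()} {master_secret.hex()}"

if __name__ == "__main__":
    master_secret = bytes([0xAB]) * 48        # placeholder master secret (constructed)
    print(keylog_line(client_random_from_record(SAMPLE_RECORD), master_secret))
```

Write the resulting lines to a file and point Wireshark at it via the TLS protocol preference for the key log file (on the command line, `tshark -r capture.pcap -o tls.keylog_file:keys.log`); Wireshark matches each session by its client Random, so the same file can hold secrets for many sessions.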

Licensed under: CC-BY-SA with attribution