
Documentation around extract secret script, automatic injection of client random into wireshark, etc. #57

Open
JeremyWhaling opened this issue Feb 29, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@JeremyWhaling
Contributor

Hello!

I was looking at the tools section of this git repo and noticed the "extract_secrets.py" script, and am wondering if there is any documentation on this script. Is it somehow called by the wireshark-v2g instance in some way, or is it only an independent tool? Is it included in the normal release for Windows (installer)?

Somewhat related, it would be very handy if the decoder could in real time react to seeing a UDP packet with the client random (secret) and begin decrypting the stream in situ. It seems like this tool is only intended for PCAP files, not a live capture (although it is still useful!).

@chardin-cpi
Collaborator

@jhart-cpi wrote the tool for processing pcaps offline since that was our main use case. Wireshark has the "load key from a file" feature, and we would need to read up in the new code on whether they have the "get the key from the UDP debug packet" feature. This is very likely solved - we just don't know where or how they solved it.

@jhart-cpi
Contributor

jhart-cpi commented Feb 29, 2024

Anything in the tools folder is independent and not integrated into the dissector code itself.

The extract_secrets.py works by extracting the session key and then writing a pcap-ng formatted file with the secret embedded in it, but you'll notice that editcap (a Wireshark companion utility) is being called to do that work. I would consider it more of a pre-processor and we've used it independently to process some quantities of files before viewing them.

The python code uses scapy to process the packets and apply some very basic matching logic to extract the session key. Included in that folder is a Pipfile which will automatically pull in the required dependencies and create a virtualenv for you.

A more robust solution is to apply some fuzzy-finding to the packets in Lua and then insert the secret into the TLS dissector, which I have so far been unable to find support for.
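The offline pre-processor workflow described above (match the debug packet, pull out the secret, let editcap embed it in a pcapng) as an added, self-contained example. This is illustrative code written for this page, not the project's extract_secrets.py: it uses a tiny hand-rolled pcap/Ethernet/IPv4/UDP parser instead of scapy so it runs with no dependencies, and it assumes the UDP debug packet carries a literal NSS key-log line (`CLIENT_RANDOM <client random> <master secret>`), which is an assumption about the on-wire format, not something the thread states. The sample capture is constructed in memory; the `editcap --inject-secrets tls,<keylog>` invocation is the real Wireshark companion-utility syntax and is only executed if editcap is on PATH.

```python
"""Offline TLS-secret pre-processor: scan a pcap for UDP debug packets that
carry a TLS secret in NSS key-log format, write a key-log file, then hand the
pcap to editcap --inject-secrets so the secret is embedded in a pcapng.

Illustrative example, not the wireshark-v2g extract_secrets.py. The on-wire
format of the debug packet (a literal NSS key-log line) is an assumption.
"""
import os
import re
import shutil
import struct
import subprocess
import tempfile

# NSS key-log line: 64 hex chars of client random, 96 hex chars of master secret.
KEYLOG_RE = re.compile(rb"CLIENT_RANDOM [0-9A-Fa-f]{64} [0-9A-Fa-f]{96}")

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
IPPROTO_UDP = 17


def iter_udp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/UDP frame in a classic
    little-endian pcap with Ethernet link type. Non-UDP or truncated frames are
    skipped rather than raising, since a debug capture is rarely clean."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        l3 = 14
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:  # step over one 802.1Q tag
            ethertype = struct.unpack_from("!H", frame, 16)[0]
            l3 = 18
        if ethertype != ETHERTYPE_IPV4 or len(frame) < l3 + 20:
            continue
        ihl = (frame[l3] & 0x0F) * 4
        if frame[l3 + 9] != IPPROTO_UDP or len(frame) < l3 + ihl + 8:
            continue
        l4 = l3 + ihl
        sport, dport, ulen, _csum = struct.unpack_from("!HHHH", frame, l4)
        yield sport, dport, frame[l4 + 8: l4 + max(ulen, 8)]


def extract_keylog_lines(pcap: bytes) -> list:
    """Return unique NSS key-log lines found in UDP payloads, in capture order."""
    seen, lines = set(), []
    for _sport, _dport, payload in iter_udp_payloads(pcap):
        for match in KEYLOG_RE.findall(payload):
            line = match.decode("ascii")
            if line not in seen:
                seen.add(line)
                lines.append(line)
    return lines


def editcap_inject_cmd(pcap_in: str, keylog: str, pcapng_out: str) -> list:
    """argv for editcap to embed the key-log file as a TLS Decryption Secrets
    Block in a pcapng, so Wireshark decrypts without any preference set."""
    return ["editcap", "--inject-secrets", f"tls,{keylog}", pcap_in, pcapng_out]


def _udp_frame(payload: bytes, sport: int = 50000, dport: int = 50001) -> bytes:
    """Minimal Ethernet/IPv4/UDP frame for the constructed sample (checksums zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4) + ip


def build_sample_pcap() -> bytes:
    """Constructed capture: one harmless UDP packet and one UDP debug packet
    carrying a fake (all-0x11 / all-0x22) secret line."""
    secret_line = ("CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48).encode()
    frames = [_udp_frame(b"hello, not a secret"), _udp_frame(b"dbg: " + secret_line + b"\n")]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        pcap_path, keylog_path, out_path = (os.path.join(d, n) for n in ("in.pcap", "keys.txt", "out.pcapng"))
        with open(pcap_path, "wb") as f:
            f.write(build_sample_pcap())
        with open(pcap_path, "rb") as f:
            lines = extract_keylog_lines(f.read())
        with open(keylog_path, "w") as f:
            f.write("\n".join(lines) + "\n")
        print(f"extracted {len(lines)} secret(s) -> {keylog_path}")
        cmd = editcap_inject_cmd(pcap_path, keylog_path, out_path)
        if shutil.which("editcap"):
            subprocess.run(cmd, check=True)
            print("wrote", out_path)
        else:
            print("editcap not on PATH; would run:", " ".join(cmd))
```

The key-log file this writes is the same format Wireshark's TLS preference "(Pre)-Master-Secret log filename" accepts, so it can be pointed at directly instead of going through editcap; the editcap route has the advantage that the resulting pcapng carries its own secrets and can be shared without a separate key file.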

@JeremyWhaling
Contributor Author

Thanks for this context! It seems that the pathway to injecting the secret is to use the Lua script to detect UDP packets which contain the pre-shared master secret and write it to a file. You would then need to go into Wireshark and select this file in the TLS protocol preferences. From there, it seems Wireshark will automatically (?) start decoding. I'll try modifying the v2g.lua and report back.

@jhart-cpi jhart-cpi added the enhancement New feature or request label Apr 29, 2024