![]() ![]() If your network is live, ensure that you understand the potential impact of any command. All of the devices used in this document started with a cleared (default) configuration. The information in this document was created from the devices in a specific lab environment. Cisco IOS XE Release 15.2(4)S - 3.7.0 or later.The information in this document is based on these software and hardware versions: There are no specific requirements for this document. The completed code (TBH it’s more comments than code) is available from under an MIT License so feel free to build on it, incorporate it into other utilities etc.This document describes the Embedded Packet Capture (EPC) feature in Cisco IOS ® software. Int ssl_log_secret ( const SSL * ssl, const char * label, const uint8_t * secret, size_t secret_len ) ) ĬALLBACK_OFFSET was determined by disassembling libboringssl.dylib, and like all magic numbers is fragile as it may change if the struct changes in future versions, or on different CPU architectures. ![]() Searching the code for the labels that are defined in key log format finds examples like this one in where the CLIENT_RANDOM values are being logged: In iOS11, Apple migrated from OpenSSL to Google’s BoringSSL so Tom and Marat’s code stopped working but the ideas it introduced remained valid and compared to OpenSSL the BoringSSL code easier to understand.Īnd as Chrome supports TLS key logging so BoringSSL already contains code to log TLS keys. Tom and Marat used Frida to hook the CoreTLS function ( tls_handshake_internal_prf) that generated key material and dump the relevant TLS keys.Īlthough I got a modified version of their code working well enough to inspect some apps, and talk about it at JSOxford I never quite managed to address extracting keys for resumed TLS sessions and some other cases where it didn’t work. I first came across Frida a few years when someone shared Tom Curran and Marat Nigmatullin's paper on TLS Session Key Extraction from Memory on iOS Devices. I’ve filtered the capture to just display HTTP and HTTPS traffic and highlighted the start of one of the decrypted HTTP/2 connections. You can also launch Wireshark, open the packet capture, and then specify the keylog in Preferences > Protocols > TLS > (Pre)-Master-Secret log filename Wireshark -r bbc-news.pcap -o tls:keylog_file:bbc-news.keylog
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |