How to decrypt Smart Office’s encrypted traffic Thibaud Lopez Schneider Lawson Software April 27, 2010


Presentation Transcript


  1. How to decrypt Smart Office’s encrypted traffic. Thibaud Lopez Schneider, Lawson Software, April 27, 2010. In this paper I will describe how to intercept and decrypt the encrypted HTTPS traffic from Lawson Smart Office, which sometimes cannot be captured with Fiddler and which is unreadable in Wireshark. This technique is useful for troubleshooting IBrix, Smart Office, Personalized Scripts, etc.

  2. The goal is to capture IBrix traffic from Smart Office.

  3. I followed my own instructions (although I’m not on any VPN).

  4. But Fiddler is not capturing any IBrix traffic from Smart Office; it’s just capturing some noise. This surprises me because it used to work in the past.

  5. I don’t know why Fiddler doesn’t capture traffic. Maybe it’s because the protocol to M3 Workplace is HTTPS and not HTTP (see screenshot here). But I think that worked in the past. Or maybe Smart Office is not using WinINet anymore (plausible; to be verified).

  6. Wireshark correctly captures the traffic, but it’s encrypted with TLS (SSL) and unreadable. Tip: Filter the packets to make it easier to identify Smart Office traffic, for example: tcp.port==443 and ip.addr==208.92.250.178.

  7. I found this article on the Internet that explains how to use Wireshark to decrypt SSL. Let’s try. http://www.novell.com/communities/node/1606/decrypting+ssl+traffic+troubleshoot+nam

  8. This article is similar: http://htluo.blogspot.com/2009/01/decrypt-https-traffic-with-wireshark.html

  9. And here’s some general information about SSL: http://wiki.wireshark.org/SSL

  10. I make sure I have the correct version of Wireshark, the one with SSL enabled, which, according to the article, is indicated by the presence of the settings RSA keys list and SSL debug file in Wireshark Preferences.

  11. I installed OpenSSL. For Windows it can be found at: www.openssl.org > Related > Binaries

  12. Start capturing with Wireshark: Capture > Interfaces > Start.

  13. Open Smart Office, log in, open the IBrix, and load some data in the IBrix. That will generate plenty of interesting traffic.

  14. Out of curiosity, find the TLS packet that contains the Server Hello. You can sort by Protocol or by Info. The packet contains the server’s public key.

  15. Now let’s export the server’s private key. For that we need access to the server. Go to the Smart Office IIS server, expand to Default Web Site > Properties > Directory Security > View Certificate.

  16. Continue to Details > Copy to File, and follow the screenshots.

  17. Run this command: openssl pkcs12 -in CIDW82.pfx -out CIDW82.pem -nodes Note: Be careful with the generated pem file as it contains the server’s certificate in clear text!

  18. Go to Wireshark > Edit > Preferences > Protocols > SSL > RSA keys list. In my case it’s: 208.92.250.178,443,http,C:\THILOP\CIDW82.pem;208.92.250.118,443,http,C:\THILOP\CIDW44.pem Click on Apply. Actual setting for my two keys: 208.92.250.178,443,http,C:\THILOP\LAWSON~1\Products\LAWSON~2\MYDOCU~1\HOWTOD~2\CIDW82.pem;208.92.250.118,443,http,C:\THILOP\LAWSON~1\Products\LAWSON~2\MYDOCU~1\HOWTOD~2\CIDW44.pem

  19. Make sure the SSL debug file says: filename.pem successfully loaded

  20. Now Wireshark is showing the decrypted HTTP packets.

  21. Right-click on a packet > Follow SSL stream. Now we can see all the Smart Office traffic in clear text. Next time you open Wireshark, you don’t need to do any of this again. Indeed, Wireshark has remembered the server’s private keys. So just capture the traffic as usual, and right-click > Follow SSL stream.

  22. Conclusion: With the technique described in this paper we were able to intercept and decrypt the encrypted HTTPS traffic from Lawson Smart Office, which otherwise cannot be captured with Fiddler and which is unreadable in Wireshark. This technique is useful for troubleshooting IBrix, Smart Office, Personalized Scripts, etc. Does that demonstrate a flaw in Smart Office? Not at all. Smart Office relies on HTTPS, which relies on SSL encryption, which is secure and which itself relies on public and private keys. To decrypt the traffic, we had to export the server’s private key (which by definition is not public), and for that we had to get access to the server (which is secure). So this technique does not demonstrate any flaw.

  23. Thibaud Lopez Schneider thibaud.lopez.schneider@us.lawson.com
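
Added example, not part of the original presentation: loading the server's private key into Wireshark's RSA keys list (slides 18 to 20) only decrypts sessions that use static RSA key exchange, so it is worth checking the cipher suite in the Server Hello from slide 14 before troubleshooting further. The Python sketch below parses a Server Hello record and reports whether the key alone is enough; the function names are hypothetical, the suite table is a small subset of the IANA registry, and the sample bytes are constructed.

```python
import struct

# Subset of IANA TLS cipher suite IDs, enough for the constructed samples.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record that starts with a ServerHello handshake message."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("record does not start with a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version(2) + random(32) + session_id_len(1) precede the session id
    if len(hello) < hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    off = 35 + hello[34]  # skip the variable-length session id
    if len(hello) < off + 3:  # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return {"version": version, "suite_id": suite,
            "suite": SUITES.get(suite, "unknown_0x%04X" % suite)}

def rsa_key_can_decrypt(info: dict) -> bool:
    """True only for static RSA key exchange (TLS_RSA_WITH_*). DHE/ECDHE and
    unknown suites return False: the private key alone does not recover them."""
    return info["suite"].startswith("TLS_RSA_WITH_")

def build_sample(suite_id: int, session_id: bytes = b"") -> bytes:
    """Constructed ServerHello record (TLS 1.0, all-zero random) for testing."""
    hello = (struct.pack("!H", 0x0301) + bytes(32) + bytes([len(session_id)])
             + session_id + struct.pack("!HB", suite_id, 0))
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

If the check returns False for a capture, an empty "Follow SSL stream" is expected even when the SSL debug file reports the key as successfully loaded.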
