12.20.2010

Using default private keys to decrypt SSL streams

An old but hugely overlooked issue. Many appliance vendors ship their units with a default private key for SSL communications. Even if you reissue a new certificate, your appliance could still be using the same private key as everyone else's, and that key is typically bundled within the firmware packages publicly distributed by the application vendor. This affects everything from DD-WRT to enterprise-class VPN appliances, tape libraries, and firewalls.

Well, someone has finally begun cataloguing these into a searchable database:
http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/
 
Just look up the device in question, point the lookup tool at a running appliance, or feed it a packet capture or live network interface, and it will provide any known private keys.

Once the private key is obtained, you can decrypt the SSL stream with tshark:

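tshark -nn -t ad -r CAPTURE_FILE -o ssl.keys_list:SERVER_IP,443,http,"KEY_FILE" -V -R http

(CAPTURE_FILE, SERVER_IP and KEY_FILE are placeholders for the packet capture, the appliance's IP address and the private key file.)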

Note: For successful decryption, the initial full SSL handshake must be present in the capture. A full SSL handshake contains ClientHello, ServerHello, Certificate, ServerHelloDone. If you only see ClientHello, ServerHello, ChangeCipherSpec, this is a continuation of a previously established SSL session and cannot be decrypted as is.
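A check for the condition in the note above, as an added example (not code from the original post): it walks a server-to-client TLS record stream and reports whether the handshake was full or a resumed session, which shows which captured sessions are exposed by a shared default key. The function names and sample streams are constructed for illustration, and the `full-ephemeral` result goes beyond the post: a ServerKeyExchange message marks an ephemeral key exchange, which the server's private key alone does not decrypt.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types
NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
         14: "ServerHelloDone"}                  # handshake message types

def handshake_messages(stream: bytes) -> list:
    """Names of the cleartext messages in a server-to-client TLS byte stream."""
    seen, buf, pos = [], b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break                                # truncated capture
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            seen.append("ChangeCipherSpec")
            break                                # records after this are encrypted
        if ctype != HANDSHAKE:
            continue
        buf += body                              # messages can share or span records
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            seen.append(NAMES.get(buf[0], "type_%d" % buf[0]))
            buf = buf[4 + int.from_bytes(buf[1:4], "big"):]
    return seen

def classify(stream: bytes) -> str:
    msgs = handshake_messages(stream)
    if "ServerHello" not in msgs:
        return "no-handshake"
    if "Certificate" not in msgs or "ServerHelloDone" not in msgs:
        return "resumed"          # abbreviated handshake, as the note describes
    # Beyond the post: ServerKeyExchange indicates an ephemeral key exchange.
    return "full-ephemeral" if "ServerKeyExchange" in msgs else "full"

# Constructed sample streams; message bodies are dummy bytes.
def _rec(ctype, body): return struct.pack("!BHH", ctype, 0x0301, len(body)) + body
def _msg(mtype, body=b""): return bytes([mtype]) + len(body).to_bytes(3, "big") + body

TAIL = _rec(20, b"\x01") + _rec(22, b"\xaa" * 40)   # ChangeCipherSpec + encrypted Finished
FULL = _rec(22, _msg(2, b"\0" * 38) + _msg(11, b"\0" * 10)) + _rec(22, _msg(14)) + TAIL
RESUMED = _rec(22, _msg(2, b"\0" * 38)) + TAIL
EPHEMERAL = _rec(22, _msg(2, b"\0" * 38) + _msg(11, b"\0" * 10)
                 + _msg(12, b"\0" * 8) + _msg(14)) + TAIL

if __name__ == "__main__":
    for name, s in (("FULL", FULL), ("RESUMED", RESUMED), ("EPHEMERAL", EPHEMERAL)):
        print(name, classify(s), handshake_messages(s))
```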
