Because it is Relevant

Nicola Coretti

2023-12-01

Why it is relevant?

Because it is all connected

The Magic Arm

📝 TL;DR:

Not only think outside of the box, also have a look into other boxes ;).

📦 Agenda

Why Wireshark?
Coping with TLS
Extracting Data
Outlook

Why Wireshark?

General Perspective

Application/Network Trobuleshooting
Network Optimization
Security Analysis
Quality Assurance
Protocol Analysis

Developer Perspective

Implementation ¹
Testing & Debugging
Performance Analysis & Optimizations
Security Analysis

Real Life Example’s

Debugging a WSS-Protocol

💻 Client

{
    "command": "createPreparedStatement", 
    "sqlText": "INSERT INTO autoinc_pk DEFAULT VALUES"
}

🖥️ Server

{   "status":"ok",
    "responseData": {
        "statementHandle":16,
        "results":[
            {"resultType":"rowCount","rowCount":0}
        ],
        "numResults":1
    }
}

💻 Client

{
    "command": "executePreparedStatement", "statementHandle": 16,
    "numColumns": 0, "numRows": 3, "columns": [], "data": []
}

🖥️ Server

{
    "status":"error",
    "exception":
    {   
        "text":"Invalid parameter rows received. (Session: ...)",
        "sqlCode":"00000"
    }
}

Coping with TLS

Been There

imgflip.com

🔓 Decrypting TLS

💾 Store Session Keys

Global
```
export SSLKEYLOGFILE=~/session-keys.txt
```
Local
```
SSLKEYLOGFILE=~/session-keys.txt myApp
```

📥 Import Session Keys

💰 Profit

⚠️ `$SSLKEYLOGFILE` ⚠️

🔩 Supported By

OpenSSL
libressl
BoringSSL
GnuTLS
wolfSSL
rusttls

🪤 Gotachas

Custom Contexts
Compile time switches
Language specific TrustStores

Extracting Data

🧦 Objects

Export Type(s)

Save Object(s)

🔑 Credentials

More Details

📦 Payloads & Streams

GUI

Export

Copy

CLI

tshark -r ~/trace.pcapng -T ek tcp.stream eq 1 | jq

{
  "timestamp": "1692958244468",
  "layers": { 
    "frame": { ... },
    "eth":   { ... },
    "ip":    { ... },
    "tcp":   { ... },
    "data": {
      "data_data_data": "53:45:4d:4d:53:20:54:4f:20:57:4f:52:4b:21:0a",
      "data_data_len": "15"
    }
  }
}

👀 Outlook

🦈 wireshark

Color Coding
Quick Filters
I/O Graphs
Remote Capture
Custom Disectors
Custom Interfaces (extcap)
Traffic generator (randpkt)
Tshark
…

🛠️ Other Network Tools

socat
ngrep
scapy
nmap
CURL
…

Because it is Relevant

Why it is relevant?

Because it is all connected

The Magic Arm

📝 TL;DR:

📦 Agenda

Why Wireshark?

General Perspective

Developer Perspective

Real Life Example’s

Debugging a WSS-Protocol

Coping with TLS

Been There

🔓 Decrypting TLS

💾 Store Session Keys

📥 Import Session Keys

💰 Profit

⚠️ `$SSLKEYLOGFILE` ⚠️

🔩 Supported By

🪤 Gotachas

Extracting Data

🧦 Objects

Export Type(s)

Save Object(s)

🔑 Credentials

Credentials Menu

More Details

📦 Payloads & Streams

GUI

Export

Copy

CLI

👀 Outlook

🦈 wireshark

🛠️ Other Network Tools

Thx!

Because it is Relevant

Why it is relevant?

Because it is all connected

The Magic Arm

How does this related to ⌨️ Software-Development?

📝 TL;DR:

📦 Agenda

Why Wireshark?

General Perspective

Developer Perspective

Real Life Example’s

Debugging a WSS-Protocol

Coping with TLS

Been There

🔓 Decrypting TLS

💾 Store Session Keys

📥 Import Session Keys

💰 Profit

⚠️ $SSLKEYLOGFILE ⚠️

🔩 Supported By

🪤 Gotachas

Extracting Data

🧦 Objects

Export Type(s)

Save Object(s)

🔑 Credentials

Credentials Menu

More Details

📦 Payloads & Streams

GUI

Export

Copy

CLI

👀 Outlook

🦈 wireshark

🛠️ Other Network Tools

Thx!

⚠️ `$SSLKEYLOGFILE` ⚠️