Everyone likes to keep it simple. Scintillating, I know! But today's modern bring-your-own-device enterprise network has lots of different devices, such as iPads, laptops, desktops, stand-alone VOIP phones, etc. Managing all these devices can be anything but simple because there are so many different implementations of protocols and services.
So, sometimes we need to supercharge our troubleshooting and take it to the next level of reverse engineering. A new Fortigate firewall does a lot of the "magic" for us and protects our internet connections at the same time. But for learning purposes let's go ahead this time and take a peek at the technical nitty gritty of our computer and network. No math this time, unfortunately, just recreating the wheel! Two best-in-class tools that we will be using are Wireshark and Fiddler. Wireshark is a packet sniffer and Fiddler is a web proxy.
For reference, my scenario looks like this:
Laptop with Lync 2013 and Wireshark <--> switchports or wireless <--> Desktop with Fiddler Proxy <--> Internet <--> Lync Server <--> PSTN Network <--> computer/phone/device
A very similar scenario is the following:
Any Smartphone/Tablet with apps <--> Fortigate network firewall with tcpdump <--> Internet <--> computer/phone/device
Now hold onto your hat because this is a deep dive!
First we'll need to install Wireshark and Fiddler
https://www.wireshark.org/download.html
http://www.telerik.com/download/fiddler
By default, Fiddler generates a new temporary certificate for each website that is visited.
So we'll also need to install the Bouncy Castle CertMaker add-on for Fiddler.
http://fiddler2.com/r/?fiddlercertmaker
Open Fiddler and Trust the Root Certificate when prompted.
Then go to Tools - Fiddler Options - HTTPS and select Capture and Decrypt.
Click Export Root Certificate to Desktop and rename to FiddlerRootPublic.CER.
Click on Connections and note the port. I use 8888. Click Allow remote computers to connect.
Open an elevated command prompt and allow the port through the firewall for both TCP and UDP.
netsh firewall add portopening UDP 8888 "Fiddler 8888 UDP"
netsh firewall add portopening TCP 8888 "Fiddler 8888 TCP"
Back in Fiddler, click down on the Quick Exec, the lower-left black bar.
Type prefs set fiddler.certmaker.bc.ReusePrivateKeys True
Type prefs set fiddler.certmaker.bc.LogPrivateKeys True
Type about:config. Then filter for certmaker. This is our private and public key.
Double-click on the fiddler.certmaker.bc.key line, right-click on the text starting with "MIIE" and click copy.
We can run this this string through an online hex editor to figure out exactly what it is.
Go to http://lapo.it/asn1js/ and paste in string.
Note that the first byte of data starts with 0x30. This means that the file/string is in Binary DER-encoded format. This is sometimes called ASN.1 BER-encoded: DER is a stricter subset of BER. If this is confusing, just remember that ASN.1 is a notation for structured data, and DER is a set of rules for transforming a data structure (described in ASN.1) into a sequence of bytes, and back. For the programmers out there, see the x209 Layman's Reference guide to Object Identifiers, which is defined as a sequence of integer components that identify an object such as an algorithm or attribute type.
From <http://luca.ntop.org/Teaching/Appunti/asn1.html>
This BER text string also has what is known as ASCII Armoring and the technical name of this file's format is known as PKCS #8 Unencrypted Private Key.
From <http://en.wikipedia.org/wiki/Binary-to-text_encoding>
Let's remove the armor and convert this from a .BER to a .DER binary file now.
Select Text Wizard from Fiddler and select the Radio Button for From Base64.
Click To File for Save Output and save the file as FiddlerPrivate.DER
Now we have the private key in a binary format. We've exported the public certificate itself already. We can use this private key to rekey/recreate another public certificate as well as root sign other certificates which have a name that matches the names of websites that are browsed. And we have set our Fiddler to resign/reuse the same keys on all websites for which it proxies a certificate – this makes it easy to decipher all the traffic with Wireshark.
Wireshark has a decryption requirement of needing to have the private key in a .PEM OpenSSL format. This .PEM looks very similar to the ASCII-armored .BER but it is actually very different.
Let's skin this cat by extracting this format from the .DER file.
Download Key Store Explorer: http://keystore-explorer.sourceforge.net/downloads.php
Create a new PKCS12 keystore (.PFX) and then click Tools - Import - Key Pair - PKCS#8
Deselect encrypted Private Key and select the private key and public certificate.
Great! At this point we could use this .PFX file in another tool like Microsoft Message Analyzer but there are many great scripts and development in Wireshark. So let’s get that going!
Now right-click on the keypair and click Export and select OpenSSL.
Deselect Encrypt and select PEM.
Enter the key to Wireshark under Edit->Preferences->Protocols->SSL- >RSA keys list.
Transfer the FiddlerRootPublic.cer to the device or laptop that is going to use HTTPS. There is a different way of doing this for each one. If it is a laptop then install the certificate into Trusted Root for System manually or by Group Policy. If it is an iPad or other device, then follow appropriate directions for trusting the Root Certificate. One tool to create such a proxy profile is with the iPhone Configuration Utility. Set the system proxy of the device to be IP/port of the Fiddler proxy.
Start Wireshark on the network interface that which has the proxy port socket. Fire up the mobile device and browse or use an application. We can now inspect the communications and draw conclusions about the any problems while using the excellent statistical/inspection informational functions of both Wireshark and Fiddler!
Whew, now we can decipher all standard web traffic of a network device that trusts our proxy’s certificates, BYOD or not. Happy supercharged troubleshooting!
