
How to decrypt Smart Office’s encrypted traffic

Thibaud Lopez Schneider, Lawson Software

April 27, 2010

In this paper I will describe how to intercept and decrypt the encrypted HTTPS traffic from Lawson Smart Office which sometimes cannot be captured with Fiddler, and which is unreadable in Wireshark. This technique is useful for troubleshooting IBrix, Smart Office, Personalized Scripts, etc.


The goal is to capture IBrix traffic from Smart Office.


I followed my own instructions (although I’m not on any VPN).


But Fiddler is not capturing any IBrix traffic from Smart Office; it’s just capturing some noise. This surprises me because it used to work in the past.


I don’t know why Fiddler doesn’t capture traffic. Maybe it’s because the protocol to M3 Workplace is HTTPS and not HTTP (see screenshot here). But I think that worked in the past. Or maybe Smart Office is not using WinINet anymore (plausible; to be verified).


Wireshark correctly captures the traffic, but it’s encrypted with TLS (SSL) and unreadable.

Tip: Filter the packets to make it easier to identify Smart Office traffic, for example: tcp.port==443 and ip.addr==208.92.250.178.


I found this article on the Internet that explains how to use Wireshark to decrypt SSL. Let’s try.

http://www.novell.com/communities/node/1606/decrypting+ssl+traffic+troubleshoot+nam


And here’s some general information about SSL:

http://wiki.wireshark.org/SSL


I make sure I have the correct version of Wireshark, the one with SSL enabled. According to the article, that is the case if the settings RSA keys list and SSL debug file are present in Wireshark Preferences.


I installed OpenSSL. For Windows it can be found at:

www.openssl.org > Related > Binaries


Start capturing with Wireshark: Capture > Interfaces > Start.


Open Smart Office, log in, open the IBrix, and load some data in the IBrix. That will generate plenty of interesting traffic.


Out of curiosity, find the TLS packet that contains the Server Hello. You can sort by Protocol or by Info. The packet contains the server’s public key.


Now let’s export the server’s private key. For that we need access to the server. Go to the Smart Office IIS server, expand to Default Web Site > Properties > Directory Security > View Certificate.


Continue to Details > Copy to File, and follow the screenshots.


Run this command:

openssl pkcs12 -in CIDW82.pfx -out CIDW82.pem -nodes

Note: Be careful with the generated pem file as it contains the server’s certificate and, because of -nodes, its private key in clear text!


Go to Wireshark > Edit > Preferences > Protocols > SSL > RSA keys list. In my case it’s:

208.92.250.178,443,http,C:\THILOP\CIDW82.pem;208.92.250.118,443,http,C:\THILOP\CIDW44.pem

Click on Apply.

Actual setting for my two keys:

208.92.250.178,443,http,C:\THILOP\LAWSON~1\Products\LAWSON~2\MYDOCU~1\HOWTOD~2\CIDW82.pem;208.92.250.118,443,http,C:\THILOP\LAWSON~1\Products\LAWSON~2\MYDOCU~1\HOWTOD~2\CIDW44.pem


Make sure the SSL debug file says:

filename.pem successfully loaded


Now Wireshark is showing the decrypted HTTP packets.


Right-click on a packet > Follow SSL stream. Now we can see all the Smart Office traffic in clear text.

Next time you open Wireshark, you don’t need to do any of this again. Indeed, Wireshark has remembered the server’s private keys. So just capture the traffic as usual, and right-click > Follow SSL stream.


Conclusion

With the technique described in this paper we were able to intercept and decrypt the encrypted HTTPS traffic from Lawson Smart Office which otherwise cannot be captured with Fiddler, and which is unreadable in Wireshark. This technique is useful for troubleshooting IBrix, Smart Office, Personalized Scripts, etc.

Does that demonstrate a flaw in Smart Office?

Not at all. Smart Office relies on HTTPS which relies on SSL encryption which is secure and which itself relies on public and private keys. To decrypt the traffic, we had to export the server’s private key (which by definition is not public) and for that we had to get access to the server (which is secure). So this technique does not demonstrate any flaw.
