Immersive Labs | Cyber Million: Packet Analysis — Wireshark | Understanding Wireshark: TLS handshake | Write-Up
For any suggestions, leave a comment.
Briefing
Reading packet data in Wireshark
Wireshark is a free open-source packet analyser. Its primary uses are network troubleshooting, network analysis, software and communications protocol development, and education. The tool can capture live network traffic or analyse pre-existing capture files (PCAP and PCAPNG); it provides many additional resources too, including built-in statistics.
Wireshark makes it easy to dig into the details contained on the packets being transferred across the network. Simply click on a packet and then expand the details of the protocol information you wish to view.
HTTPS: TLS handshake
Most people understand that for us to browse the Internet securely websites must use HTTPS. What is not often understood is the underlying cryptographic protocols HTTPS uses to achieve this security. Communications over the web are secured via TLS encryption on top of the HTTP protocol, resulting in HTTPS; therefore, any website that uses HTTPS is employing TLS encryption.
Confusingly, most pieces of software (Wireshark included) use the terms SSL and SSL/TLS interchangeably, while they actually mean the TLS protocol. The TLS protocol is the newer version currently in use, whereas SSL is a now deprecated protocol which served the same purpose.
The process
A TLS handshake takes place whenever a user navigates to a site that uses HTTPS and also whenever any other communications use HTTPS; for instance, API calls and DNS over HTTPS queries. The handshake is a series of messages which are exchanged by a client and a server. It involves multiple steps and can vary depending upon the kind of key exchange and cipher suite used by both sides.
A cipher suite is a set of encryption algorithms that specify details about that particular session to establish a secure communication connection between a client and server.
The exact steps of a handshake will vary depending on the key exchange algorithm used and which cipher suites are supported by both parties. The following is a basic overview of what occurs:
Client & Server ‘Hello’
A handshake begins with a ‘ClientHello’ message to the server. This message will include information such as which TLS version the client supports, the cipher suites supported, and a random string of bytes known as ‘client random’.
Next a ‘ServerHello’ message is returned. This message contains information such as the server’s SSL certificate, its chosen cipher suite/TLS version, and the ‘server random’ string of bytes.
Certificate authentication
The certificate that the server provides must be verified against the certificate authority where it was issued. This confirms that the server is who it says it is and that the client is interacting with the correct owner of that domain.
Key exchange
During a handshake various keys are exchanged to encrypt and decrypt the actual message data exchanged by the client and server. The client first sends a random string of bytes — the ‘premaster secret’. The premaster secret is then encrypted with the public key (received via the server’s SSL certificate).
The server then uses its private key to decrypt the premaster secret. Both client and server are now happy that they are speaking with the correct person, so they generate session keys using secret bytes of data exchanged previously (‘client random’ and ‘server random’) as well as the premaster secret — resulting in them generating the same results.
Symmetric encryption achieved
Both client and server are now ready, so they send ‘finished’, encrypted with the session keys. At this stage the handshake is complete and secure communication is continued using the session keys.
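To make the key exchange and ‘finished’ steps above concrete, here is an added example (my own code, not part of the Immersive Labs briefing) that carries the derivation through with the briefing’s own terms: the premaster secret, client random and server random go into the PRF of RFC 5246 to produce the 48-byte master secret, which is then expanded into the session keys and the ‘finished’ verify data. All three input values are constructed, and the RSA encryption of the premaster secret is assumed to have already delivered the same premaster bytes to both sides. This is the TLS 1.2 (and earlier) RSA key exchange that the briefing describes; a TLS 1.3 session, which is what a TLS_AES_256_GCM_SHA384 cipher suite implies, uses an (EC)DHE key share and an HKDF-based key schedule (RFC 8446) instead, so do not expect to find an RSA-encrypted premaster secret in a TLS 1.3 capture.

```python
"""TLS 1.2 RSA-key-exchange session-key derivation (RFC 5246 section 5 and 6.3).

Added illustration: the three inputs are constructed here, not taken from the
lab's capture. The RSA step is assumed done, so both sides hold the same
premaster bytes and must arrive at identical keys.
"""
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246: expand secret/seed to `length` bytes with HMAC-SHA256."""
    out = b""
    a = seed                                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret: both sides compute this from the same three inputs."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 key_len: int = 32, iv_len: int = 4) -> dict:
    """Key block for an AEAD suite such as AES-256-GCM: no MAC keys,
    32-byte write keys and 4-byte implicit IVs for each direction.
    Note the seed order is server_random + client_random here (RFC 5246 6.3)."""
    block = prf(master, b"key expansion", server_random + client_random, 2 * (key_len + iv_len))
    keys, i = {}, 0
    for name, size in (("client_write_key", key_len), ("server_write_key", key_len),
                       ("client_write_iv", iv_len), ("server_write_iv", iv_len)):
        keys[name] = block[i:i + size]
        i += size
    return keys


def finished_verify_data(master: bytes, handshake_transcript: bytes, side: str) -> bytes:
    """12-byte verify_data carried in the 'finished' message (RFC 5246 7.4.9).
    Each side labels it with its own role, so the two values differ."""
    label = b"client finished" if side == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(handshake_transcript).digest(), 12)


# Constructed inputs (not from the lab PCAP). A real premaster secret starts with
# the client's offered version (0x0303) followed by 46 random bytes.
PREMASTER = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes([0x11]) * 32
SERVER_RANDOM = bytes([0x22]) * 32

if __name__ == "__main__":
    # Each side runs the same derivation independently and must get the same keys.
    client_ms = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_ms = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secrets match:", client_ms == server_ms)
    for name, value in session_keys(client_ms, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name}: {value.hex()}")
    print("client finished:", finished_verify_data(client_ms, b"<transcript>", "client").hex())
```

Run it with python to see the derived key material; changing any one of the three inputs changes every output, which is why a client and server that disagree on a single random byte can never decrypt each other’s ‘finished’ message.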
In this lab
In this lab we have touched on the TLS protocol and how it performs its handshake to provide secure communications between a client and a server.
However, this lab is intended to allow you to practise reading from network captures and gain familiarity with the Wireshark interface.
Having read and understood the information about TLS handshakes, have a go at reading the relevant packets used during this process within Wireshark using the PCAP on the desktop.
Although the exercise laid out provides ample opportunity to explore PCAP files, it is somewhat unrealistic. A real packet capture will have a great deal of noise generated during the capture phase. To learn how to filter out this noise and capture/display only the traffic you really want, check out the following labs:
Also check out the following lab, which takes you through one way in which an analyst can decrypt TLS encrypted traffic found within Wireshark:
Lab Solution
Tasks
I. Read and understand the briefing about the TLS handshake.
II. Open the pcap file located in the labfiles directory.
III. Using what you now know about TLS, inspect the relevant packets and answer the questions.
IV. How many cipher suites are supported in TLSv1.3 within this capture?
Answer: 4
Solution:
1. In the filter bar, apply the filter tls so that only TLS packets are shown.
2. The supported cipher suites appear in the Client Hello.
3. So, we will inspect the Client Hello packet.
4. Expand Transport Layer Security >> Handshake Protocol: Client Hello.
5. In there you will find the Cipher Suites field, which lists their number as well as their names.
V. Which cipher suite is used in the current capture?
Answer: TLS_AES_256_GCM_SHA384
Solution:
1. We have already applied the tls filter.
2. The cipher suite actually used appears in the Server Hello packet.
3. So, we will inspect the Server Hello packet.
4. Expand Transport Layer Security >> Handshake Protocol: Server Hello.
5. There we will find the Cipher Suite field, which names the cipher suite in use.
VI. What is the value of the ‘Client Random’ string of bytes?
Answer: 8147c166d51bfa4bb5e02ae1a787131d11aac6cefc7fab94c862adc8ab0cddcb
Solution:
1. View the Client Hello packet.
2. Above Cipher Suites (refer to the above tasks to see how to get there) you will find the Random field, which holds the random string of bytes.
3. Right-click on it.
4. Go to Copy; another menu will appear, where you select Value to get the complete value of the string.
VII. What is the value of the ‘Server Random’ string of bytes?
Answer: 3964dbec5022bfbd0783a15f8fd02518c8cf05be901c389b8a284639e37cdb66
Solution:
1. View the Server Hello packet.
2. Follow the above tasks for the remaining steps.
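The fields the solutions above read out of Wireshark (the client’s cipher suite list, the server’s chosen suite, and the two Random fields, exposed by Wireshark as tls.handshake.ciphersuite and tls.handshake.random) sit at fixed offsets in the Client Hello and Server Hello described in the briefing. The following is an added example, my own code rather than anything from the lab or from Wireshark, that parses those two messages from raw bytes and answers the same four questions programmatically. The two records are constructed by the build_* helpers, not copied from the lab’s PCAP, and the cipher suite values and names come from the IANA registry. One caveat worth knowing when reading a TLS 1.3 capture: the version field in the Hello body still says 1.2 (0x0303) for compatibility, and the real negotiated version lives in the supported_versions extension, which is what the parser reports.

```python
"""Parse TLS Client Hello / Server Hello records into the fields Wireshark shows
under "Handshake Protocol". Added example; the sample records are CONSTRUCTED
below, not taken from the lab's PCAP. Layouts follow RFC 5246 (record and
handshake headers) and RFC 8446 (supported_versions extension)."""
import struct

CIPHER_SUITE_NAMES = {            # IANA TLS cipher suite registry values
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
TLS13_SUITES = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}  # suites defined by RFC 8446
EXT_SUPPORTED_VERSIONS = 43
CLIENT_HELLO, SERVER_HELLO = 1, 2


def _u16(buf, i):
    return struct.unpack_from("!H", buf, i)[0], i + 2


def parse_extensions(body, i, end):
    """Return {extension_type: raw_data} for the extension block body[i:end]."""
    exts = {}
    while i < end:
        etype, i = _u16(body, i)
        elen, i = _u16(body, i)
        exts[etype] = body[i:i + elen]
        i += elen
    return exts


def parse_hello(record):
    """Parse one TLS record carrying a Client Hello or Server Hello."""
    if record[0] != 0x16:
        raise ValueError("not a Handshake record (content type 22)")
    rec_len, i = _u16(record, 3)                # skip content type + record version
    body = record[i:i + rec_len]
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if hlen + 4 != len(body):
        raise ValueError("handshake length does not match record length")
    legacy_version, j = _u16(body, 4)
    rand, j = body[j:j + 32], j + 32            # the 'Random' field Wireshark shows
    j += 1 + body[j]                            # session id (length-prefixed)
    out = {"type": htype, "legacy_version": legacy_version, "random": rand.hex()}
    if htype == CLIENT_HELLO:
        cs_len, j = _u16(body, j)
        out["cipher_suites"] = [struct.unpack_from("!H", body, j + k)[0] for k in range(0, cs_len, 2)]
        j += cs_len
        j += 1 + body[j]                        # compression methods (length-prefixed)
    elif htype == SERVER_HELLO:
        out["cipher_suite"], j = _u16(body, j)  # the single suite the server chose
        j += 1                                  # one compression method byte
    else:
        raise ValueError(f"unsupported handshake type {htype}")
    ext_len, j = _u16(body, j)
    sv = parse_extensions(body, j, j + ext_len).get(EXT_SUPPORTED_VERSIONS)
    if sv is not None:
        if htype == CLIENT_HELLO:               # 1-byte length + list of offered versions
            out["supported_versions"] = [struct.unpack_from("!H", sv, 1 + k)[0] for k in range(0, sv[0], 2)]
        else:                                   # server: exactly the selected version
            out["selected_version"] = struct.unpack_from("!H", sv, 0)[0]
    return out


def tls13_suite_count(client_hello):
    """Task IV: how many of the offered suites are TLS 1.3 suites."""
    return sum(1 for s in client_hello["cipher_suites"] if s in TLS13_SUITES)


def negotiated_version(server_hello):
    """In TLS 1.3 the real version is in supported_versions; legacy_version says 1.2."""
    return server_hello.get("selected_version", server_hello["legacy_version"])


def build_client_hello(rand, suites, versions):
    """Constructed Client Hello record (hypothetical input, not from the capture)."""
    ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext)) + ext
    body = (struct.pack("!H", 0x0303) + rand + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(rand, suite, version):
    """Constructed Server Hello record (hypothetical input, not from the capture)."""
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, version)
    body = (struct.pack("!H", 0x0303) + rand + b"\x00" + struct.pack("!H", suite) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed sample records: three TLS 1.3 suites plus two TLS 1.2 suites offered,
# server picks TLS_AES_256_GCM_SHA384 and selects TLS 1.3.
SAMPLE_CLIENT_HELLO = build_client_hello(bytes(range(32)), [0x1301, 0x1302, 0x1303, 0xC02F, 0xC030], [0x0304, 0x0303])
SAMPLE_SERVER_HELLO = build_server_hello(bytes(range(32, 64)), 0x1302, 0x0304)

if __name__ == "__main__":
    ch, sh = parse_hello(SAMPLE_CLIENT_HELLO), parse_hello(SAMPLE_SERVER_HELLO)
    print("client random:", ch["random"])
    print("offered:", [CIPHER_SUITE_NAMES.get(s, hex(s)) for s in ch["cipher_suites"]])
    print("TLS 1.3 suites offered:", tls13_suite_count(ch))
    print("server random:", sh["random"])
    print("chosen:", CIPHER_SUITE_NAMES[sh["cipher_suite"]], "version", hex(negotiated_version(sh)))
```

The constructed records are deliberately minimal (no SNI, key_share or signature_algorithms extensions), so the numbers it prints are for the sample, not the lab’s capture; to check your Wireshark reading against real traffic, feed parse_hello the raw bytes of the Client Hello and Server Hello records exported from the PCAP.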