好使好使！

这个方法好使，很幸运我的目标就是用的openssl。
http://www.cloudshield.com/blog/advanced-malware/how-to-decrypt-openssl-sessions-using-wireshark-and-ssl-session-identifiers/
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/

How to Decrypt OpenSSL Sessions using Wireshark and SSL Session Identifiers

Among the many challenges facing malware analysts is encrypted malware traffic. Malicious software is increasingly using OpenSSL to encrypt Command and Control (C2) communication channels. Malware developers encrypt communications to hide C2 channels rendering Intrusion Detection Systems (IDS) ineffective and enabling malware to gain a foothold on server or client systems.

The malware analyst cannot determine encrypted attacker actions without decrypting the communications. Typically, decrypting network traffic using Wireshark (a free and open-source packet analyzer) requires access to the server private key and following the steps outlined in [1] and [2] in the references section at the end of this article. But, the private encryption key for malicious software is generally located on the C2 server and not available for decryption. In this situation, it is necessary to perform memory analysis on the compromised system to deliver the required details to decrypt the network traffic of command and control sessions. Here’s how to do it.
Step 1: Identify the master secret and corresponding session key

For both legitimate and dangerous traffic, during SSL session establishment, the client and server first negotiate a master secret. The master secret is used to generate the session key that is used to encrypt communications. During the initial “Server Hello” portion of the SSL handshake, the server issues a session identifier that is used the track the “master secret” [3]. The session identifier enables the client to reconnect to the SSL server and skip the computationally expensive processes of negotiating a new master secret. A sample session ID can be seen in the Wireshark output captured in Figure 1.

Figure 1: Wireshark display of a session ID

Figure 1: Wireshark display of a session ID

Without access to the private key, both the session ID and master secret are needed to decrypt a session. Fortunately for malware analysts, both the session ID and more importantly, the master secret are stored, in memory, on both the client and the server. Two approaches can be used when examining memory for a master secret. The first is to scan for the session ID directly and the master secret will typically be located in the vicinity of the session ID. The other method is to scan for the OpenSSL structure that stores the master secret and session ID. Table 1 is a memory snippet taken from a compromised system responsible for establishing the SSL session in Figure 1.

Table 1: Memory snippet containing SSL session ID
-2390h: 3B 49 F8 26 BF 5C 02 B5 28 00 00 00 00 00 00 00  ;I.&.\..(.......
-23A0h: 1A 00 0D 00 28 01 08 00 01 03 00 00 00 00 00 00  ....(...........
-23B0h: 00 00 00 00 00 00 00 00 30 00 00 00 2E 7A 39 83  ........0....z9.
-23C0h: DA 2E 1E 11 8E FD 51 77 E5 46 92 5E 55 DF E9 A2  ......Qw.F.^U...
-23D0h: BB 74 11 C0 C4 9D 10 41 CD FE A9 65 53 E9 34 39  .t.....A...eS.49
-23E0h: 1B 84 35 66 B3 E9 27 A8 04 B4 97 A6 20 00 00 00  ..5f..‘..... ...
-23F0h: 2C A8 76 1C 96 D6 62 0B 64 01 C5 C0 D4 80 A4 D3  ,.v...b.d.......
-2400h: 55 17 81 EB 53 DD 80 D6 78 6D D8 D9 3D 96 18 C3  U...S...xm..=...
-2410h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

The session ID starting with 2C A8 76 1C can be seen at offset -23F0h. The values prior to the session ID can be examined in detail by the ssl_session_st structure from openssl/ssl.h.

Table 2: SSL_session_st structure form openssl/ssl.h
struct ssl_session_st
{
    int ssl_version;    /* what ssl version session info is
                 * being kept in here? */
 
    /* only really used in SSLv2 */
    unsigned int key_arg_length;
    unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
    int master_key_length;
    unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
 
    /* session_id - valid? */
    unsigned int session_id_length;
    unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
 
    --cut—

Using the ssl_session_st structure, it is possible to identify what the memory prior to the session ID was used for. Table 3 lays out the values observed in memory with the ssl_session_st.

Table 3: Values for ssl_session_st obtained from memory
Variable     Binary     Value
int ssl_version     01 03 00 00     0x301
uint key_arg_length;     00 00 00 00     0
uchar key_arg[SSL…];     00 00 00 00 00 00 00 00     
int master_key_length;     30 00 00 00     0x30
uchar master_key[SSL..];     2E 7A 39 83 DA 2E 1E 11 8E FD 51 77 E5 46 92 5E
55 DF E9 A2 BB 74 11 C0 C4 9D 10 41 CD FE A9 65
53 E9 34 39 1B 84 35 66 B3 E9 27 A8 04 B4 97 A6     
uint session_id_length;     20 00 00 00     0x20
uchar session_id[SSL…];     2C A8 76 1C 96 D6 62 0B 64 01 C5 C0 D4 80 A4 D3
55 17 81 EB 53 DD 80 D6 78 6D D8 D9 3D 96 18 C3

Notice, the SSL version (0x301) and Session ID (2C A8 76 1C…) are consistent with the SSL handshake in Figure 1. This suggests the master key (2E 7A 39 83…) is likely to be correct also.
Step 2: Configure Wireshark to use the master secret

Once a master secret and corresponding session ID has been identified, the next step is to configure Wireshark to use the master secret. To do this, write the session ID and master key to a text file using the format:
RSA Session-ID:<SSLID> Master-Key:<MK>

The example session ID/master key combination identified in Table 3 would look like this (with the exception of being on a single line):
RSA Session-ID:2CA8761C96D6620B6401C5C0D480A4D355
  1781EB53DD80D6786DD8D93D9618C3\
Master-Key:2E7A3983DA2E1E118EFD5177E546925E55DFE9A2BB7\
  411C0C49D1041CDFEA96553E934391B843566B3E927A804B497A6

To configure Wireshark to use the master secret file, open Wireshark and select the menu option Edit->Preferences followed by Protocols->SSL. You should see the following dialog box appear.

Figure 2: Wireshark master secret configuration dialog

Figure 2: Wireshark master secret configuration dialog

Select the text file containing the master key and session id in the (Pre)-master secret log filename field.
Step 3: Decrypt the encrypted malware SSL session

Now that Wireshark is configured for decryption, you can open the packet capture (pcap) files that includes the encrypted malware SSL session and decrypt it by right clicking on the session and selecting “Follow SSL Stream”.

The YARA signature [5] can assist with finding generic session IDs within a memory dump by utilizing values commonly seen in TLS sessions. The signature identifies OpenSSL structures for encryption algorithms that have a 0x30 byte master key and 0x20 byte session identifier. It may be necessary to adjust the signature based on the system architecture, encryption algorithm and protocol being used.
rule OpenSSL_ssl_session_st : SessionKeys{
  strings:
    $struct_ssl_session_st_1 = { 03 00 00 00 00 00 00 [8] 30 00 00 00 [48] 20
    00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??}
  condition:
    any of them
}
Key Takeaway

The skillful malware analyst with access to a memory snapshot and network traffic from a compromised system can decrypt malware that utilizes OpenSSL-encrypted C2 channels without access to the malware server. While this method relies on memory artifacts and is not as reliable as having the private key, it demonstrates that once the session id and master secret are obtained, it is then possible to decrypt network communications and view the C2 actions taken by malware on a compromised system. It is important to note that obtaining a memory snapshot of a compromised system as quickly as possible increases the likelihood of obtaining the encryption key before it is overwritten in memory.

References

[1] http://blogs.technet.com/b/nettracer/archive/2010/10/01/how-to-decrypt-an-ssl-or-tls-session-by-using-wireshark.aspx
[2] http://wiki.wireshark.org/SSL
[3] http://en.wikipedia.org/wiki/Secure_Socket_Layer#Session_IDs
[4] http://www.openssl.org/
[5] http://code.google.com/p/yara-project/

Image: Fotolia.com, bofotolux
Wireshark is a registered trademark of the Wireshark Foundation
Posted on September 12, 2013 in Advanced Malware | Tags: advanced malware, c2, Command and Control, decryption, encryption, master key, master secret, memory artifact, openssl, wireshark | permalink. 10 Comments

Josh Homan
About Josh Homan
Joshua is a Senior Incident Response Analyst with 13 years of experience in information security. He has previously worked in both DoD and commercial environments focusing on incident response, penetration testing, vulnerability research, and network forensics. His current efforts involve reverse engineering of malicious software and developing custom applications to enhance network forensics capabilities.

MORE ARTICLES
[3 Ways to Meet our Malware Experts at McAfee FOCUS13] [How to Think Like a Cyber Attacker]
Latest Posts

Pick a Strategy for Dealing with BIND Vulnerabilities Pick a Strategy for Dealing with BIND Vulnerabilities
    Own your DNS before someone else does
    Expert Interview: Stopping Insidious Malware Attacks Expert Interview: Stopping Insidious Malware Attacks
    Bill Kasje talks about advanced malware orchestration and TCSO
    Keep DNS Protected With Actionable Security Insight Keep DNS Protected With Actionable Security Insight
    Understanding DNS traffic

Popular Posts

How to Decrypt OpenSSL Sessions using Wireshark and SSL Session Identifiers : (22260 Views) How to Decrypt OpenSSL Sessions using Wireshark and SSL Session Identifiers
    A tip for savvy malware analysts
    The Case for Learning Python® for Malware Analysis : (9112 Views) The Case for Learning Python® for Malware Analysis
    Why Python is the best language for fighting malware
    Phear of Phishing? : (8787 Views) Phear of Phishing?
    How to develop your own phish tests