Using tshark to Decrypt SSL/TLS Packets

I’m going to walk you through the process of decrypting SSL/TLS traffic from a pcap file with the server’s private key using tshark (the command-line version of Wireshark). You can, of course, use ssldump for the same purpose.

I assume you know how SSL/TLS works and have a basic understanding of how Wireshark works and why we use it.

I will start by capturing sample encrypted traffic that includes the handshake (the handshake must be in the capture for decryption to work later). For that purpose, we will use the openssl command to generate a server certificate and key, then run an HTTPS server with openssl’s s_server command on port 4443 (or any other port you like) using the generated certificate and key. Then we will issue a GET request to the HTTPS server with curl. In the meantime, we will capture the traffic with tshark and save it to the file ssltest.pcap. Note that decryption with the server’s private key only works when the session uses RSA key exchange; with ephemeral (EC)DHE cipher suites the private key does not recover the session keys.

At this point, we should have the file ssltest.pcap from tshark, and server.crt/server.pem from the openssl commands.

Next, we are going to read the pcap file and decode the traffic.

In the Wireshark GUI, we can use “Follow SSL Stream”, which dumps the ASCII output of the stream. How do we do the same with tshark?

You will see output similar to the following:

OS X and Android SDK

The Android SDK can be installed with Homebrew (http://brew.sh).

Then run the following to install the SDK packages:

If you don’t want the full SDK and only need “adb” and “fastboot” for Android phones, just install:

Running Ghost on Ubuntu

The Ghost blogging platform was released to the public on Oct 14, 2013. It’s a Node.js app that started out as a Kickstarter project.

Since it’s out for public download, I tried to deploy it on a droplet from Digital Ocean running Ubuntu 13.04.

Firstly, the Ubuntu repository does not have the latest version of nodejs. Ghost requires nodejs later than 0.8, while nodejs in Ubuntu is 0.68. I had to install nodejs from a PPA and later proxy it through my current nginx server.

These are the steps required to make it work
(the initial requirement is that you already have an nginx server set up and running):

  1. SSH into your machine and download the file from https://en.ghost.org/download.
  2. Unzip the file into a directory.
  3. Then run “npm install --production”
    (if you don’t have the latest version of npm, it will throw errors).
  4. In your nginx server definition, add this location:
  5. Then restart nginx and, from the Ghost installation directory, run “npm start”.
  6. You should see something like this, if everything is okay:
  7. Now try to access it through your nginx server. You should see the console logging the incoming requests.

This document is based on Ghost’s deployment guide.

HTTP and HTTPS server with Python

Later versions of Python 2 include an HTTP server module, and running the server is as simple as this:

It starts the server on port 8000 by default; to run it on a different port, just add the port number at the end of the command.

In Python 3, the module was merged into http.server, so we would call:

When we need to customize how the server behaves (e.g. to bind it to a specific IP address), we can write a very simple Python script:

If we want an HTTPS server, we need the built-in “ssl” module and wrap the httpd socket with the wrap_socket method. The certificate needs to be in PEM format (RFC 1422).

In general, we just need a socket and a handler to serve.
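The socket-plus-handler pattern above, as an added example that is not part of the original post: a custom handler, a server bound to a chosen address, and an optional TLS wrap. It uses `SSLContext.wrap_socket` rather than the module-level `ssl.wrap_socket`, which was removed in Python 3.12; the `certfile`/`keyfile` paths are assumptions (for instance the server.pem generated with openssl earlier on this page), and the demo itself only exercises the plain-HTTP path so it runs without any certificate.

```python
import ssl
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen


class HelloHandler(SimpleHTTPRequestHandler):
    """Minimal handler: answers every GET with a fixed body instead of serving files."""

    def do_GET(self):
        body = b"hello from the custom handler\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep the demo quiet; the default implementation writes every request to stderr.
        pass


def make_server(host="127.0.0.1", port=0, certfile=None, keyfile=None):
    """Bind a server on host:port (port 0 asks the OS for any free port).

    If certfile is given (assumed path to a PEM certificate, e.g. server.pem
    from the openssl steps on this page), the listening socket is wrapped so
    the server speaks TLS; keyfile may be None when the key is in certfile.
    """
    httpd = ThreadingHTTPServer((host, port), HelloHandler)
    if certfile:
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        context.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
        context.load_cert_chain(certfile, keyfile)
        httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    return httpd


def serve_in_background(httpd):
    """Run serve_forever() on a daemon thread so the caller can keep working."""
    thread = threading.Thread(target=httpd.serve_forever, daemon=True)
    thread.start()
    return thread


def fetch_plain(httpd):
    """GET / from a plain-HTTP server instance and return (status, body)."""
    host, port = httpd.server_address[:2]
    with urlopen(f"http://{host}:{port}/", timeout=5) as resp:
        return resp.status, resp.read()


def demo():
    """Start a plain-HTTP server on a free port, fetch one page, and shut it down."""
    httpd = make_server()
    serve_in_background(httpd)
    try:
        return fetch_plain(httpd)
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    print(demo())  # (200, b'hello from the custom handler\n')
```

To serve HTTPS instead, call `make_server("0.0.0.0", 4443, certfile="server.pem")` and point curl at it with `-k` (or `--cacert server.crt`), since the certificate is self-signed.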

Making SQL Queries

This article summarizes how to make SQL queries in different languages and their respective methods. Connecting to the database will not be covered here.

In the examples, we will be querying “SELECT * FROM employees where eid = and dept = ”

Building SQL statements without placeholders is not recommended; using placeholders reduces the risk of SQL injection.

Java

In Java, we can use JDBC, Hibernate, or other database frameworks to interact with databases. Generally, I prefer methods that let me bind “values” into an SQL query. With JDBC, that is PreparedStatement. There is also createStatement, where user-supplied values are inserted into the query string directly.

Basically the flow looks like this:

  1. Get a “Connection” object with DriverManager.
  2. From the “Connection” object, create a “Statement” object with the SQL statement.
  3. From the statement object, generate a “ResultSet”.
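The placeholder advice above and the connection, statement, result-set flow, as an added example that is not part of the original post. It uses Python’s built-in sqlite3 module with a constructed in-memory employees table (the three rows are made up) so it runs offline; the same contrast applies to JDBC createStatement versus PreparedStatement, or to the PHP extensions below. The unsafe function exists only to show why the page recommends placeholders: the interpolated value rewrites the query, while the bound value cannot.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory employees table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (eid INTEGER, dept TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "eng", "alice"), (2, "eng", "bob"), (3, "hr", "carol")],
    )
    conn.commit()
    return conn


def query_unsafe(conn, eid, dept):
    """Vulnerable form: values are pasted into the SQL text.

    This mirrors JDBC createStatement with string concatenation. Any quote
    characters in dept become part of the statement's structure.
    """
    sql = "SELECT name FROM employees WHERE eid = %s AND dept = '%s'" % (eid, dept)
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, eid, dept):
    """Placeholder form: the statement is fixed and values are bound separately.

    This mirrors JDBC PreparedStatement (or PDO/mysqli prepared statements):
    whatever dept contains is compared as data, never parsed as SQL.
    """
    sql = "SELECT name FROM employees WHERE eid = ? AND dept = ?"
    return [row[0] for row in conn.execute(sql, (eid, dept))]


def demo():
    """Run the same lookup both ways with a benign and a hostile dept value."""
    conn = build_db()
    hostile = "eng' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    return {
        "safe_benign": query_safe(conn, 1, "eng"),
        "unsafe_benign": query_unsafe(conn, 1, "eng"),
        "safe_hostile": query_safe(conn, 1, hostile),      # no such dept: empty
        "unsafe_hostile": query_unsafe(conn, 1, hostile),  # WHERE clause now matches every row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The detection angle is the same across languages: a query whose shape depends on its input (string concatenation, `%` formatting, f-strings) is the thing to look for in review; a query with a fixed text and a separate parameter tuple is not.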

PHP

PHP has more ways to interact with a database, depending on which modules the PHP interpreter is built with. We can use the MySQL extension, the PostgreSQL extension, or ADODB or PDO as generic abstraction interfaces.

With mysqli extension

NOTE: Why mysqli instead of the mysql extension? For MySQL v4.1.3 and above, the PHP manual recommends mysqli, which is the improved version.

With PostgreSQL extension

With ADODB

With PDO