obtaining nimbuzz server certificate for nmdecrypt expert in NetMon

Posted by lurscher on Server Fault See other posts from Server Fault or by lurscher
Published on 2012-04-13T21:18:45Z Indexed on 2012/04/13 23:32 UTC
Read the original article Hit count: 296

I'm using Network Monitor 3.4 with the nmdecrypt expert. I'm opening a nimbuzz conversation node in the conversation window and i click Expert-> nmDecrpt -> run Expert

that shows up a window where i have to add the server certificate. I am not sure how to retrieve the server certificate for nimbuzz XMPP chat service. Any idea how to do this?

this question is a follow up question of this one.

Edit for some background so it might be that this is encrypted with the server pubkey and i cannot retrieve the message, unless i debug the native binary and try to intercept the encryption code. I have a test client (using agsXMPP) that is able to connect with nimbuzz with no problems. the only thing that is not working is adding invisible mode. It seems this is some packet sent from the official client during login which i want to obtain. any suggestions to try to grab this info would be greatly appreciated. Maybe i should get myself (and learn) IDA pro?

This is what i get inspecting the TLS frames on Network Monitor:

  Frame: Number = 81, Captured Frame Length = 769, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[...],SourceAddress:[....]
+ Ipv4: Src = ..., Dest = 192.168.2.101, Next Protocol = TCP, Packet ID = 9939, Total IP Length = 755
- Tcp: Flags=...AP..., SrcPort=5222, DstPort=3578, PayloadLen=715, Seq=4101074854 - 4101075569, Ack=1127356300, Win=4050 (scale factor 0x0) = 4050
    SrcPort: 5222
    DstPort: 3578
    SequenceNumber: 4101074854 (0xF4716FA6)
    AcknowledgementNumber: 1127356300 (0x4332178C)
  + DataOffset: 80 (0x50)
  + Flags: ...AP...
    Window: 4050 (scale factor 0x0) = 4050
    Checksum: 0x8841, Good
    UrgentPointer: 0 (0x0)
    TCPPayload: SourcePort = 5222, DestinationPort = 3578
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 HandShake: Certificate.; TLS Rec Layer-3 HandShake: Server Hello Done.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 42 (0x2A)
   - SSLHandshake: SSL HandShake ServerHello(0x02)
      HandShakeType: ServerHello(0x02)
      Length: 38 (0x26)
    - ServerHello: 0x1
     + Version: TLS 1.0
     + RandomBytes: 
       SessionIDLength: 0 (0x0)
       TLSCipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA            { 0x00, 0x35 }
       CompressionMethod: 0 (0x0)
  - TlsRecordLayer: TLS Rec Layer-2 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 654 (0x28E)
   - SSLHandshake: SSL HandShake Certificate(0x0B)
      HandShakeType: Certificate(0x0B)
      Length: 650 (0x28A)
    - Cert: 0x1
       CertLength: 647 (0x287)
     - Certificates: 
        CertificateLength: 644 (0x284)
      - X509Cert: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
       + SequenceHeader: 
       - TbsCertificate: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
        + SequenceHeader: 
        + Tag0: 
        + Version: (2)
        + SerialNumber: -1018418383
        + Signature: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - Issuer: nimbuzz.com,Nimbuzz,NL
         - RdnSequence: nimbuzz.com,Nimbuzz,NL
          + SequenceOfHeader: 0x1
          + Name: NL
          + Name: Nimbuzz
          + Name: nimbuzz.com
        + Validity: From: 02/22/10 20:22:32 UTC To: 02/20/20 20:22:32 UTC
        + Subject: nimbuzz.com,Nimbuzz,NL
        - SubjectPublicKeyInfo: RsaEncryption (1.2.840.113549.1.1.1)
         + SequenceHeader: 
         + Algorithm: RsaEncryption (1.2.840.113549.1.1.1)
         - SubjectPublicKey: 
          - AsnBitStringHeader: 
           - AsnId: BitString type (Universal 3)
            - LowTag: 
               Class:    (00......) Universal (0)
               Type:     (..0.....) Primitive
               TagValue: (...00011) 3
           - AsnLen: Length = 141, LengthOfLength = 1
              LengthType: LengthOfLength = 1
              Length: 141 bytes
            BitString: 
        + Tag3: 
        + Extensions: 
       - SignatureAlgorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - SequenceHeader: 
         - AsnId: Sequence and SequenceOf types (Universal 16)
          + LowTag: 
         - AsnLen: Length = 13, LengthOfLength = 0
            Length: 13 bytes, LengthOfLength = 0
        + Algorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - Parameters: Null Value
         - Sha1WithRSAEncryption: Null Value
          + AsnNullHeader: 
       - Signature: 
        - AsnBitStringHeader: 
         - AsnId: BitString type (Universal 3)
          - LowTag: 
             Class:    (00......) Universal (0)
             Type:     (..0.....) Primitive
             TagValue: (...00011) 3
         - AsnLen: Length = 129, LengthOfLength = 1
            LengthType: LengthOfLength = 1
            Length: 129 bytes
          BitString: 
  + TlsRecordLayer: TLS Rec Layer-3 HandShake:

© Server Fault or respective owner

Related posts about network-monitoring

Related posts about tls