How to decrypt network traffic from Infor Grid

Here is a technique to intercept and decrypt the TLS (HTTPS) network traffic from the Infor Grid using Wireshark and the server’s private keys.

Why does it matter?

This technique is useful for troubleshooting products like M3 Web Services (MWS) and Infor Process Automation (IPA) which don’t log the HTTP requests and responses in their entirety. For instance, MWS Runtime can optionally dump the SOAP requests and SOAP responses but misses the HTTP request headers and HTTP response headers, and IPA only logs the HTTP response body but misses the HTTP request’s header and body and the HTTP response header, and neither MWS nor IPA let us hook into a proxy such as Fiddler. Sometimes it’s necessary to troubleshoot the HTTP requests and responses in their entirety. For example, I’m currently troubleshooting for a customer the case of a rogue white space somewhere in a request that’s throwing a syntax error downstream in a parser, and I need to chase the bug down by analyzing the hexadecimal values of the bytes, and for that I need unencrypted traffic.

We could use Wireshark to intercept all network packets, but if the traffic is encrypted with TLS (HTTPS) it’s unreadable. In public-key cryptography, a client and server initiate a TLS connection using asymmetric cryptography, and then switch to symmetric cryptography for the rest of the session. Fortunately, the Wireshark SSL dissector can decrypt traffic if we give it the server’s private keys. I had previously shown this technique a long time ago to decrypt Lawson Smart Office traffic and more recently to intercept unencrypted IPA traffic. This time I update the technique for encrypted traffic of the Infor Grid.

Don’t get excited about hacking and don’t freak out about security because this technique is only available to those administrators that have access to the server’s private keys and passwords.

Server’s private keys and passwords

First, we will need to find the Infor Grid’s private keys and passwords. I don’t do Grid installations so I don’t know where the keys are stored (if in the same path on any Grid, or if at a path defined by the installer), nor how the keys are generated (if automatically by the Grid, or if manually by the installer). In my case, I was testing on two different Grids and I found the keys on the LifeCycle Manager (LCM) server at these two different paths:

D:\Infor\LifeCycle\<host>\grid\<grid>\grids\<grid>\secure\
E:\Infor\LifeCycle Manager\LCM-Server\grid\<grid>\keyStore\

This inconsistency tells me the path is defined by the installer.


The paths contain many files of type *.ks and *.pw. The KS file type is a keystore encrypted with a password. The PW file type is the password in clear text; it looks encrypted but it’s just a long random string in clear text. In my second Grid, there were about 50 pairs of files whose file names seem to follow a specific naming convention. That tells me the keys and passwords are generated automatically by the Grid.

Export and convert the private key

Now that we have the keystores and the passwords, we need to export the private key from the keystore and convert it to a format supported by Wireshark. For that, we can use the keytool of the JRE to export and OpenSSL to convert, or use KeyStore Explorer that will both export and convert.

Here’s with the keytool (export to PKCS12) and OpenSSL (convert to PEM). keytool prompts for the source keystore password, which is the content of the matching .pw file, and for a password for the new PKCS12 file; give the PKCS12 file that same password so that the openssl -passin file: option below can read it from the .pw file:

keytool -importkeystore -srckeystore mykeystore.ks -destkeystore myexportedkey.p12 -deststoretype PKCS12
openssl pkcs12 -in myexportedkey.p12 -out myexportedkey.pem -nocerts -nodes -passin file:mykeystore.pw


And KeyStore Explorer can export the private key directly to PEM.

Now we have a PEM file that starts with -----BEGIN PRIVATE KEY-----.
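With about 50 keystore/password pairs per Grid, converting them one by one is tedious, so here is the same two-step export as above scripted over a whole secure folder. This is an added example, not the post’s or Infor’s code: it assumes every <name>.ks sits beside its <name>.pw, that the .pw password also protects the exported PKCS12 (as the openssl command above already assumes), and that keytool and openssl are on the PATH; keytool reads the password with its :file modifier so it never appears in the process list or shell history.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

def read_keystore_password(pw_file):
    """The .pw file holds the keystore password in clear text; drop only the line ending."""
    return Path(pw_file).read_text(encoding="ascii").rstrip("\r\n")

def find_keystore_pairs(secure_dir):
    """Pair every <name>.ks with its <name>.pw; keystores without a password file are skipped."""
    pairs = []
    for ks in sorted(Path(secure_dir).glob("*.ks")):
        pw = ks.with_suffix(".pw")
        if pw.is_file():
            pairs.append((ks, pw))
    return pairs

def keystore_to_pem(ks, pw, out_dir):
    """keytool -> PKCS12, then openssl -> unencrypted PEM, exactly the two commands above.
    Assumption: the .pw password is reused for the intermediate PKCS12 file."""
    out_dir = Path(out_dir)
    p12 = out_dir / (ks.stem + ".p12")
    pem = out_dir / (ks.stem + ".pem")
    subprocess.run(["keytool", "-importkeystore", "-srckeystore", str(ks),
                    "-destkeystore", str(p12), "-deststoretype", "PKCS12",
                    "-srcstorepass:file", str(pw), "-deststorepass:file", str(pw)],
                   check=True)
    subprocess.run(["openssl", "pkcs12", "-in", str(p12), "-out", str(pem),
                    "-nocerts", "-nodes", "-passin", "file:" + str(pw)], check=True)
    p12.unlink()   # the PKCS12 is a second copy of the key; keep only the PEM Wireshark needs
    return pem

def make_sample_secure_dir():
    """Constructed stand-in for the Grid's secure folder (empty .ks files, made-up password)."""
    d = Path(tempfile.mkdtemp(prefix="grid_secure_"))
    (d / "https.ks").write_bytes(b"")
    (d / "https.pw").write_text("constructed-password-not-real\n")
    (d / "orphan.ks").write_bytes(b"")   # no matching .pw, must be skipped
    return d

if __name__ == "__main__":
    # usage: export_grid_keys.py <secure_dir> <out_dir>
    secure_dir, out_dir = sys.argv[1], sys.argv[2]
    for ks, pw in find_keystore_pairs(secure_dir):
        print(keystore_to_pem(ks, pw, out_dir))
```

Treat the output folder like the keystores themselves: the PEM files are unencrypted private keys, so delete them when the troubleshooting session is over.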

Import the private key in Wireshark

Now we import the key in Wireshark > Edit > Preferences > Protocols > SSL > RSA keys list, and set the Infor Grid server’s IP address, port, protocol (http) and private key file (PEM).

Intercept and decrypt traffic

Now we are ready to intercept and decrypt traffic, for example we can go to the Grid Management Pages with HTTPS:

Then we filter for ssl, see the decrypted traffic and the key exchange, and right-click Follow SSL Stream to read the HTTP request and response in clear text.

Summary

That was a technique to intercept and decrypt network traffic of the Infor Grid using Wireshark and the server’s private keys, which is useful for troubleshooting purposes. This technique is only available to the administrators that have access to the servers.

If you know of a simpler technique please let me know.

That’s it. Please like, comment, subscribe, share. Thank you.

Published by

thibaudatwork

M3 Technical Consultant

5 thoughts on “How to decrypt network traffic from Infor Grid”

  1. UPDATE: If I apply this technique when Wireshark is running on the server itself then Wireshark wrongly shows 0 bytes for the conversations. I don’t know if the problem is because Wireshark must run on the client and not on the server (illogical), or if it’s a lack of loopback adapter on the server (likely), or if it’s because the browser I’m using on the server uses Diffie-Hellman which is not decryptable (check with openssl s_client -connect host:port). To be continued…


  2. UPDATE: I have more information regarding my setup and why sometimes traffic cannot be decrypted.

    My setup: I imported the Infor Grid’s private key https.pem into my Wireshark RSA key list and I set the Infor Grid server’s IP address (for example 10.6.9.210), port number (for example 26108) and protocol http, as in the screenshot, then I run Wireshark on the client (for example on my laptop or on another server) next to my browser, and then I open an Infor Grid page over HTTPS in my browser (for example https://host:26108/grid/info.html), as in the screenshot. Wireshark will intercept the TLS traffic from my browser, I filter for ssl, I right-click Follow SSL stream, and Wireshark will decrypt the traffic using the server’s private key. That’s for the setup, and it works.

    Unable to decrypt: Sometimes Wireshark will be unable to decrypt, and I found two scenarios, there may be more:

    1. The first scenario is when I don’t capture or when I delete the packets for the TLS handshake for the session (Client Hello, Server Hello, Certificate, key exchange, cipher suite, etc.). Sometimes in Wireshark I make captures, I delete the captures, and I make new captures. As the browser resumes the session without renegotiating for the lifetime of the ticket, if I delete the handshake packets from my Wireshark capture, then Wireshark won’t be able to decrypt subsequent captures anymore and will show zero decrypted bytes. So when I make captures I have to ensure I also capture the TLS handshake. I couldn’t find the value of the ticket lifetime in my tests. It seems the TLS session resumption lasts less than a second, so I can just wait a minute and make a new capture.
    2. The second scenario is when the client and server negotiate a Diffie-Hellman cipher suite. DH provides perfect forward secrecy and cannot be decrypted as per http://tools.ietf.org/html/rfc4492#section-2. During my tests, my Internet Explorer 11.0.96.x negotiated an RSA cipher suite with the Infor Grid server (in my case TLS_RSA_WITH_AES_128_CBC_SHA) and Wireshark was able to decrypt it. But my Google Chrome 36.0.x negotiated a cipher suite with DH (in my case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) and Wireshark is unable to decrypt that. It seems Firefox has the ability to disable specific cipher suites (about:config > security.ssl*). Also, it seems Chromium has this ability https://code.google.com/p/chromium/issues/detail?id=58831. Opera seems to have that as well. So that’s the trick to decrypt Infor Grid traffic: use Internet Explorer or downgrade your cipher suites (remember to restore the settings).

    Note: I haven’t made a thorough review of any of what I’m writing. I’m just dumping my quick findings for my tests so I can remember next time, and so you can try for yourself.
