Laboratory2-ITT557

The laboratory session focuses on capturing and analyzing SSL/TLS traffic, understanding the SSL/TLS handshake, and checking for server misconfigurations. Students are required to use Wireshark and wget/curl to generate and inspect SSL traffic, and to answer specific questions regarding the captured data. Additionally, students will utilize online tools to assess SSL configurations of a chosen domain, such as google.com.

LABORATORY 2

ITT 557
SSL/TLS PROTOCOL

NAME: MUHAMMAD NAFIZ IZZUDDIN BIN MOHD SAIPOL BAHARI

STUDENT ID: 2024692568


LAB OBJECTIVES
At the end of this laboratory session, students should be able to:
i. Capture and analyze SSL/TLS traffic
ii. List and understand each step in the SSL/TLS handshake
iii. Check a server for SSL misconfigurations

REQUIREMENTS
For this laboratory session, students are required to have the
following:
i. Wireshark
ii. wget/curl

INSTRUCTIONS (PART I)

FOR THIS LAB, THERE ARE 2 PARTS. PART I DEALS WITH ANALYZING SSL
PACKETS. PART II DEALS WITH CHECKING FOR ANY MISCONFIGURATION OF
SSL ON A SERVER.

STEP 1: CAPTURE A TRACE

In this step, we are required to capture SSL traffic. The easiest way for us to produce SSL
traffic is by accessing any web page over HTTPS, such as https://www.uitm.edu.my.
However, web browsers have complex behaviours that can lead to a complex trace. So
instead, we are going to use wget/curl to fetch a single HTTPS resource.

1. Close all browser tabs and windows that are not in use. We are trying to
minimize any unrelated HTTPS traffic.

2. Launch Wireshark and start a new capture.


2 | Mohd Ali Mohd Isa © 2021
3. In the Capture Filter field, enter “tcp port 443” to capture only SSL traffic, since SSL
is normally carried on port 443.

Figure 1

4. Open up a terminal or command prompt.

5. Use wget or curl to fetch a single HTTPS resource and generate SSL traffic. For this
lab, we are going to explicitly use TLS 1.0 and turn off certificate checking. Here is
the command for both wget and curl (choose either one or try both; the options take
two leading hyphens):
curl --tlsv1 --insecure https://www.uitm.edu.my > out
wget --secure-protocol=TLSv1 --no-check-certificate https://www.uitm.edu.my
6. Remember to start the capture in Wireshark before executing the curl/wget command.
Once the command has completed, stop the capture in Wireshark.

STEP 2: INSPECT A TRACE

In this step, we are going to look at the SSL packets in detail. Bear in mind that there are
several versions of SSL and TLS in use. To make sure that everyone has the
same trace for this lab exercise, we have ensured that both wget and curl use TLS
version 1.0.
7. Open up Wireshark; we should see the list of packets that have been captured.

Figure 2



8. Enter “ssl” in the filter field to show only the SSL packets.
9. We should get a list of packets similar to Figure 2. (If you do not have the Info column
in your Wireshark, it can be added by right-clicking the column header, adding a
new column and selecting the Info field.)

10. Click on a packet whose Info reads “Application Data” and expand its Secure Sockets
Layer block. Application Data is the generic TLS message type that carries the contents of the
application.

11. Based on the “TLS Record Layer” block, answer the following questions.

a. What is the content type for a record containing “Application Data”?

b. What version of TLS is being used? Justify your answer.

The TLS version used is TLS 1.2, as shown in the Wireshark packet details
where it states: "Version: TLS 1.2 (0x0303)". This hexadecimal code
0x0303 uniquely identifies the TLS 1.2 protocol.

c. Does the length cover only the payload or the Record Layer Header as well?
The length field in the TLS Record Layer covers only the payload, not the Record Layer
Header. The header itself contains metadata like the content type, version, and length, but
the length specifically refers to the encrypted application data being transmitted.

STEP 3: SSL HANDSHAKE

In our video lecture, we learnt about all the steps that take place during an SSL
handshake. Click on each step and view the resulting Transport Layer Security block.
Answer the following questions. (Provide a screenshot for your answer.)
d. In both Client Hello and Server Hello, how long in bytes is the random data?
Client Hello: 28 bytes

Server Hello: 32 bytes

e. How long in bytes is the session identifier?


f. How many suites are supported by the client?

g. Which cipher suite is selected by the server?

h. Who sends the Change Cipher Spec message: the client, the server or both?
Both client and server will send a Change Cipher Spec message.
i. What content is carried inside the Change Cipher Spec message?
There are no Change Cipher Spec Message

STEP 4: ALERT MESSAGE

Finally, among the packets listed in the capture, some are labelled as alert messages. Click on an
alert message and answer the following:
j. What is the purpose of the alert message?
To notify the peer about errors or session closure. There are two levels: warning
and fatal.

k. Is the content of alert message encrypted? Can we read the message?


If it’s after Change Cipher Spec, then yes, it’s encrypted. Otherwise, you can read it
in clear text.
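To make the record-layer and handshake fields asked about in Steps 2 to 4 concrete, here is an added example (not part of the original lab) that parses constructed TLS bytes the way Wireshark does: the 5-byte record header whose length counts only the fragment, a ClientHello with its 32-byte random (RFC 5246: 4-byte gmt_unix_time plus 28 random bytes, which is how Wireshark splits it), session ID length and cipher-suite list, and a plaintext alert as it appears before Change Cipher Spec. The sample records are constructed, not captured traffic.

```python
import struct

# Record-layer content types and protocol versions (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate"}

def parse_record(data):
    """Split one TLS record: 1-byte content type, 2-byte version, 2-byte length.
    The length counts only the fragment after the 5-byte header, not the header itself."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"content_type": CONTENT_TYPES.get(ctype, ctype),
            "version": VERSIONS.get(version, hex(version)),
            "length": length, "fragment": data[5:5 + length]}

def parse_client_hello(fragment):
    """Walk a Handshake fragment holding a ClientHello (RFC 5246, section 7.4.1.2)."""
    if fragment[0] != 1:  # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    pos = 4  # skip the 1-byte handshake type and 3-byte handshake length
    version = struct.unpack("!H", fragment[pos:pos + 2])[0]; pos += 2
    random = fragment[pos:pos + 32]; pos += 32   # gmt_unix_time (4) + random_bytes (28)
    sid_len = fragment[pos]; pos += 1            # 0 means the client is not resuming a session
    pos += sid_len                               # skip the session ID bytes themselves
    cs_len = struct.unpack("!H", fragment[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", fragment[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": VERSIONS.get(version, hex(version)), "random_len": len(random),
            "session_id_len": sid_len, "cipher_suites": suites}

def parse_alert(fragment):
    """Decode a plaintext Alert fragment: one level byte and one description byte.
    After Change Cipher Spec the fragment is ciphertext and these bytes are not readable."""
    level, desc = fragment[0], fragment[1]
    return {"level": ALERT_LEVELS.get(level, level), "description": ALERT_DESCRIPTIONS.get(desc, desc)}

# Constructed sample records: a ClientHello offering two suites with an empty session ID
# (record version TLS 1.0, client_version TLS 1.2), and an unencrypted close_notify warning.
CLIENT_HELLO_BODY = (b"\x03\x03"                    # client_version: TLS 1.2
                     + bytes(range(32))             # random: 32 bytes
                     + b"\x00"                      # session_id length: 0
                     + b"\x00\x04\xc0\x2f\x00\x2f"  # cipher_suites: 4 bytes = 2 suites
                     + b"\x01\x00")                 # compression_methods: null only
HANDSHAKE_MSG = b"\x01" + len(CLIENT_HELLO_BODY).to_bytes(3, "big") + CLIENT_HELLO_BODY
CLIENT_HELLO_RECORD = b"\x16\x03\x01" + len(HANDSHAKE_MSG).to_bytes(2, "big") + HANDSHAKE_MSG
ALERT_RECORD = b"\x15\x03\x03\x00\x02\x01\x00"

if __name__ == "__main__":
    rec = parse_record(CLIENT_HELLO_RECORD)
    print(rec["content_type"], rec["version"], "length", rec["length"], "of", len(CLIENT_HELLO_RECORD))
    print(parse_client_hello(rec["fragment"]))
    print(parse_alert(parse_record(ALERT_RECORD)["fragment"]))
```

Comparing rec["length"] with len(CLIENT_HELLO_RECORD) shows the 5-byte header is excluded from the record length, which is question c.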



BONUS
This section is for students who would like to explore the SSL/TLS protocol further.

1. Remove the “ssl” filter to see not only the SSL packets but also the other TCP
packets that are part of the connection.
2. Try to capture HTTPS packets generated by a browser instead of
using wget or curl. Notice the differences between the two kinds of traffic
generated.
3. Try to generate HTTPS traffic for SSL version 2 and 3.
4. Configure Wireshark so that it is able to look inside encrypted SSL
messages by using a key.

INSTRUCTIONS (PART II)

In this part, you are required to use the available online tools to check for any SSL
misconfiguration at the server. Below is a list of tools that you can use:

• SSL Labs - https://www.ssllabs.com/ssltest/analyze.html

• GeekFlare TLS Scanner - https://gf.dev/tls-scanner

• DigiCert - https://www.digicert.com/help/

First please choose a domain that you would like to check:

Domain name: google.com

Based on the result that you get, please answer the following questions about the chosen
domain.
A. Who is the issuer of the certificate?
Google Trust Services LLC
B. What version of the protocol is supported by the browser?
TLS 1.2, TLS 1.3
C. Are there any vulnerabilities at the server?
No major vulnerabilities, or it may mention things like weak cipher suites if found.
Finally, you can also check your browser's SSL status by visiting the following
website: https://www.howsmyssl.com/.
