Tags: security, ssl, decompiling

Extract SSL info from suspicious binary


I am facing the following situation: for some reason I have to run a Linux binary provided by someone.

I can see (at least tcpdump can see it) that this binary is sending something over SSL when I run it, so I already know it's doing something it shouldn't be doing. My question: is it possible to find out what it's doing? I was thinking of going two routes:

  • Try to decompile it
  • Set up my SSL so it feeds me unencrypted traffic

I have already checked and it's statically linked, so the second option might not be possible.

I need to stress that this is a completely legitimate attempt at trying to find out what others want to find about me. Thank you for your time.


Solution

  • It's almost certainly linked with OpenSSL.

    This procedure might work:

    1. Create a new root certificate
    2. Install the root certificate into your certificate store
    3. Redirect its traffic to your receiver using host remapping or ipfw.
    4. Capture the traffic from your endpoint, re-encrypt and send to the real one.

    If it doesn't, you need to find the encryption points in the binary and intercept those calls. Kind of hard, unfortunately.
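An added example (not part of the answer above) that exercises steps 1 and 2 of this procedure on a loopback connection: it creates a private root CA and a leaf certificate, then shows that a TLS client trusting only its default store rejects the server while one with the new root installed accepts it. It assumes Python 3.7+ and the `openssl` command-line tool on PATH; the certificate names, the `handshake`/`demo` helpers and the `probe` payload are all constructed here. Whether a statically linked binary consults the store you modified (or pins its own) is exactly what decides if step 2 works against it.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_ca_and_leaf(workdir):
    """Step 1: a private root CA plus a 'localhost' leaf certificate signed by it."""
    def run(*args):
        subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Analysis Root CA", "-keyout", "ca.key", "-out", "ca.pem")
    run("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=localhost",
        "-keyout", "leaf.key", "-out", "leaf.csr")
    with open(os.path.join(workdir, "san.cnf"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    run("x509", "-req", "-days", "1", "-in", "leaf.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
        "-CAcreateserial", "-extfile", "san.cnf", "-out", "leaf.pem")
    return tuple(os.path.join(workdir, n) for n in ("ca.pem", "leaf.pem", "leaf.key"))

def handshake(certfile, keyfile, trust_store):
    """One TLS handshake over loopback. trust_store is the CA bundle the client
    verifies against (None = its default store). True if the client accepted
    the server certificate, False if verification rejected it."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1); listener.settimeout(5)
    port = listener.getsockname()[1]
    def serve():  # receiving endpoint of step 4; a rejecting client shows up here as a TLS alert
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
        except (ssl.SSLError, OSError):
            pass
    thread = threading.Thread(target=serve); thread.start()
    client_ctx = ssl.create_default_context(cafile=trust_store)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"probe")  # constructed payload; only the handshake outcome matters
            return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        thread.join(); listener.close()

def demo():
    """Same server certificate, two clients: default store only vs. our root installed (step 2)."""
    with tempfile.TemporaryDirectory() as workdir:
        ca, cert, key = make_ca_and_leaf(workdir)
        return {"default_store": handshake(cert, key, None),
                "our_root_installed": handshake(cert, key, ca)}
```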