Determine communication between domains and application without decrypting the traffic

  • 23 April 2021

If you are not using the client and need to know exactly which domains to bypass in your SSL Decryption policy or Steering Exceptions, the following lets you quickly determine which domains to focus on.

Netskope has to decrypt the session to see the URLs inside HTTPS traffic, and Wireshark is no different: without the server's private key or the session keys, the HTTP layer of any TLS-encrypted connection stays opaque. The hostname, however, is still sent in cleartext in the Server Name Indication (SNI) extension of the TLS ClientHello, so the domains being contacted can be read straight from the capture without decrypting anything. Two caveats: a client that connects to a bare IP address sends no SNI at all, and TLS 1.3 encrypts the server's certificate but still not the SNI (unless Encrypted Client Hello is in use), so this works for TLS 1.2 and 1.3 alike.

 

To do this, capture a successful application session with Wireshark, then run the following tshark command against the PCAP to pull the server names out of the SNI extension of each ClientHello. Packets without an SNI field produce empty lines, which the sed filter drops:

 

tshark -r ~/file.pcapng -T fields -e tls.handshake.extensions_server_name | sed '/^$/d'

This produces a list similar to the example below. A name appears once per TLS connection, so repeats are normal; pipe the output through sort -u if you only want unique names:

a88.oms.opinsights.azure.com 
dc.services.visualstudio.com 
management.azure.com 
login.microsoftonline.com 
batchexplorer.azureedge.net 
management.azure.com 
raw.githubusercontent.com 
graph.windows.net 
rtgrenderingacct.eastus.batch.azure.com 
github.com 

 

This output can now be used to better inform any SSL Bypass or Steering Exceptions needed to accommodate your use case.

 

Thanks to Samuel Shiflett for the creative idea below. We can also query the Subject Alternative Name (SAN) list of a site's certificate to see which domains that certificate covers. A quick and dirty way is to use openssl as follows (on older OpenSSL releases, before 1.1.1, add -servername company.xyz so the server receives SNI and returns the right certificate):

 
echo | openssl s_client -connect company.xyz:443 | openssl x509 -noout -text | grep DNS:

 

The output looks like the following. The depth= and verify return: lines are s_client's chain-verification chatter written to stderr, which grep does not filter; the domains we care about are the entries labeled DNS: on the final line, which you can extract with your favorite editor or utility.

 

% echo | openssl s_client -connect company.xyz:443  | openssl x509 -noout -text | grep DNS:
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = "company.xyz", CN = abc.map.company.xyz
verify return:1
DONE
                DNS:   <dns output scrubbed for protection>
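As an added example, not from the original post or from Netskope, the following Python does the same job in scriptable form: it pulls the DNS: entries out of the text that openssl x509 -text prints, and it fetches the SAN list live with the standard library's ssl module. The sample output embedded in the code is constructed, modeled on the scrubbed run above, with company.xyz hostnames and an example IP address. The live helper is not exercised by the embedded sample because it needs network access; it deliberately keeps certificate verification on, because getpeercert() returns an empty dict when verification is disabled.

```python
import re
import socket
import ssl

# Constructed sample, modeled on the scrubbed run above: s_client's verification
# chatter first, then the SAN line that 'openssl x509 -text' prints.
SAMPLE_OPENSSL_OUTPUT = """\
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = "company.xyz", CN = abc.map.company.xyz
verify return:1
DONE
            X509v3 Subject Alternative Name:
                DNS:abc.map.company.xyz, DNS:*.cdn.company.xyz, DNS:company.xyz, IP Address:203.0.113.7
"""

DNS_ENTRY = re.compile(r"DNS:([^,\s]+)")


def dns_names_from_x509_text(text):
    """Extract the DNS entries from 'openssl x509 -text' output.

    Only DNS: entries are returned; IP Address:, email: and URI: SAN entries
    are not hostnames and do not belong in a domain bypass list. Wildcards
    are kept exactly as written so the reader can decide how to express them.
    """
    return sorted(set(DNS_ENTRY.findall(text)), key=str.lower)


def dns_names_from_peercert(cert):
    """Same extraction for the dict ssl.SSLSocket.getpeercert() returns, whose
    subjectAltName is a tuple of (type, value) pairs."""
    return sorted({v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"},
                  key=str.lower)


def fetch_san_dns_names(host, port=443, timeout=5.0):
    """Live equivalent of the openssl one-liner (needs network; not run by the
    sample below). server_hostname both sets SNI and enables hostname checking.
    Verification stays on on purpose: with CERT_NONE, getpeercert() returns {}
    and there is nothing to read."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dns_names_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    for name in dns_names_from_x509_text(SAMPLE_OPENSSL_OUTPUT):
        print(name)
```

Feed dns_names_from_x509_text the combined stdout of the openssl pipeline (or the raw -text output without the grep) and it ignores the verification chatter on its own; fetch_san_dns_names("company.xyz") gives the same list over a live connection.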

 

 

Credits: Samuel Shiflett, Netskope SE and DJ Koehler, Netskope SE Leader


3 replies


what is 1echo ?

Great catch.  Came from a copy paste of the line.  I will remove it 🙂

In order to suppress empty lines, "sed" did not work for me, but "where" did:

PS C:\Users\Public\netSkope> tshark -r ./nspktdump.pcap -T fields -e tls.handshake.extensions_server_name | where {$_ -ne ""}
accounts.google.com
nexusrules.officeapps.live.com
PS C:\Users\Public\netSkope>
