obtaining nimbuzz server certificate for nmdecrypt expert in NetMon

tls packet-capture network-monitoring

I'm using Network Monitor 3.4 with the nmdecrypt expert. I'm opening a nimbuzz conversation node in the conversation window and i click Expert-> nmDecrpt -> run Expert

that shows up a window where i have to add the server certificate. I am not sure how to retrieve the server certificate for nimbuzz XMPP chat service. Any idea how to do this?

this question is a follow up question of this one.

Edit for some background so it might be that this is encrypted with the server pubkey and i cannot retrieve the message, unless i debug the native binary and try to intercept the encryption code. I have a test client (using agsXMPP) that is able to connect with nimbuzz with no problems. the only thing that is not working is adding invisible mode. It seems this is some packet sent from the official client during login which i want to obtain. any suggestions to try to grab this info would be greatly appreciated. Maybe i should get myself (and learn) IDA pro?

This is what i get inspecting the TLS frames on Network Monitor:

  Frame: Number = 81, Captured Frame Length = 769, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[...],SourceAddress:[....]
+ Ipv4: Src = ..., Dest = 192.168.2.101, Next Protocol = TCP, Packet ID = 9939, Total IP Length = 755
- Tcp: Flags=...AP..., SrcPort=5222, DstPort=3578, PayloadLen=715, Seq=4101074854 - 4101075569, Ack=1127356300, Win=4050 (scale factor 0x0) = 4050
    SrcPort: 5222
    DstPort: 3578
    SequenceNumber: 4101074854 (0xF4716FA6)
    AcknowledgementNumber: 1127356300 (0x4332178C)
  + DataOffset: 80 (0x50)
  + Flags: ...AP...
    Window: 4050 (scale factor 0x0) = 4050
    Checksum: 0x8841, Good
    UrgentPointer: 0 (0x0)
    TCPPayload: SourcePort = 5222, DestinationPort = 3578
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 HandShake: Certificate.; TLS Rec Layer-3 HandShake: Server Hello Done.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 42 (0x2A)
   - SSLHandshake: SSL HandShake ServerHello(0x02)
      HandShakeType: ServerHello(0x02)
      Length: 38 (0x26)
    - ServerHello: 0x1
     + Version: TLS 1.0
     + RandomBytes: 
       SessionIDLength: 0 (0x0)
       TLSCipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA            { 0x00, 0x35 }
       CompressionMethod: 0 (0x0)
  - TlsRecordLayer: TLS Rec Layer-2 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 654 (0x28E)
   - SSLHandshake: SSL HandShake Certificate(0x0B)
      HandShakeType: Certificate(0x0B)
      Length: 650 (0x28A)
    - Cert: 0x1
       CertLength: 647 (0x287)
     - Certificates: 
        CertificateLength: 644 (0x284)
      - X509Cert: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
       + SequenceHeader: 
       - TbsCertificate: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
        + SequenceHeader: 
        + Tag0: 
        + Version: (2)
        + SerialNumber: -1018418383
        + Signature: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - Issuer: nimbuzz.com,Nimbuzz,NL
         - RdnSequence: nimbuzz.com,Nimbuzz,NL
          + SequenceOfHeader: 0x1
          + Name: NL
          + Name: Nimbuzz
          + Name: nimbuzz.com
        + Validity: From: 02/22/10 20:22:32 UTC To: 02/20/20 20:22:32 UTC
        + Subject: nimbuzz.com,Nimbuzz,NL
        - SubjectPublicKeyInfo: RsaEncryption (1.2.840.113549.1.1.1)
         + SequenceHeader: 
         + Algorithm: RsaEncryption (1.2.840.113549.1.1.1)
         - SubjectPublicKey: 
          - AsnBitStringHeader: 
           - AsnId: BitString type (Universal 3)
            - LowTag: 
               Class:    (00......) Universal (0)
               Type:     (..0.....) Primitive
               TagValue: (...00011) 3
           - AsnLen: Length = 141, LengthOfLength = 1
              LengthType: LengthOfLength = 1
              Length: 141 bytes
            BitString: 
        + Tag3: 
        + Extensions: 
       - SignatureAlgorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - SequenceHeader: 
         - AsnId: Sequence and SequenceOf types (Universal 16)
          + LowTag: 
         - AsnLen: Length = 13, LengthOfLength = 0
            Length: 13 bytes, LengthOfLength = 0
        + Algorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        - Parameters: Null Value
         - Sha1WithRSAEncryption: Null Value
          + AsnNullHeader: 
       - Signature: 
        - AsnBitStringHeader: 
         - AsnId: BitString type (Universal 3)
          - LowTag: 
             Class:    (00......) Universal (0)
             Type:     (..0.....) Primitive
             TagValue: (...00011) 3
         - AsnLen: Length = 129, LengthOfLength = 1
            LengthType: LengthOfLength = 1
            Length: 129 bytes
          BitString: 
  + TlsRecordLayer: TLS Rec Layer-3 HandShake:

Solution 1:

Unless you are the server operators for Nimbuzz, you cannot get the private key, which is required to decrypt conversations.

Related

Strange permission errors in new PostgreSQL installation
Properly configuring DNS for email sending on multi-domain hosting VPS
One Web Server Two NIC with Two Different Wan Network
ssh connection refused with out iptables rulles
Associating route 53 Nameservers with GoDaddy
Manage DNS outage
syslog-ng not flushing the pipe to external program
frox as reverse proxy?
postfix/dovecot filter who can send mail on behalf of
One IP Address two websites and SSL
php5-mysqlnd on debian wheezy/sid?
How to know which berkley db openldap is refering to?