Obtaining Nimbuzz server certificate for nmdecrypt expert in NetMon
I'm using Network Monitor 3.4 with the nmdecrypt expert. I'm opening a Nimbuzz conversation node in the conversation window and I click Expert -> nmDecrypt -> Run Expert.
That shows a window where I have to add the server certificate. I am not sure how to retrieve the server certificate for the Nimbuzz XMPP chat service. Any idea how to do this?
This question is a follow-up question of this one.
Edit for some background: so it might be that this is encrypted with the server pubkey and I cannot retrieve the message, unless I debug the native binary and try to intercept the encryption code. I have a test client (using agsXMPP) that is able to connect with Nimbuzz with no problems. The only thing that is not working is adding invisible mode. It seems this is some packet sent from the official client during login which I want to obtain. Any suggestions to try to grab this info would be greatly appreciated. Maybe I should get myself (and learn) IDA Pro?
This is what I get inspecting the TLS frames in Network Monitor:
Frame: Number = 81, Captured Frame Length = 769, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[...],SourceAddress:[....]
+ Ipv4: Src = ..., Dest = 192.168.2.101, Next Protocol = TCP, Packet ID = 9939, Total IP Length = 755
- Tcp: Flags=...AP..., SrcPort=5222, DstPort=3578, PayloadLen=715, Seq=4101074854 - 4101075569, Ack=1127356300, Win=4050 (scale factor 0x0) = 4050
SrcPort: 5222
DstPort: 3578
SequenceNumber: 4101074854 (0xF4716FA6)
AcknowledgementNumber: 1127356300 (0x4332178C)
+ DataOffset: 80 (0x50)
+ Flags: ...AP...
Window: 4050 (scale factor 0x0) = 4050
Checksum: 0x8841, Good
UrgentPointer: 0 (0x0)
TCPPayload: SourcePort = 5222, DestinationPort = 3578
TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 HandShake: Certificate.; TLS Rec Layer-3 HandShake: Server Hello Done.
- TlsRecordLayer: TLS Rec Layer-1 HandShake:
ContentType: HandShake:
- Version: TLS 1.0
Major: 3 (0x3)
Minor: 1 (0x1)
Length: 42 (0x2A)
- SSLHandshake: SSL HandShake ServerHello(0x02)
HandShakeType: ServerHello(0x02)
Length: 38 (0x26)
- ServerHello: 0x1
+ Version: TLS 1.0
+ RandomBytes:
SessionIDLength: 0 (0x0)
TLSCipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }
CompressionMethod: 0 (0x0)
- TlsRecordLayer: TLS Rec Layer-2 HandShake:
ContentType: HandShake:
- Version: TLS 1.0
Major: 3 (0x3)
Minor: 1 (0x1)
Length: 654 (0x28E)
- SSLHandshake: SSL HandShake Certificate(0x0B)
HandShakeType: Certificate(0x0B)
Length: 650 (0x28A)
- Cert: 0x1
CertLength: 647 (0x287)
- Certificates:
CertificateLength: 644 (0x284)
- X509Cert: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
+ SequenceHeader:
- TbsCertificate: Issuer: nimbuzz.com,Nimbuzz,NL, Subject: nimbuzz.com,Nimbuzz,NL
+ SequenceHeader:
+ Tag0:
+ Version: (2)
+ SerialNumber: -1018418383
+ Signature: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
- Issuer: nimbuzz.com,Nimbuzz,NL
- RdnSequence: nimbuzz.com,Nimbuzz,NL
+ SequenceOfHeader: 0x1
+ Name: NL
+ Name: Nimbuzz
+ Name: nimbuzz.com
+ Validity: From: 02/22/10 20:22:32 UTC To: 02/20/20 20:22:32 UTC
+ Subject: nimbuzz.com,Nimbuzz,NL
- SubjectPublicKeyInfo: RsaEncryption (1.2.840.113549.1.1.1)
+ SequenceHeader:
+ Algorithm: RsaEncryption (1.2.840.113549.1.1.1)
- SubjectPublicKey:
- AsnBitStringHeader:
- AsnId: BitString type (Universal 3)
- LowTag:
Class: (00......) Universal (0)
Type: (..0.....) Primitive
TagValue: (...00011) 3
- AsnLen: Length = 141, LengthOfLength = 1
LengthType: LengthOfLength = 1
Length: 141 bytes
BitString:
+ Tag3:
+ Extensions:
- SignatureAlgorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
- SequenceHeader:
- AsnId: Sequence and SequenceOf types (Universal 16)
+ LowTag:
- AsnLen: Length = 13, LengthOfLength = 0
Length: 13 bytes, LengthOfLength = 0
+ Algorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
- Parameters: Null Value
- Sha1WithRSAEncryption: Null Value
+ AsnNullHeader:
- Signature:
- AsnBitStringHeader:
- AsnId: BitString type (Universal 3)
- LowTag:
Class: (00......) Universal (0)
Type: (..0.....) Primitive
TagValue: (...00011) 3
- AsnLen: Length = 129, LengthOfLength = 1
LengthType: LengthOfLength = 1
Length: 129 bytes
BitString:
+ TlsRecordLayer: TLS Rec Layer-3 HandShake:
Solution 1:
Unless you are the server operators for Nimbuzz, you cannot get the private key, which is required to decrypt conversations.
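
Added example, not part of the original question or answer: Python that walks the server flight shown in frame 81, extracts the DER certificate (public data only) and reports whether the negotiated suite uses RSA key transport, the case where the session keys can be recovered only with the server's private key. The sample bytes are constructed to mirror the lengths in the dump and the certificate is a zero-filled placeholder; all function and variable names are this example's own.

```python
import struct

# RSA key-transport suites: the premaster secret is encrypted to the server's
# public key, so only the holder of the matching private key can recover it.
RSA_KEY_TRANSPORT = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                     0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def handshake_messages(stream: bytes):
    """Yield (msg_type, body) for each handshake message in a run of TLS records."""
    pos, buf = 0, b""
    while pos + 5 <= len(stream):
        ctype, _maj, _min, length = struct.unpack_from("!BBBH", stream, pos)
        if pos + 5 + length > len(stream):
            raise ValueError("truncated TLS record")
        if ctype == 22:                      # 22 = handshake content type
            buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        while len(buf) >= 4:                 # a message may span several records
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break
            yield buf[0], buf[4:4 + mlen]
            buf = buf[4 + mlen:]

def server_flight(stream: bytes) -> dict:
    """Return the negotiated suite and the DER certificates the server sent."""
    out = {"suite": None, "certs": []}
    for mtype, body in handshake_messages(stream):
        if mtype == 2:                       # ServerHello
            sid_len = body[34]               # follows version(2) + random(32)
            out["suite"] = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
        elif mtype == 11:                    # Certificate
            end, off = 3 + int.from_bytes(body[:3], "big"), 3
            while off < end:
                clen = int.from_bytes(body[off:off + 3], "big")
                out["certs"].append(body[off + 3:off + 3 + clen])
                off += 3 + clen
    out["rsa_key_transport"] = out["suite"] in RSA_KEY_TRANSPORT
    return out

def build_record(mtype: int, body: bytes) -> bytes:  # sample builder only
    msg = bytes([mtype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(msg).to_bytes(2, "big") + msg

# Constructed sample mirroring the record lengths in frame 81 (42, 654, 4);
# FAKE_CERT is a zero-filled placeholder, not the real Nimbuzz certificate.
FAKE_CERT = b"\x30\x82\x02\x80" + bytes(640)
SAMPLE = (build_record(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x35" + b"\x00")
          + build_record(11, (647).to_bytes(3, "big") + (644).to_bytes(3, "big") + FAKE_CERT)
          + build_record(14, b""))
```

The extracted certificate carries only the public key; a tool that decrypts a captured TLS_RSA session needs the private key that pairs with it, which never appears on the wire.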