Decrypting LDAPS traffic to Active Directory

It may be necessary as part of troubleshooting to view the LDAP traffic to Active Directory. If that traffic is encrypted (LDAPS), then extra steps must be taken to be able to view it in clear text.

To decrypt the traffic, the first step is to get the private key for the domain controller. The private key is marked as not exportable, therefore it’s not possible to use the Certificates MMC to export it. I used a tool called Jailbreak from iSecPartners (here). This ships with their own MMC that is supposed to ignore the “not exportable” flag. This didn’t work for me, though. I ended up using their jbstore command line utility to export the entire computer personal certificate store into a PKCS12/PFX file.

Use the OpenSSL utility to extract the private keys from the PKCS12 file. I transferred the file to a Linux box and used openssl there. Alternatively, you can use Cygwin or download the Windows binary from http://www.openssl.org/.

The default password for the PKCS12 store created by jbstore is password. The openssl pkcs12 export writes all private keys from the PKCS12 into keystore.pem. Simply open keystore.pem in your favorite text editor and extract the private key you need.
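The extraction step written out as an added example (this is not the post's own command; the script and its helper names are mine): a POSIX shell wrapper around openssl that exports every private key from a PKCS12/PFX store unencrypted, then splits keystore.pem into one clean PEM file per key so a single key can be pointed at from Wireshark. It assumes openssl is on the PATH and that the store password is the jbstore default of password; the demo store it builds is a constructed stand-in for the real exported computer store.

```shell
#!/bin/sh
# Added example, not from the original post: extract and split private keys
# from a PKCS12/PFX store such as the one jbstore exports.
# Assumptions: openssl on PATH; store password "password" (jbstore default,
# override with a third argument to extract_keys).
set -e

# extract_keys STORE.pfx OUT.pem [PASSWORD]
# -nocerts drops the certificates; -nodes leaves the keys unencrypted, so
# Wireshark needs no key password.
extract_keys() {
  store="$1"; out="$2"; pass="${3:-password}"
  openssl pkcs12 -in "$store" -out "$out" -nodes -nocerts -passin "pass:$pass"
}

# split_keys BUNDLE.pem DIR
# Writes DIR/key-1.pem, DIR/key-2.pem, ... each holding only the PEM block of
# one key (the "Bag Attributes" lines openssl prints are dropped), and prints
# the number of keys found.
split_keys() {
  bundle="$1"; dir="$2"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /^-----BEGIN .*PRIVATE KEY-----$/ { n++; f = dir "/key-" n ".pem" }
    f != ""                           { print > f }
    /^-----END .*PRIVATE KEY-----$/   { close(f); f = "" }
    END                               { print n + 0 }
  ' "$bundle"
}

# make_demo_store DIR
# Constructed stand-in for the exported computer store: one self-signed
# certificate and its RSA key packed into DIR/store.pfx with the jbstore
# default password. In real use the PFX comes from the domain controller.
make_demo_store() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=dc1.example.test" \
    -keyout "$dir/dc1.key" -out "$dir/dc1.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/dc1.key" -in "$dir/dc1.crt" \
    -out "$dir/store.pfx" -passout pass:password
}

# Demo run: build the store, extract, split, and report where the key landed.
work="$(mktemp -d)"
make_demo_store "$work"
extract_keys "$work/store.pfx" "$work/keystore.pem"
count="$(split_keys "$work/keystore.pem" "$work/keys")"
echo "extracted $count private key(s); first one at $work/keys/key-1.pem"
```

The split key files are what the Wireshark RSA keys list expects: a bare PEM private key with no Bag Attributes header. Two caveats worth keeping in mind: an RSA private key only decrypts sessions that negotiated RSA key exchange, so sessions using ephemeral Diffie-Hellman cipher suites will stay opaque to Wireshark even with the right key; and an exported domain controller key is as sensitive as the controller itself, so it belongs on the analysis box only for as long as the troubleshooting takes.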

Next install Wireshark. These instructions are for version 1.8.6. To use the private key for decryption:
  • Go to Edit->Preferences.
  • Expand Protocols and click on SSL.
  • Click Edit for RSA keys list.
  • Click New.
  • Enter the required information: the domain controller's IP address, the port (636 for LDAPS), the protocol (ldap), the path to the key file, and the key password.
  • If the -nodes option was specified when using the OpenSSL utility, the private key is not encrypted, so the password field is left blank.

With this in place, start a packet capture. To make life easier, set the filter to ldap. The traffic should now be visible.