How to Decrypt Lync communication using

Use Network Monitor to capture and decrypt Lync TLS traffic
Network Monitor can be run on either the Lync server or the user's computer; the guide below is for Netmon installed on the Lync server.
A. Install Network Monitor
1. Follow the steps below to install and configure the Lync parser for Network Monitor.
B. Capture the traffic
2. Start capturing traffic by clicking New Capture, then click Start.
Note: to capture the traffic properly, it is recommended to restart the Lync service first, so that the capture contains the full TLS handshake rather than an already-established session.
3. Once the capture has completed, click Stop.
4. Save the capture to the local hard disk.
C. Decrypt the traffic
5. Filter the TLS traffic by typing TLS in the Display Filter box and clicking Apply.
6. Since the capture is done on the Lync server, the result may include connections
from multiple clients to the server; the filter can be customized further to narrow
down the number of packets to be analyzed to the specific problematic client.
a. Filter by IP address:
b. Filter by session (Conversation ID)
The Conversation ID of a session can be seen in the Conv ID column.
Once the traffic has been filtered accordingly, save another copy of it to a
different location (make sure to select Displayed frames).
7. To decrypt the TLS information, we need the server certificate that was
used to encrypt it. The certificate serial number can be found in the frame
TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate. Certificate Request. Server
Hello Done.
Look at the Frame Details box in the bottom left corner and expand TLS ->
TlsRecordLayer -> SSLHandshake -> Cert:0x1.
Expand the cert, then find and write down the SerialNumber of the
certificate.
8. On the Front End server, open the Certificates MMC and select Computer Account ->
Local Computer.
Expand Personal -> Certificates and find the certificate whose serial number
matches the one from the captured traffic.
Export the certificate together with its private key in PFX format.
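The same lookup and export can be scripted instead of clicking through the MMC. The script below is an added example, not part of the original guide or of any Microsoft tooling; it assumes an elevated PowerShell session on the Front End server with the PKI module available (Windows Server 2012 or later), and the serial number, output path and password are placeholders to replace. It normalizes the serial number as Netmon displays it (spaced hex) to the form Windows stores (uppercase, no separators) before matching, and checks that a private key is actually present before attempting the export.

```powershell
# Added example (not from the original guide): locate the Lync Front End
# certificate by the serial number read from the Netmon Server Hello frame
# and export it with its private key as a PFX for Decryption Expert.
# Assumptions: run elevated on the Front End server; the serial number,
# output path and password below are placeholders you replace.

param(
    # Serial number as displayed by Netmon or the Certificates MMC.
    # Spaces, colons and case do not matter; they are normalized below.
    [string]$SerialNumber = '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff',  # placeholder
    [string]$PfxPath      = 'C:\Temp\lync-fe.pfx',                              # placeholder
    [string]$PfxPassword  = 'ChangeMe!'                                         # placeholder
)

# Normalize: Netmon shows bytes separated by spaces, the MMC shows them without;
# X509Certificate2.SerialNumber is uppercase hex with no separators.
$wanted = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()

# Search the computer's Personal store
# (Certificates MMC: Computer Account -> Local Computer -> Personal -> Certificates).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $wanted }

if (-not $cert) {
    throw "No certificate with serial $wanted in Cert:\LocalMachine\My; re-check the Server Hello frame."
}
if ($cert.Count -gt 1) {
    throw "More than one certificate matched serial $wanted; inspect the store manually."
}

# Decryption Expert needs the private key, so it must be present on this machine.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this machine."
}

Write-Host ("Found: {0}  NotAfter={1}  Thumbprint={2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint)

# Export-PfxCertificate writes the certificate together with its private key.
# It fails if the key was marked non-exportable when the certificate was requested;
# in that case the MMC export described in step 8 will not offer the key either.
$secure = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $secure -ChainOption EndEntityCertOnly | Out-Null

Write-Host "Exported $PfxPath; select this file and enter the same password in Netmon's Decryption Expert."
```

Run it as `.\Export-LyncCert.ps1 -SerialNumber '<serial from Netmon>' -PfxPath 'C:\Temp\lync-fe.pfx' -PfxPassword '<password>'`. Two points worth keeping in mind when the later decryption step produces nothing readable: the private key only recovers session keys for cipher suites that use RSA key exchange, so sessions negotiated with ephemeral Diffie-Hellman suites cannot be decrypted this way; and the capture has to include the TLS handshake, which is why the guide recommends restarting the Lync service before capturing. Treat the exported PFX as a copy of the server's private key: store it only as long as the analysis needs it and delete it afterwards.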
9. From Netmon, launch Decryption Expert.
Select the certificate, enter the password, select the output locations for the log and
the decrypted capture, and then click Start.
Once the decryption process has completed, Netmon opens the output file
automatically. Sometimes the error shown below appears instead, which means
you have to browse to and open the output file manually.
10. In the decrypted capture, you can now filter by either HTTP or SIP to see
the information as required.