Decrypt TLS traffic on the client-side with Wireshark

Captions
Okay, so here is a quick demo on how to use Wireshark to decrypt traffic encrypted with the SSL protocol, also known as TLS, and therefore that includes traffic encrypted with HTTPS, because it is using TLS. Normally this sort of traffic cannot be decrypted because you don't have access to the private keys, but in this case it will work. It's not a man-in-the-middle attack, but it will work because we will be the client, so we are one end of the communication, and obviously if our browser can decrypt that then there must be other ways to decrypt that. Basically this works because during the TLS handshake the client and the server agree on a secret key which is then used to encrypt further communication. Normally this key will just be temporarily stored in memory, but there is a way to tell Windows, and subsequently to tell the browser, to store this key also in a file, and then we will feed this file to Wireshark and it can find the key in there and use it to decrypt the traffic.

So how do we do it? We go to the Control Panel of Windows. This is Windows 10, but it will work with earlier versions obviously, or future versions as well. So we go to System and then we go to Advanced system settings. We want to set a new environment variable; there's a button here, and these are the variables set for now. I need a new one, and it has to have a specific name: the name is SSLKEYLOGFILE, and then as a value it needs to have the path where to store the keys, which file to store them in. So I'm going to use this path. It doesn't have to be this path, it can be anything else, but I like this one because it's in my own folder and so other users on the machine cannot see it. So click OK here, click OK everywhere really, and that's it, we're done with the Control Panel.

Now we can open Chrome and go and visit an encrypted website. We're going to go to vsoc.napier.ac.uk. That is an encrypted connection, it is using HTTPS. It's not an authenticated one, this is why it's red and Chrome doesn't like it, but it is encrypted. So in that second between me pressing Enter in the location bar and actually seeing something on the screen, in about half a second, there has been a TLS exchange, and my browser and the server on the other side have agreed on a secret key and they are using it to encrypt everything that I'm now seeing on the screen. So as I said, this key has now been captured and is probably available in that file, on that path that we set before. To double check that, we can open that file with Notepad. So open that path, and indeed you can see here it has captured plenty of information. This is basically multiple keys that it has captured; in each one of these, somewhere, is the key. I don't necessarily want to know exactly which one of these is the key; you can look this up and you will find exactly which byte is the key and which one is the random numbers or other information that is needed. So we have confirmed that the keys are stored, the session keys that is, and therefore I can now go to Wireshark and I can tell it where to find the keys.

So I went to Edit and then Preferences, and then I open Protocols, and it's got settings for all protocols here. If you find SSL, you type the path that the key is stored in into this field. You could also click Browse, but then you're going to have to find it and so on, so I'm just pasting it from the clipboard. So apply this, OK, and now it's all set. So now what I want to do is start the capture. Started, and then I'll tab to my browser and refresh this connection. It probably did another handshake now. So let's go back to Wireshark, close this, stop this capture and go to the very top of it. We've got lots of stuff that is not relevant, and somewhere near the top you would be seeing these Client Hello packets. These are TLS v1.2 doing the original exchange that it does in the very beginning, and what we're looking to find is the last packet of the four: Server Hello, Certificate, Server Key Exchange, Server Hello Done. So I'm looking for the last one, which one could be... okay, that's probably this one, and then after that I am looking for... all right, so there's too many packets here, let me set a filter. I want to set a filter to filter SSL traffic only. Okay, now much better. So the last one is this, and then I'm looking for another... oh, Finished here. Okay, sorry, I said it wrong before: I'm looking for the last of this kind, with this info: Client Key Exchange, Change Cipher Spec, Finished. Which one is the last? Well, okay, I don't necessarily need the last, it's just easier if you find the last. Oh, then that's not a very good example anyway. Let's say that was the last, and then one after, after it has finished the exchange, I'm looking for a packet with "SSL segment of a reassembled PDU". And once you choose basically any of these, any of these would have a few extra tabs that are not always here. So see, on this packet there are no tabs here on the bottom, but on the one I'm looking for there are a few extra tabs here, and you can click the Decrypted SSL data tab and you will see decrypted data. Now I scroll down and we also see some gibberish; this is because this is probably some sort of image, so although it's decrypted it is still kind of binary, so you don't actually see it. Let's see what it is: Keep-Alive, Connection, frame, blah blah blah, software Adobe, see, so it's a binary file, okay, XMP and so on. But clearly it is decrypted, as opposed to the frame payload, which is completely encrypted and quite a bit more random. Okay, so that's that. And actually if I look more carefully into my trace I will probably be able to find the original exchange. Now there you go, so this is the original HTTP request: GET, Host, blah blah blah, and it is getting the slash of the server. I can also right click, and now I have an option, Follow SSL Stream, which I can also choose, and as you see it is the whole stream decrypted, with my images, that's a PNG file, and so on. And that's it, thank you for watching and see you in the next video.
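An added example, not code from the video: a small parser for the key log file the video opens in Notepad (the NSS key log format that SSLKEYLOGFILE produces), together with the lookup Wireshark performs from a Client Hello's 32-byte Random to the logged secret. It also accepts the TLS 1.3 per-phase labels, which go beyond the TLS v1.2 session shown in the video; the sample key log lines and the Client Hello bytes are constructed placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# NSS key log labels: CLIENT_RANDOM carries the TLS 1.2 master secret (48 bytes),
# the rest carry TLS 1.3 per-phase traffic secrets.
LABELS = {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
          "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
          "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
_LINE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)$")
KeyLog = Dict[Tuple[str, bytes], bytes]


def parse_keylog(text: str) -> KeyLog:
    """Map (label, client_random) -> secret; comments, malformed lines and
    CLIENT_RANDOM lines with a non-48-byte secret are skipped, as in Wireshark."""
    entries: KeyLog = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m or m.group(1) not in LABELS:
            continue
        label, secret = m.group(1), bytes.fromhex(m.group(3))
        if label == "CLIENT_RANDOM" and len(secret) != 48:
            continue
        entries[(label, bytes.fromhex(m.group(2)))] = secret
    return entries


def client_random_from_hello(record: bytes) -> Optional[bytes]:
    """Extract the Random from a raw TLS record holding a ClientHello: 5-byte record
    header (0x16 = handshake), 4-byte handshake header (0x01), 2-byte version, Random."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]


def secret_for_hello(entries: KeyLog, record: bytes) -> Optional[bytes]:
    """The lookup Wireshark performs: ClientHello random -> logged TLS 1.2 master secret."""
    rnd = client_random_from_hello(record)
    return entries.get(("CLIENT_RANDOM", rnd)) if rnd else None


# Constructed sample in the shape of the file the video opens in Notepad;
# the values are placeholders, not secrets from a real session.
RANDOM_A = bytes(range(32))
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'ab' * 48}\n"
    f"CLIENT_RANDOM {'ff' * 32} {'cd' * 20}\n"  # secret too short, dropped
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'11' * 32} {'22' * 32}\n"
    "not a key log line at all\n"
)
# Constructed ClientHello record prefix whose Random is RANDOM_A.
SAMPLE_HELLO = b"\x16\x03\x01\x00\x80\x01\x00\x00\x7c\x03\x03" + RANDOM_A + b"\x00"
```

Point `parse_keylog` at the real SSLKEYLOGFILE path from the video and feed it the first TLS record of a captured Client Hello to see which logged line Wireshark will pick for that session.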
Info
Channel: eliasatnapier
Views: 98,849
Id: hh9SRJpK5hI
Length: 8min 17sec (497 seconds)
Published: Sat Feb 18 2017