Decrypting HTTPS on Windows in Wireshark

Captions
Hello YouTube. In this video I want to show you how you can decrypt your web pages that are HTTPS-encrypted in Wireshark. Let's examine the problem first of all, since a lot of people are curious about this. What I'm going to do here is start up Wireshark, and as soon as I've got that going I'm going to start capturing. I'm in my default profile, and I'm going to start capturing on my Ethernet interface, which is the one that's connected to the network. So I'm just going to start capturing. There we go; let me just resize this a little bit. All right, so we're just capturing packets. The next thing I'm going to do is, I've opened up a web browser right here, and I'm going to go to cellstream.com, which is our website, and that should load up here momentarily. All right, so we can see by the little lock symbol right here that this is an HTTPS exchange between my system and the server, so this has been sent to us encrypted, and this is what protects the user's data and so forth. Okay, so the page has stopped. Let's get this out of the way and stop the packet capture here.

All right, we'll jump back to the top and try to find that conversation. There are several ways to go about this; I'm going to do it the quick and dirty way. I'm going to say Find a Packet, make sure this is set to String, make sure that we are looking in the Packet bytes, and put "cellstream" there and see if it can find it. Sure enough, it has found this, and we can see there are several things going on. Obviously it went out here; let's see, do we see the Client Hello? That's what I'm looking for. The Client Hello, right there. This is where my web browser client connects to the server, the server says hello, and you can see they do a key exchange. Now let's just make sure that we're only looking at this conversation. The quick way to do this is to right-click on that Client Hello and say Conversation Filter and then TCP. That will create a filter syntax up here in the display filter, and now we're just looking at the 189 packets it took for me to get that web page on my browser. Okay, so that's a quick and dirty way, if you will, to single out a conversation so that we can look at it.

All right, so we see all of these full-size packets; these are going to be the data packets. We see TCP, so this is Ethernet, IP, TCP in the protocol model, but after that we don't see anything, and the reason for that, of course, is that the contents have been encrypted, and there's really no purpose in even trying to display this; it's all going to be just gobbledygook. So the question is, how can we decrypt this on our local machine? The answer is we need to get the keys, and we need to tell Wireshark what those keys are. So let's talk about how to do that. Now, the key for this has already happened; they already did the key exchange, so there's nothing I can do to really go backwards here. What I'm going to do is show you how to set up your system, and then of course we'll do it again, and we'll see how Wireshark can then use the key to decrypt. All right, so I'm going to actually close this, and I'm not going to save it.

Okay, so here are the steps that you need to follow. Now, this only works in Windows, and obviously we're using Windows 10; you should be able to go backwards into Windows 7, I believe this all works similarly. Here's how you do this. You click on Start, and you're going to look for a program called Environment Variables, or you're going to type the words "environment variables". Now this won't actually show up on my screen because I'm recording a different screen, but just start typing the word "environment", and one of the choices you are going to get is a choice to edit the system environment variables, and you will get this System Properties window. Again, just start typing the word "environment". Okay, and then what you want to do is click on the lower right-hand side where it says Environment Variables. You'll want to click on that, and these are your environment variables. Now every machine is going to be slightly different; it doesn't really matter. In the top area here, for user variables for your user, you're going to click New, and you're going to give this a variable name; let's call it SSLKEYLOGFILE. Okay, so just give it a title so you can easily recognize this. Then what you want to do is put in a file name and path of where you're going to keep your keys, or where you're going to want your system to save the keys when you're using your web browser. A quick little note here: this only works with Chrome and Firefox, to my knowledge. Now, I know the new version of Microsoft's web browser is based on Chromium, but I'm not sure at the time of this recording whether it will also do this, so that's something somebody may want to put in the comments. All right, so we want to put a path here, so I'm going to say C:\ and then I'm going to say keys, so I'm going to create a subdirectory called keys, and then I'm just going to call it keys.log. Okay, very important: call it keys.log, or something like mykeys.log or chromekeys.log, or whatever makes sense to you. Okay, and then we'll say OK, and what we will see right here is that that variable has now been created, and there is the path. Okay, so we want to now say OK and then OK, and now what you need to do is reboot your system so that key actually happens. So I'm going to go reboot, and then we'll pick up from there.

Okay, picking up where we left off, my system is rebooted, and I'm going to start Wireshark, and we're basically going to do the exact same procedure. All right, Wireshark has started up here, and the other thing we want to do is run our web browser and go to the CellStream website. So first let's start Wireshark capturing on the Ethernet interface right here; we'll start a capture. Okay, it's starting to capture traffic. We'll bring our web browser over here, and we'll go to cellstream.com. So this is the exact same procedure, and we'll let that page complete. You can see that the lock symbol is there. I'll just move this out of the way, and we will stop the packet capture, and like we did before, we'll locate that particular conversation. So I'm going to click on Find a Packet; it's in the Packet bytes, we're looking for a String, we're looking for "cellstream". Okay, we have found the Client Hello right here. We'll right-click on this, we want a Conversation Filter for TCP, and there we go. This is now the conversation, and again we still see that it is all encrypted.

Now let's go check to make sure that the key was saved in the log file. We're going to open up our file manager, there it is, and we'll go to the C: drive. There's the directory for keys; we'll open that up, and you can see right here there is a text document called keys, and this is the log file that we need to use. So for the next piece of this, we know we're capturing those keys now, which is great. In fact, you can open this; we can double-click, I think it'll open up, and we'll get Notepad. There you go, and you can see all these keys that are being saved. Now remember, when you go to a web page there are actually a lot of different connections that occur, so all of these things produce keys. Okay, so pretty cool. All right, so we know we have this. Now what we want to do, back in Wireshark, is tell Wireshark to be able to use these keys to decrypt. The way that you do this is you go to Edit and Preferences, and then under Protocols you'll slide this down to where it says TLS, right there, and you can input where the log file name is going to go. So you just click on Browse right here, and then we'll navigate to the C: drive, to keys, and select the keys log file and say Open. There you go; let's put that same file in there, and then we say OK. What should happen here, if this all works, is we should start to see HTTP packets, and indeed here we see HTTP. Aha! So we're not just seeing the TCP; we now see the HTTP. There's the encrypted data, and guess what, it is now decrypted, and we can see what was going on. So pretty cool, right, that we now get to see this because Wireshark is able to use those keys, and we'll see the GETs and the responses and so forth. So pretty cool that all of this is now being decrypted.

Now, you know, there are a couple of limitations to this. It's obviously being done on my machine, right? If you do a capture on your machine of something that you want to share with me, you have to be able to extract the key. What that means is you have to go into that log file and, using a text editor, you have to find that particular key, and then you need to send the key to me so that I can put that key into Wireshark and then do the decryption. So this is really a handy way for you to do it on your local machine and to see, you know, how the decryption works. I hope that helps everybody. I use this all the time, and I hope you will too when you need to decrypt that stuff. Thanks for watching.
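The last step the speaker describes, finding the one key in keys.log that belongs to a single connection so it can be sent to someone else, is what the following script does. It is an added example written for this page, not code from the video or from CellStream. It assumes the key log is in the NSS key log format that Chrome and Firefox write to SSLKEYLOGFILE and that Wireshark reads from its TLS "(Pre)-Master-Secret log filename" preference (one line per secret: a label, the 32-byte client random as 64 hex characters, then the secret as hex), and that the client random is copied from the Client Hello in Wireshark (the tls.handshake.random field), with or without colon separators. The sample key log embedded at the bottom is constructed for the demonstration and is not a real capture.

```python
"""Pull the TLS secrets for one connection out of an SSLKEYLOGFILE-style key log.

Chrome and Firefox append one line per secret in the NSS key log format:
    <LABEL> <client random as 64 hex chars> <secret as hex>
Wireshark reads that same format, so a file holding only the lines for one
connection is enough for someone else to decrypt just that connection.
"""
import re
import sys
from collections import defaultdict

# Labels defined by the NSS key log format. CLIENT_RANDOM carries the master
# secret of a TLS 1.2 (or older) session; the *_SECRET labels are written for
# TLS 1.3, and Wireshark needs the handshake and application traffic secrets
# of both directions to decrypt such a connection fully.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
REQUIRED_TLS13 = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}
KNOWN_LABELS = TLS12_LABELS | TLS13_LABELS

LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+)\s+(?P<client_random>[0-9a-fA-F]{64})\s+(?P<secret>[0-9a-fA-F]+)\s*$"
)


def normalize_random(value):
    """Accept the client random as Wireshark shows it, with or without ':' separators."""
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()


def parse_keylog(text):
    """Map each client random to its (label, secret) pairs; comments and junk lines are skipped."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None or m.group("label") not in KNOWN_LABELS:
            continue
        sessions[m.group("client_random").lower()].append(
            (m.group("label"), m.group("secret").lower())
        )
    return dict(sessions)


def extract_session(text, client_random):
    """Return only the key log lines for one connection, in the format Wireshark reads."""
    cr = normalize_random(client_random)
    return [f"{label} {cr} {secret}" for label, secret in parse_keylog(text).get(cr, [])]


def session_status(text, client_random):
    """Report whether the secrets present are enough for Wireshark to decrypt the connection."""
    labels = {label for label, _ in parse_keylog(text).get(normalize_random(client_random), [])}
    if not labels:
        return "unknown: client random not found in key log"
    if "CLIENT_RANDOM" in labels:
        return "tls1.2: master secret present"
    missing = REQUIRED_TLS13 - labels
    if missing:
        return "tls1.3: incomplete, missing " + ", ".join(sorted(missing))
    return "tls1.3: handshake and application traffic secrets present"


# Constructed sample: two connections in a Chrome-style keys.log, not a real capture.
CR_TLS12 = "11" * 32
CR_TLS13 = "22" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not copied from a real keys.log",
    f"CLIENT_RANDOM {CR_TLS12} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_TLS13} {'b4' * 32}",
    f"EXPORTER_SECRET {CR_TLS13} {'b5' * 32}",
    "this line is not in key log format and is ignored",
])


if __name__ == "__main__":
    # Usage: python keylog_extract.py C:\keys\keys.log <client random> > one_session.log
    if len(sys.argv) != 3:
        sys.exit("usage: keylog_extract.py KEYLOG CLIENT_RANDOM_HEX")
    with open(sys.argv[1], encoding="utf-8") as fh:
        keylog = fh.read()
    print(session_status(keylog, sys.argv[2]), file=sys.stderr)
    print("\n".join(extract_session(keylog, sys.argv[2])))
```

The status check matters for TLS 1.3: a TLS 1.2 connection is covered by its single CLIENT_RANDOM line, but a TLS 1.3 connection produces several lines, and sending only one of them leaves Wireshark unable to decrypt the application data. Note that the browser keeps appending to keys.log for every connection it makes, so the file itself should be treated as sensitive and the environment variable removed once you are done.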
Info
Channel: CellStream Inc
Views: 25,492
Keywords: Wireshark, CellStream, HTTPS, Decryption, Windows, Chrome
Id: JwhniGckkVM
Length: 11min 28sec (688 seconds)
Published: Sun Jul 19 2020