Decrypting SSL/TLS browser traffic with Wireshark (using netsh trace start)

Captions
Today I want to show you how you can decrypt TLS traffic with Wireshark. So, open a terminal here as administrator. The first thing we need to do is set this environment variable called SSLKEYLOGFILE; that will instruct any process that supports it to store the TLS session keys into this file. Let me do this for the entire machine.

After we run that command, you could actually already go ahead into Wireshark and start capturing traffic. But before I do that, I want to show you a different methodology, a tactic on Windows for how you can actually capture network traffic. There's a tool called netsh, and you can use trace start, which will actually start a network capture on Windows. So we say capture=yes and give the file we want to store the data in. That is useful, for instance, if you're in a production environment where you don't have Wireshark present: you can just use this command and capture some traffic.

Okay, the network capture is running, so let's start an instance of Chrome and just navigate to, let's say, Bing. Okay, let's select the Bing website and then stop the capture with netsh trace stop. Now you can see here that the keys were written to the file, and we also have the ETL file, the ETW trace. Wireshark cannot directly open this file, so we need to convert it to a pcap file. I use this tool called etl2pcapng, which you can find on Microsoft's GitHub. Let me show you: just go to GitHub, go to the Microsoft org and search for etl2pcapng, so you can find it here, Microsoft etl2pcapng, and you can download the latest executable right from here. Now that we have that downloaded, you just put in the two files, the trace file and the output file, which I call pcap, and it converts the file. Now you open Wireshark. So at this point you can go to a different computer; if you run a production system, you could now go to a different computer and open that file.

The traffic here is all encrypted, right, so we cannot actually see the TLS traffic. The trick now is you go into Edit, Preferences, select Protocols, expand that and search for TLS (I'll scroll down to find TLS), and here you now point to the keys file. That will do the magic and start decrypting the traffic, so you can see we have HTTP and HTTP/2 requests coming in, you get the headers, and again you can see the traffic. Okay, finally, if you actually want to unset the environment variable, you just set it back to empty. So there, it's good. Okay, I hope that was useful. Have a good day.
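The whole procedure from the video (key log variable, netsh packet trace, conversion with etl2pcapng, decryption in Wireshark) as one added PowerShell script. This is an example written for this page, not the channel's own script or a Microsoft tool: the paths under C:\Traces and C:\Tools, the Chrome and tshark install locations, the 20-second browsing window and the maxsize value are assumptions, and the two sanity checks at the end are additions the video does not show. It also handles the two failure modes a practitioner usually hits: the current shell not seeing the machine-wide variable, and an already-running Chrome instance never writing keys because the new window joins the old process.

```powershell
# Added example (not the video's own script). Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$KeyLog   = 'C:\Traces\sslkeys.txt'     # assumed: where TLS-capable processes will write session secrets
$EtlFile  = 'C:\Traces\trace.etl'       # assumed: ETW trace written by netsh
$PcapFile = 'C:\Traces\trace.pcapng'    # assumed: converted capture for Wireshark
$Etl2Pcap = 'C:\Tools\etl2pcapng.exe'   # assumed: download location of Microsoft's etl2pcapng release binary
$Chrome   = 'C:\Program Files\Google\Chrome\Application\chrome.exe'   # assumed install path
$Tshark   = 'C:\Program Files\Wireshark\tshark.exe'                    # assumed install path

New-Item -ItemType Directory -Force -Path (Split-Path $KeyLog) | Out-Null

# 1. Publish SSLKEYLOGFILE machine-wide (persisted in the registry) AND in this
#    session. Processes started later read the machine value; the shell you are
#    already in does not pick it up automatically, hence both lines.
[Environment]::SetEnvironmentVariable('SSLKEYLOGFILE', $KeyLog, 'Machine')
$env:SSLKEYLOGFILE = $KeyLog

# 2. Start the built-in packet capture. capture=yes enables packet capture,
#    tracefile= sets the ETL output, maxsize= caps the file size in MB.
netsh trace start capture=yes "tracefile=$EtlFile" maxsize=256 overwrite=yes | Out-Null

# 3. The browser must be a NEW process to inherit the variable. A second Chrome
#    window hands off to the existing browser process and logs nothing, so make
#    sure no instance is running first.
Get-Process chrome -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Process $Chrome -ArgumentList '--new-window', 'https://www.bing.com'
Start-Sleep -Seconds 20                  # assumed: enough time for the page and its subresources to load
Get-Process chrome -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Stop the trace; netsh flushes the ETL (and a .cab report) to disk.
netsh trace stop | Out-Null

# 5. Convert the ETW container to pcapng, which Wireshark can read.
& $Etl2Pcap $EtlFile $PcapFile

# 6. Remove the machine-wide setting again. Leaving it in place means every
#    process on the box that honours it keeps writing TLS secrets to a plaintext file.
[Environment]::SetEnvironmentVariable('SSLKEYLOGFILE', $null, 'Machine')
Remove-Item Env:\SSLKEYLOGFILE -ErrorAction SilentlyContinue

# Sanity checks before carrying the two files to the analysis machine.
if (-not (Test-Path $KeyLog) -or (Get-Item $KeyLog).Length -eq 0) {
    Write-Warning 'Key log is empty: the browser did not inherit SSLKEYLOGFILE (was an instance already running?).'
}
if (-not (Test-Path $PcapFile)) {
    Write-Warning 'No pcapng produced: check the etl2pcapng path and that netsh trace stop completed.'
}
# Key log lines look like "CLIENT_RANDOM <hex> <hex>" (TLS 1.2) or
# "CLIENT_HANDSHAKE_TRAFFIC_SECRET <hex> <hex>" (TLS 1.3); one line per secret.
Get-Content $KeyLog -ErrorAction SilentlyContinue | Select-Object -First 3

# 7. Decrypt from the command line. -o tls.keylog_file:... is the same setting as
#    Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename in the GUI.
& $Tshark -r $PcapFile -o "tls.keylog_file:$KeyLog" -Y 'http || http2' `
    -T fields -e frame.number -e ip.dst -e http.host -e http2.header.name -e http2.header.value
```

Two caveats worth keeping in mind. First, SSLKEYLOGFILE is honoured by Chromium- and NSS/OpenSSL-based clients (Chrome, Edge, Firefox, curl), but not by Windows Schannel, so traffic from Schannel-based programs in the same trace stays encrypted. Second, the key log plus the capture together are equivalent to the plaintext of every session recorded; treat both files as secrets, move them to the analysis machine over a trusted channel, and delete them when the investigation is done.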
Info
Channel: Embrace The Red
Views: 3,549
Id: X-J2S6lQpxc
Length: 3min 47sec (227 seconds)
Published: Tue Apr 25 2023