How to Decrypt HTTPS Traffic with Wireshark // TLS Decryption // Wireshark Tutorial

Captions
Welcome back to the channel, packet heads! Great to see you back, and today I'm going to show you how you can one-way decrypt TLS in Wireshark. After all, we look at our trace files, and anymore a lot of it is encrypted. That's a good thing for security, right? But when it comes to troubleshooting and analysis it can be a real pain for us as packet people. So if you want to learn how to decrypt it, stick around.

So in this video we're going to be decrypting some TLS. If you want to follow along with me in the trace file that I'll be using, go ahead and click the link in the description down below. There you'll get both the trace file and a key log file that you're going to need in order to do this decryption. Now, while you're down there, if you like this content, go ahead and smash the like button and be sure to subscribe for when I release content like this.

So before we get into the packets, first let's talk about TLS decryption. Now, what we're going to do is a client-side capture of the session keys. So we're not talking about going to the server and getting some super secret key, nor are we talking about capturing it off the wire like a man in the middle. Instead, we're going to do this on the client side. Now, there are other ways that we could do this, but this is the simplest one for sure. Now, it's possible to do this with different operating systems and different browsers, but just to keep this video short I'm going to show you how to do it in a Windows 10 environment using the Chrome browser. It's just the one that I think I do it on the most and I've had the most success with.

So first let's set up capturing those session keys. Now here we can see we're on a Windows 10 box, and if I go ahead and go into my Control Panel I can go to my System Properties. From there I want to enable, on the client side, an environment variable. So let's go ahead and click that, and under here I can see the user variables for Chris. To configure one for you it's pretty simple: all you've got to do is just say New, and what you're going to do is you're going to say the variable name will be SSLKEYLOGFILE. So, SSLKEYLOGFILE. Under that, you're going to go ahead and let Windows know where to store the session keys. So once we activate this key log file, once I open up Chrome and start to navigate, the client will start to store the temporary session keys locally in this log file. So let's go ahead and say OK, and I'm going to close this down.

Now, to actually do our trace file: first I want to go in and take a look at that key log. So I already see some sessions being logged in this key log file, which is a good thing; you start to see that. But now let's go ahead and start up Wireshark and actually capture the packets going out to a site. So I'm going to start up Wireshark, and I'm also going to get my browser ready. Now, the site that I want to go and hit is a site that we all know and love, and that is Wireshark. So in order to start up my capture, let me go ahead and say Wi-Fi, that's my interface, and I'm going to start capturing on Start. I see some packets coming in, and I'm going to go ahead and head over in my browser, and I just want to head out to wireshark.org. Now, once I have hit wireshark.org I know that those session keys have been exchanged and established, and then I can go ahead and use those keys for later decryption.

OK, so we went ahead and launched our site. I'm going to go ahead and go back into Wireshark, and just to make sure that I captured what I think I caught, I'm going to go ahead and do a "frame contains wireshark". Now, if I see the DNS traffic as well as some TLS traffic, then I know I got what I'm interested in getting. Now, what I did for you is I went ahead and filtered down that conversation and the key log just so you have a very simple set to work with as you follow along with me. So now let's go ahead and open this up in Wireshark and take a look. So right away you can see by these packets it's a simple conversation; I've only got 89 packets here. Here I'm going out to wireshark.org.

Now, I actually have a profile in Wireshark that's called TLS, and there I like to see the server name and a handful of other things that we can go ahead and populate as we go forward. But if you notice with our TLS handshake, just to highlight a few things (we're going to talk deeper on TLS in another video), here on this trace file we can see our TCP conversation, or our handshake, get established: SYN, SYN-ACK. And let's go ahead and take a quick peek at our Client Hello. So we're going to select the Client Hello, and what I'd like to go down to is the TLS, Transport Layer Security, and this is where I can see my first TLS packet of that handshake. Now, what type is it? It's a Client Hello. Random: now, this is a session identifier, and it's interesting, you'll actually see this number if you look in your key log for this session. A couple of other quick things: if we come down to the extension Server Name, I just want to be sure that I'm knocking on the door of wireshark.org, and sure enough, there it is. Now, with TLS 1.3, let's notice something. That's all I'm going to go to on the Client Hello. If I come down to the Server Hello, now notice on the server response I do see, OK, my TCP connection was already established in the handshake; now this is the TLS part we're playing. This is my Server Hello. This is where we come down and we select our cipher suite, we say that we want to use TLS 1.3, and really the rest of the handshake is encrypted. So this is just a one-round-trip setup, a one-round-trip handshake, to get a TLS 1.3 session going.

But what we want to do is decrypt this. So how do I do that? Well, I'm going to go ahead and go up to Wireshark Preferences. Now, if you're on a Windows system you're going to find Preferences under the Edit menu, so you've got to go to Edit > Preferences. Now, from here, this is where I come down to Protocols. I'm going to go ahead and expand that, and I want to come down and find TLS. So I can hit the T key to go faster, but just for grins I'm going to go to TLS, and this is where I feed it that key log file. So Wireshark's asking me where the (Pre)-Master-Secret log filename is. So I'm going to go ahead and hit Browse, and then I'm going to select the log file, say Open, and then I just fed that log file to Wireshark. If I hit OK, now it's interesting; in the background you're going to see something a little different once you apply this log file. First of all, you notice that we have a couple of extra orange packets. Now, I went ahead and colored all packets that are a part of the TLS handshake orange. Why? I'm in my TLS profile; I want to see them as a different color. But here I can immediately see more packets there. I don't just see that Client Hello and the Server Hello; in fact, the next packet down, if I take a look at packet 7, this is where I can start to see some additional TLS 1.3 information. Now, before, this was all encrypted, but now, because we had that log file, or we had the session keys for this session, we can decrypt it. So down here the server says, OK, I'm finished, that's the end of its handshake. The client comes back and it says, all right, I'm finished too, let's go ahead and get busy. So here I can see this is HTTP/2 that was encrypted in TLS 1.3, and then I had the TCP header, IP header, and so on. Before, I didn't see this get here, but now I can actually see those application transactions. Now this is decrypted.

Now, a couple of other things to note: I also have TCP reassembly enabled here, and that's an important thing if we're taking a look at responses coming back from servers, and that's because not only are we dealing with encryption, but we're also dealing with compression. So the application is going to compress data in addition to letting TLS encrypt it. So this is what I mean: if I come down, I'm taking a look at that OK, and I can see different messages coming back, but if you jump down all the way down to packet number 57, go ahead and join me there. In this packet Wireshark reassembled the application response, and if you come down below our hexadecimal view, if you come down here in our packet bytes, you can notice that I have Decrypted TLS, Reassembled; I want to go to Uncompressed entity body, and I can see that that's 200K. Let's click that, and this is where you're going to see a bunch of good info. This was all previously compressed and encrypted between the client and the server, and now we have access to it with Wireshark.

So that is, quickly, a simple way how we can capture the session keys on a client, feed that to Wireshark, and decrypt TLS for our analysis. Thanks for stopping by the channel, and I'll see you on another video.
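The video points out that the Client Hello's Random value is what ties a session to its lines in the key log. The following added example (not from the video, and not Wireshark or Chrome code) parses the NSS key log format that Chrome writes to the SSLKEYLOGFILE path and checks, for a given Client Hello random, whether the log holds all four TLS 1.3 secrets Wireshark needs (or the single CLIENT_RANDOM line for TLS 1.2); the sample key log and its hex values are constructed.

```python
import re
from collections import defaultdict

# NSS key log format (what Chrome writes to the file named by SSLKEYLOGFILE):
# one entry per line, "<LABEL> <client_random_hex> <secret_hex>", '#' starts a comment.
_HEX = re.compile(r"^[0-9a-fA-F]+$")
# The four secrets Wireshark needs to decrypt a complete TLS 1.3 session.
TLS13_LABELS = frozenset({
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
})

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}, skipping malformed lines."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, client_random, secret = parts
        # The client random is 32 bytes, so exactly 64 hex characters.
        if len(client_random) != 64 or not _HEX.match(client_random) or not _HEX.match(secret):
            continue
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def decryptable(sessions, client_random_hex):
    """True if the log has enough material for the session whose Client Hello
    carried this random: all four TLS 1.3 secrets, or a TLS 1.2 CLIENT_RANDOM line."""
    labels = set(sessions.get(client_random_hex.lower(), {}))
    return TLS13_LABELS <= labels or "CLIENT_RANDOM" in labels

# Constructed sample: session A is complete, session B only logged its handshake
# secrets (e.g. the browser was closed mid-handshake), plus one malformed line.
RANDOM_A = "aa" * 32
RANDOM_B = "bb" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    *(f"{lbl} {RANDOM_A} {'11' * 48}" for lbl in sorted(TLS13_LABELS)),
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B} {'22' * 48}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B} {'33' * 48}",
    "EXPORTER_SECRET notahexrandom 44",  # malformed: ignored by the parser
])

if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    for r in (RANDOM_A, RANDOM_B):
        print(r[:16], "decryptable" if decryptable(sessions, r) else "missing secrets")
```

Paste the Random from a Client Hello in your own capture as the second argument to `decryptable` to confirm the key log covers that session before troubleshooting Wireshark's TLS preferences.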
Info
Channel: Chris Greer
Views: 96,290
Keywords: wireshark tutorial 2021, tls handshake, how to decrypt tls, tls decryption, tls 1.3, how tls works, decrypt network traffic, wireshark decryption, free wireshark tutorial, chris greer, decrypting traffic, wireshark tls decrypt, tls 1.3 decryption wireshark, tls decrypt, SSL decryption, tls handshake wireshark, SSL decrypt, how to decrypt https, decrypting https, decrypt wireshark traffic, wireshark tutorial, ssl decryption
Id: 5qecyZHL-GU
Length: 9min 25sec (565 seconds)
Published: Tue Feb 16 2021