HTTPS Decryption with Wireshark // Website TLS Decryption

Video Statistics and Information

Captions
Chris, just before we start and get into, you know, the weeds with Wireshark, I want to ask you a really important question. Is it important for a network engineer to learn Wireshark? Or, if I'm trying to get into cyber security, I want to be a hacker type person or ethical hacker, you know, I want to be on the red team or blue team, is it important for me to learn Wireshark, and if so, why? What's your answer to that?

Absolutely, a resounding yes, David. Absolutely. What I've seen is that, especially in our industry, there is a gap, and it's so important to fully understand how TCP works, to be a master of TCP, to really understand it well, to know what's going on on the wire, looking at the protocols, knowing what looks weird. So what Wireshark does is it gives us that window into a very important data set: the packets. In fact, you might hear around the industry "packets don't lie", and that's because no one can fight with you if you see something happening on the wire. That's the truth. It's not a guess, we're not relying on another metric; right there, we saw it in the traffic. So Wireshark allows us to collect that traffic and to understand that traffic. Now, where can it send you? Basically, what I've found is there are two major ways that Wireshark is used. The first is network analysis and troubleshooting: something's broken, something's slow, let's fix it. And the other one, that's definitely gaining a lot of strength now, is using it for security and using it for incident response, looking for attacks. So either way, whichever way your career takes you, be it the Cisco route, the network engineering route, it's going to make you a better troubleshooter. You're going to be able to understand things that are going to really help you resolve problems and not just throw them over the wall at somebody else. Or, on the other side, to be able to be either a red team or a blue team, you could either look at how systems respond to a pen test, for example, or you could be looking at traffic and saying, you know, that looks like a strange flow, I think something's weird going on here, or even doing malware analysis. All that can come down to understanding how things work at the packet level, which Wireshark allows us to do.

And do you think, you know, will you be able to get a better job, or will you be able to increase your earnings if you understand Wireshark better?

Absolutely, I think so. The difference between being able to explain something from a textbook example, or really understanding the underlying protocols, how things really work. So yes, absolutely.

Yeah, I mean, that's always the problem, isn't it? Like, you do CCNA, and you and I, you know, did CCNA years ago; it gives you an idea, but it doesn't cover a lot of stuff. And you've mentioned it many times, you know, you need to understand TCP, because TCP and newer protocols, which we'll talk about in this video, that's what's happening in the real world, and CCNA can only cover that much. You really need to learn this stuff.

Everyone, it's David Bombal, back with a very interesting guest. Chris, tell us about yourself.

Hey David, it's great to be here with you. I'm really excited. I'm just a packet person, kind of like yourself, a Wireshark guy that's out there looking around YouTube and trying to make sense of all this traffic.

You're too humble, Chris. You've got a YouTube channel and I'll link that below. But tell us, you recently did a presentation. What was it? Where was it? We were kind of deciding which topic to talk about, and hopefully I can twist your arm to do both, but tell us about this presentation that you did.

Not a problem. Okay, so I've been doing Wireshark analysis and training for some time, and one thing that happened recently is I've been pivoting into cyber security and doing more analysis on attacks and how hackers do their thing and trying to catch them in the packets. So that's been a pretty interesting field of study to get into. I know I've been watching your content too, David, and that's been helping me to get up to speed. But one thing I did is I reached out to the DEF CON community, and I noticed this last year for the DEF CON conference that there were several sessions in the Packet Hacking Village, but I noticed a gap, what I thought to be a gap there, in the focus of the material, and it was specifically around TCP. So as you know, when it comes to hacking and trying to find vulnerabilities in systems, a lot of times hackers know the minutiae of how things work, right? They're getting into very complicated systems. And so I reached out to them and I said, you know, I feel like there's a bit of a gap here. There's the application, right, so hacking a web server, okay, getting in there and messing around in the code, finding vulnerabilities, and there's also the network side of things, like you just recently did one on an ARP poison. That's right. So that's really important to understand, but I saw this gap there around TCP, and I reached out and I just said, hey, would you guys like me to just do a TCP deep dive? How does TCP work? How does it look when a hacker might be enumerating a system, and how can you catch weird, right? I reached out to them and they said, let's go for it, and I went ahead and was able to do a Wireshark TCP presentation there. I was really excited.

You're making it really difficult, because I wanted to also get your TLS decryption point of view. Can you explain, you've done some content on that before, what's that about?

Absolutely, yeah. So as you know, when you start looking at things in Wireshark, a lot of times you come up with things that are encrypted, encrypted flows. It can be hard to find anything that's open anymore, like open passwords and file transfers that are easy to extract. So recently on my channel what I did is how to decrypt traffic in Wireshark, and fundamentally that comes down to being able to capture the session keys. Anymore with TLS, the way it works, especially with TLS 1.3, the point is that it's difficult to decrypt, right? That's the whole point. So to be able to decrypt it in Wireshark, the easiest way to do it is to be able to store the keys locally on the client side, or to store them server side if we have access on that side, or to do a man in the middle. So to just teach people how to do it, I went ahead and stored those keys locally on the client, and then I was able to put them in Wireshark and decrypt.

Yeah, let's start with that one, because I think that's a really interesting one, because like you said, I did this man in the middle attack on Wi-Fi using a Python script, and I'll link to that video and your full video below. But perhaps you can show us that one first, and then depending on how much time we have, we can look at weird traffic on a network. So are you up for that?

Absolutely, yeah, go for it. Okay, so to the demo. Now, this trace file, let me give you a little bit of background on how it was captured, because that's important when we're doing decryption. So all I did is I just opened up a web browser, okay, and I went out to youtube.com. That's it. But in order to be able to decrypt it, I had to capture the TLS keys. All right, so the way TLS 1.3 works is, for every new TLS handshake there's a new set of session keys that are created. There are actually five keys that are created, and we won't go down that too far, but basically it stores it in a local SSL key log file, and for each operating system you can usually get it to do it. Sometimes it gets a little tricky in terms of what browser to use. I've had the most success doing this on a Windows machine using Chrome. However, you can still do it with Linux, you can still do it with other operating systems. All the ones that I've tried have worked, but again, that's one of those things we have to consider. So what I did...

Back for people who are brand new, can you explain, just like in 30 seconds, what is SSL, what is TLS, and why is this important?

Okay, that's a great question. So basically now, I mean, most of the traffic that we're sending over the internet is encrypted, right? And even locally, a lot of times when we're using local applications, we're using encrypted traffic. So the days of HTTP and things being open and easy to analyze with Wireshark are disappearing. Our job as analysts, David, is getting harder at the packet level.

It is, yeah. When I... I had to use telnet, because telnet is clear text, but the problem is, like, if I did a man-in-the-middle attack and you're going to YouTube, what you're saying is all that traffic's encrypted, so I need to do something like you're going to demo now to try and capture the traffic from a user session.

Yeah, exactly. That's exactly it. You know, back in... years ago, telnet, everything was HTTP, everything was open, FTP. So anymore, yeah, at times we need to decrypt. So this is how we can do that with Wireshark.

So is it right to assume, like, this capture that you've done here could have been done with a man in the middle attack, or did you have to do something else? And I'm jumping the gun a bit, but can you explain, how do I get to capturing this and seeing what you're seeing? And I'm assuming that's what you're going to show us.

Yeah, no problem. So basically, yes, the answer is yes. Could it be done from a man in the middle? Sure. Would it be much harder? Yes. So the purpose of security and encryption is to make what I'm doing really hard to do. That way I can't listen in on what David's doing, even at a coffee shop. It's not as easy doing it as a man in the middle. To learn this, the simplest way would be to capture them locally from the client side, get used to how to decrypt things, and then depending on the kind of access that we have within the system, that's where we can begin to look at other locations, for example on the wire, man in the middle, or server side. So any one of those three: we either need to be on the client, on the server, or somewhere in the middle.

Yes, I've jumped the gun. So you take it away, and then hopefully at some point we can, you know, go to more like how do you do man in the middle, et cetera. Sorry, go on.

Absolutely, no problem. Okay, so first let me just back up just a moment, David. I've got to bring in my terminal. And the reason here is I just wanted you all to see, at least on a Mac system, let me pull this up for you a little bit. So this is on a Mac system, right? I didn't break out the Windows box for this conversation we're having today, but basically this is one way to do it. All I'm doing is I'm just telling my local system to export what's called this SSLKEYLOGFILE, and basically this is a variable. I'm telling my system, when you go out and you're actually creating these TLS handshakes, store the keys locally, and store them here. So for Mac, this is going to be... I'll go ahead and give you a link that you can share with the good people that shows them how to do this, either on a Mac, on Windows, or on Linux. But basically I need to be able to store those keys locally. Once I have that key log, then I can go do my packet capture of whatever it is that I want to decrypt. Okay, now Wireshark can only do decryption on certain types of applications. So HTTPS is one of them, QUIC is another, and we'll have that conversation another time. But basically you can't just decrypt anything, right? So certain applications aren't going to allow you to do that. Certain mobile apps don't store the keys locally. So very specifically, we can do this when we're doing web, so HTTPS, and when the system will store those keys locally for the browser we're going to use. Okay, so first we had to store those keys. We had to set up our system to stash those keys in our key log. The next step would be to open up a browser that supports this, which Chrome or Firefox typically do, and then we can navigate to some site out there that we want to test this out with. I went ahead and chose YouTube.

Yeah, so good job.

Once I did that with Chrome, right, I went ahead and hit YouTube, and then those keys were stored to my key log. And I can go ahead and show you over on the Windows side... maybe I'll give you, on the Windows side, I have some copy that shows you how to actually do it on the Windows side, so maybe I'll send that to you as well if it's useful.

Yeah, definitely.

But anyway, once I actually have the site up and those keys are being stored in the key log, I have to be capturing that traffic too. So there's the key, David: I need the packets and the key log from the same conversation. So that means if you're doing this key log storage on your side but you're not also capturing the packets, this won't work.

So I need to ask a question, sorry, just before we go any further. Which keys are stored in this key log? Can you explain a bit about the keys?

Sure, absolutely. So TLS is what we're using now for Transport Layer Security, right? That's what TLS means. So TCP doesn't have a mechanism to secure traffic, and for a long time applications didn't do their own security either. For example telnet, right, there wasn't any security at that level. So what was done was a new layer, if you will, was put in between those two parts of the whole chain. That's Transport Layer Security. So at first it started off as being SSL. We had SSL 1.0, 2.0, 3.0. TLS came around, you know, late 2008, '09, and then now we're at TLS 1.3. So the keys that are used by TLS are generated for every handshake that it creates, which I'm going to show you in Wireshark. I am talking about some concepts that are going to make a bit more sense once I get into the packets. But those keys are created for a session, and just like the keys to your car, they're stored... like, those are specific keys. But the thing is, imagine if you went out to your car, David, every single morning and you had to use a different key, or every time you go into your house it was a different key. That's what TLS does. It establishes a new key for every single TCP connection that you make. That's why we have to store them. It used to be that there was a master key that you could use. I could say, hey David, here's a master key, you can unlock any TLS session. This is basically the granddaddy key for everything. That was easy to break, because it was persistent, it never changed. So now with TLS 1.3, that's why we have to do this: we have to store those keys, because they change for every single TCP conversation. So hopefully that...

So when the client connects to the server, the client and the server both generate some kind of random key, is that right? Is it based off a private key, or is it just some randomized key that they exchange?

That's exactly it. So they basically exchange information that allows them to arrive at the same key on each side without passing that key to the other party. Okay, so it's a pretty complex way that they derive it, but to keep it very simple, that's basically what's done: they are able to arrive at those keys on each side without passing it to the other.

So just so you and I... let's say you and I wanted to set up a TLS session. You're the server and I'm connecting to your server as a client. You and I would exchange some information, and then we come up with a shared key that encrypts the session. Is that correct?

That's correct, exactly. So we arrive at the same key, only you didn't have to pass it to me and I didn't have to pass it to you, so that a passive listener could capture it.

It's a similar kind of concept to IPsec or VPNs, isn't it? So we're kind of exchanging some... we have some kind of mechanism, and like I understand we don't want to get into the math of it for now, but you and I exchange something securely, but we both come up with the same key without actually sending the key across the session. Is that right?

Yeah, that's the idea behind TLS 1.3. So now we don't have to... basically it's protecting the session, right? It's keeping it secure.

So that key is stored in that key file that you showed us here?

Exactly. So what I'm telling... sorry, I'm telling my system to store it locally, where if I don't tell it to do this, it could be embedded somewhere in the browser, it could be somewhere that I don't even know how to access. But in order for it to be available to me as an analyst to then be able to decrypt my packets, I need to have access to those keys. So all I'm doing is I'm just basically saying, hey system, hey environment, store those keys to this log, and then I can go in and I can decrypt my trace file using that log.

So in this example, the Wireshark capture is taking place on the client that initiated the session, because you've got the key stored locally. Is that right?

That is correct. And the reason why, David, I think this is a good place to do it from, is because this is the simplest way to learn how to do it, to start.

Yeah, I agree. I mean, we can do man in the middle and server side attacks in a separate video perhaps, but you've got to start with the basics. So, brilliant.

Yeah, and for me it's nice to be able to learn, oh okay, this is how those keys are stored, this is what they look like, this is what Wireshark's going to need in order to decrypt. Because let me just tell you, when you're learning Wireshark decryption, you're going to run into a lot of failures at the beginning, because maybe we won't have everything exactly right. But this is absolutely the simplest way to do it. So let's just assume that I have both of those pieces. Let's just back up for a second. I'm storing the keys locally, I'm telling TLS just dump them to this key log, and I start up Wireshark and I begin to capture. Then I go off to youtube.com from my browser, and then I stop the capture, and then I can load those keys into Wireshark. Okay, that's the basic process. So here you can see on my screen, hopefully I'm coming through now, you can see my Wireshark. All right, so you can see up above that this is just... is it large enough? Does it look okay?

You know, that's fine. You can see it all right, yeah.

Okay, so basically what I have to do is, just at the very beginning, as you know, Wireshark could just be a daunting thing to look at. In fact, I have a few options that I have enabled here for my security profile. Let me come over here to my "TCP plain" profile, which allows me to simplify things just a little bit, at least for my eyes. Now you might be thinking, oh wow, look at all those colors, what does all this mean, help! And that's okay, that's why I'm here. We're going to walk through this together. So at the very beginning you can see, okay, I do a YouTube DNS call. All right, I just go and knock on YouTube's door: hey YouTube, what's good? Well, first I ask DNS: hey DNS, how do I get to YouTube? DNS comes back: oh, here you go, here's YouTube's IP. Great, fantastic. So after that I go ahead and send a TCP SYN to YouTube, to that same IP. All right, just kind of fixing some of these columns. So now, to kind of simplify my view here, let's go ahead and set a filter. I'm just going to right-click packet 4, and I'm going to come down to Conversation Filter, TCP. What that will do is it will set a filter for the four-tuple of that TCP conversation. A four-tuple is the two IPs and the two TCP port numbers.

Nice.

And we can see that up top on our filter bar. I've got the IP of the client, the IP of the server, and then I've got the two ports. All good so far?

Yeah, that's correct.

All right, good. So the first thing that my machine does to YouTube is, I've got to establish a TCP connection, right? So I knock on the door, I send out a TCP SYN to port 443. 33 milliseconds later, back comes my SYN-ACK. So that's a good deal. That server has that port available and I'm able to connect at the transport layer. This is just layer 4, this is just TCP establishing the connection. Now you and I, David, can have a whole lot of conversations about what's going on in here, and what this MSS is, and this window scale factor, and SACK, and what all those things are, which, hey, that's fuel for another time.

Yeah, let me just put it this way. I'm hoping that I can twist Chris's arm to come back for many, many Wireshark videos. So if you're interested, please put in the comments below, let us know the type of stuff that you want to see. I'm going to ask him to do a detailed deep dive into TCP, which would be great. So sorry Chris, carry on.

Well, we'll see. Now that sounds like a good time, that sounds like a lot of fun. I can't miss that party. I'm not going to miss that party.

Good. It's a TCP party, right?

Well, because, and you know, just to... if I may sidebar just for a minute. I'm very passionate about network engineers learning TCP. In fact, David, your audience, coming from the networking background, even entering into the network world, TCP is a very important thing for them to learn.

It is.

Because really, I mean, throughout my career it's something that I've seen. As a network engineer, I came from the CCNA, CCNP world, that's what I started with, and I got to a point where we started to have problems on networks that from a network perspective were really difficult to troubleshoot. And these guys would come in, almost like with Superman on their chest and their capes, with these packet analyzers, and they'd start capturing this traffic and they would look over my shoulder and they would say, oh Chris, right there, the MSS is wrong. That's probably what our problem is. You know, we're running into an MTU problem. And I'm just stunned, speechless, looking at him like, I didn't know that. That was, whoa, TCP, hang on, there's a whole world here that I need to understand as well, that ultimately, David, I'm going to get blamed for. Because application people usually, you know, coders, developers, they're using TCP but they don't understand how it works. They're not deep-dive TCP people usually. So if there's a problem, they're going to kick it to the network guys and say, TCP, that's a network thing. But here we can see this is sitting on top of the network, but it's not necessarily something that I'm going to specialize in if I learned Cisco, right? So I'm very passionate about people learning that.

So absolutely, definitely get you back. Yeah, definitely get you back.

Oh, for sure. Anyway, thanks for the sidebar. Okay, TCP connection is now established: SYN, SYN-ACK, ACK, three-way handshake. Next, what happens? TLS comes in. We can see this in my protocol column: TLS 1.3. So now TLS needs to come in and say, all right, let's do our handshake, and this is where the client is going to send out that hello. And this is where, if I come down into the details here, and again, just for purposes of time, we're not going to get too crazy deep in the weeds just yet, but let's just take a look at some simple things. See, this is the weeds right there. There's a lot going on in here, but I'd like to draw your eye to something simple. Why don't we just come down to server name, the server name extension. This is called the SNI. Basically my client is saying, hey, here's a TLS handshake, who do I want to talk to? My server name, at this IP address that I'm talking to on this port, I want to talk to youtube.com. Great. Well, there are some session IDs, there's this random string, these things all matter, but basically what I'm doing is I'm saying, hey other side, let's go ahead and establish this TCP, or, sorry, TLS connection. Now the server, he comes back. TCP says, great, I got your client hello. This is an empty ACK, this is just TCP saying I got that packet. That took 32 milliseconds, which is about my network round trip time, so I'm pretty happy with that. 32 seconds... 32 milliseconds. 14 milliseconds after that, the server comes back saying, okay, great. This is TLS, this is TLS saying, hey, I'm here, this is my server hello. And right away what happens is the server basically breaks its response in two pieces. It says, okay, here's my server hello. Now, you notice the server hello is a little shorter than the client hello. The server's saying, okay, great, here's some of the key establishment stuff, wonderful, here's my supported versions, I can go ahead and do TLS 1.3. But immediately after that, I go ahead and change my cipher spec. What this means is that the server is basically saying, okay, I'm going to give you a little bit of information, just enough to establish the key pair, and now I'm going to encrypt my stuff. So in one round trip we're encrypted. From this point forward, if I do not have the keys, I do not see decrypted information. Now in this case I do have my key loaded, so what I'm going to do is I'm just going to briefly change over here, David, just so the good people can see. If I go to Default, this is just my default profile in Wireshark. The key is not loaded here. Look how this looks if I don't have that extra key information. All I see is client hello, server hello comes back, and that's it. Everything is encrypted after that.

Click on application data, let's see what you see.

Yeah, sure. There's application data, so I've got my TCP header, I've got my TLS layer there, and then encrypted application data. That's all I get.

Yeah, so that's normally what you'd see. Nothing else but just nonsense.

Yeah, exactly, it's just gibberish.

Yeah, and that's the point, right?

Yeah, exactly. So from a network analyst perspective, what do I get when I'm looking at an encrypted stream? Well, I'm going up and I can see network round trip time, I can see my client hello, I can see my server hello, I can measure that response time, so I can sort of get some idea on server delay, network round trip time. I can look for things like retransmissions or out-of-orders or TCP types of issues that can let me troubleshoot the network or troubleshoot the application. However, as you can see, I'm pretty blind here. Now, this is what I'd like you to do: keep your eye on, if we come down here, you see where it says application data? This is toward the end of what we call that TLS handshake which just happened. Let me flip back over to my other profile. I'm going to go to "TCP plain", and you notice how now I have HTTP/2, and now instead of application data, now I can see, oh, here's window update, priority, here's all these streams that are being established, here's a GET, that's an actual GET string. So here's my decompressed header. I can actually see the method that's used, the HTTP method, youtube.com. So this is now decrypted. But how did I get there? How did I go to decrypt this? Well, in this profile, under "TCP plain", what I did is I just went up to... now on Mac I go to Wireshark, Preferences. On Windows, Linux, you're going to find Preferences under the Edit menu. You're going to go to Edit and then down here, Preferences. On a Mac, Wireshark, Preferences, same thing, just two ways to get there. So what I have to do is I'm going to come down to Protocols, I'm going to expand this, I'm just going to hit the T key, and I'm going to come down here to TLS. And what I do with TLS is I literally just come down here to "(Pre)-Master-Secret log filename". This is where I hit Browse, and this is where I go ahead and I bring in that key log file that I created, where I stored those keys. All I'm doing is pointing Wireshark over there: for your decryption, go look over here.

So if you, on the bottom left where it says Hypertext Transfer Protocol 2, can you just expand that, bottom left?

Absolutely, you bet. Actually, David, that's a great question and a good place for your eyes to go, because when I first started to decrypt TLS sessions, I saw HTTP/2 and I went, oh, there's more going on beyond that lock than I thought. So it's not just HTTP 1.0 or 1.1. Now HTTP/2, or even with the next generation of HTTP, now we see HTTP/3 as well.

Can you, just for everyone's benefit, can you explain what's HTTP/2, and you mentioned HTTP/3, and I saw your file name is called QUIC. What's all that about?

Ooh, good question. Okay, so here it is, plain and simple. With HTTP/2, or actually let me back up, HTTP/1... yeah, you
Info
Channel: David Bombal
Views: 73,471
Keywords: wireshark, tls handshake, wireshark tutorial, tls decryption, ssl decryption, tls handshake explained, tls handshake wireshark, tls handshake protocol, tls 1.3, wireshark tutorial https, https, quic, ssl decrypt, tls 1.3 wireshark capture, tls 1.3 wireshark decrypt, tls handshake process, wireshark tutorial kali linux, tls decryption wireshark, ssl decryption explained, wireshark capture, tcp, wireshark packet analysis, tls encryption
Id: GMNOT1aZmD8
Length: 31min 13sec (1873 seconds)
Published: Tue Nov 23 2021