Original address: http://kelvinh.github.io/blog/2014/01/12/decrypt-ssl-using-fiddler-and-wireshark/
Fiddler is a well-known debugging agent tool that can not only parse HTTP, but also resolve encrypted HTTPS traffic. Wireshark is a very powerful network packet Monitoring and Protocol analysis tool. In this article, only consider using SSL to encrypt HTTP, so the SSL and HTTPS are not strictly distinguished, although in a broad sense, it is very unreasonable to confuse the two .
See here, most people will be very confused: Fiddler can not be able to decrypt SSL traffic? Why do we need Wireshark?
Yes, in most cases, using Fiddler to decrypt SSL is sufficient, but in practice we find that Fiddler is powerless to resolve HTTP long connections. For specific applications, such as Office365 Microsoft MAPI over HTTP, it always maintains an HTTP long connection between Outlook and Office365 Exchange server, and leverages the features of the HTTP chunk. Returns a chunk when an update is available to achieve the purpose of informing outlook of changes to the server side in real time. However, Fiddler does not handle this situation well, and it is always expected to be displayed after the HTTP response is fully returned. Therefore, in the above application, fiddler not only can not display the contents of the HTTP communication in real time, but also, even after a long connection is broken, the HTTP response it displays is invalid content.
So, we think of Wireshark, which is always able to monitor network traffic in real time. However, the HTTP traffic we want to monitor is SSL-encrypted, so it must encrypt the private key of SSL traffic to decrypt this SSL traffic. Therefore, the direct interception of network traffic is not feasible, because the server side of the private key we can not get.
The combination of these two scenarios has led to our solution: to use Fiddler as an SSL proxy to provide private key, and then to use wireshark real-time monitoring to decrypt traffic.
SSL introduction and the principle of SSL proxy
SSL (Secure Socket layer) is a Netscape company designed to encrypt Internet traffic, and the latest version is renamed TLS (Transport layer Security). It uses X509 certificate encryption to ensure the confidentiality and reliability of communication. The certificates that are used by cryptography are usually issued by a third-party certification authority, which is trusted, that is, they do not use these issued certificates for eavesdropping. Based on this premise, the SSL protocol itself guarantees that, if eavesdropping occurs, the certificate used for encryption must be untrusted (unless the user adds the certificates to their list of trusted certificates).
SSL proxy-In other words, the man-in-the-middle attack is actually the case. SSL proxy, which is to replace the original server side of the certificate with its own certificate (SSL although the support of the two parties to provide certificates, but the vast majority of services that support HTTPS, are only one side authentication, that is, Server provides a certificate, does not require the client to provide a trusted certificate, So the SSL proxy only needs to replace the server-side certificate, thereby decrypting the traffic. But this way the client will find that the server-side certificate is not trusted, but because this is our own test, we need to trust the certificate generated by the agent.
Setting up the decryption environment
To use both Fiddler and Wireshark, we need two machines: Machine A runs fiddler as the Agent, Machine B runs Outlook, and the system proxy is set to machine A to bring all traffic to machine a. Then monitor with Wireshark on machine B. It is not possible to use only one machine, because the Windows version of Wireshark, by default, does not support loopback monitoring, simply speaking, is the 127.0.0.1 monitoring. It is here and here that you can see why, and how to make it loopback monitoring. The final process is as follows:
+------------+ +------------+ +-----------------+| ComputerA| Wireshark | ComputerB| | ||+---------->| +------>|exchange server ||outlook || fiddler || |+------------+ +------------+ +-----------------+
Set fiddler and export the root certificate to the trusted list
Fiddler as a tool that can proxy all HTTPS traffic, it needs to provide HTTPS certificates for all Web sites. Therefore, the most common practice is to self-sign a root certificate, and then use this root certificate to issue all domain certificates, as a client, only need to trust the root certificate. This method is also used by the popular ladder tool--goagent. However, fiddler makecert.exe does not provide a way to export the private key of its generated certificate (including the root certificate and the generated individual domain certificates), so we need to install a fiddler plugin-- Certmaker instead of fiddler as a certificate generation tool, because this tool can see private key.
The Certmaker plugin does not affect the Fiddler decryption SSL setting, it simply replaces the fiddler default certificate generation process. In Fiddler, perform the following settings:
Figure 1. SSL decryption settings, which automatically import the root certificate to the trusted list of Windows Certificate Manager
Figure 2. Open the "Allow Remote connection" option, you will need to restart Fiddler after saving
Remember, we have two machines, so the root certificate needs to be added to the trusted list on machine B. Open the Windows command line for machine B, enter certmgr Open Certificate Manager, and add the exported root certificate to the certificate under Personal and Trusted Root Certification authorities, respectively, The specific action is: Right-click on the certificate, select "All Tasks", "Import", and then select the location of the certificate storage, OK.
Export the private key for the fiddler generated certificate
After using the Certmaker plugin, we can see the private key of the Fiddler root certificate. However, it is important to note that what we need is not the private key of the Fiddler root certificate, but the private key that monitors the site. For example, if we want to monitor and https://www.example.com traffic, we need to fiddler the private key for the certificate issued for this domain . So, to do this, you need to set a property in Fiddler:
- Enter the input box in the bottom left corner of the Fiddler interface
about:config and enter
- Added to the About:config tab on the right
fiddler.certmaker.bc.LogPrivateKeys and set toTrue
Because Fiddler does not automatically generate a certificate for the HTTPS Web site that you are listening to when it is not connected, it will not generate a certificate for it until after it is connected. So, we open Wireshark, and then run Outlook, after the Exchange HTTPS server is connected, fiddler will generate a certificate for this domain, and now on its log tab you can see the certificate, which is BASE64 encoded, We copy it and save it as a file. Note: Saving directly to a file does not conform to the format of the PEM certificate file, we need to add the following separately at the beginning and end of the file:
-----BEGIN private key-----Base64private key here -----END private key---- -
Import private key to Wireshark
In Wireshark, open Edit->preferences->protocols->ssl, then click on the Edit button of the RSA keys list, click New, add a new rule, IP and port are set to agent machine A's address and ports, and then protocol is set to Http,key file to select the files we just generated, and then determine, for example:
Figure 3. Add a new SSL private key in Wireshark
OK, now in the Wireshark, is it possible to see the decrypted green HTTP traffic?
Reference
- Https://en.wikipedia.org/wiki/Secure_Sockets_Layer
- Http://wiki.wireshark.org/CaptureSetup/Loopback
- Http://www.hsc.fr/ressources/articles/win_net_srv/missing_loopback.html
- Https://fiddler2.com/add-ons
- Http://security14.blogspot.com/2010/07/how-to-use-fiddler-and-wireshark-to.html
- http://www.iprotocolsec.com/2012/11/07/wireshark%E6%8A%80%E5%B7%A7-%E8%A7%A3%E5%AF%86ssl%E5%8D%8F%E8%AE%AE/
- Https://groups.google.com/forum/#!topic/httpfiddler/lofwICmb7PQ
Decrypt SSL encrypted traffic with fiddler and Wireshark