Original address: http://article.yeeyan.org/view/530101/444688
1. Introduction
I assume that anyone reading this article already uses the popular packet-capture tool Wireshark, whether to capture network traffic for troubleshooting or for other purposes you understand well enough.
Generally, Wireshark gives us little trouble when we capture packets for analysis. The trouble starts when the traffic is protected by SSL/TLS or another form of encryption: then we are often helpless. In the past, if we had the server's private key, we could hand it to Wireshark and it would decrypt the session, but that only worked because the RSA key exchange was in use: the client encrypts the premaster secret with the server's RSA public key, so whoever holds the private key can recover the session keys. Now that we have embraced Perfect Forward Secrecy (PFS), this approach no longer works. With forward secrecy the session keys are derived from ephemeral (EC)DHE key pairs that are generated for each handshake and discarded afterwards; the server's long-term private key only signs the handshake, so it cannot be used to recover the session keys the way it could in the RSA era. That is quite annoying.
2. Session key logging to the rescue!
There is another, simpler way to solve this problem. Both Firefox and Chrome can log the symmetric TLS session secrets to a file (the NSS key log format). Point Wireshark at that file and it can decrypt the captured TLS sessions regardless of the key exchange used, which gets you to your goal quickly. The specific steps follow.
3. Browsers configuration
First you need to configure an environment variable.
3.1 Configuration under Windows:
I probably don't need to explain how to reach the environment-variable settings page; after all, this is still a Windows country.
Add a new environment variable named SSLKEYLOGFILE and set its value to the path of the file where the session secrets should be written.
3.2 Configuration on Linux or Mac OS x:
    $ export SSLKEYLOGFILE=~/path/to/sslkeylog.log
Of course, if you want the log path set every time your system starts, add that same export line to your shell's startup file on Linux, or set the variable for your whole login session on Mac OS X (a variable exported only in a terminal window is not visible to a browser launched from the Dock or Finder).
The next time Firefox or Chrome is started (it must be started after the variable is set; no developer mode is needed), the TLS secrets are automatically written to the specified file.
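To make clear what the browser actually writes into that file and how a decryptor turns it into packet keys, here is an added example (not part of the original article or of Wireshark's code). It parses a constructed NSS key log, looks up a TLS 1.2 session by the ClientHello random exactly as Wireshark does, and expands the master secret into the record-layer keys with the PRF of RFC 5246 section 6.3. The sample log, the client_random and the server_random are constructed placeholders, not values from a real capture; TLS 1.3 records are parsed but not expanded.

```python
"""Parse an SSLKEYLOGFILE and expand a TLS 1.2 master secret into record keys.

Key log format (one record per line):
    <LABEL> <client_random as 64 hex chars> <secret as hex>
A decryptor matches the client_random from the captured ClientHello against
these records and then derives the keys exactly as both endpoints did.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key log (not from a real browser session); the hex
# values are arbitrary placeholders of the correct length.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,          # TLS 1.2 session
    "",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,  # TLS 1.3
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "77" * 32,
]) + "\n"

# CLIENT_RANDOM carries a 48-byte TLS 1.2 master secret; the other labels
# carry TLS 1.3 traffic secrets whose length depends on the suite's hash.
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}


def parse_keylog(text):
    """Return {(label, client_random_bytes): secret_bytes}; reject malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KNOWN_LABELS:
            raise ValueError(f"line {lineno}: unrecognised key log record")
        label = parts[0]
        client_random, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        if len(client_random) != 32:
            raise ValueError(f"line {lineno}: client_random must be 32 bytes")
        if label == "CLIENT_RANDOM" and len(secret) != 48:
            raise ValueError(f"line {lineno}: TLS 1.2 master secret must be 48 bytes")
        entries[(label, client_random)] = secret
    return entries


def _p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_hash of RFC 5246 section 5: iterate HMAC until `length` bytes exist."""
    out, a = b"", seed                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF for SHA-256 suites: P_SHA256(secret, label + seed)."""
    return _p_hash(secret, label + seed, length)


@dataclass(frozen=True)
class RecordKeys:
    client_write_mac_key: bytes
    server_write_mac_key: bytes
    client_write_key: bytes
    server_write_key: bytes
    client_write_iv: bytes
    server_write_iv: bytes


def expand_keys(master_secret, client_random, server_random, mac_len, key_len, iv_len):
    """RFC 5246 section 6.3 key expansion. Note the seed order: server_random first."""
    total = 2 * (mac_len + key_len + iv_len)
    block = tls12_prf(master_secret, b"key expansion", server_random + client_random, total)
    pieces, pos = [], 0
    for size in (mac_len, mac_len, key_len, key_len, iv_len, iv_len):
        pieces.append(block[pos:pos + size])
        pos += size
    return RecordKeys(*pieces)


def keys_from_keylog(keylog_text, client_random, server_random,
                     mac_len=0, key_len=16, iv_len=4):
    """Find the session by its ClientHello random and expand its keys.

    Defaults match an AES-128-GCM suite (no MAC key, 16-byte key, 4-byte
    implicit nonce). Raises KeyError when the session is not in the log,
    which is exactly the case where Wireshark shows only encrypted data.
    """
    master_secret = parse_keylog(keylog_text)[("CLIENT_RANDOM", client_random)]
    return expand_keys(master_secret, client_random, server_random, mac_len, key_len, iv_len)


if __name__ == "__main__":
    # server_random would be read from the captured ServerHello; constructed here.
    keys = keys_from_keylog(SAMPLE_KEYLOG, bytes.fromhex("11" * 32), bytes.fromhex("88" * 32))
    print("client_write_key:", keys.client_write_key.hex())
    print("server_write_key:", keys.server_write_key.hex())
```

The lookup is by client_random alone, which is why the key log must contain the session's record even when the capture and the browser sit on different machines; it also shows that whoever can read this file can decrypt every session the browser made while it was set.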
4. Wireshark Configuration
This feature requires Wireshark 1.6 or newer. Open the Preferences page first.
Expand the Protocols list.
Locate the SSL entry and set the "(Pre)-Master-Secret log filename" preference to the key log file you configured above. (In Wireshark 3.0 and later the entry is named TLS instead of SSL and the preference is tls.keylog_file; in older releases it is ssl.keylog_file.)
5. Results
This is what we usually see after Wireshark captures TLS packets: nothing but encrypted application data.
With the key log configured, a "Decrypted SSL data" tab appears in the packet bytes pane at the bottom of the Wireshark window. Click it and the TLS payload is shown decrypted. Note that we can now read the HTTP request in plain text. Success!
6. Summary
I hope you have learned something from this article; this method lets us decrypt TLS traffic in a very straightforward way. Another benefit is that nothing extra needs to be installed on either machine in the session, so there is no installation to go wrong. All you need is to have the browser write its key log file to a network share, then capture the traffic on another machine that already has Wireshark and point it at that key file as shown earlier. Keep in mind that the key log contains the secrets of every session the browser made while the variable was set, so anyone who can read it can decrypt those sessions: protect the file and delete it when you are done.
Finally, thank you for reading this article. If you would like to see the latest technology and other articles every day, please follow the public account I give below: Techgogogo. Thank you!
-------------finished------------------
English Original quote: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
One of the simplest ways to decrypt SSL-encrypted network packets with Wireshark