Decrypting HTTPS Traffic

Hypertext Transfer Protocol over SSL (https)  is pretty decent security. This is because https uses the Secure Sockets Layer (SSL) encryption scheme to pass keys between two parties over the Internet. These days, however, most of our Web servers are utilizing Transport Layer Security (TLS 1.2), which is an updated version of SSL 3.0. Therefore, we refer to TLS as SSL version 3 (SSLv3). But, SSL is not as safe as we originally thought it was. As we’ve seen with the latest KRACK attacks, it is entirely possible to decrypt a victim’s https traffic. You can read more about KRACK attacks here.

I’ll show you another way of decrypting SSL traffic using Wireshark and Google Chrome. Wireshark possesses a cool feature that allows it to decrypt SSL traffic. First let’s start by capturing some regular SSL-encrypted traffic on Wireshark, the protocol analyzer. If you don’t have Wireshark, you can download it for free here.

encrypted data.png

As you can see in the highlighted area, there is just a bunch of random characters. We can’t make much use of that since its encrypted.

However, if we navigate to Control Panel > System and Security > System, you will see the following:

System.png

Click on the “Advanced systems settings” option to open up the System Properties box. It should look like this:

System Properties.png

Now, click on the “Environmental Variables…” box. But, before we go any further. We must create a text document. Name your text document “SSLkeylogfile.txt.” Now, go back to the Environmental Variables box and click the “New” button at the bottom pane.

Environmental variables.png

Type “SSLKEYLOGFILE” in the variable name bar. Then, post the path to the SSLkeylogfile.txt file. Then click OK.

SSLKEYLOGFILE.png

Now, let’s open Wireshark. Press Ctrl + Shift +P to open the Preferences box. Under the Protocols drop down list, click on “SSL.” Under the “(Pre)-Master-Secret log filename, you will post the path for the .txt file you just created.

preferences

Press OK. Now, let’s start capturing traffic again using Wireshark. Type the filter “http” in the filter bar. Since we’re now logging the SSL keys and exporting them into the SSLkeylogfile.txt file, Wireshark will collect these keys and decrypt the https traffic into http traffic. Open up a new Window using Google Chrome and navigate to a Web site that uses https. You should see a lot of http traffic popping up on Wireshark now. As you can see, it’s still encrypted.

more encrypted data

But, if you click the “Decrypted SSL” tab at the bottom of the pane, the information will now be decrypted for you to see:

Decrypted SSL

As you can see now, all the https traffic is decrypted. If you go back and check the SSLkeylogfile.txt file, you will see a nice surprise inside.

I would love to give credit to Jonathon McKinney. Check out his blog. He creates great content.

  1. […] have previously discussed other ways to decrpyt HTTPS traffic, such as sslstrip and key logging, but let’s discuss another […]

    Liked by 1 person

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: