Decrypting SSL / TLS traffic with Wireshark

The Dia it was not designed to be safe by itself. Many protocols (such as HTTP and DNS ) are designed to serve their purpose and to transmit information over the network without security.

However, nowadays privacy and security are major priorities. As a result, the Transport Level Security (TLS) protocol (and predecessor of SSL) are designed to encrypt network traffic. This allows computers to use the same protocols to format data (such as HTTP) but add a level of security (converting it to HTTPS).

The problem with SSL / TLS security is that it works. While encryption templates were developed for a good purpose, hackers also use them for illegal activity. In this article, we will describe how to perform SSL / TLS decryption in Wireshark.

Contents hide
What you will need
Perform motion decryption
Applications and restrictions

What you will need

The Wireshark is a commonly known and freely available tool for network analysis.

The other thing you need to do before decrypting the encrypted s TLS is to configure your web browser to export TLS keys from the client.

Since TLS is designed to protect client and server data during information transmission, it makes sense that it is designed so that anyone can decrypt the traffic.

In Firefox and Chrome, this can be achieved by setting a variable called SSLKEYLOGFILE. If this variable is set both browsers are configured to save a copy of the client in the indicated file location. On Linux, this variable can be set using the Export command. In Windows, it can be configured by opening Advanced System , επιλέγοντας Environment and then adding a new System Variable. An example of this variable on Windows is shown below.

Once the variable is set, it is recommended that the system be restarted to ensure that the new settings are active. Once completed, we have everything we need to decrypt the TLS traffic.

Perform motion decryption

If you want to decrypt TLS traffic, you must first record it. For this reason, it is important to enable and run Wireshark before you start surfing.

Before we start downloading the program, we need to prepare the TLS traffic decryption. To do this, click Edit → Preferences. Select Protocols in the left pane and scroll down to TLS. At this point, you will see something similar to the image below.

At the bottom of this image, there is a field with the file name (Pre) -Master-Secret log. As shown above, you must set this value in the same location as SSLKEYLOGFILE for your browser. When done, click OK.

Now on the Wireshark main screen, it will display a list of possible adapters to download. In this example, I will use WiFi 2 as there is traffic (shown from the black bar).

Clicking on an adapter will start recording its traffic on it.

At this point, you are ready to generate some encrypted TLS traffic. Go to Chrome or Firefox and browse to a site that uses HTTPS (we used Facebook for this example). Once the page is loaded, return to Wireshark and stop capturing the packages.

Looking at the download, you will probably see a lot of traffic. What we are looking for now are packages related to the TLS encrypted browsing session. One method is to find the DNS lookup and filter by the IP address provided (shown below). The image below shows a package from our Facebook browsing session.

As you can see, Wireshark displays some different tabs at the bottom of the window. In addition to the Frame tab, one is called Decrypted TLS. Looking at the ASCII representation of the package, we see the certificate of the site (including the word Facebook). At this point, we have successfully decrypted the TLS release on Wireshark.

Applications and restrictions

Decrypting TLS traffic is achieved with many applications. Many hackers have resorted to using encrypted transmissions in an attempt to increase their level of anonymity and to control the communications and credibility of their victims. (People have been trained to trust the green padlock unfortunately…) Using TLS decryption, businesses can decrypt and inspect packets on the traffic in their business.

The main limitation of TLS decryption in Wireshark is that it requires the monitoring device to have in the secrets used for encryption. While we achieved this by exporting the keys from Chrome and Firefox, many enterprises choose to implement a proxy server that breaks the TLS connection into two parts. While this is effective for tracking, it has significant privacy and security implications.

The issue of confidentiality is that users can not be excluded from monitoring in certain cases (eg checking banking information).

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.087 registrants.

know moreasciichromeclientdns exportFacebookfirefoxhackershttphttpsIPlevellinuxmasterOKsecretsecuritySettingsSSLssl / tlssystemTLStrafficwebsitesWirelesswindowswireshark

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).