Decrypting SSL/TLS traffic with Wireshark [updated 2021]
Infosec Resources, March 4, 2021, by Howard Poston
The internet wasn't designed to be secure from the start. Many protocols (such as HTTP and DNS) were designed to serve their purpose of conveying information over the network without spending time on security.

However, in the modern Internet, privacy and security are major priorities. As a result, the Transport Layer Security (TLS) protocol (and its predecessor, SSL) is designed to encrypt traffic as it travels over the network. This allows computers to use the same underlying protocols for formatting data (like HTTP) but add a layer of security (transforming it into HTTPS).

The issue with SSL/TLS for cybersecurity professionals is that it works. While the encryption standards were developed for good purposes, the bad guys use them too. In this article, we'll describe how to perform SSL/TLS decryption in Wireshark.
Wireshark is a well-known and freely available tool for network analysis. The first step in using it for TLS/SSL decryption is downloading it from the Wireshark website and installing it.
The other thing that you'll need to do before decrypting TLS-encrypted traffic is to configure your web browser to export client-side TLS keys. Since TLS is designed to protect the confidentiality of the client and the server during transmissions, it's logical that it's designed so that either of them can decrypt the traffic but no one else can. Since we're acting as an eavesdropper on the network (the exact thing that TLS is designed to prevent), we need to have one of the trusted parties share their secrets with us.
Once the SSLKEYLOGFILE environment variable has been set, it's advisable to restart the system to ensure that the new setting is active. Once this is complete, we have everything that we need for decrypting TLS traffic.
If you want to decrypt TLS traffic, you first need to capture it. For this reason,
it’s important to have Wireshark up and running before beginning your web
browsing session.
Before we start the capture, we should prepare it for decrypting TLS traffic. To
do this, click on Edit → Preferences. Select Protocols in the left-hand pane and
scroll down to TLS. At this point, you should see something similar to the
screen below.
At the bottom of this screen, there is a field for (Pre)-Master-Secret log
filename. As shown above, you need to set this value to the same location as
the SSLKEYLOGFILE for your browser. When done, click OK.
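The two settings described above, the browser's SSLKEYLOGFILE variable and Wireshark's (Pre)-Master-Secret log filename preference, both point at the same key log file. The script below is an added example, not code from the article or from the Wireshark project: it exports the variable, shows the equivalent tshark preference (`tls.keylog_file`), and checks that a key log actually contains lines in the format Wireshark understands. The file paths and the sample key log contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. It wires together the two
# settings the text describes: the browser's SSLKEYLOGFILE environment variable
# and Wireshark's "(Pre)-Master-Secret log filename" preference (tls.keylog_file
# on the tshark command line), and it checks that a key log actually contains
# usable lines. File paths and the sample key log below are constructed.

# 1. Browser side: export the variable, then start the browser from this shell
#    (a browser that was already running will not pick the variable up).
: "${SSLKEYLOGFILE:=$HOME/tls-keys.log}"
export SSLKEYLOGFILE
#    e.g.   firefox &     or     google-chrome &

# 2. Wireshark side: the same path goes into the TLS preference. Equivalent
#    command-line form (illustrative, not run here):
#      tshark -o "tls.keylog_file:$SSLKEYLOGFILE" -r capture.pcapng -Y http

# The key log uses the NSS key log format: one secret per line, tagged with the
# 32-byte client random (64 hex digits) that ties it to one handshake.
#   TLS 1.2:  CLIENT_RANDOM <client_random> <48-byte master secret>
#   TLS 1.3:  <LABEL> <client_random> <32- or 48-byte traffic secret>
KEYLOG_RE='^(CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}|(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} ([0-9a-fA-F]{64}|[0-9a-fA-F]{96}))$'

# Number of lines Wireshark can use (comments and blank lines are ignored).
keylog_valid_count() {
  grep -Ec "$KEYLOG_RE" "$1" || true
}

# Number of non-comment lines that do not parse: a non-zero result usually
# means a truncated write or a file that is not a key log at all.
keylog_bad_count() {
  grep -Ev '^(#|$)' "$1" | grep -Evc "$KEYLOG_RE" || true
}

# Constructed sample key log (the hex values are filler, not real secrets).
make_sample_keylog() {
  H16=0123456789abcdef
  CR=$H16$H16$H16$H16                  # 64 hex digits: client random
  MS=$H16$H16$H16$H16$H16$H16          # 96 hex digits: TLS 1.2 master secret
  F=$(mktemp "${TMPDIR:-/tmp}/keylog-sample.XXXXXX")
  printf '%s\n' \
    '# constructed sample, not real secrets' \
    "CLIENT_RANDOM $CR $MS" \
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET $CR $MS" \
    "SERVER_TRAFFIC_SECRET_0 $CR $CR" \
    "CLIENT_RANDOM $CR deadbeef" > "$F"
  echo "$F"
}

# Stand-alone demo: check the constructed file, then the real one if present.
SAMPLE=$(make_sample_keylog)
echo "sample: $(keylog_valid_count "$SAMPLE") usable, $(keylog_bad_count "$SAMPLE") malformed"
if [ -f "$SSLKEYLOGFILE" ]; then
  echo "$SSLKEYLOGFILE: $(keylog_valid_count "$SSLKEYLOGFILE") usable lines"
fi
```

A key log with zero usable lines after a browsing session is the most common reason decryption "silently" fails: the browser was started before the variable was exported, or Wireshark was pointed at a different path. Since every line in this file lets its holder decrypt the matching session, keep it readable only by your own account and delete it when the analysis is done.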
Now on the main screen of Wireshark, it will show a list of possible adapters
to capture from. In this example, I’ll be using WiFi 2 as it has traffic flowing
over it (shown by the black line).
Looking through the capture, you'll probably see a lot of traffic. What we're looking for now are the packets belonging to your TLS-encrypted browsing session. One method is to find the DNS lookup for the site and filter by the IP address it returned (shown below). The image below shows a packet from our browsing session to Facebook.
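The "find the DNS lookup, then filter by the returned address" step above can be automated when a site resolves to several addresses. The helper below is an added example, not code from the article: it takes DNS answers as exported by tshark (`-T fields -e dns.qry.name -e dns.a`) and builds the `ip.addr` display filter for every address that answered the name. The sample answers are constructed and use reserved documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the original article. The text suggests locating the
# DNS lookup for the site and then filtering the capture by the returned
# address; this helper turns DNS answers exported by tshark into that display
# filter. The sample answers below are constructed (documentation addresses).
#
# Real-world input would come from the capture itself, e.g.:
#   tshark -r capture.pcapng -Y 'dns.flags.response == 1' \
#          -T fields -e dns.qry.name -e dns.a
# which prints one line per response: "<queried name> <A records, comma-separated>".

# dns_to_filter NAME   (DNS answer lines on stdin)
# Emits "ip.addr == A || ip.addr == B ..." for every distinct A record that
# answered NAME, in first-seen order; emits nothing if NAME never resolved.
dns_to_filter() {
  awk -v name="$1" '
    $1 == name && NF >= 2 {
      n = split($2, a, ",")
      for (i = 1; i <= n; i++)
        if (!(a[i] in seen)) { seen[a[i]] = 1; ips[++k] = a[i] }
    }
    END {
      for (i = 1; i <= k; i++)
        printf "%s%s", (i > 1 ? " || " : ""), "ip.addr == " ips[i]
      if (k) printf "\n"
    }'
}

# Constructed sample of tshark field output (203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges, not real hosts).
SAMPLE_DNS='www.example.com 203.0.113.10,203.0.113.11
cdn.example.net 198.51.100.7
www.example.com 203.0.113.10'

# Build the filter and show how it combines with the key log to read the
# decrypted HTTP exchange (the tshark line is illustrative, not run here).
FILTER=$(printf '%s\n' "$SAMPLE_DNS" | dns_to_filter www.example.com)
echo "display filter: $FILTER"
echo "tshark -o \"tls.keylog_file:\$SSLKEYLOGFILE\" -r capture.pcapng -Y \"($FILTER) && http\""
```

Filtering on the resolved addresses rather than on the name keeps the TLS handshake, the encrypted records, and (once the key log is loaded) the decrypted HTTP requests together in one view; a name-only filter such as `dns.qry.name` would show just the lookup.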
The privacy issue is that users cannot opt out of monitoring under certain
situations (e.g., checking banking information). From the security side, it
creates a single point of failure where all traffic is viewable (decrypted) by an
attacker and also prevents the user from seeing the server’s certificates
(which may indicate a malicious site). As a result, enterprise TLS decryption at
scale can be dangerous and should be performed in a secure fashion.
Sources
Download Wireshark, Wireshark
Decrypting TLS Browser Traffic With Wireshark – The Easy Way!, Red Flag Security
Author
Howard Poston
Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and
malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of
Technology and two years of experience in cybersecurity research and development at Sandia
National Labs. He currently works as a freelance consultant providing training and content
creation for cyber and blockchain security.