A guide to decrypting HTTPS traffic with Wireshark
All information below is for educational purposes only; the author is in no way responsible for any misuse of the information.
The word “Hack” or “Hacking” that is used on this site shall be regarded as “Ethical Hack” or “Ethical Hacking” respectively.
HTTPS stands for HTTP Secure, that is, HTTP over SSL/TLS, and it means that the data is sent through an encryption mechanism.
HTTPS uses a hybrid encryption mechanism: asymmetric encryption to exchange the session key, and symmetric encryption with that session key to transfer the data.
The picture above shows that the session key is exchanged using asymmetric encryption (private and public key), and the data is then encrypted with the session key.
So how to decrypt the traffic?
Today I will explain how to decrypt HTTPS traffic. Imagine you have direct access to the victim machine: then you can set a user environment variable so the browser writes out its session keys, and record the traffic with Wireshark or tcpdump.
1. Capture the session keys by setting the SSLKEYLOGFILE environment variable.
2. Restart Chrome and check that sslkeylog.log looks like the picture below.
3. Open a website and make sure that sslkeylog.log exists and now contains some random-looking values.
4. Start Wireshark or tcpdump and listen to the network traffic. In this explanation I use Wireshark, simply for its user interface.
5. Collect the pcap file and import it into Wireshark.
6. For a better view, you can use these Wireshark column preferences.
7. Point Wireshark at your sslkeylog.log under Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename.
8. All HTTPS traffic is now decrypted.
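As an added example (not code from the original post), here is a small Python check for the sslkeylog.log produced in steps 2 and 3: it parses the NSS key log format that Chrome writes to SSLKEYLOGFILE and reports, per TLS session (keyed by the client random), whether the file holds what Wireshark needs, so you can tell before loading it why some sessions stay encrypted. The label names are the standard key log labels; the sample file at the bottom is constructed, and its hex values are made up.

```python
# Check an NSS-format key log (the file SSLKEYLOGFILE points at) before loading
# it into Wireshark: which sessions are present and which TLS version they used.
import re
from collections import defaultdict

# Clients write "<LABEL> <client_random hex> <secret hex>" per line:
# CLIENT_RANDOM for TLS 1.2 and older, *_TRAFFIC_SECRET labels for TLS 1.3.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(lineno, bad_line), ...])."""
    sessions, bad = defaultdict(dict), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # comments and blank lines are legal
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad.append((lineno, line))
            continue
        label, client_random, secret = m.groups()
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), bad

def classify(labels):
    """Say whether Wireshark has enough material to decrypt a session."""
    if TLS12_LABEL in labels:
        return "tls12"
    if TLS13_LABELS <= labels:
        return "tls13"
    if labels & TLS13_LABELS:
        return "tls13-incomplete"  # handshake logged, application data secrets missing
    return "unknown"

def check_keylog(text):
    """Map each client random to its classification; also return malformed lines."""
    sessions, bad = parse_keylog(text)
    return {rnd: classify(set(labels)) for rnd, labels in sessions.items()}, bad

# Constructed sample key log: the hex values are made up, not real secrets.
R1, R2, R3 = "11" * 32, "22" * 32, "33" * 32   # 32-byte client randoms
SAMPLE_KEYLOG = "\n".join(
    ["# SSL/TLS secrets log file, generated by NSS", f"CLIENT_RANDOM {R1} {'aa' * 48}"]
    + [f"{lbl} {R2} {'bb' * 32}" for lbl in sorted(TLS13_LABELS)]
    + [f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R3} {'cc' * 32}", "not a key log line"])

if __name__ == "__main__":
    print(check_keylog(SAMPLE_KEYLOG))
```

A session reported as tls13-incomplete is one where the browser logged only handshake secrets, which is why Wireshark shows its handshake but not its HTTP data.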
I had opened https://wireshark.com/someting earlier, and it appears decrypted in Wireshark, as shown below.
If something says it is secure, don’t trust it blindly. Extra protection, such as tunneling your connection, is a good idea if you are using a public network.
This technique is also useful for the defender: an attacker may have transferred malware over HTTPS, and as a defender you can decrypt that traffic and export the packets and the malicious files from it.