Capture and decrypt HTTPS traffic

Time: 2021-9-9

Wireshark

Wireshark can decrypt a TLS stream in two ways: either with the server's private key directly, or with an SSLKEYLOGFILE that records the session key material produced during the handshake.

Only the second method is tried here. Applications that can write such a key log include Chrome, Firefox and curl.

First, set the SSLKEYLOGFILE user environment variable to a file path of your choice, or append the parameter --ssl-key-log-file=<path> when starting the browser process.

To test, open Wireshark and start capturing, visit https://www.baidu.com, close the browser once the page has loaded, and stop the capture. The key file now exists at the configured path. Then, in Wireshark, go to Edit -> Preferences -> Protocols -> TLS. There an RSA private key list, a pre-shared key and a (Pre)-Master-Secret log file can be configured; here only the (Pre)-Master-Secret log filename is set, pointing at the key file generated above. Finally, view or follow the TLS stream in the main window: the corresponding data is shown decrypted.
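An added check, not from the original post: before pointing Wireshark at a key log file, it is worth confirming the file actually holds usable entries. This Python script parses the NSS key log format that Chrome, Firefox and curl write to SSLKEYLOGFILE, groups lines by client random, and reports whether each session carries a TLS 1.2 master secret or the complete TLS 1.3 secret set (a session with only handshake secrets will not yield decrypted application data). The sample log lines are constructed; the label names are the standard NSS ones.

```python
"""Sanity-check an SSLKEYLOGFILE (NSS key log format) before loading it into Wireshark."""
from collections import defaultdict
# TLS 1.2 sessions log one CLIENT_RANDOM line; TLS 1.3 sessions log one line per secret.
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
KNOWN_LABELS = TLS13_REQUIRED | {"CLIENT_RANDOM", "EXPORTER_SECRET",
                                 "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET"}

def hex_len(s):
    # number of bytes the hex string encodes, or -1 if it is not valid hex
    try:
        return len(bytes.fromhex(s))
    except ValueError:
        return -1

def parse_keylog(text):
    """Return ({client_random: set of labels}, [rejected lines]) for a key log's contents."""
    sessions, errors = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are permitted
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KNOWN_LABELS:
            errors.append(f"line {lineno}: not a recognised key log entry")
            continue
        label, client_random, secret = parts
        # client random: 32 bytes; TLS 1.2 master secret: 48; TLS 1.3 secrets: hash length (32/48)
        expected = {48} if label == "CLIENT_RANDOM" else {32, 48}
        if hex_len(client_random) != 32 or hex_len(secret) not in expected:
            errors.append(f"line {lineno}: bad hex or length for {label}")
            continue
        sessions[client_random].add(label)
    return dict(sessions), errors

def classify(labels):
    """'tls12' or 'tls13' when Wireshark has enough material to decrypt, else 'tls13-partial'."""
    if "CLIENT_RANDOM" in labels:
        return "tls12"
    return "tls13" if TLS13_REQUIRED <= labels else "tls13-partial"

def summarize(text):
    # map each client random to its classification, plus the list of rejected lines
    sessions, errors = parse_keylog(text)
    return {cr: classify(labels) for cr, labels in sessions.items()}, errors

# Constructed sample: TLS 1.2 (11..), complete TLS 1.3 (22..), handshake-only TLS 1.3 (33..), truncated secret (44..)
SAMPLE_KEYLOG = "# SSL/TLS secrets log file, generated by NSS\n" + "\n".join(
    f"{label} {cr * 32} {sec * n}" for label, cr, sec, n in [
        ("CLIENT_RANDOM", "11", "aa", 48), ("CLIENT_RANDOM", "44", "ab", 47),
        ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "22", "bb", 32), ("SERVER_HANDSHAKE_TRAFFIC_SECRET", "22", "cc", 32),
        ("CLIENT_TRAFFIC_SECRET_0", "22", "dd", 32), ("SERVER_TRAFFIC_SECRET_0", "22", "ee", 32),
        ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "33", "ff", 32), ("SERVER_HANDSHAKE_TRAFFIC_SECRET", "33", "01", 32)])
```

Running summarize() on a real key log after the capture tells you, per session, whether Wireshark has what it needs before you start hunting for a misconfigured preference.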

Fiddler

For non-browser processes that use HTTPS, where the TCP layer itself is not of interest, Fiddler (which works at the application layer) can be used instead: import the certificate that ships with the tool into the virtual machine, then enable the HTTPS decryption option in Fiddler.

References:

https://blog.didierstevens.com/2020/12/14/decrypting-tls-streams-with-wireshark-part-1/ (server key import)

https://blog.didierstevens.com/2020/12/28/decrypting-tls-streams-with-wireshark-part-2/ (SSLKEYLOGFILE)

https://blog.didierstevens.com/2021/01/11/decrypting-tls-streams-with-wireshark-part-3/ (key export and embedding)

https://support.f5.com/csp/article/K50557518