It turns out Wireshark can capture HTTPS packets in plaintext

Date: 2021-02-21

Preface

Before this, whenever I used Wireshark for protocol analysis I assumed it could only capture plain HTTP packets, so I always reached for Fiddler when I needed to capture HTTPS. One day I wanted to look at HTTP/2 messages, and Fiddler could not show them. After some Googling I found out that Wireshark can, under specific conditions.

The problem with Fiddler

Fiddler does not yet support the HTTP/2 protocol, so it cannot show real HTTP/2 messages. Some people may object that they have clearly captured HTTP/2 traffic with Fiddler. That is because Fiddler sits between the browser and the server as a man in the middle, and since it only speaks HTTP/1.1 both legs of the connection get negotiated down to HTTP/1.1, so what you actually see is still an HTTP/1.1 message. The following two pictures make this obvious:

  • Direct access to a service that supports HTTP/2, without a proxy

[screenshot]

  • Access through the proxy, while capturing

[screenshot]

As you can see, when capturing through the proxy the protocol becomes http/1.1.

Capturing with Wireshark

Today's mainstream browsers only speak HTTP/2 over TLS. That means that before we can analyze HTTP/2 we first have to get past TLS; otherwise all we can analyze is a pile of encrypted garbage.

Wireshark supports two ways of decrypting SSL/TLS messages:

  1. With the website's private key
  2. With the TLS session secrets that the browser writes to an external file, which Wireshark then reads to decrypt the traffic

Next, I’ll demonstrate them one by one

1. Through the private key of the website

If the website you want to capture is your own, you can use this method, because decryption needs the private key that belongs to the website's certificate, i.e. the file configured in nginx with ssl_certificate_key. Add that private key file to the Wireshark configuration (Edit > Preferences > Protocols > TLS > RSA keys list):

Note that this only works for handshakes that use RSA key exchange, where the client encrypts the pre-master secret with the server's public key. With the forward-secret (EC)DHE cipher suites that modern clients prefer, and with TLS 1.3 in every case, the server key only signs the handshake and cannot recover the session keys, so Wireshark will not decrypt anything even with the correct key file.

[screenshot]

Then in Wireshark you can see the plaintext:

[screenshot]

As you can see from the picture above, after configuring the server's private key I captured the HTTP plaintext of a curl request.

The disadvantage is just as obvious: we can only analyze websites whose private key we hold; other people's websites cannot be analyzed this way. Fortunately, there is a second scheme.

2. Through the browser's SSL key log

At present this scheme targets the Chrome and Firefox browsers (other clients, such as curl, honor the same variable): by setting the SSLKEYLOGFILE environment variable you tell the browser to write the session secrets of every SSL/TLS site it visits to a local file. With that log file, Wireshark can decrypt the messages.

  1. First set the SSLKEYLOGFILE environment variable:
    [screenshot]

    Note: this was done on Windows; other operating systems work the same way.

  2. Configure Wireshark: Edit > Preferences > Protocols > TLS (called SSL in Wireshark versions before 3.0):
    [screenshot]

    Set "(Pre)-Master-Secret log filename" to the file path specified in step 1.

  3. Restart the browser and capture packets:
    [screenshot]

    Again the HTTP plaintext can be captured.

    Note: remember to remove the environment variable when you are not capturing. Leaving it set wastes performance and is a security problem: the file holds the session secrets, so anyone who can read it can decrypt every TLS session the browser made while the variable was set.

The advantage of scheme 2 is obvious: it can capture the SSL/TLS-encrypted traffic of any website, without needing the server's key. Its limitation is that the client has to implement the key log feature; browsers do, and so does curl, but many other HTTP clients do not. Scheme 1 works for any HTTP client, as long as the handshake uses RSA key exchange.
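To make concrete what the browser writes into that file and what Wireshark does with it, here is an added example (my code, not from the original post and not Wireshark's implementation), Python standard library only. It parses the NSS key log format that SSLKEYLOGFILE produces, tells TLS 1.2 sessions (one CLIENT_RANDOM line holding the 48-byte master secret) from TLS 1.3 sessions (several *_SECRET lines for the same client random), and for a TLS 1.2 session expands the record keys from the master secret and the two Hello randoms as RFC 5246 prescribes. Wireshark looks up the ClientHello random in the log in just this way, which is why a session whose random is missing from the file stays encrypted, and why the file itself is as sensitive as the sessions it covers. The sample log lines and the server random are constructed, not captured; TLS 1.3 (HKDF) expansion is not implemented.

```python
"""Parse an SSLKEYLOGFILE (NSS key log format) and expand TLS 1.2 record keys from it.
Added example, stdlib only; the sample log and randoms below are constructed, not captured."""
import hashlib
import hmac

TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}


def parse_keylog(text):
    """Return a list of (label, client_random, secret) tuples.
    Each line is 'LABEL <client_random hex> <secret hex>'; '#' lines are comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected 'LABEL client_random secret'" % lineno)
        label, rnd_hex, secret_hex = parts
        rnd, secret = bytes.fromhex(rnd_hex), bytes.fromhex(secret_hex)
        if len(rnd) != 32:
            raise ValueError("line %d: client_random must be 32 bytes" % lineno)
        if label == TLS12_LABEL:
            if len(secret) != 48:
                raise ValueError("line %d: TLS 1.2 master secret must be 48 bytes" % lineno)
        elif label in TLS13_LABELS:
            if len(secret) not in (32, 48):  # SHA-256 or SHA-384 digest length
                raise ValueError("line %d: bad TLS 1.3 secret length" % lineno)
        else:
            raise ValueError("line %d: unknown label %r" % (lineno, label))
        entries.append((label, rnd, secret))
    return entries


def classify_sessions(entries):
    """Map each client_random to the TLS version its key-log lines imply:
    TLS 1.2 writes one CLIENT_RANDOM line, TLS 1.3 writes several *_SECRET lines."""
    return {rnd: ("TLS 1.2" if label == TLS12_LABEL else "TLS 1.3")
            for label, rnd, _ in entries}


def p_hash(secret, seed, length):
    """P_SHA256 data expansion function, RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 cipher suites."""
    return p_hash(secret, label.encode("ascii") + seed, length)


def session_keys(entries, client_random, server_random, key_len=16, iv_len=4, mac_len=0):
    """Find the master secret for a session by its ClientHello random and expand the
    key block (RFC 5246 section 6.3). Defaults match AES-128-GCM: no MAC key, 4-byte
    implicit IV. Returns None when the log does not cover the session, which is exactly
    the case in which Wireshark leaves the session encrypted."""
    master = next((s for lbl, r, s in entries if lbl == TLS12_LABEL and r == client_random), None)
    if master is None:
        return None
    block = tls12_prf(master, "key expansion", server_random + client_random,
                      2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac_key", "server_write_mac_key", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Constructed sample log: one TLS 1.2 session (random aa..) and one TLS 1.3 session (random cc..).
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not written by a real browser",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "01" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "02" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "03" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "04" * 32,
])

if __name__ == "__main__":
    entries = parse_keylog(SAMPLE_KEYLOG)
    print(classify_sessions(entries))
    # The server random would come from the ServerHello in the capture; here it is constructed.
    keys = session_keys(entries, bytes.fromhex("aa" * 32), bytes.fromhex("dd" * 32))
    print({k: v.hex() for k, v in keys.items()})
```

The key expansion seeds with server_random + client_random (in that order), while the master secret itself is derived with the randoms the other way round; the log file stores the master secret, so only the expansion step is needed here.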

Capturing HTTP/2 messages with Wireshark

Everything above captured TLS+HTTP/1 traffic. Since mainstream browsers' HTTP/2 is likewise based on TLS, decrypting the same TLS layer yields the HTTP/2 plaintext as well.

Here I use https://www.qq.com as the example. Why not the classic https://www.baidu.com? Because, at the time of writing, Baidu's home page is still served over HTTP/1.1.

  1. Configure Wireshark as in scheme 2 above
  2. Filter with the http2 display filter
  3. Visit https://www.qq.com in the browser
  4. View the HTTP/2 messages:
    [screenshot]

    That is the HTTP/2 protocol. HTTP/2 is quite complex and I am still learning it, so I will not say more about it here.
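The http2 filter above matches the binary framing that appears once the TLS layer is decrypted. As an added example (my code, not from the original post and not Wireshark's dissector), here is a minimal parser for that framing in Python, standard library only: it recognizes the client connection preface, splits the stream into frames with the 9-byte header defined in RFC 7540 (24-bit length, 8-bit type, 8-bit flags, 31-bit stream identifier), decodes SETTINGS parameters, and reports the END_STREAM flag on DATA. The byte stream it parses is constructed inside the block (a preface, a SETTINGS frame, a HEADERS frame whose HPACK block consists of three static-table indexed fields, and a DATA frame); HPACK decoding is out of scope and the header block is kept as an opaque payload.

```python
"""Minimal HTTP/2 frame parser (RFC 7540 section 4), stdlib only.
Added example; the sample byte stream below is constructed, not captured."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface, RFC 7540 section 3.5

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
SETTINGS_NAMES = {0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH",
                  0x3: "MAX_CONCURRENT_STREAMS", 0x4: "INITIAL_WINDOW_SIZE",
                  0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE"}
FLAG_END_STREAM = 0x1   # DATA / HEADERS
FLAG_ACK = 0x1          # same bit, but on SETTINGS / PING it means ACK
FLAG_END_HEADERS = 0x4  # HEADERS / PUSH_PROMISE / CONTINUATION


def parse_settings(payload):
    """SETTINGS payload: a sequence of 16-bit identifier + 32-bit value pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    out = {}
    for off in range(0, len(payload), 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        out[SETTINGS_NAMES.get(ident, "UNKNOWN_0x%x" % ident)] = value
    return out


def parse_frames(data):
    """Split a client-to-server byte stream into frames.
    Returns (saw_preface, [frame dicts]); raises ValueError on a truncated frame."""
    saw_preface = data.startswith(PREFACE)
    pos = len(PREFACE) if saw_preface else 0
    frames = []
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header at offset %d" % pos)
        hdr = data[pos:pos + 9]
        length = int.from_bytes(hdr[0:3], "big")                    # 24-bit payload length
        ftype, flags = hdr[3], hdr[4]
        stream_id = int.from_bytes(hdr[5:9], "big") & 0x7FFFFFFF    # top bit is reserved
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated payload for frame at offset %d" % pos)
        frame = {"type": FRAME_TYPES.get(ftype, "UNKNOWN_0x%02x" % ftype),
                 "flags": flags, "stream_id": stream_id, "payload": payload,
                 "end_stream": ftype in (0x0, 0x1) and bool(flags & FLAG_END_STREAM)}
        if ftype == 0x4:
            frame["settings"] = parse_settings(payload)
        frames.append(frame)
        pos += 9 + length
    return saw_preface, frames


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame; used only to construct the sample stream below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed sample: preface, SETTINGS, HEADERS (HPACK static-table indexed fields
# 0x82 = ':method GET', 0x86 = ':scheme http', 0x84 = ':path /'), then DATA with END_STREAM.
SAMPLE = (PREFACE
          + build_frame(0x4, 0, 0, struct.pack("!HI", 0x3, 100) + struct.pack("!HI", 0x4, 65535))
          + build_frame(0x1, FLAG_END_HEADERS, 1, b"\x82\x86\x84")
          + build_frame(0x0, FLAG_END_STREAM, 1, b"hello"))

if __name__ == "__main__":
    saw_preface, frames = parse_frames(SAMPLE)
    print("preface:", saw_preface)
    for f in frames:
        print(f["type"], "stream=%d" % f["stream_id"], "flags=0x%02x" % f["flags"],
              f.get("settings", f["payload"]))
```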

Postscript

Wireshark really is a very powerful network analysis tool. As HTTPS and HTTP/2 become mainstream, it can help us deepen our understanding of these protocols and so meet new opportunities and challenges.


Author: MonkeyWie
Original link: https://monkeywie.github.io/2020/08/07/wireshark-capture-https/
Copyright notice: unless otherwise stated, all articles on this blog are published under the BY-NC-SA license. Please credit the source when reposting.