Decrypting SSL/TLS sessions with Wireshark - Reloaded

Hi there,

In a previous blog post of mine, I went through the steps of decrypting SSL/TLS traffic with the Wireshark and OpenSSL tools. In this post I want to cover the same procedure again, because decrypting encrypted traffic with Wireshark has become even easier since then.

Here are the steps to export a certificate with its private key included and to use that certificate to decrypt an SSL/TLS session in Wireshark:

=> Exporting the certificate with its private key:

The certificate can be exported with the Certificates MMC snap-in on Windows.

The exported certificate (with its private key included) is c:\servercert.pfx.

=> Capturing a network trace where an SSL/TLS session is established:

- Start capturing network traffic in Wireshark.

- Reproduce the issue.

- Stop capturing network traffic.

=> Decrypting the SSL/TLS session by using Wireshark and the given certificate with private key:

- Add the exported certificate (c:\servercert.pfx) to Wireshark's RSA keys list in the SSL/TLS protocol preferences, together with the server IP address, TCP port and protocol. In the example below the server IP is 10.2.2.2 and the TCP port is 443.

Note: The password shown below is the one that you assigned while exporting the server certificate.
Once the certificate is applied in Wireshark, an appropriate display filter (“http” in this example) shows the decrypted traffic in clear text.
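
One check worth doing before spending time on the key import: the server-private-key method above only recovers the session keys when the handshake used RSA key exchange, because only then is the premaster secret encrypted to the server's public key. With ephemeral (EC)DHE cipher suites, and always with TLS 1.3, the private key does not cover the session keys and Wireshark needs a key log file instead. The following added example (not code from the original post) parses a ServerHello record, as Wireshark would see it in the capture from 10.2.2.2:443, and reports whether the private key will be enough. The ServerHello bytes are constructed for the example and the cipher-suite table is a small subset of the IANA registry.

```python
"""Decide whether a captured TLS ServerHello picked a cipher suite that the
server-private-key method in Wireshark can decrypt.

Added example, not from the original post. ServerHello inputs are constructed.
"""
import struct

# Subset of the IANA TLS cipher-suite registry (code -> name).
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return negotiated version and suite."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                          # cipher suite (2) + compression method (1)
    # TLS 1.3 keeps legacy_version = 0x0303 and signals the real version
    # in the supported_versions extension, so walk the extensions.
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_size]
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                version = struct.unpack("!H", data)[0]
            pos += 4 + ext_size
    return {"version": version, "cipher": cipher}


def private_key_can_decrypt(record: bytes) -> dict:
    """Report whether the server's RSA private key suffices to decrypt this session."""
    info = parse_server_hello(record)
    name = CIPHER_SUITES.get(info["cipher"], "unknown_0x%04x" % info["cipher"])
    ver = VERSION_NAMES.get(info["version"], "unknown")
    if info["version"] >= 0x0304:
        ok, why = False, "TLS 1.3 always uses ephemeral key exchange; use a key log file"
    elif name.startswith("TLS_RSA_WITH_"):
        ok, why = True, "RSA key exchange: premaster secret is recoverable with the server key"
    elif name.startswith("unknown"):
        ok, why = False, "cipher suite not in the table; check the IANA registry"
    else:
        ok, why = False, "ephemeral (EC)DHE key exchange; use a key log file instead"
    return {"version": ver, "cipher_suite": name, "decryptable": ok, "reason": why}


def build_server_hello(version: int, cipher: int, selected_version=None) -> bytes:
    """Construct a minimal ServerHello record (sample input for this example only)."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"  # version, random, empty session_id
    hello += struct.pack("!HB", cipher, 0)                       # cipher suite, null compression
    if selected_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


# Constructed sample handshakes, as they might appear in a capture from 10.2.2.2:443.
SAMPLE_RSA = build_server_hello(0x0303, 0x009C)            # decryptable with the server key
SAMPLE_ECDHE = build_server_hello(0x0303, 0xC02F)          # key alone is not enough
SAMPLE_TLS13 = build_server_hello(0x0303, 0x1301, 0x0304)  # TLS 1.3: never decryptable this way

if __name__ == "__main__":
    for label, rec in (("rsa", SAMPLE_RSA), ("ecdhe", SAMPLE_ECDHE), ("tls13", SAMPLE_TLS13)):
        print(label, private_key_can_decrypt(rec))
```

If the ServerHello in your trace reports an (EC)DHE suite or TLS 1.3, importing the PFX will not decrypt anything; in that case capture a key log from the client or server instead and point Wireshark's (Pre)-Master-Secret log filename preference at it.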

The problem with decrypted SSL/TLS sessions is that you cannot save the network trace in an unencrypted format (to the best of my knowledge that is also on the Wireshark developers' to-do list) for later analysis or for sharing with someone external to your company. So if you want to keep the output in clear text, you can print the packets to a text file instead. It is best to expand all relevant protocol headers before doing so, so that the text file includes every application-layer protocol header line expanded. You can see an example below for the HTTP protocol.

We expand the “Hypertext Transfer Protocol” and “Line-based text data: text/html” lines.

Now we can print the packets to a text file, with the print options set so that the expanded packet details are included.

The output is written to a text file in which the HTTP request and response headers and payloads are visible in clear text.

Hope this helps.

Thanks,

Murat