Shulou(Shulou.com)05/31 Report--

Wireshark how to decrypt HTTPS traffic, I believe that many inexperienced people do not know what to do, so this article summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Encrypted traffic is often encountered when reviewing suspicious network activity. Most websites use the HTTPS protocol, and various types of malware also use HTTPS. Viewing the data generated by malware is very helpful for traffic content.

How to use Wireshark to decrypt HTTPS traffic from pcap.

You can use a text-based log for decryption, which contains the encryption key data that was captured when the pcap was originally recorded.

HTTPS Web traffic

HTTPS traffic usually displays a domain name. For example, when you view https://www.wireshark.org in a Web browser, and when you view it in a custom Wireshark column display, pcap displays www.wireshark.org as the server name for this traffic. However, no other details are known, such as the actual URL or the data returned from the server.

Encryption key log file

The encryption key log is a text file.

When pcap is initially recorded, these logs are created using man-in-the-middle (MitM) technology. If you do not create any such files when recording the pcap, you cannot decrypt HTTPS traffic in that pcap.

Example analyzes HTTPS traffic with key log files

There is a password-protected ZIP file in the Github repository that contains the pcap and its key log files. After the pcap contained in the ZIP is decrypted through the key log, the malware sample can be accessed.

Extract the pcap and key log files from ZIP (password: infected):

Wireshark-tutorial-KeysLogFile.txtWireshark decryption HTTPS-SSL-TLS-traffic.pcap tutorial

HTTPS traffic without key log file

Open the decrypted HTTPS-SSL-TLS-traffic.pcap Wireshark tutorial in Wireshark, using the Web filter:

(http.request or tls.handshake.type eq 1) and! (ssdp)

This pcap comes from Dridex malware on the Windows 10 host, and all Web traffic, including infection activity, is HTTPS. No key log file, no traffic details, only IP address, TCP port and domain name:

Load key log file

Open the decrypted HTTPS-SSL-TLS-traffic.pcap Wireshark in Wireshark and use the menu path Edit-> Preferences to open the Preferences menu:

On the left side of the Preferences menu, click Protocols:

If you are using Wireshark version 2.x, you need to select SSL. If you are using Wireshark version 3.x, you need to choose TLS. After selecting SSL or TLS, you can see the (Pre)-Master-Secret log file name. Click Browse, and then select the key log file named Wireshark-tutorial-KeysLogFile.txt:

HTTPS traffic for key log files

When you click OK, Wireshark lists the decrypted HTTP request under each HTTPS line:

In this pcap, you can see HTTP requests for microsoft.com and skype.com domains hidden in HTTPS communications, as well as the following traffic initiated by Dridex:

Foodsgoodforliver [.] com-GET / invest_ 20.dll105711 [.] com-POST / docs.php

The GET request for foodsgoodforliver [.] com returned the DLL file of Dridex. The POST request for 105711 [.] com is command and control (C2) communication from an Dridex-infected Windows host.

HTTP flow for HTTP GET requests for foodsgoodforliver [.] com:

You can export this malware from pcap, using the menu path file-> Export objects-> HTTP to export the file from pcap:

Use the file command to confirm that this is a DLL file, and then use shasum-a 256 to get the SHA256 hash of the file:

The SHA256 hash for this malware is:

31cf42b2a7c5c558f44cfc67684cc344c17d4946d3a1e0b2cecb8e*173cb2f

C2 traffic from this Dridex infection can also be examined, and the following figure shows an example of one of the HTTP streams:

After reading the above, have you mastered how Wireshark decrypts HTTPS traffic? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.