2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many people do not know how to decrypt HTTPS traffic with Wireshark, so this article summarizes the approach and walks through an example; after reading it, you should be able to solve this problem.
Encrypted traffic is frequently encountered when reviewing suspicious network activity. Most websites use HTTPS, and many types of malware use HTTPS as well, so being able to view the decrypted content of traffic generated by malware is very helpful.
This article shows how to use Wireshark to decrypt HTTPS traffic in a pcap.
Decryption relies on a text-based key log file that contains the encryption key data captured when the pcap was originally recorded.
HTTPS Web traffic
HTTPS traffic usually reveals a domain name. For example, when you view https://www.wireshark.org in a web browser, a pcap of that session viewed in Wireshark with a customized column display shows www.wireshark.org as the server name for the traffic. No other details are visible, however, such as the actual URL or the data returned by the server.
Encryption key log file
The encryption key log is a text file. These logs are created using a man-in-the-middle (MitM) technique when the pcap is originally recorded. If no such file was created when the pcap was recorded, you cannot decrypt the HTTPS traffic in that pcap.
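As an added example that is not part of the original article, the following Python script parses a key log file in the NSS SSLKEYLOGFILE format that Wireshark reads and checks which TLS sessions in a capture the log actually covers. Wireshark matches the 32-byte client random from each ClientHello against the CLIENT_RANDOM (TLS 1.2) or *_TRAFFIC_SECRET (TLS 1.3) entries in the log; a session with no matching entry stays encrypted even after the file is loaded, which is the practical form of the caveat above. The key log contents, client randoms and ClientHello records below are constructed sample data, not taken from the tutorial files.

```python
import re

# Labels in the NSS key log format that Wireshark keys by client random.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",                   # TLS 1.0-1.2: 48-byte master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",     # TLS 1.3 labels follow
    "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_hex}}, [skipped lines]).
    Lines that are not well-formed '<LABEL> <64 hex> <hex>' entries are skipped,
    which is also how Wireshark treats them."""
    entries, skipped = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in KEYLOG_LABELS
                or len(parts[1]) != 64 or not HEX_RE.match(parts[1])
                or not HEX_RE.match(parts[2])):
            skipped.append((lineno, raw))
            continue
        entries.setdefault(parts[1].lower(), {})[parts[0]] = parts[2].lower()
    return entries, skipped


def client_random_from_record(data):
    """Extract the 32-byte client random from a TLS record carrying a
    ClientHello; return None if the bytes are not such a record."""
    # Record header: content type 0x16 (handshake), version, 2-byte length.
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    # Handshake header: type 0x01 (ClientHello), 3-byte length.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello body: legacy_version (2 bytes) then random (32 bytes).
    if len(hello) < 34:
        return None
    return hello[2:34]


def decryptable_sessions(keylog_text, records):
    """For each ClientHello record, return the sorted list of key log labels
    found for its client random ([] means the session cannot be decrypted);
    None marks records that are not ClientHellos."""
    entries, _ = parse_keylog(keylog_text)
    report = []
    for rec in records:
        rnd = client_random_from_record(rec)
        if rnd is None:
            report.append(None)
            continue
        report.append(sorted(entries.get(rnd.hex(), {})))
    return report


def build_client_hello(client_random):
    """Construct a minimal TLS 1.2 ClientHello record (sample data only)."""
    hello = (b"\x03\x03" + client_random   # legacy_version, random
             + b"\x00"                      # empty session id
             + b"\x00\x02\xc0\x2f"          # one cipher suite
             + b"\x01\x00")                 # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: three sessions, a key log that covers only two of them.
RANDOM_A = bytes(range(32))
RANDOM_B = bytes(range(32, 64))
RANDOM_C = bytes(range(64, 96))
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + RANDOM_A.hex() + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + RANDOM_B.hex() + " " + "bb" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + RANDOM_B.hex() + " " + "cc" * 32,
    "garbage line that Wireshark would ignore",
])
SAMPLE_RECORDS = [build_client_hello(r) for r in (RANDOM_A, RANDOM_B, RANDOM_C)]

if __name__ == "__main__":
    for i, labels in enumerate(decryptable_sessions(SAMPLE_KEYLOG, SAMPLE_RECORDS)):
        status = ", ".join(labels) if labels else "NOT covered by key log"
        print(f"session {i}: {status}")
```

To run this against a real capture, feed client_random_from_record the first client-to-server TLS record of each stream (read with any pcap library); the function needs only the raw record bytes. An empty list for a session means the log has no entry for it, so the fix is in how the capture and key log were recorded, not in Wireshark's preferences.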
Example: analyzing HTTPS traffic with a key log file
A password-protected ZIP file in the GitHub repository contains the pcap and its key log file. The ZIP is password-protected because once the pcap is decrypted with the key log, the malware sample it carries can be extracted.
Extract the pcap and key log file from the ZIP (password: infected):
Wireshark-tutorial-KeysLogFile.txt
Wireshark-tutorial-decrypting-HTTPS-SSL-TLS-traffic.pcap
HTTPS traffic without the key log file
Open Wireshark-tutorial-decrypting-HTTPS-SSL-TLS-traffic.pcap in Wireshark and apply the web traffic filter:
(http.request or tls.handshake.type eq 1) and !(ssdp)
This pcap is from a Dridex infection on a Windows 10 host, and all of the web traffic, including the infection activity, is HTTPS. Without the key log file, no traffic details are visible, only IP addresses, TCP ports and domain names:
Loading the key log file
Open Wireshark-tutorial-decrypting-HTTPS-SSL-TLS-traffic.pcap in Wireshark and use the menu path Edit -> Preferences to open the Preferences window:
On the left side of the Preferences window, click Protocols:
If you are using Wireshark version 2.x, select SSL; if you are using Wireshark version 3.x, select TLS. After selecting SSL or TLS, you will see the (Pre)-Master-Secret log filename field. Click Browse and select the key log file named Wireshark-tutorial-KeysLogFile.txt:
HTTPS traffic with the key log file
When you click OK, Wireshark lists the decrypted HTTP requests under each HTTPS line:
In this pcap, you can now see HTTP requests to microsoft.com and skype.com domains that were hidden in the HTTPS traffic, as well as the following traffic generated by Dridex:
foodsgoodforliver[.]com - GET /invest_20.dll
105711[.]com - POST /docs.php
The GET request to foodsgoodforliver[.]com returned a Dridex DLL file. The POST request to 105711[.]com is command and control (C2) traffic from the Dridex-infected Windows host.
The HTTP stream for the HTTP GET request to foodsgoodforliver[.]com:
You can export this malware from the pcap using the menu path File -> Export Objects -> HTTP:
Use the file command to confirm that this is a DLL file, then use shasum -a 256 to get the SHA256 hash of the file:
The SHA256 hash for this malware is:
31cf42b2a7c5c558f44cfc67684cc344c17d4946d3a1e0b2cecb8e*173cb2f
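As an added example that is not part of the original article, this Python code does for an exported object what the file and shasum -a 256 commands above do: it checks that the data is a PE image, reads the IMAGE_FILE_DLL flag from the COFF file header to confirm it is a DLL rather than an EXE, and computes the SHA256 hash. The inputs below are constructed minimal PE headers, not the Dridex sample, so their hashes are unrelated to the one listed above.

```python
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics bits
IMAGE_FILE_DLL = 0x2000


def inspect_exported_object(data):
    """Return a dict with is_pe, is_dll, the COFF Machine field and the
    SHA256 hex digest of data (hash is computed for any input)."""
    info = {"is_pe": False, "is_dll": False, "machine": None,
            "sha256": hashlib.sha256(data).hexdigest()}
    # DOS header: 'MZ' magic; e_lfanew at offset 0x3C points to 'PE\0\0'.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte PE signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info["is_pe"] = True
    info["machine"] = machine
    info["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info


def build_sample_pe(is_dll=True, machine=0x8664):
    """Construct a minimal PE header (constructed sample, not real malware)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: right after DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


SAMPLE_DLL = build_sample_pe(is_dll=True)
SAMPLE_EXE = build_sample_pe(is_dll=False)

if __name__ == "__main__":
    for name, blob in (("sample.dll", SAMPLE_DLL), ("sample.exe", SAMPLE_EXE)):
        r = inspect_exported_object(blob)
        kind = ("DLL" if r["is_dll"] else "EXE") if r["is_pe"] else "not a PE file"
        print(name, kind, hex(r["machine"] or 0), r["sha256"])
```

In practice you would pass the bytes of the object exported from Wireshark (for example, open the saved invest_20.dll and read it) and compare the printed hash against your threat intelligence sources; the Machine value 0x8664 denotes x86-64 and 0x14c denotes 32-bit x86.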
C2 traffic from this Dridex infection can also be examined; the following figure shows one of the HTTP streams: