2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In my previous article, I introduced one way to decrypt HTTPS traffic: the client manually trusts a man-in-the-middle, and the man-in-the-middle then re-encapsulates the SSL traffic.
Article address: http://professor.blog.51cto.com/996189/1746183
-
Today I will introduce another way to decrypt HTTPS traffic.
Wireshark captures packets by reading and analyzing data directly from the network interface card (NIC). There are two ways to make it decrypt HTTPS traffic:
1) If you have the private key of the HTTPS website, you can use it to decrypt that website's encrypted traffic.
2) Some browsers support saving the symmetric keys used in TLS sessions to an external file, which Wireshark can then use for decryption.
This article focuses on the second method.
Both Firefox and Chrome can generate the file described in the second method; its layout is documented as the NSS Key Log Format. However, Firefox and Chrome only generate this file if the SSLKEYLOGFILE environment variable is set to a file path. Add this environment variable first (taking Windows as an example):
Open the environment variable settings window by running systempropertiesadvanced.exe
Add the environment variable (it can be a system or a user environment variable)
Make sure to save.
Then open a new cmd window and enter echo %SSLKEYLOGFILE% to check that it prints the path you just set.
If the path is not printed, check that the setting is correct.
After the setup is complete, exit Chrome or Firefox completely and reopen it. (I will demonstrate with Chrome here.)
Open the browser, visit an HTTPS web page, and then open the file that the SSLKEYLOGFILE environment variable points to. You will see the random strings recorded for each negotiated TLS session.
Open Wireshark (the latest version, 2.0+, is recommended)
Open Preferences and go to Protocols -> SSL settings
In the last field, Pre-Master-Secret log file, enter the path of the log file you set in the SSLKEYLOGFILE variable.
Start capturing packets:
To avoid capturing a lot of unrelated packets, you can add a capture filter
Then open an HTTPS page in the browser; I use Taobao as an example.
You can see that I have also added an http display filter, and the packet under the cursor happens to be a 302 redirect returned by a server.
At this point, the HTTPS traffic is being decrypted on the client side, and you can try it yourself.
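If Wireshark still shows only encrypted records, a first check is whether the file written via SSLKEYLOGFILE is well-formed. The following Python code is an added example, not part of the original article: it validates each line against the labels and field lengths of the NSS Key Log Format, using a constructed sample instead of real key material. The names check_line and summarize are illustrative.

```python
from collections import Counter
from string import hexdigits

# label -> (hex length of the 2nd field, allowed hex lengths of the secret)
RULES = {"CLIENT_RANDOM": (64, (96,)), "RSA": (16, (96,))}
for _name in ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
              "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
              "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"):
    RULES[_name] = (64, (64, 96))  # TLS 1.3: secret length follows the suite's hash

def check_line(line):
    """(label, None) if valid, (None, reason) if malformed, (None, None) if skipped."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None, None
    parts = line.split(" ")
    if len(parts) != 3:
        return None, "expected 3 space-separated fields"
    label, ident, secret = parts
    if label not in RULES:
        return None, "unknown label " + label
    if not set(ident + secret) <= set(hexdigits):
        return None, "non-hex field"
    id_len, secret_lens = RULES[label]
    if len(ident) != id_len or len(secret) not in secret_lens:
        return None, "bad field length for " + label
    return label, None

def summarize(text):
    """Count valid entries per label; collect (line number, reason) for bad lines."""
    counts, errors = Counter(), []
    for n, line in enumerate(text.splitlines(), 1):
        label, reason = check_line(line)
        if label:
            counts[label] += 1
        elif reason:
            errors.append((n, reason))
    return counts, errors

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "01" * 32 + " " + "ef" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,  # truncated secret
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To check a real file, pass its contents to summarize(); the output reports only labels and line numbers, never the secrets themselves.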