Decrypting TLS in Wireshark - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki

"If Wireshark knows the session key of a TLS session (the symmetric that gets created) it can decode encrypted TLS packets.

Systems can store these keys in a logfile if the SSLKEYLOGFILE environmental variable is set. Some browsers (Chrome and Firefox) will look for this variable and store the keys there" (Champlain College Canvas)


I. Tell Windows to create the Log File


  • On your Windows VM, go to Environment Variables
  • Create a new System Variable:
    • Variable name: SSLKEYLOGFILE
    • Variable Value: c:\users\champuser\sslkeylog.log



II. Test Logging


  • Kill all running instances of any browser (if any)
  • Open Chrome and go to any HTTPS website
  • Look in Windows Explorer for the logfile you created above


  • Open in Notepad - you should see some key info recorded
  • Do not go on to the next step until you see key data
  • Close the .log file
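Before moving on, it helps to know what "key data" actually looks like. Chrome and Firefox write the NSS key log format: one entry per line, a label, the 32-byte client random (as 64 hex characters) and the secret; TLS 1.2 sessions use a `CLIENT_RANDOM` line with the 48-byte master secret, TLS 1.3 sessions write several `*_TRAFFIC_SECRET` lines sharing the same client random. The checker below is an added example (not part of the journal or of Wireshark) that validates a key log and counts sessions; the sample log is constructed, not copied from a real browser.

```python
import re
from collections import Counter

# Labels written by NSS/BoringSSL key logging and read by Wireshark.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
                "EARLY_EXPORTER_MASTER_SECRET"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (entries, errors); each entry is (label, client_random, secret)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in TLS12_LABELS | TLS13_LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if not HEX.match(client_random) or len(client_random) != 64:
            errors.append((lineno, "client random must be 32 bytes of hex"))
            continue
        # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are the cipher
        # suite's hash length (32 bytes for SHA-256, 48 bytes for SHA-384).
        want = {96} if label in TLS12_LABELS else {64, 96}
        if not HEX.match(secret) or len(secret) not in want:
            errors.append((lineno, f"{label} secret has unexpected length"))
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, errors

def summarize(entries):
    """Entries per label, and number of distinct sessions (client randoms)."""
    return dict(Counter(e[0] for e in entries)), len({e[1] for e in entries})

SAMPLE_LOG = "\n".join([            # constructed sample, not a real key log
    "# TLS 1.2 session followed by a TLS 1.3 session",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "77" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,   # truncated secret
    "this is not a key log line",
])
```

Run `parse_keylog` over the contents of `sslkeylog.log`; if it reports zero entries, the browser was started before the variable was set and Wireshark will have nothing to decrypt with.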

III. Configure Wireshark


  • Open up Wireshark > Edit > Preferences

  • Click on Protocols and browse to TLS

  • Under (Pre)-Master-Secret log filename - browse to the file you created above

  • Restart Wireshark

  • Start a capture

  • Browse to https://192.168.4.243 until you see its page display

  • Stop capture

  • View results and filter on the IP address above


  • Can you find GETs and Responses decrypted? Can you see the content?


  • Post a screenshot of the keys in your SSL KeyLog file and post a screenshot of decrypted SSL packet in Wireshark with the super secret phrase!