5/7/2023

A Recipe for Decrypting SSL in Wireshark

I recently was involved in responding to an incident, and one thing that was key to our investigation was decrypting SSL traffic. The attacker got a web shell on one of the servers and was mucking around with it. All of the traffic was over HTTPS, but we fortunately had the key. This allowed us to decrypt the traffic and view all of the commands issued. It was quite exciting being able to watch every step of the attack, so I would like to share the steps so that you can do it yourself!

Sometimes it is hard to find encryption keys in your pantry, so here are some common locations where they may be stored:

Linux: If you have Apache and can't find the key, look in the configuration file (often found in /etc/apache2/) for the following directive: SSLCertificateKeyFile.

Windows: C:\Program Files\Apache Software Foundation\Apache2.2\conf\nf (search this for the location).

After you have all your ingredients, add them one at a time into Wireshark:

1. Open your pcap (I assume you know how to do this).
2. Go to Edit > Preferences.
3. On this screen, click on Protocols on the left and start typing SSL, which will get you there faster than scrolling.
4. Hit Edit to add keys, which opens the key list dialog.
5. Set the IP address to your web server (or to 0.0.0.0 if you want it to try to decrypt all traffic).
6. Set the port to the port the server is running on.
7. Set the protocol to HTTP (this tells Wireshark to decrypt the payload and analyze it as HTTP traffic).
8. Then add the key file and the password, if you have one.
9. Once you hit OK and then Apply, Wireshark should re-analyze the pcap for you and you should see decrypted traffic.

Hooray! That was easy, and now everything should be decrypted.

I set up a server on one of my VMs to go through the process of implementing SSL and then capturing and decrypting traffic. It was a simple PHP login form that I borrowed and modified from here. I removed the MySQL portion since I wanted to just test SSL. Then I followed this guide to get everything set up for SSL. Once everything is good to go, run Wireshark and capture the login traffic.
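The server's private key only unlocks a capture when the session negotiated a plain RSA key exchange (a TLS_RSA_* cipher suite on TLS 1.2 or older), because that is the only case where the pre-master secret travels encrypted under the server's public key. Sessions using (EC)DHE suites, and every TLS 1.3 session, have forward secrecy and need the pre-master secret log (SSLKEYLOGFILE) instead; Wireshark 3.0 and later also label the preference page "TLS" rather than "SSL". The following script is an added example, not code from the original post: it parses a ServerHello record, reads the negotiated cipher suite and version (including the TLS 1.3 supported_versions extension), and reports whether the key-list method above can work. The ServerHello bytes are constructed inline as test data, not taken from a real capture.

```python
import struct

# Small cipher-suite table (IANA code -> name); only what the example needs.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}

HANDSHAKE = 0x16                # TLS record content type
SERVER_HELLO = 0x02             # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B # extension that signals TLS 1.3
TLS_1_3 = 0x0304


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version and suite."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]  # legacy_version
    pos += 2
    pos += 32                                             # server random
    sid_len = hello[pos]
    pos += 1 + sid_len                                    # session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 1                                              # compression method

    # TLS 1.3 keeps legacy_version at 0x0303 and announces itself in an extension.
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_size]
            pos += ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                version = struct.unpack("!H", data)[0]

    return {"version": version, "cipher_suite": suite,
            "name": CIPHER_SUITES.get(suite, "unknown")}


def private_key_decryption_possible(info: dict) -> tuple:
    """Decide whether Wireshark's RSA key list can decrypt this session."""
    if info["version"] >= TLS_1_3:
        return False, "TLS 1.3 always uses ephemeral key exchange; use a key log file"
    name = info["name"]
    if name.startswith("TLS_RSA_"):
        return True, "RSA key exchange: the server private key decrypts the session"
    return False, f"{name} uses ephemeral key exchange; use a key log file"


def build_server_hello(cipher_suite: int, tls13: bool = False) -> bytes:
    """Construct a sample ServerHello record (test data, not a real capture)."""
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", cipher_suite) + b"\x00")
    if tls13:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04"
        hello += struct.pack("!H", len(ext)) + ext
    else:
        hello += b"\x00\x00"  # empty extensions block
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, rec in [("RSA", build_server_hello(0x002F)),
                       ("ECDHE", build_server_hello(0xC02F)),
                       ("TLS1.3", build_server_hello(0x1301, tls13=True))]:
        info = parse_server_hello(rec)
        ok, why = private_key_decryption_possible(info)
        print(f"{label:7} {info['name']:40} decryptable={ok}: {why}")
```

In practice you would feed this the first server-to-client handshake record of a stream exported from the pcap; if it reports an ephemeral suite, no amount of fiddling with the key list will decrypt the stream, and the capture host needs the key log file instead.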