MITM Labs/Decrypting HTTPS Traffic with Private Key File
From charlesreid1
This is also a supremely evil attack.
This page covers an HTTPS attack that involves obtaining a private key from a browser and using it to decrypt traffic captured from an encrypted session.
Whereas the MITM Labs/Decrypting HTTPS Traffic by Compromising Browser SSL Keys page focuses on using the SSLKEYLOGFILE variable to export SSL session secrets, this page focuses on obtaining an actual .pem key file, the one the browser uses for HTTPS sessions.
Note both techniques require some degree of local access.
Overview
If you wish to sniff HTTPS traffic, you have two options:
- Obtain the SSL private key information from the browser via environment variables
- Obtain the SSL private key file directly from the browser
The MITM Labs/Decrypting HTTPS Traffic by Compromising Browser SSL Keys page covers option 1. This page covers option 2.
Sniffing SSL Traffic
See MITM Labs/Decrypting HTTPS Traffic by Compromising Browser SSL Keys#Sniffing SSL Traffic for the SSL sniffing setup and tips. Once we have the private key from the browser, we can either sniff remotely (e.g., by carrying out an ARP attack or a physical attack) or locally (on the sheep's machine).
Obtaining the .pem Private Key File
Let's begin by obtaining the .pem private key from the browser: https://www.identrust.com/irs/fatca/export_certificate.html
Decrypting SSL Traffic
To actually use the private key to decrypt SSL traffic, we have two options:
1. Use Wireshark - the easiest option. It is a GUI utility: point it at the .pem file and it's done.
2. Use ssldump - a command-line utility, useful for processing in a shell script or other automation.
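Before loading a .pem key into Wireshark's RSA keys list (or handing it to ssldump -k), it is worth checking that the capture can be decrypted that way at all. A private key only recovers the session secrets when the session negotiated a plain-RSA key-exchange cipher suite, where the client encrypts the premaster secret to the server's public key; (EC)DHE and TLS 1.3 suites derive the keys from an ephemeral exchange the long-term key never touches, and for those only the SSLKEYLOGFILE route works. The script below is an added example, not code from this wiki or from the Wireshark or ssldump projects: it walks the server-side TLS record stream, finds the ServerHello and classifies the negotiated cipher suite. The cipher-suite tables are a subset of the IANA registry (assumed sufficient for the demonstration), and all sample ServerHello bytes are constructed inline rather than taken from a real capture.

```python
"""Check whether a captured TLS session can be decrypted with an RSA private key.

Added example (not charlesreid1's code). Cipher-suite tables are a subset of the
IANA registry; sample bytes are constructed by build_server_hello() below.
"""
import struct

HANDSHAKE = 0x16     # TLS record content type: handshake
SERVER_HELLO = 0x02  # handshake message type: ServerHello

# Plain-RSA key-exchange suites (subset): the client encrypts the premaster secret
# to the server's public key, so the matching private key recovers it.
RSA_KX_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

# Forward-secret suites (subset): session keys come from an ephemeral (EC)DH
# exchange, so the long-term private key alone cannot decrypt the capture.
EPHEMERAL_SUITES = {
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suites are always ephemeral
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def iter_records(stream):
    """Yield (content_type, version, payload) for each TLS record in the byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, payload
        off += 5 + length


def iter_handshakes(payload):
    """Yield (handshake_type, body) for each handshake message inside a record payload."""
    off = 0
    while off + 4 <= len(payload):
        htype = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("truncated handshake message")
        yield htype, body
        off += 4 + length


def parse_server_hello(body):
    """Return (protocol_version, cipher_suite) from a ServerHello body.

    Layout: version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2) ...
    """
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]
    off = 35 + sid_len
    cipher_suite = struct.unpack("!H", body[off:off + 2])[0]
    return version, cipher_suite


def find_server_hello(stream):
    """Return (version, cipher_suite) of the first ServerHello in the stream, or None."""
    for ctype, _, payload in iter_records(stream):
        if ctype != HANDSHAKE:
            continue
        for htype, body in iter_handshakes(payload):
            if htype == SERVER_HELLO:
                return parse_server_hello(body)
    return None


def private_key_can_decrypt(stream):
    """Return (decryptable, reason): can the server's RSA private key decrypt this session?"""
    try:
        hello = find_server_hello(stream)
    except ValueError as exc:
        return False, f"malformed capture: {exc}"
    if hello is None:
        return False, "no ServerHello found"
    _, suite = hello
    if suite in RSA_KX_SUITES:
        return True, f"{RSA_KX_SUITES[suite]}: RSA key exchange, load the .pem in Wireshark or ssldump"
    name = EPHEMERAL_SUITES.get(suite, f"unknown suite 0x{suite:04x}")
    return False, f"{name}: ephemeral key exchange, the private key alone cannot decrypt it"


def build_server_hello(cipher_suite, version=0x0303, session_id=b""):
    """Construct a minimal TLS record carrying a ServerHello (sample data for this example)."""
    body = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")  # compression method: null
    msg = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(msg)) + msg


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        ok, why = private_key_can_decrypt(build_server_hello(suite, session_id=bytes(16)))
        print("decryptable" if ok else "not decryptable", "-", why)
```

To use it on a real capture, feed the server-to-client TCP payload (for example the bytes Wireshark's "Follow TCP Stream" exports for that direction) to private_key_can_decrypt(); a False result with an ECDHE or TLS 1.3 suite means the .pem route described on this page will not work and the SSLKEYLOGFILE approach from the companion page is the one to use.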