MITM Labs/Decrypting HTTPS Traffic with Private Key File
From charlesreid1
This is also a supremely evil attack.
This page covers an HTTPS attack that involves obtaining a private key captured from a browser to decrypt traffic captured from an encrypted session.
Whereas the MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info page focuses on using the SSLKEYLOGFILE variable to export SSL information, this page focuses on obtaining an actual .pem key file, used by the browser for HTTPS sessions.
Note that both techniques require some degree of local access.
Overview
If you wish to sniff HTTPS traffic, you have two options:
- Obtain the SSL private key information from the browser via environment variables
- Obtain the SSL private key file directly from the browser
The MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info page covers option 1. This page covers option 2.
Sniffing SSL Traffic
See MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info#Sniffing SSL Traffic for the SSL sniffing setup and tips. Once we have the private key from the browser, we can either sniff remotely (e.g., by carrying out an ARP attack or a physical attack) or locally (on the sheep's machine).
Obtaining Pem Private Key File
Let's begin by obtaining the .pem private key from the browser: https://www.identrust.com/irs/fatca/export_certificate.html
Decrypting SSL Traffic
To actually use the private key to decrypt SSL traffic, we have two options:
1. Use Wireshark: the easiest option, a GUI utility. Just point it to the .pem file and it's done.
2. Use SSLDump: a command-line utility, suited to processing in a shell script or other tooling.