
Sharing a PCAP with Decrypted HTTPS: What You Need to Know



The TLS decryption was performed by connecting a laptop to a custom WiFi access point, which was a Raspberry Pi configured as in our "Raspberry Pi WiFi Access Point with TLS Inspection" blog post. I additionally enabled the PCAP-over-IP feature in PolarProxy by starting it with the "--pcapoverip 57012" option. This allowed me to connect with Wireshark and NetworkMiner to TCP port 57012 on the TLS proxy and stream the decrypted traffic in order to perform live network traffic analysis.




Sharing a PCAP with Decrypted HTTPS



This tutorial is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps) of the traffic. The instructions assume you are familiar with Wireshark, and they focus on Wireshark version 3.x.


This Wireshark tutorial describes how to decrypt HTTPS traffic from a pcap in Wireshark. Decryption is possible with a text-based log containing encryption key data captured when the pcap was originally recorded. With this key log file, we can decrypt HTTPS activity in a pcap and review its contents.


A password-protected ZIP archive containing the pcap and its key log file is available at this GitHub repository. Go to the GitHub page, click on the ZIP archive entry, then download it as shown in Figures 4 and 5. Of note, the pcap contained in this ZIP archive provides access to a Windows-based malware sample when decrypted with the key log. As always, we recommend you exercise caution and follow the steps from this tutorial in a non-Windows environment.


This tutorial reviewed how to decrypt HTTPS traffic in a pcap with Wireshark using a key log text file. Without a key log file created when the pcap was originally recorded, you cannot decrypt HTTPS traffic from that pcap in Wireshark.


Since Wireshark 3.0 you can embed the TLS key log file in a pcapng file. This makes it much easier to distribute capture files with decryption secrets, and makes switching between capture files easier since the TLS protocol preference does not have to be updated. To add the contents of the key log file keys.txt to the capture file in.pcap and write the result to out-dsb.pcapng:
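What that embedding produces inside the pcapng file is a Decryption Secrets Block (DSB, block type 0x0000000A) carrying the key log with secrets type 0x544C534B ("TLSK"). As an added example that is not from the Wireshark documentation, the following Python builds such a block and inserts it directly after the Section Header Block; the SHB and the key log line are constructed for the demonstration.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block (same bytes in either byte order)
DSB_TYPE = 0x0000000A          # Decryption Secrets Block
TLS_KEYLOG = 0x544C534B        # secrets type "TLSK": NSS key log format
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def section_endianness(pcapng: bytes) -> str:
    """Return the struct prefix '<' or '>' from the byte-order magic of the leading SHB."""
    if len(pcapng) < 28 or struct.unpack("<I", pcapng[:4])[0] != SHB_TYPE:
        raise ValueError("not a pcapng file: no leading Section Header Block")
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcapng[8:12])[0] == BYTE_ORDER_MAGIC:
            return endian
    raise ValueError("unrecognised byte-order magic in SHB")

def build_dsb(keylog: bytes, endian: str = "<") -> bytes:
    """Wrap a TLS key log in a DSB: block type, block total length, secrets type,
    secrets length, secrets data padded to 32 bits, block total length again."""
    padded = keylog + b"\x00" * (-len(keylog) % 4)
    total = 8 + 8 + len(padded) + 4
    head = struct.pack(endian + "IIII", DSB_TYPE, total, TLS_KEYLOG, len(keylog))
    return head + padded + struct.pack(endian + "I", total)

def inject_secrets(pcapng: bytes, keylog: bytes) -> bytes:
    """Place the DSB directly after the SHB so it precedes every packet block,
    matching the section's byte order; editcap --inject-secrets tls,keys.txt does the same."""
    endian = section_endianness(pcapng)
    shb_len = struct.unpack(endian + "I", pcapng[4:8])[0]
    return pcapng[:shb_len] + build_dsb(keylog, endian) + pcapng[shb_len:]

def minimal_shb(endian: str = "<") -> bytes:
    """Constructed 28-byte SHB (version 1.0, unknown section length) for the demo."""
    return struct.pack(endian + "IIIHHqI", SHB_TYPE, 28, BYTE_ORDER_MAGIC, 1, 0, -1, 28)

# Constructed key log line in the NSS format Wireshark reads; the hex is filler,
# not secrets from a real session.
SAMPLE_KEYLOG = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\n"

if __name__ == "__main__":
    out = inject_secrets(minimal_shb(), SAMPLE_KEYLOG)
    print(f"{len(out)} bytes: SHB + {len(build_dsb(SAMPLE_KEYLOG))}-byte DSB")
```

Running the script on a real pcapng means passing its bytes instead of `minimal_shb()`; the DSB must sit before the packets it decrypts, which is why it goes immediately after the SHB.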


This creates the file test.pcapng, but it is not decrypted. I know from the Wireshark docs that you cannot save a decrypted file. You can only open it in Wireshark and provide the WiFi key, or use that command and filter everything you want. Can I somehow read and decrypt on the fly using rdpcap? I created a very long program that uses rdpcap to read the pcap and then extracts all the important (relevant) info. I don't want to just delete it; is there any way to decrypt it using rdpcap?


TLS 1.3 is the next iteration after industry standard 1.2, with 1.3 adopted by most browsers at this point. TLS decryption is currently broken (bug 15537) when the certificate message spans multiple records. In my testing, some JavaScript files (and other small files) get decrypted, but no HTML or CSS files.




Wouldn't it be awesome to have a NIDS like Snort, Suricata or Zeek inspect HTTP requests leaving your network inside TLS encrypted HTTPS traffic? Yeah, we think so too! We have therefore created this guide on how to configure Security Onion to sniff decrypted TLS traffic with help of PolarProxy.


PolarProxy is a forward TLS proxy that decrypts incoming TLS traffic from clients, re-encrypts it and forwards it to the server. One of the key features in PolarProxy is the ability to export the proxied traffic in decrypted form using the PCAP format (a.k.a. libpcap/tcpdump format). This makes it possible to read the decrypted traffic with external tools, without having to perform the decryption again. It also enables packet analysis using tools that don't have built-in TLS decryption support.


PolarProxy is primarily a TLS forward proxy, but it can also be used as a TLS termination proxy or reverse TLS proxy to intercept and decrypt incoming TLS traffic, such as HTTPS or IMAPS, before it is forwarded to a server. The proxied traffic can be accessed in decrypted form as a PCAP formatted data stream, which allows real-time analysis of the decrypted traffic by an IDS as well as post incident forensics with Wireshark.


Jan Hesse sent us a feature request on Twitter earlier this year, asking about support for FritzBox captures. We are happy to announce that NetworkMiner now supports the modified pcap format you get when sniffing network traffic with a FritzBox gateway.


Our transparent TLS proxy PolarProxy is gaining lots of popularity due to how effective it is at generating decrypted PCAP files in combination with how easy it is to deploy. In this blog post we will show how to run PolarProxy in Docker.


Create a container called "polarproxy", which has the "pcap" and "polarproxy" directories mounted as volumes. The service on TCP 10080 will serve the proxy's public root cert over HTTP. The localhost:57012 service is a Pcap-over-IP server, from which the decrypted network traffic can be streamed in real-time.


It probably makes more sense to forward the decrypted traffic to an IDS or other type of network security monitoring tool though. See our blog post "Sniffing Decrypted TLS Traffic with Security Onion" for instructions on how to use netcat and tcpreplay to send the decrypted traffic to a monitor interface.


The new "--pcapoveripconnect" option can be used to let PolarProxy connect to a PCAP-over-IP listener and send it a live PCAP stream of decrypted traffic over TCP. This option complements PolarProxy's "--pcapoverip" option, which sets up a PCAP-over-IP listener that serves clients with the same PCAP stream. Thanks to Andy Wick for suggesting adding a PCAP-over-IP connector to PolarProxy!


The latest version of Arkime (The Sniffer Formerly Known As Moloch) can now be fed with a real-time stream of decrypted HTTPS traffic from PolarProxy. All that is needed to enable this feature is to include "pcapReadMethod=pcap-over-ip-server" in Arkime's config.ini file and start PolarProxy with the "--pcapoveripconnect 127.0.0.1:57012" option. PolarProxy will then connect to Arkime's PCAP-over-IP listener on TCP port 57012 and send it a copy of all TLS packets it decrypts.
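The PCAP-over-IP feature used here, in the Docker paragraph and with the "--pcapoveripconnect" option above is nothing more than a libpcap-format byte stream carried over a TCP connection. As an added example that is neither PolarProxy's nor Arkime's code, this Python client parses such a stream incrementally, reassembling the global header and records that TCP segmentation splits apart; the default port and the sample capture are constructed for the demonstration.

```python
import socket
import struct
# pcap global-header magics: microsecond or nanosecond timestamps, either byte order
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1_000_000), b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
          b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000), b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000)}

class PcapStreamParser:
    """Incremental pcap parser for a PCAP-over-IP socket: TCP segment boundaries may fall anywhere."""
    def __init__(self):
        self.buf, self.endian, self.divisor, self.linktype = b"", None, 1, None

    def feed(self, data: bytes):
        """Buffer new bytes and yield each (timestamp, frame) that is now complete."""
        self.buf += data
        if self.endian is None:
            if len(self.buf) < 24:
                return                                  # 24-byte global header still incomplete
            if self.buf[:4] not in MAGICS:
                raise ValueError("stream does not start with a pcap global header")
            self.endian, self.divisor = MAGICS[self.buf[:4]]
            self.linktype = struct.unpack(self.endian + "I", self.buf[20:24])[0]
            self.buf = self.buf[24:]
        while len(self.buf) >= 16:
            ts_sec, ts_frac, caplen, _ = struct.unpack(self.endian + "IIII", self.buf[:16])
            if len(self.buf) < 16 + caplen:
                return                                  # wait for the rest of this record
            yield ts_sec + ts_frac / self.divisor, self.buf[16:16 + caplen]
            self.buf = self.buf[16 + caplen:]

def stream_from_proxy(host: str, port: int = 57012):
    """Connect to a PCAP-over-IP listener (e.g. PolarProxy --pcapoverip 57012); needs a live proxy."""
    parser = PcapStreamParser()
    with socket.create_connection((host, port)) as sock:
        while chunk := sock.recv(65536):
            yield from parser.feed(chunk)

def sample_stream() -> bytes:
    """Constructed two-record little-endian pcap (LINKTYPE_ETHERNET = 1); payloads are filler."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec1 = struct.pack("<IIII", 1_600_000_000, 500_000, 3, 3) + b"abc"
    rec2 = struct.pack("<IIII", 1_600_000_001, 0, 5, 5) + b"hello"
    return hdr + rec1 + rec2

def parse_in_chunks(stream: bytes, chunk: int):
    """Feed the stream in fixed-size pieces to exercise header and record reassembly."""
    parser, frames = PcapStreamParser(), []
    for i in range(0, len(stream), chunk):
        frames.extend(parser.feed(stream[i:i + chunk]))
    return parser.linktype, frames
```

Each frame yielded by `stream_from_proxy` is a complete Ethernet frame exactly as PolarProxy wrote it into the PCAP stream, so it can be handed to any dissector or written to a file for later analysis.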


The output from my "SunburstDomainDecoder.exe" tool will print the "decrypted" 8 byte GUID in the first column, and the decoded domain segment in the second column. A third column with value "(incomplete)" is appended for domains that are known to be truncated. These "incomplete" records will be printed first.


Decryption of HTTP network traffic has been built into Triage from the start but until now had only been visible in the analysis report, which will most likely not include all communications. With this update, we are also making available a new PCAPNG (PCAP Next Generation) file download which contains the full traffic dump with HTTPS already decrypted.


You can effortlessly build a pcap visualisation of the network communications. Explore a map of the network devices and all communications between nodes. Classify network nodes by their type through pcap analysis. Visualise TCP/UDP communications from a pcap file as a network graph.


Another interesting thing that can be found in SMB communications is user credentials, such as NTLMv2-SSP authentication between nodes. Upload a pcap file and you can try to crack the hashes found with appropriate tools.


The Message Analyzer Decryption feature enables you to view data for Application layer protocols that are encrypted with TLS and SSL, such as the HTTP and Remote Desktop (RDP) protocols. However, to enable a Decryption session in Message Analyzer, you will need to import a certificate that contains a matching identity for a target server, specify a required password, and then save the configuration. You can then either load a saved trace file into Message Analyzer through a Data Retrieval Session or start a Live Trace Session that will be enabled for decryption. Thereafter, Message Analyzer decrypts the trace by using the server certificate and password that you provided. After the trace results display in the Analysis Grid viewer, a Decryption Tool Window holds the decryption analysis information. If there are decryption failures, errors are reported to the Decryption window, where a red Error icon displays for each message that failed the decryption process. Detailed error descriptions are also provided in the Decryption window to assist in troubleshooting and analysis. If there are no errors reported, then the Decryption window displays either a blue Info icon for each message that was successfully decrypted, or a yellow Warning icon that flags each message for which a certificate could not be found.

