Decrypting SSL/TLS browser traffic with Wireshark (using netsh trace start)

preview_player
Показать описание
Walk-through on how to use built-in Windows netsh tool to capture https browser network traffic, convert it using etl2pcapng, and then afterwards decrypt it with Wireshark.

To do this we use SSLKEYLOGFILE and the netsh command line to create a network trace and TLS session keys.

Sorry, audio seems to have some hiccups - but hopefully not too bad.

Microsoft's ETL to pcap conversion tool is here:

Intro 0:00
Capture TLS session keys via SSLKEYLOGFILE 0:10
Use netsh trace to capture traffic on Windows 0:30
Convert etl file to pcap using etl2pcapng 1:40
Decrypting the pcap using the capture TLS session keys 2:50
Wrap-up 3:20
  1. Embrace The Red
Рекомендации по теме
Decrypting SSL/TLS browser 0:03:47

Decrypting SSL/TLS browser traffic with Wireshark (using netsh trace start)

How to DECRYPT 0:08:41

How to DECRYPT HTTPS Traffic with Wireshark

How to Decrypt 0:09:46

How to Decrypt SSL/TLS Web Browser traffic

Decrypt SSL / 0:14:27

Decrypt SSL / TLS traffic using wireshark.

Decrypting HTTPS Traffic 0:15:49

Decrypting HTTPS Traffic With Wireshark

HTTPS Decryption with 0:31:14

HTTPS Decryption with Wireshark // Website TLS Decryption

Decrypt TLS traffic 0:08:18

Decrypt TLS traffic on the client-side with Wireshark

Decrypt HTTPS traffic 0:03:59

Decrypt HTTPS traffic with Wireshark on Windows

Decrypting TLS, HTTP/2 0:28:00

Decrypting TLS, HTTP/2 and QUIC with Wireshark

Decrypting and reading 0:03:52

Decrypting and reading HTTP and SPDY traffic in Wireshark over TLS/SSL

TLS Handshake Deep 1:05:40

TLS Handshake Deep Dive and decryption with Wireshark

Analyzing TLS session 0:13:13

Analyzing TLS session setup using Wireshark

Decrypt SSL traffic 0:04:15

Decrypt SSL traffic with the SSLKEYLOGFILE environmental variable

How to Decrypt 0:02:47

How to Decrypt QUIC and HTTP3 // Decrypting TLS with Kali Linux // Wireshark Tutorial

How to decrypt 0:12:02

How to decrypt HTTPS TLS traffic two directions in Wireshark

Wireshark Decrypting SSL 0:08:44

Wireshark Decrypting SSL | 'Ssleepy' TJCTF 2018

Decrypting TLS Browser 0:01:21

Decrypting TLS Browser Traffic With Wireshark - Body is still encrypted

Troubleshooting with Wireshark: 0:01:48

Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs)

SSL TLS decryption 0:15:08

SSL TLS decryption demo with PFS Key exchange using Wireshark and export SSLKEYLOGFILE

Security Decrypted - 0:20:01

Security Decrypted - SSL/TLS Internals (Part 1)

Wireshark: Basic Tutorial 0:09:57

Wireshark: Basic Tutorial on TLSv1.2 Decryption

Taking over HTTPS 0:10:53

Taking over HTTPS traffic with BETTERCAP using SSLSTRIP and explaining HSTSHijack - testing MiTM

TLS Decryption 0:03:32

TLS Decryption

SSL/TLS or HTTPS 0:05:11

SSL/TLS or HTTPS decryption

Комментарии
Автор

Only works, if the traffic comes from the browser - in your example, chrome provides the session keys.
So, no - not really workable on a server.

mortenwormdue
Автор

wireshark's team need to integrate converter etLtoPcapng in their product

bratecyo
Автор

What is that key file? how do i create it and use it?
I created it from scratch but after doing the commands it has 0 length

itamarcohen
Автор

Didn't work on Windows 10 running Chrome. Followed all your steps, it created the files just fine, i converted to pcap and when trying to decrypt in wireshark using the keys file it didn't work. anything special between your windows version and/or Chrome?

shibbyshaggy
Автор

how to do it for traffic outside of browser? say I have a desktop app

Sway
Автор

[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "c:\temp\sslkeys\keys", "MACHINE")

netsh trace start capture=yes report=disabled

netsh trace stop

RandomAccess
Автор

won't decrypt credentials to plain text, correct?

geeksified