Decrypting HTTPS traffic without a key
Last week's post went over decrypting HTTPS traffic using an RSA private key. There are two main downsides to this method:
- It can only be used if you have access to the server-side private key.
- If a key exchange method like Diffie-Hellman is used to create an ephemeral key, the RSA key cannot be used to decrypt the traffic.
It is however possible to capture and decrypt HTTPS traffic without access to the web server.
First make sure
curl are installed. This can be done on CentOS
with the following command:
yum install -y tcpdump curl
Once the required packages are installed, a tcpdump command
similar to the following can be run on the client to capture packets sent
to/from the web server (
tcpdump -w /tmp/https.pcap -B 40960 host 10.0.2.10
tcpdump is listening, the following
curl command can be run to make
the HTTP request:
SSLKEYLOGFILE=ssl_log.txt curl --insecure --ciphers dhe_rsa_aes_128_cbc_sha_256 https://10.0.2.11/message.txt
This will create a log file called
ssl_log.txt which will contain the
ephemeral key generated during the key exchange. The contents of the file will
look something like this:
# SSL/TLS secrets log file, generated by NSS CLIENT_RANDOM 1b3f3d069a30941f67296a95d5f0e593b5ba3fe323e742e58d16e7ddefb3b833 454b10d4c95d877f1a21ac2f67f4ef87a48aede256b2fcf655f5f7607edc6c54fcfaacea72379abeaaaae30f9cbc81c4
Finally end the packet capture by pressing ctrl + c to
SSLKEYLOGFILE environment variable can also be used with other
software that uses NSS libraries, for example Firefox.
To decrypt the packet capture, carry out the following steps:
- Open the packet capture in Wireshark
Edit -> Preferences
- Set the
(Pre) - Master - Secret log filenameto match the path used with the
After running through the steps above you should hopefully see the decrypted HTTP request.
The example above forces curl to use
This can be decrypted with the version of Wireshark (
distributed with CentOS 7.
Unfortunately some ciphers (e.g.
require a later version of Wireshark. To get around this on CentOS Wireshark
can be compiled from source with the following commands:
# Install build dependencies (as root) yum install -y \ libgcrypt-devel openssl-devel nss-devel gnutls-devel qt5-linguist gcc \ gcc-c++ bison flex libpcap-devel qt-devel gtk3-devel rpm-build libtool \ c-ares-devel qt5-qtbase-devel qt5-qtmultimedia-devel desktop-file-utils # Extract the source code tar xf wireshark-2.2.5.tar.bz2 cd wireshark-2.2.5 # Configure with packages needed for decrypting tls ./configure --with-gnutls --with-ssl --with-gcrypt # Finally compile everything make
Note: the source code for Wireshark is available from wireshark.org.