0

Situation

We're wanting to use an HTTP logger/proxy/analyzer to inspect the access code, access token, and id token that are part of the code flow. The flow is happening among Google (the Authorization Server), a locally running web browser (the User Agent), and a locally running web application (the client).

What We've Tried #1

We've tried using Fiddler, WireShark, and RawCap and yet have not been able to view any of those. Here is an example of what we've tried.

  1. Start a RawCap session on our our IPv4 device.
    • rawcap -f 192.168.1.82 ipv4.pcap
    • rawcap -f 127.0.0.1 loopback.pcap
  2. Go thru the code flow with the local web application and Google.
  3. Stop the RawCap session.
  4. Open the .pcap files in WireShark.
  5. View the packet list results and match them to the code flow steps.

Problem

All the communication between the local web application, Google, and the user agent appears hidden behind TLS. How can we view the codes and tokens? The Windows 10 loopback is always ::1 so RawCap doesn't capture it.

What We've Tried #2

Install WireShark.

Install Npcap. This is for capturing IPv6 loopback traffic on Windows 10.

Run the following in PowerShell. This sets an environmental variable, which tells Firefox and Chrome to log their pre-master secret to a file.

[System.Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "C:\Wireshark\sslkeylog.log", [System.EnvironmentVariableTarget]::Machine);

Restart Windows. You might not have to do this but doing so is thorough.

Start Wireshark.

  • Configure SSL. Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename: C:\Wireshark\sslkeylog.log
  • Start capture and include loopback. Capture > Options > Input. Choose both the npcap Loopback Adapter and Wi-Fi.
  • Set a display filter. The filter only displays SSL traffic between my computers and duckduckgo.com. ssl and ip.dst == 192.168.1.82 and ip.src == 54.215.176.19. (Of course we can apply this to Google too.)

At this point, we will see the Decrypted SSL data (xxx bytes) tab in WireShark's Packet Bytes panel.

enter image description here

Export the Decrypted Data

  1. File > Export Packet Dissections > As Plain Text
  2. Packet Range > All Packets > Displayed
  3. Packet Format > Packet Bytes.
  4. File name > Whatever.txt
  5. Save as type > Plain text (*.txt)
  6. Save!

The resultant file will show each Frame and its Decrypted SSL Data. The decrypted data will unfortunately be in a hard-to-read columnar format.

See also

Community
  • 1
Shaun Luttin
  • 1,423
  • 3
  • 12
  • 13
  • 1
    This link might help: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ – Jesse K Jul 20 '16 at 21:08
  • Are you trying to see how to capture it? It seems like it'd be pretty easy to just have your web server console log it... – Robert Mennell Jul 20 '16 at 21:11
  • @RobertMennell Sounds good. How does one capture it with the web server console? I am wanting to observe the actual HTTP traffic. – Shaun Luttin Jul 20 '16 at 21:13
  • Depends on the language your web server is written in. You just need to have it dump the appropriate payload. This is a pretty simple task for a Node.js server to do. You can also set your routing software(nginx, apache) to do logging of requests as well. Otherwise you'd have to maintain a full MITM attack between the server and client and google. – Robert Mennell Jul 20 '16 at 21:15
  • Aha. I see. I am using ASP.NET Core and will need to look into this a bit more. – Shaun Luttin Jul 20 '16 at 21:19
  • @JesseKeilson The link you sent was worthwhile. I have the captured data and the logged SSL Key log. What's missing is WireShark's "Decrypted SSL Data" tab. My windows does not have that tab. – Shaun Luttin Jul 20 '16 at 21:51
  • You might have an older version of wireshark? Ages ago, it didn't support that. You might also need to configure the key for it to show the tab. – Jesse K Jul 20 '16 at 22:07
  • @JesseKeilson We're on version 2.0.4. We've also set the Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename. What do you mean by configuring the key? – Shaun Luttin Jul 20 '16 at 22:13

0 Answers0