
I want to be able to do this thing where I can extract path and/or hostname (preferably both) of all the embedded requests (HTTP and HTTPS) going within a webpage. I have tried using tshark for this, but when I use this command:

sudo tshark -i eth0 -Y 'http.request.method == "GET"' -T fields -e http.request.method -e http.request.uri

it displays the right embedded request paths for HTTP, but it doesn't really display anything in the case of HTTPS requests, only invisible blocks of lines between sequences of numbers. I understand that HTTPS requests are encrypted and therefore I may not be able to see the exact path. I looked into Wireshark for this, and came across links where you can direct the environment variable SSLKEYLOGFILE to a text file to which your browsers (Firefox/Chrome) will then subsequently log your private keys for each session. But that doesn't work in Firefox from version 48 onwards. For tshark as well, I cannot figure out how to actually obtain the private key of the server, and the entire process is not very clear to me, even after going through dozens of links. Could anyone please point me in the right direction, especially with regards to how I can programmatically obtain (on the terminal) all the HTTPS request paths in a page, similar to the tshark command for HTTP above (or the way we can clearly see the path in Firefox/Chrome's developer tools)?

Thanks!

QPTR
    *I cannot figure out how to actually obtain the private key of the server* - If you don't have access to it, then you not being able to decrypt HTTPS traffic is pretty much the purpose of it all. – domen Oct 21 '16 at 10:25
  • @domen Yep, true, but can we do something similar to what mitmproxy does, or the way browsers are able to show the HTTP request headers sent via TLS. In Firefox for example in the Network tab. – QPTR Oct 21 '16 at 10:43
  • 1
    You cannot decrypt TLS traffic without one of the processes that participated in establishing the connection giving you the keys. With the old deprecated RSA key exchange, you could decrypt traffic by having the server's private key, but most connections use ECDHE now and you don't have the key anyway. You can use the `SSLKEYLOGFILE` environment variable. – Z.T. Oct 21 '16 at 11:54
  • "yo, bro, if you could just break HTTPS i'll totally upvote." – rook Oct 21 '16 at 15:38
  • @Z.T. The `SSLKEYLOGFILE` doesn't seem to work with newer versions of Firefox. – QPTR Oct 21 '16 at 17:09
  • @rook I am not talking about actually breaking HTTPS, just if there was a way to man in the middle it on my own machine. – QPTR Oct 21 '16 at 17:10
  • @QPTR it's enabled for official binaries of firefox 50. https://bugzilla.mozilla.org/show_bug.cgi?id=1188657 – Z.T. Oct 22 '16 at 09:25
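The workflow Z.T.'s comments point at (your own browser writes its session secrets to `SSLKEYLOGFILE`, tshark reads that file to decrypt the capture) fails silently when the key log is empty or malformed, which is what a "doesn't work" report usually means. This added example (not code from the question or the comments) checks a key log for usable records in the NSS format and builds the tshark command that prints host and path of decrypted HTTPS GETs; the interface name `eth0`, the sample records and the log path are assumptions, and it assumes the browser was started from a shell where `SSLKEYLOGFILE` was exported.

```python
"""Check an SSLKEYLOGFILE, then build the tshark command that uses it."""
import re

# NSS key-log format: one record per line, "<LABEL> <client_random> <secret>".
# TLS 1.2 logs CLIENT_RANDOM (32-byte random, 48-byte master secret); the other
# labels are TLS 1.3 secrets whose length depends on the cipher (None = any).
KEYLOG_LABELS = {"CLIENT_RANDOM": 48}
KEYLOG_LABELS.update({label: None for label in (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")})
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return ({client_random: {labels}}, [problems]). Only cleanly parsed
    records let tshark decrypt; an empty dict means it will print nothing."""
    sessions, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            problems.append(f"line {lineno}: unsupported or malformed record")
            continue
        label, client_random, secret = parts
        want = KEYLOG_LABELS[label]
        if not (HEX.match(client_random) and len(client_random) == 64):
            problems.append(f"line {lineno}: client_random must be 32 hex bytes")
        elif not HEX.match(secret) or (want and len(secret) != 2 * want):
            problems.append(f"line {lineno}: bad secret for {label}")
        else:
            sessions.setdefault(client_random.lower(), set()).add(label)
    return sessions, problems

def tshark_cmd(keylog_path, iface="eth0", option="tls.keylog_file"):
    """Argv for tshark to print host and path of decrypted HTTPS GETs.
    tshark releases before 3.0 spell the option 'ssl.keylog_file'."""
    return ["tshark", "-i", iface, "-o", f"{option}:{keylog_path}",
            "-Y", 'http.request.method == "GET"', "-T", "fields",
            "-e", "http.host", "-e", "http.request.uri"]

# Constructed sample: a TLS 1.2 record, a TLS 1.3 pair for a second connection,
# and a truncated record of the kind a browser killed mid-write could leave.
SAMPLE_KEYLOG = "\n".join([
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "bb" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "dd" * 10,
])
```

Run `parse_keylog` on the real file first; if it reports no sessions, the browser was not launched with the variable set (or was started before it was exported), and no tshark option will make the HTTPS paths appear.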

0 Answers