How can I sniff packets that are being sent from my computer to their server and from their servers to me using a sniffing app like Wireshark?

Right now when I use Wireshark, they are all encrypted, but obviously I should be able to sniff it considering my computer is the one that is encrypting and decrypting them using keys.

I'm using Windows and want to sniff the desktop version if that makes any difference.

schroeder
Richard Jones
  • Your packets are encrypted through an SSL connection. Anyway, if you are able (which is not really possible) to turn this off, your packets are encrypted locally on your PC. That's why they call it End-to-End encryption. All you will be able to see are encrypted packets, like you do now. – Cyberduck Oct 01 '18 at 16:43
  • You can't; if they are in a "packet" they have already been encrypted, as they use E2E. – dandavis Oct 02 '18 at 15:44

2 Answers

1

It is not possible to decrypt or get data insights from Telegram captures taken via Wireshark. In the latest captures, I have noticed that Telegram is using its own encryption technique rather than standard SSL.

All you can get is meta-information like total bytes Rx and Tx, ports and session information. For example, consider the stats I have mentioned below:

"Address A","Port A","Address B","Port B","Packets","Bytes","Packets A → B","Bytes A → B","Packets B → A","Bytes B → A","Rel Start","Duration","Bits/s A → B","Bits/s B → A"
"192.168.0.23",40756,"91.108.56.181",443,1446,1526923,1011,1496950,435,29973,173.378032,39.05492100000001,306634.85403030255,6139.661631885005
schroeder
0

I'm not aware of any off-the-shelf way to accomplish this. In order for Wireshark to decrypt the packets, it would need access to the encryption key which Telegram uses, which it does not have direct access to. You would need some way of accessing the memory which Telegram uses, figuring out which part of that memory is the encryption key, and then using that key to decrypt the data. And if you already have access to the memory which Telegram is using, why not just read the data before it was encrypted?

Dan Landberg
  • What do you mean by "just read the data before it gets encrypted"? How can I read the data without Wireshark or a sniffing app before it gets encrypted and sent? Also, isn't the private key stored on disk as well, or just in memory? – Richard Jones Oct 01 '18 at 16:52
  • By reading the data before it gets encrypted, I mean just reading the data directly out of memory. In order to encrypt the data, the data would need to be stored in clear text in memory some place. As far as the private key goes, the private key is not used to encrypt data directly. In order to reduce processor load and to maintain forward secrecy, encryption protocols typically use their private keys to generate a per-session symmetric key. This symmetric key is what is used to actually encrypt the data. It is what you would need to use to decrypt the data. – Dan Landberg Oct 01 '18 at 17:06
  • But how can I know which part of the data section of my process is the encryption key? There is a lot of data in there, and it is just 1s and 0s; how can I even know where the starting and ending bytes of the encryption key are? – Richard Jones Oct 01 '18 at 17:40
  • Like I said, I'm not aware of an off-the-shelf way of accomplishing your goal. Finding the ending point of the encryption key should be fairly easy. It's just X bits after the start point, where X is the key length. A securely generated encryption key will be random, so you should be able to use a statistical test to determine if the section of memory is random. – Dan Landberg Oct 01 '18 at 18:13
  • The telegram protocol and most clients are open-source. You can just modify a client to dump the data before encryption and the received data after decryption! – Josef Jul 16 '19 at 13:25
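The randomness test described in the comments on this answer, as an added example that is not from the question or either answer: it scans a small constructed memory image for key-length windows with high Shannon entropy and reports the most likely start of each cluster. The function names, thresholds and image layout are assumptions, and the "key" and "ciphertext" are SHA-256 digests standing in for random bytes.

```python
# Added example: locate candidate key material in a memory image by entropy.
# Everything here (names, layout, thresholds) is an assumption for illustration;
# the memory image is constructed inline, not captured from any real process.
import hashlib
import math

KEY_LEN = 32      # a 256-bit symmetric key; the key ends KEY_LEN bytes after its start
THRESHOLD = 4.5   # bits/byte; 32 random bytes score ~4.9, 32 bytes of English ~3.9
STEP = 16         # scan granularity; allocators commonly align buffers to 16 bytes

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of chunk in bits per byte (at most log2(len(chunk)))."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_windows(image: bytes, key_len=KEY_LEN, threshold=THRESHOLD, step=STEP):
    """Return (offset, entropy) for every aligned key-length window at or above threshold."""
    hits = []
    for off in range(0, len(image) - key_len + 1, step):
        ent = shannon_entropy(image[off:off + key_len])
        if ent >= threshold:
            hits.append((off, ent))
    return hits

def candidate_offsets(image: bytes, key_len=KEY_LEN, threshold=THRESHOLD, step=STEP):
    """Merge overlapping hits into clusters and return each cluster's best offset.
    A window that only partly overlaps a key still scores high, so the peak of a
    cluster is the likely start of the random block."""
    clusters, current = [], []
    for off, ent in high_entropy_windows(image, key_len, threshold, step):
        if current and off - current[-1][0] > key_len:
            clusters.append(current)
            current = []
        current.append((off, ent))
    if current:
        clusters.append(current)
    return [max(c, key=lambda h: h[1])[0] for c in clusters]

# Constructed memory image: zero padding, readable plaintext, a stand-in key,
# more padding, then a stand-in ciphertext block that is just as random-looking.
KEY = hashlib.sha256(b"test").digest()           # stand-in for a session key
CIPHERTEXT = hashlib.sha256(b"").digest()        # stand-in for an encrypted payload
PLAINTEXT = b"Hello from the Telegram desktop!"  # 32 bytes of ordinary text
IMAGE = bytes(64) + PLAINTEXT + KEY + bytes(32) + CIPHERTEXT + bytes(64)

if __name__ == "__main__":
    for off in candidate_offsets(IMAGE):
        print(f"random-looking block at 0x{off:04x}: {IMAGE[off:off + KEY_LEN].hex()}")
```

The stand-in ciphertext scores as high as the key, which is the practical limitation of this approach: entropy narrows the search to random-looking buffers but cannot by itself tell a key from encrypted, compressed or hashed data.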