How to get the actual network traffic of an application?

0

Firstly, sorry for bad English.

I have an application that runs on Citrix Workspace; generally I run the application from a file in the .ica format. I can access the database using this application.

My main purpose is to learn this application's network traffic so I can build my own mobile (Android, iOS) application for easy access without extra programs like Citrix Workspace.

So after some research, I decided to capture the network traffic with Wireshark, and I saw that the traffic is encrypted. So I researched on the Internet again for about 2 days (I really don't know how HTTPS actually works, so I searched about it). I tried a few methods, and only the SSLKEYLOGFILE variable method worked on my Ubuntu 18.04 desktop, but it only supports browsers, and the application I need runs on Citrix Workspace, so I can't get the ssl.log file. I also found a link on how to decrypt it, but it requires a private key that I don't have.

What I am wondering is: without being the owner of the server or having root access to it, is there any method to get the TCP packets (encrypted with the TLSv1.2 protocol) decrypted, so I can see which URL the app is requesting, which method (GET, POST, etc.) it is using, and what payload is sent? Then I can start building the mobile application.

makgun

Posted 2019-07-28T14:54:12.573

Reputation: 305

Answers

2

In essence, you are asking how to hack the network to intercept the network content.

This simply cannot be done other than how you already found out.

Wireshark is the way to go, but as the content is encrypted, that's basically all you can do.

Alternatively you would want to go on the server where the database is and extract it from there. You would need to make the database publicly accessible, which is a HUGE security risk. You will need your administrators help to open the ports, but they will quite likely say no because of the security implications.

TL;DR: Basically it's not possible.

LPChip

Posted 2019-07-28T14:54:12.573

Reputation: 42 190

Thanks for your response, but I wonder how this application decrypts the content and how it uses the response? Also, I have access through a username and password combination using this application. For example, if you want to get some data from a website, instead of a browser you can use wget or curl, etc. Actually, all I need is to follow how the browser generates cookies and other things like tokens, etc., so that I can write a script to do this automatically without user interaction. – makgun – 2019-07-28T19:14:24.013

0

The best way to decrypt traffic from an application that can't create an SSLKEYLOGFILE is to run it via a TLS proxy of some kind (like mitmproxy, Burp, Fiddler or PolarProxy). This way you'll be able to see the decrypted traffic.

If you want to inspect the decrypted traffic in Wireshark, then PolarProxy is the tool you need. It decrypts and re-encrypts the TLS traffic, while also creating a PCAP file with the decrypted packets.

ErikH

Posted 2019-07-28T14:54:12.573

Reputation: 1

Hi Eric, you are talking about your tools a lot on SE sites; you should add a disclosure. – bummi – 2019-08-23T06:57:43.773

@bummi: Yes, I'd be happy to do a disclosure about this. Here we go:

I'm the developer who created the TLS proxy PolarProxy. I'd be happy to share more info about this tool, such as why it is needed and insights into all sorts of problems that I've had to overcome to finalize PolarProxy. – ErikH – 2019-08-25T18:33:27.780
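A worked example of the TLS-proxy route from ErikH's answer, added here and not code from the answer, from the asker, or from the mitmproxy or PolarProxy projects: a mitmproxy addon that records every decrypted HTTP request and response as one JSON line and flags the Cookie, Authorization and Set-Cookie headers the asker would have to reproduce in a mobile client. The file name log_http.py, listen port 8080, the output path and the sample login exchange are assumptions; the addon hook `response(flow)` and the `flow.request.method`, `pretty_url`, `headers`, `get_text()` and `content` attributes are mitmproxy's own API. The constructed flow at the bottom lets the summariser run offline without a proxy.

```python
"""mitmproxy addon: log every decrypted HTTP request/response as one JSON line.
Run with  mitmdump -s log_http.py --listen-port 8080  and point the client at it
(HTTPS_PROXY=http://127.0.0.1:8080) after trusting ~/.mitmproxy/mitmproxy-ca-cert.pem.
File name, port and LOG_PATH are assumptions of this added example."""
import json
import sys
from types import SimpleNamespace

LOG_PATH = "decrypted_http.jsonl"   # assumed output file
MAX_BODY = 4096                     # truncate long bodies in the log

def _body_text(message):
    """Printable body of a request/response, duck-typed on mitmproxy's Message
    API (.get_text() / .content). Undecodable or missing bodies go in as hex."""
    if message is None:
        return None
    text = message.get_text(strict=False)
    if text is None:
        text = (message.content or b"").hex()
    if len(text) > MAX_BODY:
        text = text[:MAX_BODY] + f"...[{len(text) - MAX_BODY} more chars]"
    return text

def _headers(headers):
    """Headers as [name, value] pairs; keeps repeated Set-Cookie lines when the
    object supports mitmproxy's items(multi=True)."""
    try:
        return [list(kv) for kv in headers.items(multi=True)]
    except TypeError:                      # plain dict in the offline sample
        return [list(kv) for kv in headers.items()]

def summarize_flow(flow):
    """Reduce an HTTPFlow-like object to what is needed to replay the call."""
    req, resp = flow.request, getattr(flow, "response", None)
    record = {
        "method": req.method,
        "url": req.pretty_url,
        "request_headers": _headers(req.headers),
        "request_body": _body_text(req),
    }
    if resp is not None:
        record["status"] = resp.status_code
        record["response_headers"] = _headers(resp.headers)
        record["response_body"] = _body_text(resp)
    return record

def session_hints(record):
    """Flag the headers that carry state a re-implementation must reproduce."""
    req_names = {name.lower() for name, _ in record["request_headers"]}
    resp_names = {name.lower() for name, _ in record.get("response_headers", [])}
    return {
        "sends_cookie": "cookie" in req_names,
        "sends_authorization": "authorization" in req_names,
        "sets_cookie": "set-cookie" in resp_names,
    }

def response(flow):
    """mitmproxy hook, invoked once request and response are both available."""
    record = summarize_flow(flow)
    record["session_hints"] = session_hints(record)
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    print(f"{record['method']} {record['url']} -> {record['status']}", file=sys.stderr)

# --- constructed sample so the summariser can be exercised without a proxy ---
class _Msg:
    """Minimal stand-in for mitmproxy's Request/Response objects."""
    def __init__(self, headers, content, **attrs):
        self.headers, self.content = headers, content
        self.__dict__.update(attrs)

    def get_text(self, strict=True):
        try:
            return self.content.decode("utf-8")
        except UnicodeDecodeError:       # binary body: mimic a None result
            return None

def constructed_login_flow():
    """Made-up login exchange of the kind a proxied client would produce."""
    request = _Msg(
        {"Host": "app.example", "Cookie": "JSESSIONID=deadbeef",
         "Content-Type": "application/x-www-form-urlencoded"},
        b"username=alice&password=hunter2",
        method="POST", pretty_url="https://app.example/api/login",
    )
    reply = _Msg(
        {"Content-Type": "application/json", "Set-Cookie": "session=0123; HttpOnly"},
        b'{"token": "eyJhbGciOi..."}',
        status_code=200,
    )
    return SimpleNamespace(request=request, response=reply)

if __name__ == "__main__":
    rec = summarize_flow(constructed_login_flow())
    rec["session_hints"] = session_hints(rec)
    print(json.dumps(rec, indent=2))
```

Two caveats a practitioner should check before relying on this. First, the proxy only sees what the client sends through it and only if the client accepts the proxy's certificate: an application that ignores HTTPS_PROXY, ships its own CA store or pins its server certificate will either bypass the proxy or refuse the connection, and then this addon logs nothing. Second, mitmproxy decodes HTTP; a non-HTTP protocol carried inside TLS (Citrix's ICA session protocol is not HTTP) appears only as opaque bytes, which is where a decrypting proxy that writes a plaintext PCAP, as the answer describes for PolarProxy, is the more useful view.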