Currently using:
OS: Official Kali Linux 2019.4
Browser: Chromium Version 76.0.3809.100 (Developer Build) built on Debian bullseye/sid, running on Debian kali-rolling (64-bit)
Wireshark 2.6.10 (Git v2.6.10 packaged as 2.6.10-1)
Session keys and capture: https://anonfile.com/J6n7we57n6/keys_and_cap_tar
I decided to begin the long arduous process of learning a tool like Wireshark about 2 days ago. My primary interest was/is using Wireshark to view the traffic between my computer and websites and I immediately encountered SSL/TLS encryption for the first time. From my googling foray, I saw that there are two common methods for approaching the decryption: using the server RSA key and using the SSLKEYLOGFILE method. Of course, I chose the latter.
I stumbled upon this Youtube tutorial on setting it up for session by session capture and decryption: https://www.youtube.com/watch?v=X4aT63h_fjk. I set a terminal instance environment variable, opened Chromium via that terminal instance after opening Wireshark, accessed 5 sites:
- Wireshark.org
- Youtube.com
- Deviantart.com
- Pizzahut.com
- Bitstamp.net
(not necessarily in this order)
Nothing more than just accessing their main pages. Then I stopped Wireshark, saved the capture, configured the preferences so that it would use the SSLKEYLOGFILE generated by the session, reopened the capture, and set the following display filter:
- ip.src==10.0.2.29 and (http contains "GET" or http2)
I expected to see a GET for each site main page that I loaded but I only found one (Bitstamp) in HTTP1.1 and two (Pizzahut and Youtube) in HTTP2. So I repeated the procedure but this time just for accessing the main page of Wireshark.org. Where I expected to see an HTTP2 GET that had somehow escaped the first capture, I found none. I assume that the situation will be similar if I repeated the procedure a third time for Deviantart.com. Additionally, it seems that Wireshark is only decrypting the HTTP2 headers; data is still arriving in TLS record layers (for both captures done).
So I led another foray into Google and found this post here on SU.
In light of my findings, I have a number of questions:
- Is there really no way of using Wireshark to decrypt SSL/TLS without the server RSA?
- Why is it that Wireshark is capable of decrypting headers using the SSLKEYLOGFILE but not the rest of the data?
- [A little unrelated to Wireshark but:] Why is it that Wireshark picked up on an HTTP GET to Bitstamp and HTTP2 GET requests to Youtube and Pizzahut but none to Wireshark(.org) and Deviantart?
I have downloaded Fiddler in the meantime for viewing HTTPS traffic in case anyone was planning to suggest it but I appreciate the thought as well as any help!
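One check worth running on the key log itself before looking further at Wireshark, added here as an example and not part of the original post: parse the SSLKEYLOGFILE (NSS key log format, the same file Chromium writes and Wireshark reads) and report, per session, whether it holds the TLS 1.2 master secret or the TLS 1.3 handshake and application traffic secrets. The client randoms and secrets in the sample are constructed placeholders, and the `lookup` helper is mine.

```python
"""Parse an SSLKEYLOGFILE (NSS key log format) and report which TLS sessions it
can unlock. Added example, not from the original post; sample data is constructed."""
import re
from collections import defaultdict

# TLS 1.2: one CLIENT_RANDOM line carries the 48-byte master secret.
TLS12_LABEL = "CLIENT_RANDOM"
# TLS 1.3: one line per secret. Handshake secrets unlock the handshake only;
# the *_TRAFFIC_SECRET_0 pair is what application data (HTTP/2 frames) needs.
TLS13_HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
TLS13_APPDATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# Each line: <label> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random_hex: set(labels)}; comments and blank lines are skipped."""
    sessions = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in NSS key log format")
        label, client_random, _secret = m.groups()
        sessions[client_random.lower()].add(label)
    return dict(sessions)

def classify(labels):
    """Say how far a session can be decrypted from the secrets present."""
    if TLS12_LABEL in labels:
        return "tls12-full"
    if TLS13_APPDATA <= labels:
        return "tls13-full"
    if labels & TLS13_HANDSHAKE:
        return "tls13-handshake-only"
    return "no-keys"

def lookup(sessions, client_random_hex):
    """Look up the ClientHello random of a session seen in the capture (hypothetical helper)."""
    return classify(sessions.get(client_random_hex.lower(), set()))

SAMPLE_KEYLOG = "\n".join([  # constructed sample, not real secrets
    f"CLIENT_RANDOM {'aa' * 32} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'bb' * 32} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'bb' * 32} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'bb' * 32} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'bb' * 32} {'55' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'cc' * 32} {'66' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'cc' * 32} {'77' * 32}",
])
```

To check a real session, copy the Random field from its Client Hello in Wireshark and pass it to `lookup`; a session missing from the file (or with handshake secrets only) cannot have its application data decrypted no matter how the preferences are set.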
I noticed that your username is similar to the link you provided. Please disclose any affiliation you have with the site (re: https://superuser.com/help/promotion)
– Jeff Schaller – 2019-09-11T14:24:23.807
@jeff-schaller: Yes, I am the developer of PolarProxy. As far as I know it is the only free tool that can create a PCAP with decrypted TLS traffic. But I noticed that something similar has been introduced in SSLsplit recently. It's probably worth checking out if you wanna have an alternative to my PolarProxy tool.
– netresec – 2019-09-11T14:34:47.400