I've got a proprietary windows-only application that uses HTTPS to speak with a (also proprietary, undocumented) web service.
To ultimately be able to use the web service's functionality on my linux machines, I want to reverse-engineer the web service API by analyzing the requests sent by the application.
Now the question: How can I decrypt and log the HTTPS traffic?
I know of several solutions which don't apply in my case:
- Fiddler is a man-in-the-middle HTTPS proxy which I cannot use since the application doesn't support proxies. Also, I do not (yet) know if it works with self-signed server certificates, which I doubt.
- Wireshark is able to decrypt SSL streams if you have the server's private certificate, which I don't have.
- Any browser extension, since the application is not a browser.
If I remember correctly, there have been some trojans that capture online banking information by hooking into/replacing the Windows crypto API. Since the machine is mine, low-level changes are possible. Maybe there is a non-trojan (white-hat) network log application out there which does the same?
There is a Black Hat presentation with some details available to read. They refer to Microsoft Research Detours for easy API hooking. See a Detours hooking example.
Related questions:
This. The only way to see the encrypted traffic is to feed the application your own certificate so you can decrypt it in the middle. Then you need to re-encrypt it for transmission to the https server. Hopefully the client doesn't check that the certificate is not valid, or is not the same certificate it expects. But this will be the only way - short of attaching a debugger to the app and watching it send/receive traffic before it's encrypted. – Ian Boyd – 2011-06-30T03:05:44.490
I was lucky and the application did not check the server certificate. Using Fiddler worked, and I have the dumps of the HTTPS traffic now. – cweiske – 2011-07-03T00:16:34.203