Decrypt HTTPS traffic with Wireshark


This article describes how to use Wireshark to decrypt HTTPS traffic in a pcap. Decryption relies on a text-based key log file that contains the encryption key data captured when the pcap was originally recorded.

HTTPS web traffic
HTTPS traffic usually reveals only a domain name. For example, when you visit https://www.wireshark.org in a web browser and view the pcap with a custom Wireshark column display, www.wireshark.org appears as the server name for this traffic. But there is no way to see other details, such as the actual URL or the data returned by the server.


Encryption key log file
The encryption key log is a text file.

It was created with a man-in-the-middle (MitM) technique when the pcap was originally recorded. If no such file was created while the pcap was being recorded, the HTTPS traffic in the pcap cannot be decrypted.

Example analysis
HTTPS traffic with key log file
There is a password-protected ZIP file in the GitHub repository, which contains the pcap and its key log file. Once the pcap is decrypted with the key log, the malware samples it carries can be accessed.


Extract the pcap and key log file from the ZIP (password: infected):

Wireshark-tutorial-KeysLogFile.txt
Wireshark-tutorial-decrypt-HTTPS-SSL-TLS-traffic.pcap

HTTPS traffic without key log file
Open Wireshark-tutorial-decrypt-HTTPS-SSL-TLS-traffic.pcap in Wireshark and apply the web filter:

(http.request or tls.handshake.type eq 1) and !(ssdp)

This pcap comes from a Dridex malware infection on a Windows 10 host, and all of its web traffic (including the infection activity) is HTTPS. Without the key log file, you cannot see any details of the traffic, only the IP addresses, TCP ports and domain names:

Load key log file
Open Wireshark-tutorial-decrypt-HTTPS-SSL-TLS-traffic.pcap in Wireshark and use the menu path Edit -> Preferences to open the Preferences window:

On the left side of the Preferences menu, click Protocols:

If you are using Wireshark version 2.x, select SSL. If you are using Wireshark 3.x, select TLS. After selecting SSL or TLS, you will see the (Pre)-Master-Secret log filename field. Click "Browse" and select the key log file named Wireshark-tutorial-KeysLogFile.txt:
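The key log file loaded in this step is the NSS-format text file: one line per secret, each keyed by the session's client random (CLIENT_RANDOM with the master secret for TLS 1.2 and earlier, or the per-stage secrets for TLS 1.3). The following Python is an added example, not code from the original tutorial: it parses such a file, pulls the client random out of a ClientHello record (the handshake type the display filter above selects), and reports whether the logged secrets are enough to decrypt that session. The sample key log and ClientHello bytes are constructed, not taken from the tutorial's files.

```python
import re
from collections import defaultdict

HEX = re.compile(r"^[0-9a-fA-F]+$")
# Labels Wireshark understands: CLIENT_RANDOM carries the 48-byte master secret
# (TLS 1.0-1.2); the rest are the TLS 1.3 per-stage secrets
LABELS = {"CLIENT_RANDOM", "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
          "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; comment lines and
    malformed entries are skipped rather than aborting the load."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) != 3 or parts[0] not in LABELS:
            continue
        label, client_random, secret = parts
        if not (HEX.match(client_random) and len(client_random) == 64):
            continue  # the client random is always 32 bytes
        if not HEX.match(secret) or (label == "CLIENT_RANDOM" and len(secret) != 96):
            continue
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def client_random_from_record(rec):
    """Client random of a TLS record holding a ClientHello (tls.handshake.type == 1):
    5-byte record header, 4-byte handshake header, 2-byte version, 32 random bytes."""
    if len(rec) < 43 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    return rec[11:43].hex()

def can_decrypt(sessions, client_random):
    """Application data is recoverable when the master secret (TLS <= 1.2) or
    both TLS 1.3 traffic secrets were logged for this session's client random."""
    s = sessions.get(client_random.lower(), {})
    return "CLIENT_RANDOM" in s or (
        "CLIENT_TRAFFIC_SECRET_0" in s and "SERVER_TRAFFIC_SECRET_0" in s)

# Constructed sample key log and ClientHello (made-up values, not from the tutorial)
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "bb" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM deadbeef tooshort",  # malformed entry, ignored
])
SAMPLE_HELLO = bytes.fromhex("1603010026010000220303") + b"\x11" * 32

if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    rnd = client_random_from_record(SAMPLE_HELLO)
    print(rnd, "decryptable:", can_decrypt(sessions, rnd))
```

A ClientHello whose random has no entry in the log is exactly the "without key log file" case: Wireshark leaves that session as opaque TLS application data.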

HTTPS traffic with key log file
After clicking “OK”, Wireshark will list the decrypted HTTP requests under each HTTPS line:

In this pcap, you can now see HTTP requests to microsoft.com and skype.com domains that were hidden inside the HTTPS traffic, along with the following traffic generated by Dridex:

foodsgoodforliver[.]com – GET /invest_20.dll
105711[.]com – POST /docs.php

The GET request to foodsgoodforliver[.]com returned the Dridex DLL file. The POST request to 105711[.]com is command and control (C2) traffic from the Windows host infected with Dridex.

HTTP stream of the HTTP GET request to foodsgoodforliver[.]com:


The malware can be exported from the pcap: use the menu path File -> Export Objects -> HTTP to extract the file.

Use the file command to confirm that it is a DLL, then use shasum -a 256 to get the file's SHA256 hash:

The SHA256 hash of the malware is:

31cf42b2a7c5c558f44cfc67684cc344c17d4946d3a1e0b2cecb8e*173cb2f

You can also inspect the C2 traffic from this Dridex infection. The following figure shows one of the HTTP streams:

