Hi Consider a scenario where attacker has access to client machines and want to further intercept SSL traffic to extract may be bank username, password or anything over SSL!!!
Well first thing attacker need to enable logging of SSL keys!
How can you log SSL Keys in a log file?
By default, Crome and Firefox browser has capability to export SSL keys provided you point your browsers to the flat log file location, well how can you point your browsers to log all keys into the log file ?
For this you need to follow below steps :
- Create user environment "Variable name" = SSLKEYLOGFILE
- Set the "Variable value" = Path of log file where you want to save SSL logs
- Ex. Variable value = C:\users\admin\ssllog.log
- Create blank file on above specified path "c:\users\admin" with same name "ssllog.log"
- That's it!....
- Start browsing any SSL enabled websites Ex. https://www.yahoo.com
- You will see that browser has started depositing SSL key data in your "ssllog.log" file
- Now it's matter of time before you decrypt the traffic using Wire shark
- Open your Wireshark instance
- Go to Edit > Preferences > Protocols > Select SSL and add the location of "ssllog.log" file
- Now your are all set to decrypt SSL traffic of websites being visited on the browser!
- Lets open https://yahoo.com and login with your username and password
- You can see that traffic has been decrypted by wireshark and we can clearly see usernames and passwords in plain text!!!!
That's it, we have successfully decrypted SSL traffic, although its older technique but still effective.