Friday, 15 April 2016

Decrypting SSL traffic via tshark


Just a thought: what if we get domain access, can access any machine within the network, and can further eavesdrop on SSL connections on multiple machines? One step ahead: send the data to the attacker!

tshark -n -r ssl.pcapng -o http.ssl.port:443,4430-4433 -o ssl.keylog_file:sslkeylog.log -V -Y "http.request" | find "pass"

  1. "ssl.pcapng" is our pcap dump file.
  2. "sslkeylog.log" is our pre-master secret file containing the SSL keys generated by the browser.
  3. "-o" is used to change the preference settings for the SSL protocol so that the SSL keys are read from the log file.
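
tshark can only decrypt a session when the key log holds a secret for that session's client random, so checking the file first explains most empty results. The following is an added example, not code from the original post: it parses the NSS key log layout that browsers write and reports which sessions are covered; the function names and the sample values are constructed for illustration.

```python
import re

HEX = "[0-9a-fA-F]"
# Per-label line layouts from the NSS key log format.
PATTERNS = {
    # TLS <= 1.2 RSA key exchange: 8 bytes of encrypted pre-master, 48-byte pre-master
    "RSA": re.compile(rf"^({HEX}{{16}}) ({HEX}{{96}})$"),
    # TLS <= 1.2: 32-byte client random, 48-byte master secret
    "CLIENT_RANDOM": re.compile(rf"^({HEX}{{64}}) ({HEX}{{96}})$"),
}
# TLS 1.3 labels: 32-byte client random, secret length depends on the hash
TLS13 = re.compile(rf"^({HEX}{{64}}) ((?:{HEX}{{2}})+)$")
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}

def parse_keylog(text):
    """Return (entries, errors): valid (label, id, secret) tuples and bad (line, label)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are allowed
            continue
        label, _, rest = line.partition(" ")
        pattern = PATTERNS.get(label) or (TLS13 if label in TLS13_LABELS else None)
        match = pattern.match(rest) if pattern else None
        if match is None:
            errors.append((lineno, label))     # unknown label or wrong field length
            continue
        entries.append((label, match.group(1).lower(), match.group(2).lower()))
    return entries, errors

def decryptable(entries, client_randoms):
    """Map each client random seen in the capture to True if the log has a secret for it."""
    known = {ident for label, ident, _ in entries if label != "RSA"}
    return {cr.lower(): cr.lower() in known for cr in client_randoms}

# Constructed sample, not real key material.
CR_A, CR_B, CR_C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    f"CLIENT_RANDOM {CR_A} {'11' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_B} {'22' * 32}",
    f"CLIENT_RANDOM {CR_A[:40]} {'33' * 48}",   # truncated client random: rejected
])

if __name__ == "__main__":
    entries, errors = parse_keylog(SAMPLE_KEYLOG)
    print(decryptable(entries, [CR_A, CR_C]), errors)
```

A session whose client random maps to False was either started before key logging was enabled or came from a process that does not write to the log.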

Hope this helps!
