There is a combination of lesser-known tools and techniques to capture and later decrypt SSL/TLS network traffic on Windows. This technique is neat because it does not require the installation of any additional driver or software on the host where the traffic is captured.
Technique, Tools and Steps
It is quite straightforward and consists of:
- Setting the `SSLKEYLOGFILE` environment variable on the target host so that the browser writes its TLS session keys to a file
- `netsh trace start` to capture traffic (no need to install additional driver/software!)
- Convert the `.etl` file to a `pcap` using Microsoft's etl2pcapng
- In Wireshark, open the pcap and point it at the key log file under: Preferences->Protocols->TLS->Pre-Master secret. This does not have to be on the same host as steps 1-2.
- Enjoy the decrypted traffic!
If you can, or want to, capture the traffic with Wireshark as well, there is of course no need to use netsh.
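The most common reason the last step fails is a key log file Wireshark cannot use: lines written by a process that was started before the variable was set are simply missing, a session that closed mid-handshake only has handshake secrets, or the file was edited by hand. The following Python script is an added example, not part of the original post or any of the tools it mentions; it parses a file in the NSS key log format that `SSLKEYLOGFILE` produces (`LABEL <client_random hex> <secret hex>`), validates each line, groups entries per TLS session and reports which TLS 1.3 sessions lack the application traffic secrets Wireshark needs to decrypt application data. The sample key log embedded at the bottom is constructed for the demo and contains no real secrets.

```python
"""Sanity-check an SSLKEYLOGFILE (NSS key log format) before loading it in Wireshark."""
import re
from collections import Counter

# Labels emitted by NSS/BoringSSL/OpenSSL-based clients (Chrome, Firefox, curl ...)
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Wireshark needs both application traffic secrets to decrypt TLS 1.3 application data
TLS13_APP_SECRETS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return (sessions, problems).

    sessions maps the 32-byte ClientHello random (hex) to {label: secret};
    problems is a list of (line_number, reason) for lines Wireshark would ignore.
    """
    sessions = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 whitespace-separated fields"))
            continue
        label, client_random, secret = parts
        if label not in TLS12_LABELS | TLS13_LABELS:
            problems.append((lineno, f"unknown label {label}"))
            continue
        if not (HEX.match(client_random) and len(client_random) == 64):
            problems.append((lineno, "client_random must be 32 bytes of hex"))
            continue
        if not HEX.match(secret):
            problems.append((lineno, "secret is not hex"))
            continue
        secret_len = len(secret) // 2
        if label == "CLIENT_RANDOM" and secret_len != 48:
            problems.append((lineno, "TLS 1.2 master secret must be 48 bytes"))
            continue
        if label in TLS13_LABELS and secret_len not in (32, 48):
            problems.append((lineno, "TLS 1.3 secret must be 32 (SHA-256) or 48 (SHA-384) bytes"))
            continue
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions, problems


def summarize(sessions):
    """Count sessions per TLS version; list TLS 1.3 sessions missing application secrets."""
    counts = Counter()
    incomplete = []
    for client_random, labels in sessions.items():
        if "CLIENT_RANDOM" in labels:
            counts["tls12"] += 1
        else:
            counts["tls13"] += 1
            if not TLS13_APP_SECRETS.issubset(labels):
                incomplete.append(client_random)
    return counts, incomplete


# Constructed sample key log (dummy bytes, not from a real capture):
# one TLS 1.2 session, one complete TLS 1.3 session, one TLS 1.3 session that
# died after the handshake, one truncated master secret and one bogus label.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "77" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "88" * 32 + " " + "99" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,
    "BOGUS_LABEL " + "ef" * 32 + " " + "01" * 32,
])

if __name__ == "__main__":
    sessions, problems = parse_keylog(SAMPLE_KEYLOG)
    counts, incomplete = summarize(sessions)
    print(f"{len(sessions)} sessions: {dict(counts)}")
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
    for client_random in incomplete:
        print(f"TLS 1.3 session {client_random[:16]}... has no application traffic secrets")
```

Run it against a real key log by replacing `SAMPLE_KEYLOG` with the file contents; the `client_random` values it prints are the same bytes Wireshark shows in the Client Hello, so an unmatched session in the capture can be traced back to a missing or malformed key log line.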
Update: YouTube took the video down, because they say it violates some policy. I will work on creating a new video that is less spicy.
Update 2: I recreated the video, removing the red team component.
I put together a tutorial and you can watch it here.
If you enjoy the content and/or video, please like it and Subscribe to the YouTube channel. I might post videos more regularly if these are useful.
Cheers and Happy Hacking!
List of commands:
```powershell
# Set the key log path machine-wide so newly started browsers write their TLS secrets there
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "c:\temp\sslkeys\keys", "MACHINE")
# Restart Chrome so it picks up the new environment variable
taskkill /im chrome.exe /f
# Capture packets with the built-in tracing facility (no extra driver needed)
netsh trace start capture=yes tracefile=c:\temp\sslkeys\trace.etl report=disabled
netsh trace stop
# Convert the ETL trace to a pcapng that Wireshark can open
etl2pcapng trace.etl trace.pcap
```