Cipher Quest TLS Decrypting Guide

CybersecurityCybersecurityBeginner
Practice Now

Introduction

In this lab, you will learn how to decrypt SSL/TLS traffic using Wireshark, a popular network protocol analyzer. SSL/TLS encryption is widely used to secure internet communications, but in certain scenarios, such as troubleshooting or security analysis, it may be necessary to decrypt the encrypted traffic. This lab will guide you through the process of setting up Wireshark to decrypt SSL/TLS traffic, providing you with hands-on experience in a controlled environment.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cybersecurity(("`Cybersecurity`")) -.-> cybersecurity/WiresharkGroup(["`Wireshark`"]) cybersecurity/WiresharkGroup -.-> cybersecurity/ws_decrypt_ssl_tls("`Wireshark Decrypting SSL/TLS`") subgraph Lab Skills cybersecurity/ws_decrypt_ssl_tls -.-> lab-415943{{"`Cipher Quest TLS Decrypting Guide`"}} end

Configuring SSL/TLS Decryption in Wireshark

In this step, we will install Wireshark and configure it to decrypt SSL/TLS traffic.

  1. Open a terminal and create a new file named pre_master_secret.log in the /home/labex/project/ directory:

    touch /home/labex/project/pre_master_secret.log
  2. Open Wireshark in a terminal using the wireshark command and go to Edit > Preferences > Protocols > TLS. In the (Pre)-Master-Secret log filename section, Enter the path to the pre-master key log file

    /home/labex/project/pre-master-secret.log

    Wireshark TLS Preferences
    Click OK to save the changes.

Capturing The SSL/TLS Traffic

In this step, we will capture and decrypt SSL/TLS traffic using Wireshark.

  1. Go to Wireshark and select the eth1 interface to capture traffic. Click the Start button to begin capturing packets.

  2. Next, open a new terminal window and navigate to the /home/labex/project/ directory:

    cd /home/labex/project/

    Run the following Python script to generate SSL/TLS traffic:

    #!/usr/bin/env python3
    
    import ssl
    import socket
    import os
    
    HOST = "example.com"
    PORT = 443
    
    ## Set the path for the pre-master secret log file
    os.environ['SSLKEYLOGFILE'] = '/home/labex/project/pre_master_secret.log'
    
    ## Create an SSL/TLS context
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    
    ## Create a socket and wrap it with SSL/TLS
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        with context.wrap_socket(sock, server_hostname=HOST) as ssock:
            ssock.connect((HOST, PORT))
            
            ## Send a simple HTTP GET request
            request = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
            ssock.sendall(request.encode())
            
            ## Receive the response and print all the received data
            data = ssock.recv(4096)
            print(data.decode())

    Save the script as tls_client.py and run it:

    python3 tls_client.py

    This script will establish an SSL/TLS connection to example.com and send an HTTP GET request. The SSL/TLS traffic will be captured by Wireshark.

  3. Switch back to Wireshark and stop the capture. Click on the File menu and select Save As... to save the captured traffic as a PCAPNG file. Name the file tls_traffic.pcapng and save it in the /home/labex/project/ directory.
    Save Captured Traffic

Analyzing Decrypted SSL/TLS Traffic

In this step, we will analyze the decrypted SSL/TLS traffic using Wireshark's filtering and analysis tools.

  1. To filter the traffic, go to the Filter toolbar and enter the following filter expression:

    tls.handshake.type == 1

    This will display only the Client Hello packets, which are the initial packets sent by the client to initiate the SSL/TLS handshake.

    To analyze the decrypted data, right-click on any decrypted packet and select Follow > TLS Stream. This will open a new window displaying the decrypted data in a more readable format.

  2. In the new window, click on the save as... button to save the decrypted data as a text file. Save the file as decrypted_data.txt in the /home/labex/project/ directory.
    Save Decrypted Data

Summary

In this lab, you learned how to configure Wireshark to decrypt SSL/TLS traffic by installing the necessary SSL/TLS keys. You generated self-signed certificates and private keys, captured SSL/TLS traffic using a Python script, and then decrypted and analyzed the traffic using Wireshark's filtering and analysis tools. This hands-on experience will be valuable in scenarios where you need to troubleshoot or analyze encrypted network traffic for security or debugging purposes.

Other Cybersecurity Tutorials you may like