LabEx
Log In Join For Free

Cipher Quest TLS Decrypting Guide

Cyber SecurityCyber SecurityBeginner
Practice Now

Introduction

In this lab, you will learn how to decrypt SSL/TLS traffic using Wireshark, a popular network protocol analyzer. SSL/TLS encryption is widely used to secure internet communications, but in certain scenarios, such as troubleshooting or security analysis, it may be necessary to decrypt the encrypted traffic. This lab will guide you through the process of setting up Wireshark to decrypt SSL/TLS traffic, providing you with hands-on experience in a controlled environment.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cysec(("`Cyber Security`")) -.-> cysec/WiresharkGroup(["`Wireshark`"]) cysec/WiresharkGroup -.-> cysec/ws_decrypt_ssl_tls("`Wireshark Decrypting SSL/TLS`") subgraph Lab Skills cysec/ws_decrypt_ssl_tls -.-> lab-373558{{"`Cipher Quest TLS Decrypting Guide`"}} end

Configuring SSL/TLS Decryption in Wireshark

In this step, we will install Wireshark and configure it to decrypt SSL/TLS traffic.

  1. Open a terminal and create a new file named pre_master_secret.log in the /home/labex/project/ directory:

    touch /home/labex/project/pre_master_secret.log

  2. Open Wireshark in a terminal using the wireshark command and go to Edit > Preferences > Protocols > TLS. In the (Pre)-Master-Secret log filename section, Enter the path to the pre-master key log file

    /home/labex/project/pre-master-secret.log

    Wireshark TLS Preferences
    Click OK to save the changes.

Capturing The SSL/TLS Traffic

In this step, we will capture and decrypt SSL/TLS traffic using Wireshark.

  1. Go to Wireshark and select the eth1 interface to capture traffic. Click the Start button to begin capturing packets.

  2. Next, open a new terminal window and navigate to the /home/labex/project/ directory:

    cd /home/labex/project/

    Run the following Python script to generate SSL/TLS traffic:

    #!/usr/bin/env python3

import ssl
import socket
import os

HOST = "example.com"
PORT = 443

## Set the path for the pre-master secret log file
os.environ['SSLKEYLOGFILE'] = '/home/labex/project/pre_master_secret.log'

## Create an SSL/TLS context
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

## Create a socket and wrap it with SSL/TLS
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
    with context.wrap_socket(sock, server_hostname=HOST) as ssock:
        ssock.connect((HOST, PORT))
        
        ## Send a simple HTTP GET request
        request = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
        ssock.sendall(request.encode())
        
        ## Receive the response and print all the received data
        data = ssock.recv(4096)
        print(data.decode())

    Save the script as tls_client.py and run it:

    python3 tls_client.py

    This script will establish an SSL/TLS connection to example.com and send an HTTP GET request. The SSL/TLS traffic will be captured by Wireshark.

  3. Switch back to Wireshark and stop the capture. Click on the File menu and select Save As... to save the captured traffic as a PCAPNG file. Name the file tls_traffic.pcapng and save it in the /home/labex/project/ directory.
    Save Captured Traffic

Analyzing Decrypted SSL/TLS Traffic

In this step, we will analyze the decrypted SSL/TLS traffic using Wireshark's filtering and analysis tools.

  1. To filter the traffic, go to the Filter toolbar and enter the following filter expression:

    tls.handshake.type == 1

    This will display only the Client Hello packets, which are the initial packets sent by the client to initiate the SSL/TLS handshake.

    To analyze the decrypted data, right-click on any decrypted packet and select Follow > TLS Stream. This will open a new window displaying the decrypted data in a more readable format.

  2. In the new window, click on the save as... button to save the decrypted data as a text file. Save the file as decrypted_data.txt in the /home/labex/project/ directory.
    Save Decrypted Data

Summary

In this lab, you learned how to configure Wireshark to decrypt SSL/TLS traffic by installing the necessary SSL/TLS keys. You generated self-signed certificates and private keys, captured SSL/TLS traffic using a Python script, and then decrypted and analyzed the traffic using Wireshark's filtering and analysis tools. This hands-on experience will be valuable in scenarios where you need to troubleshoot or analyze encrypted network traffic for security or debugging purposes.

Other Cyber Security Tutorials you may like

Related Cyber Security Courses
Quick Start with Nmap

Quick Start with Nmap

Cyber Security
Beginner
Quick Start with Wireshark

Quick Start with Wireshark

Cyber Security
Beginner
Build a Web Based TCP Port Scanner

Build a Web Based TCP Port Scanner

PythonHTMLFlaskInfoSec
Beginner

We use cookies for a number of reasons, such as keeping the website reliable and secure, to improve your experience on our website and to see how you interact with it. By accepting, you agree to our use of such cookies. Privacy Policy