Decrypting HTTPS (SSL/TLS) with DH ciphers using tcpdump curl and wireshark
# Use this to capture packets on the web server side and then analyze in wireshark using
# curl as the HTTP client to log the pre master secret so that the packets can be
# decrypted and analyzed within wireshark
# This works without exposing the server's private key, and unlike RSA private-key decryption it also works
# with TLS 1.2 (EC)DHE ciphers, where the private key alone cannot recover the session keys.
# During the handshake both client and server derive a new unique secret used to encrypt all
# communication that happens after the handshake. Curl can log that secret and Wireshark can
# reference that log to decrypt packets captured by tcpdump.
# Tested with curl 7.59.0
# Starting with curl 7.58 by default the binaries were compiled with support for the
# SSLKEYLOGFILE environment variable. You may need to update curl to get the newer version.
brew upgrade curl
# From server side to start capturing packets
# apply additional expressions to filter packets more granularly if needed
# write output to a file
sudo tcpdump -nnvvXSs 0 -i eth1 'tcp port 443' -w captured_tcp_packets.pcap
# From client side with curl version >= 7.58
# set the environment variable to log the pre-master secret for Wireshark to use later
# issue an HTTPS request to the server
# use --resolve to override DNS and direct the request to a specific IP
SSLKEYLOGFILE=~/key_log_file.pms curl -sv https://www.example.com/ --resolve 'www.example.com:443:1.2.3.4'
# stop the tcpdump process on the server to end the capture and save the file
# From client copy the file from the server to the system to analyze in wireshark
# and open the capture file in wireshark
scp 1.2.3.4:~/captured_tcp_packets.pcap ~/temp/
wireshark ~/temp/captured_tcp_packets.pcap
# Set up Wireshark to use the (Pre)-Master-Secret log filename
# Preferences -> Protocols -> SSL -> (Pre)-Master-Secret log filename: ~/key_log_file.pms
# (in Wireshark 3.0 and later the protocol is listed as TLS instead of SSL)
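The following script is an added example and not part of the gist: it wraps the workflow above with two sanity checks a practitioner usually wants before opening Wireshark, namely whether the local curl is new enough to honour SSLKEYLOGFILE, and whether the key log actually contains lines Wireshark can use (the NSS key log format: `CLIENT_RANDOM <64 hex> <96 hex>` for TLS 1.2, and the `*_TRAFFIC_SECRET*` labels for TLS 1.3, which goes beyond the TLS 1.2 case the gist covers). It also shows the command-line equivalent of the Wireshark preference via tshark's `tls.keylog_file` option. The sample key log is constructed inline so the checks run offline; the `PCAP_TO_DECRYPT` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the gist): sanity checks around the SSLKEYLOGFILE workflow.

# Return 0 if a curl version string such as "7.59.0" is >= 7.58, the first release
# whose stock binaries honour SSLKEYLOGFILE according to the gist.
curl_version_supports_keylog() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "${major:-0}" -gt 7 ] || { [ "${major:-0}" -eq 7 ] && [ "${minor:-0}" -ge 58 ]; }
}

# Count TLS 1.2 entries: "CLIENT_RANDOM <32-byte client random> <48-byte master secret>" in hex.
# grep -c prints 0 and exits 1 when nothing matches, so keep the exit status harmless.
count_tls12_secrets() {
    grep -cE '^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$' "$1" || true
}

# Count TLS 1.3 entries (secrets are 32 or 48 bytes depending on the cipher's hash).
count_tls13_secrets() {
    grep -cE '^((CLIENT|SERVER)_(HANDSHAKE_TRAFFIC_SECRET|TRAFFIC_SECRET_0)|EXPORTER_SECRET) [0-9a-fA-F]{64} ([0-9a-fA-F]{64}|[0-9a-fA-F]{96})$' "$1" || true
}

# Command-line equivalent of the Wireshark preference set in the gist: decrypt the
# capture with the key log and list the HTTP requests/responses it contains.
tshark_decrypt() {
    pcap=$1
    keylog=$2
    tshark -r "$pcap" -o "tls.keylog_file:$keylog" -Y http \
        -T fields -e http.request.method -e http.request.uri -e http.response.code
}

# Constructed sample key log (not from a real session) so the checks run offline.
SAMPLE_KEYLOG=$(mktemp)
trap 'rm -f "$SAMPLE_KEYLOG"' EXIT
H16=0123456789abcdef
H16R=fedcba9876543210
R1="$H16$H16$H16$H16"          # 64 hex chars: a 32-byte client random
R2="$H16$H16$H16$H16R"         # a second, different client random
S="$H16$H16$H16$H16$H16$H16"   # 96 hex chars: a 48-byte TLS 1.2 master secret
cat >"$SAMPLE_KEYLOG" <<EOF
# SSL/TLS secrets log file, generated by OpenSSL
CLIENT_RANDOM $R1 $S
CLIENT_RANDOM ${R1}ab $S
CLIENT_RANDOM $R2 $S
CLIENT_TRAFFIC_SECRET_0 $R1 $R1
EOF
# The second line has a 66-character "random" and is malformed: Wireshark ignores it, and so do we.

# Report what the local toolchain and the sample log look like.
CURL_VER=$(curl --version 2>/dev/null | awk 'NR==1 {print $2}')
if [ -n "$CURL_VER" ] && curl_version_supports_keylog "$CURL_VER"; then
    printf 'curl %s supports SSLKEYLOGFILE\n' "$CURL_VER"
else
    printf 'curl %s is missing or older than 7.58; upgrade before capturing\n' "${CURL_VER:-(none)}"
fi
printf 'usable TLS 1.2 entries in sample key log: %s\n' "$(count_tls12_secrets "$SAMPLE_KEYLOG")"
printf 'usable TLS 1.3 entries in sample key log: %s\n' "$(count_tls13_secrets "$SAMPLE_KEYLOG")"

# Only attempt decryption when a capture is supplied and tshark is installed.
if [ -n "${PCAP_TO_DECRYPT:-}" ] && command -v tshark >/dev/null 2>&1; then
    tshark_decrypt "$PCAP_TO_DECRYPT" "${HOME}/key_log_file.pms"
fi
```

Run it as `PCAP_TO_DECRYPT=~/temp/captured_tcp_packets.pcap sh check_keylog.sh` after the scp step; an entry count of zero for the key log means curl never wrote secrets (wrong curl build or the variable not exported to the curl process), which is the usual reason Wireshark still shows only "Application Data".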