
decrypted frame


Hello everyone,

I first want to analyze the frames in order to find the request on a site. When I analyze the frames I see that the protocol used is TLSv1.3. I created an environment variable to store the keys, then put the file containing the keys in the Wireshark preferences. But I still can't decode the frames. My goal is to find the arguments of the request in decrypted form.

Picsoufr
asked 2023-11-10 18:29:36 +0000

2 Answers


The procedure is described here: https://wiki.wireshark.org/TLS#using-...

Make sure your capture contains the TLS handshake, otherwise the decryption will fail.
And the SSLKEYLOGFILE environment needs to be set for the TLS client (browser) or TLS server (web-service).
SSLKEYLOGFILE does not work on libraries that do not support it, like Windows Secure Channel (Schannel).

André
answered 2023-11-10 20:53:06 +0000

And the SSLKEYLOGFILE environment needs to be set for the TLS client (browser) or TLS server (web-service).

When I delete the contents of this file, launch my browser and make a request to a website, the key file does not fill up. If I open Discord, then the file fills up. But I want a key for the website.

My final goal would be to first retrieve the contents of a GET method with Wireshark.

Picsoufr
answered 2023-11-10 21:03:49 +0000

Comments

When I delete the contents of this file, launch my browser and make a request to a website, the key file does not fill up.

So the SSLKEYLOGFILE is not picked up by your browser. As the procedure describes: "1. Close the browser completely (check your task manager just to be sure)." This includes any background processes, before restarting it with the variable set.

André (2023-11-10 21:19:04 +0000)

When I close Chrome and open the task manager, I no longer see the Chrome application, and I don't see any Chrome processes either. When I restart Chrome, nothing is written in the key file; it remains blank.

Picsoufr (2023-11-10 21:32:23 +0000)

If I restart my PC, and I launch Chrome, I will definitely have the key to decrypt the request made on Chrome?

Picsoufr (2023-11-10 21:38:53 +0000)

To launch Chrome do:

On Windows on a command prompt:

set SSLKEYLOGFILE=%CD%\keylogfile.txt
"%ProgramFiles%\Google\Chrome\Application\chrome.exe"

On Linux:

SSLKEYLOGFILE=$PWD/keylogfile.txt chrome &

On macOS:

export SSLKEYLOGFILE=$PWD/keylogfile.txt
open -a chrome

André (2023-11-10 22:46:38 +0000)

I have succeeded in filling the key file by temporarily uninstalling my antivirus.

Then I can see the HTTP frames in Wireshark. But in none of these frames can I find the query request that is entered in the browser.

Picsoufr (2023-11-12 13:35:57 +0000)
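A quick way to check whether a key log file written by the launch commands above actually contains usable TLS 1.3 secrets, as an added example (not code from the thread or from Wireshark); the NSS key log format it parses is the one SSLKEYLOGFILE produces, the sample lines are constructed, and a session is counted as decryptable for TLS 1.3 only when all four handshake and application traffic secrets are present:

```python
import re
from collections import defaultdict

# Labels Wireshark needs for one TLS 1.3 session before application data decrypts.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}
# NSS key log line: LABEL <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random: {label: secret_hex}} for well-formed key log lines."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole check
        label, client_random, secret = m.groups()
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def classify(sessions):
    """Map each client_random to 'tls13', 'tls12' or 'incomplete'."""
    result = {}
    for cr, labels in sessions.items():
        if TLS13_REQUIRED.issubset(labels):
            result[cr] = "tls13"
        elif "CLIENT_RANDOM" in labels:   # TLS 1.2 needs only the master secret
            result[cr] = "tls12"
        else:
            result[cr] = "incomplete"     # e.g. handshake logged but no traffic secrets
    return result

# Constructed sample: one complete TLS 1.3 session, one TLS 1.2 session, one partial.
SAMPLE = """# constructed sample, not from a real browser
CLIENT_HANDSHAKE_TRAFFIC_SECRET {cr1} {s}
SERVER_HANDSHAKE_TRAFFIC_SECRET {cr1} {s}
CLIENT_TRAFFIC_SECRET_0 {cr1} {s}
SERVER_TRAFFIC_SECRET_0 {cr1} {s}
EXPORTER_SECRET {cr1} {s}
CLIENT_RANDOM {cr2} {s48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {cr3} {s}
""".format(cr1="11" * 32, cr2="22" * 32, cr3="33" * 32, s="aa" * 32, s48="bb" * 48)

if __name__ == "__main__":
    for cr, kind in classify(parse_keylog(SAMPLE)).items():
        print(cr[:8], kind)
```

Run it against the real keylogfile.txt by replacing SAMPLE with the file's contents; an empty result means the browser never wrote to the file, and "incomplete" sessions mean the capture or the log is missing part of the handshake.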
