Decrypt TLS sessions of Chrome & Firefox

How to decrypt TLS Sessions of browsers like Chrome and Firefox without Man-in-the-Middle MitM/Adversary-in-the-Middle AitM (Att&ck T1557) like ARP Cache Poisoning, DNS Spoofing, LLMNR/NBT-NS Poisoning and SMB Relay, DHCP Spoofing, Proxy, burp, PAC, WPAD, etc:

This is a silent way to debug issues. However your EDR/SIEM/logings solution should check for SSLKEYLOGFILE entries in your environment variables because this is a silent way to break TLS without informing the user.

Use the SSLKEYLOGFILE in your environmentvariables of your windows, linux or macos system.

Windows

Simply create an environmentvariable called SSLKEYLOGFILE and set the value of the path to the text-file, in which the TLS private keys should be saved:

Windows environmentvariables SSLKEYLOGFILE TLS decrypt
Linux

Simply create an environmentvariable called SSLKEYLOGFILE and set the value of the path to the text-file, in which the TLS private keys should be saved:

export SSLKEYLOGFILE=$HOME/tlsprivatekeys.txt

Linux SSLKEYLOGFILE decrypt TLS

Decrypt TLS sessions with Wireshark

  1. Open the wireshark prefecenses
  2. Go to TLS 
  3. Select your SSLKEYLOGFILE text file as (Pre)-Master-Secret filename as shown in the following screenshot:
Wireshark to decrypt TLS using privatekeys SSLKEYLOGFILE





No comments:

Post a Comment