There is a combination of lesser-known tools and techniques for capturing, and later decrypting, SSL/TLS network traffic on Windows. This technique is neat because it does not require installing any additional driver or software on the host where the traffic is captured.
It is quite straightforward and consists of:
1. Setting the SSLKEYLOGFILE environment variable on the target host, so that applications that support it (Chrome and Firefox, for example) write their TLS session keys to a file.
2. Using netsh trace start to capture traffic (no need to install an additional driver or software!).
3. Converting the .etl file to a pcap using Microsoft's etl2pcapng.
4. Starting Wireshark, opening the pcap, and pointing it at the key log file under Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename. This does not have to be on the same host as steps 1-2.
5. Enjoying the decrypted traffic!
If you can or want to capture traffic with Wireshark as well, there is of course no need to use netsh.
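Step 4 works because the key log file is in the NSS key log format that Wireshark reads: one line per secret, each tagged with the 32-byte client random of the handshake it belongs to. The following parser is an added example (not code from the original post) that validates such a file and reports which sessions carry enough material to decrypt application data. TLS 1.2 sessions appear as a single CLIENT_RANDOM line holding the master secret, while TLS 1.3 sessions need both CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0; the sample key log and its hex values are constructed for the example.

```python
"""Parse an SSLKEYLOGFILE (NSS key log format) and summarise what Wireshark can decrypt.

Added example for this post; the sample key log below is constructed, not captured.
"""
import re
from collections import defaultdict

# Labels Chrome/Firefox write. TLS 1.2 logs one CLIENT_RANDOM line (master secret);
# TLS 1.3 logs one line per derived traffic secret, all keyed by the same client random.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# <label> <client_random: 32 bytes hex> <secret: hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<client_random>[0-9a-fA-F]{64}) (?P<secret>(?:[0-9a-fA-F]{2})+)$"
)


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(lineno, raw_line) for rejected lines])."""
    sessions = defaultdict(dict)
    bad = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # NSS writes a comment header
            continue
        m = LINE_RE.match(line)
        if not m or m["label"] not in TLS12_LABELS | TLS13_LABELS:
            bad.append((lineno, raw))
            continue
        sessions[m["client_random"].lower()][m["label"]] = m["secret"].lower()
    return dict(sessions), bad


def classify(labels):
    """Describe how much of a session the logged labels let Wireshark decrypt."""
    if "CLIENT_RANDOM" in labels:
        return "TLS1.2"
    if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
        return "TLS1.3"
    # Handshake secrets only (e.g. the log was truncated): application data stays opaque.
    return "TLS1.3-partial"


def decryptable(sessions):
    """Client randoms whose application data Wireshark can decrypt with this log."""
    return {cr for cr, labels in sessions.items() if classify(set(labels)) in ("TLS1.2", "TLS1.3")}


def is_covered(sessions, client_random_hex):
    """True if a ClientHello random taken from the pcap has usable keys in the log."""
    return client_random_hex.lower() in decryptable(sessions)


# Constructed sample: one TLS 1.2 session, one full TLS 1.3 session, one truncated
# TLS 1.3 session and one malformed line. Client randoms are 32 bytes, secrets 48/32 bytes.
CR1 = "11" * 32
CR2 = "22" * 32
CR3 = "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {CR1} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR2} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR2} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR2} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR2} {'b4' * 32}",
    f"EXPORTER_SECRET {CR2} {'b5' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR3} {'c1' * 32}",
    "CLIENT_RANDOM deadbeef notvalidhex",
])

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE_KEYLOG)
    for cr, labels in sessions.items():
        print(f"{cr[:16]}... {classify(set(labels))} ({len(labels)} secrets)")
    for lineno, raw in bad:
        print(f"rejected line {lineno}: {raw!r}")
    print(f"{len(decryptable(sessions))} of {len(sessions)} sessions decryptable")
```

Run it against a real key log by replacing SAMPLE_KEYLOG with the file's contents; a session that shows up as TLS1.3-partial usually means the browser was closed (or the log rotated) before the handshake finished, which is also why the appendix restarts Chrome after setting the variable.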
Video Tutorial
Update: YouTube took the video down, because they say it violates some policy. I will work on creating a new video that is less spicy
Update 2: I recreated the video, removing the red team component
I put together a tutorial and you can watch it here.
If you enjoy the content and/or video, please like it and Subscribe to the YouTube channel. I might post videos more regularly if these are useful.
Cheers and Happy Hacking!
Appendix
List of commands (run from an elevated PowerShell prompt):
# Make every newly started process log its TLS session keys to this file
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE", "c:\temp\sslkeys\keys", "MACHINE")
# Restart Chrome so it picks up the new environment variable
taskkill /im chrome.exe /f
# Start the built-in packet capture; stop it when done
netsh trace start capture=yes tracefile=c:\temp\sslkeys\trace.etl report=disabled
netsh trace stop
# Convert the ETL trace to a pcap Wireshark can open
etl2pcapng trace.etl trace.pcap