i havent touched cybersecurity in over a year but bet your ass stumbling on this video made me turn my PC back on, thank you for the insanely ez lesson
A really interesting video indeed!...Learnt many new things....Could you make a video to learn how I can capture and decrypt my smartphone's browsing traffic using wireshark?(Both connected to the same networks)
Fantastic guide! I don't normally comment, but you need to know that you are doing fantastic work! I am experiencing Wireshark for the very first time in a CTF and this was clear, informative, and helpful!
Remarkably excellent delivery style. Super efficient clarity. Nothing superfluous. Conceptual through point and click guidance. Compellingly engaging with constant forward quick-step momentum. Not too loud not soft spoken. Knowledgeable, conservative, passionate, trustworthy source. Technoratically enjoyable. First video I watched on this channel. Heading to check your other content for more of the same. Thank you!
Thank you for this video Chris, I was following the WCNA study guide book but got stuck when I didnt see what's in the book(HTTP). I realised the time gap between the date of book publishing and the current version of wireshark. So switched my trail to 443 and TLS. This video helped me decrypt my session.
Hi Chris, so sorry, after I tried to save the SSL Key log file, I cannot find the file at all, for some reason. I am the administrator but I just cannot find it. Is there anything I must do? Thanks!
Im so confused. The file that you gave wireshark is completely different from the sslkeylog file that you made earlier. How did you create the file that you gave wireshark?
Hey Josh - I probably had to recreate it and share a different one. However the pcap and syslog you get in the link go together and the rest of the video steps are the same.
Great video! I have a few questions. 1. How are attackers able to decrypt https? Are they able to get this log file somehow? 2. Where are the session keys stored before you set this environment variable, just in memory? 3. If you had a computer disk image and a pcap of that computers traffic could you extract session keys from the image to decrypt the https traffic?
Hi Chris, thanks for this one really learnt a lot here. In saying that I've been seeing more of Application Layer Encryption lately, so in theory if you encrypt at the application level before hitting the pipe and encrypt using TLS, would you be able to get to the cleartext?
Hey thanks for sharing this cool looking video curiosity question after you decrypt the traffic files and you go to open it in a browser and it says that the content isn't available or if the site was taken down or can the content still be viewed?
Hi Chris D - Thanks for the comment. Actually I had considered setting something like that up but wasn't sure if anyone would actually do it! I appreciate the suggestion and will definitely look into it.
Hi Chris, I have a IOT device connected to AWS. I have all certicates... is it possible to decrypt the communication using wireshark? My IOT device is connected to an access point. Actually, I have a switch that I can route all the traffic to the PC but all packets are encrypted. So, I'd like to see the packet contents. Thanks a lot!
I have gotten it to work with Firefox and chrome. I have heard it works with edge but have not tried it for myself. All others, a ton to try… I guess it just depends on the api
Thanks, Chris I really appreciate you making videos. Taking the help of your videos I was able to help my colleagues and solve infrastructure problems. Keep making the good stuff as you explain the stuff in quite simple terms.
@@ChrisGreer So from a hackers perspective in todays day and age, I imagine the flow is something like this: 1. compromise endhost through zero day or unpatched vulnerability 2.create a reverse tcp shell via proxy chaining on proxy's that dont log user data (or TOR) 3.setup the log environmental variable in OS (congrats you have modified a system that's not yours and have now officially committed a crime, though I guess the reverse tcp shell could be argue as the stage when that happens) 4. discretely capture network traffic, and discretely transfer data back (no idea how that's done) 5. look for PII/PCI decrypted data 6. Clear traces of you being there... also not really sure how they would do that. Probably clear a bunch of internal log files. I know this comment puts you in a precarious situation, because how do you teach content and answer questions without indirectly possibly helping a hacker, but as a company network engineer I still dont understand how hackers pull of what they do. Is it just a matter of hiding in plane sight and due to the sheer amount of data that goes across the wire, you are hoping nobody notices?
I followed all the steps as explained by you, but I'm still unable to log the ssl keys into my local directory. May I know why that maybe happening? The file is empty , that is, no keys are logged into it.
Hmm... weird. That is frustrating. Ok maybe something changed with an update. I'd suggest trying Firefox. If that doesn't work - I've been able to get it working pretty reliably with Kali Linux and Chrome. I demonstrate that here -th-cam.com/video/QRRHA_5hS2c/w-d-xo.html
Is there a way to do this for non-web browser traffic? For example, I am trying to decrypt commands and responses with racadm in powershell but the keys don't appear in the log.
Did you create a ssl key log file and add its path is environment variable or creating an environment variable created the file. Because I am not able to see the file. Please help.
I'm stuck at the decrypting part, after adding the ssl key log, nothing happens, the log is there and firefox is indeed writing to it, but wireshark doesnt seem to use it whatsoever
Hello DataSkull - we would need to see if the app will locally store the TLS keys. As you saw in the video, chrome will do it in an environment variable, but that may not be the case for the application you are trying to decrypt. You have to dig into it and see if the app will store them.
I have a question... If I'm using a wifi adapter that's in monitor mode, and passively sniffing the other devices on my home network... Is there any methods for decrypting other clients on the same network? Other clients meaning , if I'm on my laptop and I want to see what's going on with my Android on the same network, what methods (if any) are there to decrypt the androids traffic?
That is a great question. In theory, you could do a man in the middle attack and intercept their traffic. You can capture it is a passive listener on WiFi, but with the additional layer 1/2 encryption for WiFi (WPA2 for example) it adds another level of complexity. I have never done it.
@@ChrisGreer Thanks for the reply! My mind was going into that direction but wasn't sure if there were other ways/methods. Looking forward to more content as well. Since I'm a newer viewer, I dont know the extent of your expertise. But would love to see some cyber security / forensic stuff as that's what I'm currently studying for an associates degree. I see alot of the attacking and vulnerability side, but would like to see more content on defensive and forensic analysis.
Hey Chris really great video it helped me a lot but I just wanna mention that, I don't know for some reason but sslkeylog doesn't store every ssl log, it does stores majority of them but not every, soo I came across some proxy servers like charles which stores every ssl but don't know how to set it up on windows to work perfectly. Please make a video about charles or any other proxy server you recommend to decrypt fully...... Thanks
For sure! I will be doing more content around QUIC and H3 as things continue to develop. Thank you for the comment. I the meantime check out my QUIC decryption video here - th-cam.com/video/QRRHA_5hS2c/w-d-xo.html
Thank you Chris...This is an amazing video...I wanted to know is it possible to do the same with safari browser in Mac os if so can you please point me the steps... Thanks in advance.
You would need send all traffic through a man-in-the-middle device on the network, or you could install an agent on the server that will capture them. Either way, it's designed to be hard to get the keys...
@@ChrisGreer isn’t that man in the middle attack / ARP Poisoning doens’t catch the key? please make a video how to get the keys via man in the middle attack sir.
To capture the session keys as you see in this video, yes. It's the simplest way to collect them. It can also possibly happen from the server side or from a device along the path that terminates the connection.
Arg - no I don't know why but, let's make sure you are using chrome, you restarted it, and made sure you cleared history/cache. Other than that - I would try installing firefox because I have gotten it to work with that browser too.
Thanks as always Chris... really useful 🙏
My pleasure! Thanks for the comment Ganesh!
Even after all the experience I have with IT security/forensics, I’m still learning something new every day.
Amen to that Christopher! I feel the same. I learn something with every pcap I open.
You will always learn something more in technology
'Packet heads' cracked me up. Thanks for the vid!
Glad you liked it! Hey every department needs a Packet Head.
i havent touched cybersecurity in over a year but bet your ass stumbling on this video made me turn my PC back on, thank you for the insanely ez lesson
Awesome!
Chris is a gem...I have learned so much from him over the years, especially on Pluralsight.
Thank you!
Nice to read online that this method apparently works the same with the Firefox web browser :D
Glad you did the Collab with Bombal so I could find your content!
I am beyond honored that he wanted to interview me on his channel. Great to have you here!
how did u get that SYSLOG file in the beginning?
Don't tell me this isn't the same guy as Darknet Diaries. The voice is IDENTICAL.
finally... a video that works. I can't thank you enough dad.
A really interesting video indeed!...Learnt many new things....Could you make a video to learn how I can capture and decrypt my smartphone's browsing traffic using wireshark?(Both connected to the same networks)
Fantastic guide! I don't normally comment, but you need to know that you are doing fantastic work! I am experiencing Wireshark for the very first time in a CTF and this was clear, informative, and helpful!
Thank you for the comment! I really appreciate the feedback.
Remarkably excellent delivery style. Super efficient clarity. Nothing superfluous. Conceptual through point and click guidance. Compellingly engaging with constant forward quick-step momentum. Not too loud not soft spoken. Knowledgeable, conservative, passionate, trustworthy source. Technoratically enjoyable. First video I watched on this channel. Heading to check your other content for more of the same. Thank you!
Thank you for watching and commenting Alexander!
Can somebody help me?
I am not able to capture the log file even though I created an environment variable with the ssl.log in the end.
Just restart the computer. It should work.
I just experimented with this in a ucertify virtual lab I had open for a class assignment, and it was super easy and fun. Thank you for showing this !
Great job! Thanks for the feedback!
Thank you for sharing! Now I can understand ssl/tls handshake clearly and how https works. Love it and Subscribed.
Thanks for the comment!
When I saw you change a hat I knew this lesson would be outstanding
Nice video. Could you do an other video decrypting UDP traffic 🙏 it will help us a lot, thanks
You're a God amongst men sir. Thank you
Thank you for this video Chris, I was following the WCNA study guide book but got stuck when I didnt see what's in the book(HTTP). I realised the time gap between the date of book publishing and the current version of wireshark. So switched my trail to 443 and TLS. This video helped me decrypt my session.
Great Samuel! Glad to hear that it helped. I'll get some more TLS 1.3 stuff out there soon.
Thanks Chris. I like your passion when explan all of this. 🤗
Thanks again Di. I appreciate the feedback.
Thanks Chris. Would you mind sharing the process of path variable for log file in Kali Linux and MAC OS ?
Thanks, Chris. This video helps me a lot.
You explain so much more clearly and succinctly than my packet analysis instructor. This is great! Thank you.
Glad it was helpful!
Thank you, Chris, for such a great educational video)
Why did you not select the log file from the path you created in the system variable?
🤦🏻♀️
Thanks you for your great job. I try it and all it works fine!
it means we can decrypt any password even if it uses https protocol ?
I'm loading the file to Wireshark, but some reason the decryption is not working. I'm using a windows machine.
Great video, please keep sharing more
Thanks for the comment! Working on more content and I'll get it out there.
Hi Chris, so sorry, after I tried to save the SSL Key log file, I cannot find the file at all, for some reason. I am the administrator but I just cannot find it. Is there anything I must do? Thanks!
Great video. Clearly explained.
Chris, as always you are the man.
@Bill Proctor - Great to see you here Bill! Hope all is well on your end.
@@ChrisGreer absolutely. Just looking forward to being able to travel again for work. Hope to hang out with you sometime soon!
@@grendal1974 That would be awesome Bill! Let's chat sometime here soon.
Im so confused. The file that you gave wireshark is completely different from the sslkeylog file that you made earlier. How did you create the file that you gave wireshark?
Hey Josh - I probably had to recreate it and share a different one. However the pcap and syslog you get in the link go together and the rest of the video steps are the same.
Great video! I have a few questions.
1. How are attackers able to decrypt https? Are they able to get this log file somehow?
2. Where are the session keys stored before you set this environment variable, just in memory?
3. If you had a computer disk image and a pcap of that computers traffic could you extract session keys from the image to decrypt the https traffic?
great video. can we decrypt request manually by extracting public certificate of website ?
Hai Chris, how about desktop App not browser, how do we generate that log file?
how would i apply this to a app
Wait so can I store the keys wherever or does it need to be that specific user address?
❤❤It works 💯% dude I don't have a words u are really great!
This is some great stuff, keep going.
Thanks!
Learn it by heart -- By order of the peaky blinders
How do I enable Packet Reassembly and Uncompressed Entity Body?
Thanks for great job and we really appreciate it
Hi Chris, thanks for this one really learnt a lot here. In saying that I've been seeing more of Application Layer Encryption lately, so in theory if you encrypt at the application level before hitting the pipe and encrypt using TLS, would you be able to get to the cleartext?
Thank you Chris!
Thanks, Chris.
about session keys how i could fix that on mac os?
Thank you so much man. Excellent explanation.
Thank you for this. It was kicking my ass.
That’s really interesting!
Amazing Chris :)
Thanks!
My pleasure!
Awesome videos. Thank you
Great video and example, thanks for what you do
Thanks for the comment!
Мужик,лайк тебе ставлю,полезно очень 👍
Hey thanks for sharing this cool looking video curiosity question after you decrypt the traffic files and you go to open it in a browser and it says that the content isn't available or if the site was taken down or can the content still be viewed?
Interesting. Great video. I am puzzled by 2 files in this video. Are the "sslkeylog.log" and "DecryptTraffic_Wireshark.log" the same file?
I'm also wondering this - did you find this out?
Yes anyone?
i noticed that too, and now i am confused
too cool for a dev, thanks
You have some really great content on your Channel. You should start accepting BAT's so we can tip you!
Hi Chris D - Thanks for the comment. Actually I had considered setting something like that up but wasn't sure if anyone would actually do it! I appreciate the suggestion and will definitely look into it.
Best as always.
Glad you think so!
Hey love the video, how can this be done if I'm not using either chrome or firefox?
I would love a video on how to read important info of encrypted data without decrypting it
That is a great skill - because in the real world, most of the troubleshooting I do is without the decryption keys.
@@ChrisGreer I'd love to learn that skill....
Really wish you could make a video on that...
I'll truly appreciate 💜
Hello, was wondering if the decryption could be done using a MITM, for instance the MITM proxy...Would be great to see that happen!!! Ty
Hey, thanks for the comment. I'll see if I can get it working... (or breaking, depending on how you look at it!)
sir, I have tls.pcap packet , how can i decrypt SIP/TLS v1.2 to see RTP ??
Note that
TLS encrypt by CA ?
Thanks grish its really nice and helpful
Hi Chris, I have a IOT device connected to AWS. I have all certicates... is it possible to decrypt the communication using wireshark? My IOT device is connected to an access point. Actually, I have a switch that I can route all the traffic to the PC but all packets are encrypted. So, I'd like to see the packet contents. Thanks a lot!
Is the SSLKEYLOGFILE env variable only used by chrome? Or system wide for anything using SSL?
I have gotten it to work with Firefox and chrome. I have heard it works with edge but have not tried it for myself. All others, a ton to try… I guess it just depends on the api
Thanks, Chris I really appreciate you making videos. Taking the help of your videos I was able to help my colleagues and solve infrastructure problems. Keep making the good stuff as you explain the stuff in quite simple terms.
Nice! That is great Prateek - glad to hear that the videos helped you. More to come!
can you please create a video for decrypting tls traffic in wireshark using private key file
Unable to see the keylog file generated in windows. Any additional steps to be followed
Make sure that you restart chrome completely after setting up the environment variable. Also - if that doesn't work, give it a shot with Firefox.
hi, do you know if there is a way to decrypt https when it isn't from the browser, meaning it doesn't get logged to a key file?
Probably - I'd have to tinker with a specific app or implementation, but I imagine if you dig deep enough in the code there is a way to do it.
@@ChrisGreer So from a hackers perspective in todays day and age, I imagine the flow is something like this:
1. compromise endhost through zero day or unpatched vulnerability
2.create a reverse tcp shell via proxy chaining on proxy's that dont log user data (or TOR)
3.setup the log environmental variable in OS (congrats you have modified a system that's not yours and have now officially committed a crime, though I guess the reverse tcp shell could be argue as the stage when that happens)
4. discretely capture network traffic, and discretely transfer data back (no idea how that's done)
5. look for PII/PCI decrypted data
6. Clear traces of you being there... also not really sure how they would do that. Probably clear a bunch of internal log files.
I know this comment puts you in a precarious situation, because how do you teach content and answer questions without indirectly possibly helping a hacker, but as a company network engineer I still dont understand how hackers pull of what they do. Is it just a matter of hiding in plane sight and due to the sheer amount of data that goes across the wire, you are hoping nobody notices?
@@adammason1587 Very interesting, to transfer the data back in thinking you could do a loopback but that could be traced.
I followed all the steps as explained by you, but I'm still unable to log the ssl keys into my local directory. May I know why that maybe happening? The file is empty , that is, no keys are logged into it.
Hmm... weird. That is frustrating. Ok maybe something changed with an update. I'd suggest trying Firefox. If that doesn't work - I've been able to get it working pretty reliably with Kali Linux and Chrome. I demonstrate that here -th-cam.com/video/QRRHA_5hS2c/w-d-xo.html
Is there a way to do this for non-web browser traffic? For example, I am trying to decrypt commands and responses with racadm in powershell but the keys don't appear in the log.
Hey Greg - I have only tried this with Chrome and Firefox. It would def take some more digging to learn where/how/if other API's store the keys.
Very nice video, TNX.
Thanks!
Thank you so much sir for this wonderful video and it is helpful for us.
Thanks for the comment Tin!
Thank you very much Chris 🙏🏻
You are very welcome
is this still working? dont see any log file being created even after reboot
it still works... didn't work the first time but on a second attempt it does
Thanks Greer, very useful
How to get the bottom filters?
Hey Chris, the pcap link is broken - any chance you'd mind reuploading? Thanks
Hi Chirs
Somehow I am unable to apply frame contains filter
Please you build on video about how to using the wireshark in windows 10
Hey Chris, what about other TLS traffic which is not made from any browser? Thanks
I've only been able to get it to work with Chrome and Firefox, I haven't tried to store them from any one app.
Did you create a ssl key log file and add its path is environment variable or creating an environment variable created the file. Because I am not able to see the file. Please help.
cool man ... but i'd like to see packets on my other wifi devices I see i can put my network card in monitor mode will this get the keys to decrypt??
sir can it also decrypt the traffic of insta ,tele, twitter like websites ?
I haven't tried it with mobile apps yet. But if they store the keys to the keylog, then in theory... yes!
Am i supposed to take that log file i d/l and drop it in SSL Keys folder or will system automatically create one for me?
You should have to create that folder but the system will create the log.
Where the f is the pre master secret log filename came from? that's not in the environmental variables you made right?
I'm stuck at the decrypting part, after adding the ssl key log, nothing happens, the log is there and firefox is indeed writing to it, but wireshark doesnt seem to use it whatsoever
Gracias por compartir toda esta información.!!
Un placer!
Dear Sir wonderful , How do I decrypt Windows desktop application traffic using wireshark , the desktop app use TLS1.2 and Websocket for communication
Hello DataSkull - we would need to see if the app will locally store the TLS keys. As you saw in the video, chrome will do it in an environment variable, but that may not be the case for the application you are trying to decrypt. You have to dig into it and see if the app will store them.
Same issue here looks like better to go with a proxy server
I have a question... If I'm using a wifi adapter that's in monitor mode, and passively sniffing the other devices on my home network... Is there any methods for decrypting other clients on the same network? Other clients meaning , if I'm on my laptop and I want to see what's going on with my Android on the same network, what methods (if any) are there to decrypt the androids traffic?
That is a great question. In theory, you could do a man in the middle attack and intercept their traffic. You can capture it is a passive listener on WiFi, but with the additional layer 1/2 encryption for WiFi (WPA2 for example) it adds another level of complexity. I have never done it.
@@ChrisGreer Thanks for the reply! My mind was going into that direction but wasn't sure if there were other ways/methods. Looking forward to more content as well. Since I'm a newer viewer, I dont know the extent of your expertise. But would love to see some cyber security / forensic stuff as that's what I'm currently studying for an associates degree. I see alot of the attacking and vulnerability side, but would like to see more content on defensive and forensic analysis.
Hey Chris really great video it helped me a lot but I just wanna mention that, I don't know for some reason but sslkeylog doesn't store every ssl log, it does stores majority of them but not every, soo I came across some proxy servers like charles which stores every ssl but don't know how to set it up on windows to work perfectly. Please make a video about charles or any other proxy server you recommend to decrypt fully...... Thanks
Thanks for the feedback Jack - I would need to figure out how to reproduce that in order to tshoot on my end.
Great information 🙂
Please do some video on HTTP3 and its benifits...
Found this channel after watching your colab on David's channel...
Thank you 😊
For sure! I will be doing more content around QUIC and H3 as things continue to develop. Thank you for the comment. I the meantime check out my QUIC decryption video here - th-cam.com/video/QRRHA_5hS2c/w-d-xo.html
Thank you Sir :)
Most welcome!
Thank you Chris...This is an amazing video...I wanted to know is it possible to do the same with safari browser in Mac os if so can you please point me the steps... Thanks in advance.
Hola, saludos desde Argentina 😃
What if we are using an android application such as an online game then how to decrypt the tls1.3 packet
thankyou for sharing, but how we can get the tls key without touching the victim pc / laptop?
You would need send all traffic through a man-in-the-middle device on the network, or you could install an agent on the server that will capture them. Either way, it's designed to be hard to get the keys...
@@ChrisGreer isn’t that man in the middle attack / ARP Poisoning doens’t catch the key? please make a video how to get the keys via man in the middle attack sir.
So you'd have to have access to a target host in order to set up the log file?
To capture the session keys as you see in this video, yes. It's the simplest way to collect them. It can also possibly happen from the server side or from a device along the path that terminates the connection.
Hey chris, Not sure what is wrong but my log file is empty no matter what i visit. Any idea why ?
Arg - no I don't know why but, let's make sure you are using chrome, you restarted it, and made sure you cleared history/cache. Other than that - I would try installing firefox because I have gotten it to work with that browser too.
@@ChrisGreer All done. Maybe Win 10 21H1 version does not support it.