Decrypting HTTPS traffic using Wireshark
What is Wireshark?
Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Capture network messages
1. First of all, clear the ARP cache and flush the DNS cache using the following commands:
a) arp -d *
b) arp -a
c) ipconfig /flushdns
2. Start Wireshark and capture network messages on the network interface that has the default gateway:
3. Open the browser in InPrivate mode and visit the following URL: www.google.com
4. Stop capturing messages and save the capture to a file.
Decrypting the messages
1. First of all, an ARP request is sent from our machine to the router to determine the MAC address of the router's network interface, and the router answers with an ARP reply. In the same manner, our machine resolves the name www.google.com by sending a DNS query to our router.
2. Next, our machine sends a [SYN] (synchronisation) message to the Google server at 216.58.197.68; the Google server responds with a [SYN, ACK] (synchronisation, acknowledgement) message, and our machine completes the handshake with an [ACK] (acknowledgement) message.
3. After the TCP connection is set up with the SYN and ACK message exchanges, our machine/browser (the client) sends an HTTP request to the Google server using the GET method:
4. The TLS handshake takes place: Client Hello, followed by the server's ACK, Server Hello, and finally the client's ACK.
5. Finally, the Google server sends its certificate to the client (IE 11), followed by the client's ACK and the Client Key Exchange. The Google server then issues a New Session Ticket to the client. A secure HTTPS connection has now been established.
6. We can see the 270-byte public key of the CA in the snapshot.
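To understand what Wireshark is dissecting in the Client Hello of step 4, here is an added example (not part of the original write-up) that builds a minimal, constructed TLS 1.2 ClientHello record and parses its record header, handshake type, cipher suites and SNI the same way the Wireshark dissector does. The function names, the sample cipher suites and the fixed random bytes are my own choices, not anything taken from a real capture.

```python
import struct

# TLS record content types and handshake message types seen in the capture above
CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 4: "NewSessionTicket",
                   11: "Certificate", 16: "ClientKeyExchange", 20: "Finished"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(sni: str, suites=(0xC02F, 0xC030)) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    name = sni.encode()
    # server_name extension: type 0, ext length, list length, name type 0, name length, name
    sni_ext = (b"\x00\x00" + struct.pack("!HH", len(name) + 5, len(name) + 3)
               + b"\x00" + struct.pack("!H", len(name)) + name)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, fixed "random", empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)     # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # record header uses 0x0301 (TLS 1.0) for the first flight, as most clients do
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_record(data: bytes) -> dict:
    """Parse one TLS record; for a ClientHello also extract version, cipher suites and SNI."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:  # a truncated record is a real failure mode in captures
        raise ValueError("truncated record: declared %d bytes, have %d" % (length, len(data) - 5))
    info = {"content_type": CONTENT_TYPES.get(ctype, hex(ctype)),
            "record_version": VERSIONS.get(version, hex(version))}
    if ctype != 0x16:
        return info
    hs_type = data[5]
    info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, str(hs_type))
    if hs_type != 1:
        return info
    body = data[9:5 + length]                       # skip 4-byte handshake header
    info["client_version"] = VERSIONS.get(struct.unpack("!H", body[:2])[0])
    pos = 34                                        # version (2) + random (32)
    pos += 1 + body[pos]                            # session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                            # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        if etype == 0:                              # server_name: list len (2), name type (1), name len (2)
            nlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            info["sni"] = body[pos + 5:pos + 5 + nlen].decode()
        pos += elen
    return info
```

The same header check (content type 0x16, then handshake type 1, 2 or 11) is what lets Wireshark label the Client Hello, Server Hello and Certificate messages in steps 4 and 5.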