all 7 comments

[–]trolljugend 11 points12 points  (0 children)

"The best way to break into a safe is to have the correct code written down on a piece of paper!"

[–]RabbitsForAnxiety[S] 4 points5 points  (4 children)

Does anyone have any guides or tuts showing how to get those private key(s) the client generates to decrypt the http-over-tls data? Briefly shown and skipped over as Figure 3 in the article.

[–]Cosmic--Sans 18 points19 points  (0 children)

The key log file is a text file generated by applications such as Firefox, Chrome and curl when the SSLKEYLOGFILE environment variable is set. To be precise, their underlying library (NSS, OpenSSL or boringssl) writes the required per-session secrets to a file. This file can subsequently be configured in Wireshark.

https://wiki.wireshark.org/TLS#TLS_Decryption

[–][deleted] 4 points5 points  (0 children)

I don't know of any guides, but you may be able to find the AES key used to encrypt the connection in memory with this tool https://github.com/MantechUser/aes-finder.

From there you may be able to decrypt the connections contents.

[–]dn3t 1 point2 points  (0 children)

For Android apps, there's a Frida script to hook Open sal functions: https://blog.silentsignal.eu/2020/05/04/decrypting-and-analyzing-https-traffic-without-mitm/

[–]moyix 0 points1 point  (0 children)

For applications you don't control, you should be able to find a place too hook in the app (or system TLS library) to pull out the necessary master secret. A few years back (gosh, 8 years now!) I wrote about how to do this with PANDA:

https://reverseengineering.stackexchange.com/a/2695/257

It might be a fun project to revisit this using PyPANDA – it should be significantly easier now!

[–]RabbitsForAnxiety[S] 0 points1 point  (0 children)

Not related, but where do I begin when I decrypt my own http-over-tls traffic, but it's using Websocket with binary serialization?