Monday, December 24, 2018

(Repost) Filter in Wireshark for TLS's Server Name Indication field

Does wireshark have a filter for TLS's Server Name Indication field?
Shawn E's answer is probably the correct answer but my wireshark version doesn't have that filter. The following filters do exist, however:
To check if the SNI field exists:
ssl.handshake.extension.type == 0
or
ssl.handshake.extension.type == "server_name"
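The filter above works because the server_name extension is registered as TLS extension type 0 (RFC 6066), so matching on the type number finds every ClientHello that carries an SNI, even in a Wireshark build that lacks a dedicated SNI field. The following is an added example, not code from the question or answer, that builds a constructed ClientHello record and then walks its extension list the same way the dissector does, returning the host_name when it hits extension type 0. The hostname, cipher suites and supported_groups contents are placeholders chosen for the example.

```python
import struct
from typing import Optional

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_SERVER_NAME = 0          # "server_name": what ssl.handshake.extension.type == 0 matches
EXT_SUPPORTED_GROUPS = 10
SNI_HOST_NAME = 0            # NameType host_name inside the server_name extension


def _sni_extension(hostname: str) -> bytes:
    """Encode an RFC 6066 server_name extension carrying one host_name entry."""
    name = hostname.encode("idna")
    entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def build_client_hello(hostname: Optional[str] = None) -> bytes:
    """Build a minimal, constructed TLS record holding a ClientHello (not a real capture).

    The random and cipher-suite list are placeholders; only the framing matters here.
    """
    body = b"\x03\x03" + bytes(32) + b"\x00"      # client_version, random, empty session_id
    suites = b"\x13\x01\xc0\x2f"                    # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # one compression method: null
    # An unrelated extension first (supported_groups: x25519) so the walker has to skip it.
    exts = struct.pack("!HH", EXT_SUPPORTED_GROUPS, 4) + struct.pack("!HH", 2, 0x001D)
    if hostname:
        exts += _sni_extension(hostname)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _walk_client_hello(record: bytes) -> Optional[str]:
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # skip client_version and random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos + 2 > len(body):                                  # old-style hello with no extensions
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME:                         # the ".extension.type == 0" check
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if ntype == SNI_HOST_NAME:
                return data[q:q + nlen].decode("ascii")      # IDNA-encoded, so ASCII on the wire
            q += nlen
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed."""
    try:
        return _walk_client_hello(record)
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello()))                # None
```

On a Wireshark 3.x install the same check is spelled with the `tls` prefix, and there is a dedicated field, so `tshark -r capture.pcap -Y 'tls.handshake.extension.type == 0' -T fields -e tls.handshake.extensions_server_name` lists the SNI of every ClientHello in a capture.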

Sunday, December 23, 2018

(Repost) Decrypting TLS Browser Traffic With Wireshark – The Easy Way!

Intro

Most IT people are somewhat familiar with Wireshark.  It is a traffic analyzer that helps you learn how networking works, diagnose problems, and much more.
One of the problems with the way Wireshark works is that it can't easily analyze encrypted traffic, like TLS.  It used to be that if you had the server's private key you could feed it into Wireshark and it would decrypt the traffic on the fly, but that only worked when RSA was used for the key exchange, because the client encrypts the pre-master secret to that key.  As people have started to embrace forward secrecy (ephemeral Diffie-Hellman key exchange) this broke: having the private key is no longer enough to derive the session key used to decrypt the data.  The other problem with this approach is that a private key should not, or cannot, leave the client, server, or HSM it lives in.  This led me to very contrived ways of man-in-the-middling myself to decrypt the traffic (e.g. sslstrip or mitmproxy).

Session Key Logging to the Rescue!

Well my friends I'm here to tell you that there is an easier way!  It turns out that Firefox and Chrome both support logging the TLS session secrets (the master secret for TLS 1.2 and earlier, the per-direction traffic secrets for TLS 1.3) to a file in the NSS key log format.  You can then point Wireshark at said file; it matches each entry to a session by the Random value in the ClientHello, derives the symmetric keys, and presto! decrypted TLS traffic.  Read on to learn how to set this up.

Setting up our Browsers

We need to set an environment variable.

On Windows:

Go into your computer properties, then click “Advanced system settings” then “Environment Variables…”
Add a new user variable called “SSLKEYLOGFILE” and point it at the location where you want the log file to be created.

On Linux or Mac OS X:

$ export SSLKEYLOGFILE=~/path/to/sslkeylog.log
You can also add this as the last line of your ~/.bashrc on Linux, or to ~/.MacOSX/environment.plist on older OS X releases, so that it is set every time you log in.
The next time we launch Firefox or Chrome from an environment where the variable is set, they will log the TLS secrets to this file.
Edit: If you are having trouble getting it to work on OS X take a look at the comments below.  It seems that Apple has changed how environment variables work in recent versions of OS X (environment.plist is no longer honored), so a browser started from the Dock will not see the variable.  Try launching Firefox and Wireshark from the same terminal window with:
$ export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log
$ open -a firefox
$ wireshark
Thanks Tomi for sharing this.
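To see what the browsers actually write, and how Wireshark is able to pair it with a capture, here is an added example (not code from the original post) that parses a key log in the NSS format. Each line is a label, an identifier and a secret in hex: CLIENT_RANDOM and the TLS 1.3 labels are keyed by the 32-byte Random from the ClientHello, which is what a capture contains in the clear, and the legacy RSA label is keyed by the first 8 bytes of the encrypted pre-master secret. The sample log below is constructed with repeated byte values, not taken from a real session, and the last line is deliberately malformed to show the length checks rejecting it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Expected sizes in bytes per label: (identifier length, allowed secret lengths).
# TLS 1.3 secrets are hash-sized, so 32 (SHA-256) or 48 (SHA-384) bytes.
LABELS = {
    "RSA": (8, {48}),                      # legacy: encrypted pre-master prefix -> pre-master secret
    "CLIENT_RANDOM": (32, {48}),           # TLS <= 1.2: client random -> master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, {32, 48}),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, {32, 48}),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, {32, 48}),
    "CLIENT_TRAFFIC_SECRET_0": (32, {32, 48}),
    "SERVER_TRAFFIC_SECRET_0": (32, {32, 48}),
    "EXPORTER_SECRET": (32, {32, 48}),
}
TLS13_LABELS = set(LABELS) - {"RSA", "CLIENT_RANDOM"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")

KeyIndex = Dict[bytes, Dict[str, bytes]]

# Constructed sample: one TLS 1.2 session (random 11..11), one TLS 1.3 session
# (random 22..22) and a truncated line that must be rejected.
SAMPLE_KEYLOG = """\
# SSL/TLS secrets log file, generated by NSS (constructed sample, not a real session)
CLIENT_RANDOM {r12} {ms}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {r13} {hs_c}
SERVER_HANDSHAKE_TRAFFIC_SECRET {r13} {hs_s}
CLIENT_TRAFFIC_SECRET_0 {r13} {ap_c}
SERVER_TRAFFIC_SECRET_0 {r13} {ap_s}
CLIENT_RANDOM deadbeef 0123456789
""".format(r12="11" * 32, ms="aa" * 48, r13="22" * 32,
           hs_c="b1" * 32, hs_s="b2" * 32, ap_c="c1" * 32, ap_s="c2" * 32)


def parse_keylog(text: str) -> Tuple[KeyIndex, List[Tuple[int, str]]]:
    """Index a key log by session identifier; return (index, [(line_no, problem), ...])."""
    index: KeyIndex = defaultdict(dict)
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # NSS writes a comment header
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((lineno, "unparseable line"))
            continue
        label, ident, secret = m.groups()
        if label not in LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        id_len, secret_lens = LABELS[label]
        if len(ident) != 2 * id_len or len(secret) % 2 or len(secret) // 2 not in secret_lens:
            errors.append((lineno, f"bad field length for {label}"))
            continue
        index[bytes.fromhex(ident)][label] = bytes.fromhex(secret)
    return dict(index), errors


def lookup(index: KeyIndex, client_random_hex: str) -> Optional[Dict[str, bytes]]:
    """Find the secrets for a session, given the ClientHello Random seen in the capture."""
    return index.get(bytes.fromhex(client_random_hex))


def tls_version_hint(entry: Dict[str, bytes]) -> str:
    """Which protocol generation the logged labels belong to."""
    return "TLS 1.3" if set(entry) & TLS13_LABELS else "TLS 1.2 or earlier"


if __name__ == "__main__":
    idx, errs = parse_keylog(SAMPLE_KEYLOG)
    for rnd, entry in idx.items():
        print(rnd.hex()[:16], tls_version_hint(entry), sorted(entry))
    for lineno, why in errs:
        print(f"line {lineno}: {why}")
```

The same matching happens inside Wireshark: it reads the ClientHello Random from the capture, looks it up in the key log, and only then can derive the record-layer keys. That is also why a session whose ClientHello was not captured, or was logged by a process that did not inherit SSLKEYLOGFILE, stays opaque. On the command line the equivalent of the preference set below is `tshark -r capture.pcap -o tls.keylog_file:/path/to/sslkeylog.log` (`ssl.keylog_file` on Wireshark 2.x).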

Setting up Wireshark

You need at least Wireshark 1.6 for this to work.  We simply go into the preferences of Wireshark, expand the Protocols section, select SSL (called TLS in Wireshark 3.x and later), and in the “(Pre)-Master-Secret log filename” field browse to the location of your log file.

The Results

This is more along the lines of what we normally see when looking at a TLS packet: an Application Data record with an opaque encrypted payload.
This is what it looks like when you switch to the “Decrypted SSL Data” tab (“Decrypted TLS” in Wireshark 3.x).  Note that we can now see the request information in plain text!  Success!

Conclusion

I hope you learned something today, this makes capturing TLS communication so much more straightforward.  One of the nice things about this setup is that the client/server machine that generates the TLS traffic doesn't have to have Wireshark on it, so you don't have to gum up a client's machine with stuff they won't need: you can either have them dump the log to a network share or copy it off the machine and reunite it with the packet capture later.  Treat the key log with the same care as the capture, though: anyone holding both can decrypt every logged session, so unset SSLKEYLOGFILE and delete the file once you are done.  Thanks for stopping by!

Friday, November 16, 2018

(Repost) Windows 10 firewall keeps turning itself ON, how to stop it

Hello sosolola

You can disable the Windows Firewall from the Services window. To do so:

> In the Cortana search bar, type SERVICES.MSC.

> Click the Services option that appears in the suggestion list.

> From the opened Services window, from the right pane, double-click the Windows Firewall service.

> On the Windows Firewall Properties box, ensure that you are on the General tab.

> Click the Stop button under the Service status label and click Apply. (Accept any prompt or confirmation that appears to stop any dependencies.)

> After this, choose Disabled from the Startup type drop-down list and click Apply again.

> Click OK and close all the opened boxes.

> Restart the computer and see if this keeps Windows Firewall from turning on automatically.

Also, here you can find a few other methods to turn Windows Firewall off. You may want to give them a try if the above solution doesn't work for you.

Ref: http://www.tomshardware.com/forum/id-2977635/windows-firewall-turning-stop.html