how to use fiddler and wireshark to decrypt ssl

Date: 2022-09-07 16:07:08

Original post: http://security14.blogspot.jp/2010/07/how-to-use-fiddler-and-wireshark-to.html

Requirements

2 Computers (Physical or Virtual Machines):
Computer 1 – Client (In this example I used Windows 7 64bit Enterprise)
Computer 2 – Proxy (In this example I used Windows XP Pro SP3)
Software:
Wireshark (and WinPcap) – Network Analysis
Fiddler – Web Debugging Proxy
OpenSSL – A Great Suite of PKI/SSL Tools
Assuming Internet Explorer 8 on both computers

Download and install the current version of Wireshark along with the included version of WinPcap:
http://www.wireshark.org/download.html
For this example, I used version 1.2.9.

Download and install the current version of Fiddler:
http://www.fiddler2.com/Fiddler2/version.asp
For this example, I used version 2.2.9.7

Download and install the current version of OpenSSL:
http://www.slproweb.com/products/Win32OpenSSL.html
I had to install the Visual C++ 2008 Redistributables to get OpenSSL to install correctly.
For this example, I used version 1.0.0a.

On Both Computers

Set up a Local Certificate Management Console:
Start, Run: mmc
From the Microsoft Management Console:
File, Add/Remove Snap-in…
Click Add…
Select Certificates and click Add
Make sure My User Account is selected and click Finish
Again, make sure Certificates is selected and click Add
This time select Computer Account and click Next
Make sure Local Computer is selected and click Finish
Click Close
Click OK
You should now have a Management Console that looks like this:
[Screenshot: Local Certificate Management console with the Current User and Local Computer Certificates snap-ins]

Optionally, you can save this:
File, Save
Enter a name: Local Certificate Management
Click Save

On the Proxy Computer

Open up Fiddler:
Click Tools, Fiddler Options…
Optionally you can disable HTTP protocol violation warnings. My experience has been that these warnings happen often and are more annoying than useful.
[Screenshot: Fiddler Options dialog, General tab]

Click on the HTTPS Tab:
Click on the Decrypt HTTPS traffic option
This will bring up a dialogue box to trust Fiddler’s Root Certificate – Click Yes
Note: This will allow you to decrypt SSL sessions without the client browser displaying a certificate error/warning.
[Screenshot: Fiddler Options, HTTPS tab with Decrypt HTTPS traffic selected]

Click Yes to add the Fiddler Root Certificate

[Screenshot: prompt to trust the Fiddler Root Certificate]

Next, enable the ignore server certificate errors (unless you want to see the warnings).
Click Export Fiddler Root Certificate to Desktop

[Screenshot: HTTPS tab with Ignore server certificate errors enabled and the Export Fiddler Root Certificate to Desktop button]

Next, click on the Connections Tab
Click Allow remote computers to connect

Note: This is necessary because if you have your browser talk to Fiddler on the same host it will use a loopback/local connection and Wireshark will not be able to see the traffic between the browser and Fiddler. In order to decrypt the SSL traffic, Wireshark must be able to see the traffic between the browser and Fiddler. I accomplish this by having the browser connect to Fiddler from a different computer (the Client computer).
[Screenshot: Fiddler Options, Connections tab with Allow remote computers to connect selected]

Important Note: In order for Fiddler to accept incoming proxy requests from remote computers, you will need to exit out of Fiddler and then re-start it.

Warning – Once you have this setup, any SSL traffic on this computer will be decrypted with all information such as usernames and passwords visible in Fiddler. Make sure this system is only used for analyzing client SSL traffic and only where you have permission.

Set up the target web server:
Open up the Internet Explorer browser and navigate to the web server that needs to be analyzed:
I will use a test web server as an example:

[Screenshot: test web server opened in Internet Explorer on the proxy computer]

Now, go to the Local Certificate Management Console that you setup earlier.
You will need to hit F5 to refresh the console. After doing this, you should see a Certificates Folder under the Personal Folder for the Current User. In this folder, you should see a certificate for the web server you just went to. Notice that it is issued by Fiddler. Right click on this certificate and select All Tasks, Export…
Click Next, select Yes, Export the Private Key, disable strong protection, leave the password blank, and save the file on your desktop. I called it msappsrv-fiddler.pfx.

[Screenshot: Certificate Export Wizard exporting the Fiddler-issued server certificate with its private key]

Open a Command Prompt
Use the following sequence to extract the private key from the PFX file you just created. In this example, I use the msappsrv-fiddler.pfx file I just created.
Note: If the openssl binary is not in your path you will need to add it or specify the full path – e.g. c:\OpenSSL-Win32\bin\openssl …

Extract the private key from the PFX file:
openssl pkcs12 -in msappsrv-fiddler.pfx -nocerts -out msappsrv-fiddler.ekey
Note 1: The import password should be blank (just hit enter) – this assumes that when you exported the PFX file you didn’t enter a password
Note 2: When it asks for a PEM pass phrase you must enter a password or this won’t work. I use the password: secret
Decrypt the private key:
openssl rsa -in msappsrv-fiddler.ekey -out msappsrv-fiddler.ukey
Note: When it asks for the pass phrase enter the password you just used

Verify the results – the file should look similar to this:
type msappsrv-fiddler.ukey
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDMyzpyOm+xAR0lzc11JlXZgMQ9Parz6g/4X8Z+Ok/FaHvK4kez
(…)
/7BlxxDuLHhbytM3/Ba1A3VBjYxNqZeHkl3MJrmp2sS6cw==
-----END RSA PRIVATE KEY-----

Create a folder in the root of the C:\ drive called certs and move all the certificate, PFX, and key files to this directory.
Note: This is important - the SSL preferences in Wireshark cannot handle a space in the path. In Windows XP, the Desktop directory is located under “Documents and Settings” and so it will not work.

Open Wireshark
Click Edit, Preferences…
Click on the + box next to Protocols to open the list
Scroll down to and select SSL
For the RSA keys list, enter the following: Local (Proxy) System IP Address, SSL Port, Protocol, and Path to the unencrypted private key
In this example, the local system has an IP Address of 192.168.234.182, the SSL Port is 8888 (the proxy port for Fiddler), the protocol is http, and the path to the private key is c:\certs\msappsrv-fiddler.ukey
So in the RSA keys list I enter: 192.168.234.182,8888,http,c:\certs\msappsrv-fiddler.ukey
For the SSL debug file I use the same directory as the key: c:\certs\ssldebug.log
[Screenshot: Wireshark SSL protocol preferences with the RSA keys list and SSL debug file set]

As soon as you click OK, Wireshark will create the ssldebug log file. If you open it up you should see a successful key load:
From c:\certs\ssldebug.log:
ssl_init keys string:
192.168.234.182,443,http,c:\certs\msappsrv-fiddler.ukey
ssl_init found host entry 192.168.234.182,443,http,c:\certs\msappsrv-fiddler.ukey
ssl_init addr '192.168.234.182' port '443' filename 'c:\certs\msappsrv-fiddler.ukey' password(only for p12 file) '(null)'
Private key imported: KeyID F6:E5:EF:CE:66:A0:D3:62:1E:7C:7C:D3:FF:14:16:99:...
ssl_init private key file c:\certs\msappsrv-fiddler.ukey successfully loaded
association_add TCP port 443 protocol http handle 02E13BF0
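As an added check (example code written for this page, not part of the original post), the Python below validates an RSA keys list entry against the constraints given above (four comma-separated fields, no space in the key path, port equal to Fiddler's 8888) and reads a constructed ssldebug.log, modelled on the excerpt, to confirm the key loaded and was bound to the expected port. Note that the excerpt binds the key to TCP port 443 while the keys list entry uses 8888; the port comparison below flags exactly that kind of mismatch.

```python
import re

FIDDLER_PORT = 8888  # Fiddler's listening port, as used in this walkthrough

def check_rsa_keys_entry(entry: str, proxy_port: int = FIDDLER_PORT) -> list:
    """Validate one 'ip,port,protocol,path' entry for the Wireshark SSL RSA keys list.
    Returns a list of problems; an empty list means the entry looks usable."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 4:
        return ["expected four comma-separated fields: ip,port,protocol,path"]
    ip, port, proto, path = parts
    problems = []
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        problems.append(f"'{ip}' is not an IPv4 address")
    if not port.isdigit() or int(port) != proxy_port:
        problems.append(f"port '{port}' is not the proxy port {proxy_port}")
    if proto != "http":
        problems.append(f"protocol '{proto}' should be 'http' for proxied web traffic")
    if " " in path:
        problems.append("key path contains a space; Wireshark's SSL preference cannot handle it")
    return problems

def check_debug_log(debug_log: str, key_path: str, proxy_port: int = FIDDLER_PORT) -> list:
    """Confirm from the ssldebug.log text that the key loaded and was bound to the proxy port."""
    problems = []
    if f"private key file {key_path} successfully loaded" not in debug_log:
        problems.append(f"no successful load of {key_path} in the debug log")
    m = re.search(r"association_add TCP port (\d+)", debug_log)
    if m is None:
        problems.append("no association_add line; the key was not bound to any port")
    elif int(m.group(1)) != proxy_port:
        problems.append(f"key is bound to port {m.group(1)}, but the proxy listens on {proxy_port}")
    return problems

# Constructed sample modelled on the log excerpt in the text (note: port 443, not 8888).
SAMPLE_LOG = """ssl_init keys string:
192.168.234.182,443,http,c:\\certs\\msappsrv-fiddler.ukey
ssl_init private key file c:\\certs\\msappsrv-fiddler.ukey successfully loaded
association_add TCP port 443 protocol http handle 02E13BF0
"""

if __name__ == "__main__":
    print(check_rsa_keys_entry(r"192.168.234.182,8888,http,c:\certs\msappsrv-fiddler.ukey"))
    print(check_rsa_keys_entry(r"192.168.234.182,8888,http,c:\Documents and Settings\user\k.ukey"))
    print(check_debug_log(SAMPLE_LOG, r"c:\certs\msappsrv-fiddler.ukey"))
```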

Start a network capture on Wireshark on the correct interface.
Note: For prolonged network captures, consider using tshark or dumpcap instead. Also consider using a capture filter to limit the traffic to only what you are interested in.

Before moving on to the client computer I would like to explain why I am using two computers – why not do everything from the same computer? In short, because I couldn’t figure out how to get it to work! In Windows, you cannot capture network traffic that goes through the loopback (local) interface – at least not with WinPcap. In other words, if you have two processes communicating on the same computer, you need something else to capture the traffic between them.
Check out the following articles for additional discussion around this as well as alternatives:
http://wiki.wireshark.org/CaptureSetup/Loopback
http://www.hsc.fr/ressources/articles/win_net_srv/missing_loopback.html

While there are tricks and drivers you can install to get around this, the options seem to be somewhat impractical (IMHO) for general use or involve paid software.

On the Client Computer

Open the Internet Explorer Browser
Click Tools, Internet Options
Click on Connections Tab
Set up the browser to use the Proxy System
In this case I configure the proxy as 192.168.234.182
Fiddler listens on port 8888
[Screenshot: Internet Explorer LAN proxy settings pointing at 192.168.234.182 port 8888]

Copy the FiddlerRoot.cer file from the Proxy Computer to this computer. If you followed the directions, this should be in the C:\certs folder.

Open the Local Certificate Management Console that you setup earlier.
Open Certificates – Current User, Trusted Root Certification Authorities, Certificates
Right click in the Certificate Area on the right and choose All Tasks, Import…
Browse to the FiddlerRoot.cer file
For Certificate Store, make sure place all certificates in the following store is selected with Trusted Root Certification Authorities
Click Yes to the security warning:
[Screenshot: security warning when importing the Fiddler root certificate into Trusted Root Certification Authorities]

You should now see this certificate in your Personal Trusted Root Certification Authority Store

Warning – Once you have trusted this certificate and configured your browser to use the proxy computer, any SSL traffic on this computer can be decrypted, with all information such as usernames and passwords visible on the proxy computer. Make sure this is clearly understood by any users of this system. When you are done capturing traffic for network analysis, you should remove this certificate.

Open the Internet Explorer browser and navigate to the web site to be analyzed:
[Screenshot: the web site loads in Internet Explorer without certificate errors]

The site should come up with no errors.

If you see this, something is not configured correctly:
[Screenshot: Internet Explorer certificate error page]

You can verify that Fiddler is doing a man-in-the-middle analysis by looking at the certificate chain:
From Internet Explorer, click on the pad lock located on the right side of the address box and then click View certificates.
[Screenshot: padlock menu in the Internet Explorer address bar with View certificates]

In the Certificate dialogue box, select the Certification Path:
[Screenshot: Certification Path tab showing the site certificate chained to the Fiddler root]

When you start an analysis you should clear Internet Explorer’s cache:
Note: Depending on what you are looking at, you may also want to clear cookies, form data, and passwords.

[Screenshot: clearing the Internet Explorer cache via Delete Browsing History]

You should also clear the SSL cache from Internet Explorer. In order to analyze an SSL session, the full SSL handshake must be captured. If there is an existing SSL session that is re-used, Wireshark will be unable to decrypt the session (even with the private key).

[Screenshot: clearing the Internet Explorer SSL cache]

Finally, close all instances of Internet Explorer on the computer and launch a new instance for the troubleshooting session.
Now, browse to the web site in question and use it as desired noting the time when any problems occur. This is important to correlate the problem event with the corresponding traffic in Wireshark. When finished return to the proxy computer to analyze the SSL session.

Back On the Proxy Computer

Review the capture in Wireshark and verify that it successfully decrypted the SSL session.
You can filter by tcp.port==8888 to focus only on the proxied traffic.
Since the traffic is going to a non-standard port, you will need to highlight one of the frames going to Fiddler on port 8888. Right click on the frame, select Decode As… Make sure the Tab is on Transport, the port is set to 8888 and choose SSL:
[Screenshot: Wireshark Decode As dialog, Transport tab, port 8888 set to SSL]

In Wireshark, look for the following sequence to see if SSL decryption is working:

Working:
[Screenshot: Wireshark packet list showing the handshake followed by decrypted application data]

Not working:
[Screenshot: Wireshark packet list where the application data remains encrypted]

If it isn’t working, look at the first Client Hello frame in the capture:

Good:
[Screenshot: Client Hello with an empty Session ID]

Bad - won’t work:
[Screenshot: Client Hello carrying a Session ID]

If the first SSL Session in the capture has a Session ID, it means the client is resuming an SSL session and Wireshark won’t be able to decrypt it!
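To make the Good/Bad Client Hello distinction checkable without a screenshot, here is an added example (written for this page, not from the original post) that parses a TLS ClientHello record and reports whether the Session ID field is empty. The record bytes are constructed inline rather than taken from a capture; the `build_client_hello` helper exists only to produce those samples.

```python
import struct

def build_client_hello(session_id: bytes) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed sample, not a real capture)."""
    random32 = bytes(32)                   # zero client random keeps the sample deterministic
    suites = b"\x00\x2f\x00\x35"           # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
    body = (b"\x03\x01" + random32
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record type 22 = handshake

def parse_client_hello(record: bytes) -> dict:
    """Parse a ClientHello record up to its cipher suites; raises ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = body[34]                     # 2 bytes client_version + 32 bytes random precede it
    session_id = body[35:35 + sid_len]
    off = 35 + sid_len
    if off + 2 > len(body):
        raise ValueError("truncated cipher suite list")
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    cs_bytes = body[off + 2:off + 2 + cs_len]
    suites = [struct.unpack(">H", cs_bytes[i:i + 2])[0] for i in range(0, len(cs_bytes) - 1, 2)]
    return {"version": (body[0], body[1]), "session_id": session_id, "cipher_suites": suites}

def is_full_handshake(record: bytes) -> bool:
    """True when the client sends no Session ID, i.e. it is not trying to resume a session."""
    return len(parse_client_hello(record)["session_id"]) == 0

if __name__ == "__main__":
    good = build_client_hello(b"")                  # fresh session: Wireshark can decrypt with the key
    bad = build_client_hello(bytes(range(32)))      # resumption attempt: Wireshark cannot decrypt
    for name, rec in (("good", good), ("bad", bad)):
        info = parse_client_hello(rec)
        print(name, "session_id length:", len(info["session_id"]), "full handshake:", is_full_handshake(rec))
```

An RSA private key also only helps when the negotiated cipher suite uses RSA key exchange; the parsed cipher suite list lets you confirm that the client is offering such suites.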

When SSL decryption is working, you should also be able to see what’s going on behind the encryption:
Before decrypting:
[Screenshot: Wireshark showing only encrypted Application Data]

After decrypting:
[Screenshot: Wireshark showing the decrypted HTTP request and response]

I hope you find this useful!

Credits and References

First of all, I would like to thank Sak Blok. I could not have figured this out without his fantastic presentation on dealing with SSL in Wireshark:
http://www.cacetech.com/sharkfest.09/AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps
Next, one of the most knowledgeable people and instructors that I know of for Network Analysis is Laura Chappell. Her latest book on Wireshark, Wireshark Network Analysis is invaluable:
http://amzn.com/1893939995

For PKI, I found Brian Komar’s book both comprehensive and illuminating - Windows Server 2008 PKI and Certificate Security:
http://amzn.com/0735625166
Note – it also discusses general PKI and general Windows PKI including XP and up and 2003

For OpenSSL I have just googled the Web – if you have any recommendations on great books for this I would love to hear them.

For Fiddler, I only recently learned about this tool. It looks quite impressive but I am a novice at it. There are some resources on the web site – if you have any you’d recommend, please let me know.

Jim Small
jim dot small at mail dot com
