i havent touched cybersecurity in over a year but bet your ass stumbling on this video made me turn my PC back on, thank you for the insanely ez lesson
A really interesting video indeed!...Learnt many new things....Could you make a video to learn how I can capture and decrypt my smartphone's browsing traffic using wireshark?(Both connected to the same networks)
Fantastic guide! I don't normally comment, but you need to know that you are doing fantastic work! I am experiencing Wireshark for the very first time in a CTF and this was clear, informative, and helpful!
Thank you for this video Chris, I was following the WCNA study guide book but got stuck when I didnt see what's in the book(HTTP). I realised the time gap between the date of book publishing and the current version of wireshark. So switched my trail to 443 and TLS. This video helped me decrypt my session.
Remarkably excellent delivery style. Super efficient clarity. Nothing superfluous. Conceptual through point and click guidance. Compellingly engaging with constant forward quick-step momentum. Not too loud not soft spoken. Knowledgeable, conservative, passionate, trustworthy source. Technoratically enjoyable. First video I watched on this channel. Heading to check your other content for more of the same. Thank you!
Im so confused. The file that you gave wireshark is completely different from the sslkeylog file that you made earlier. How did you create the file that you gave wireshark?
Hey Josh - I probably had to recreate it and share a different one. However the pcap and syslog you get in the link go together and the rest of the video steps are the same.
Hi Chris D - Thanks for the comment. Actually I had considered setting something like that up but wasn't sure if anyone would actually do it! I appreciate the suggestion and will definitely look into it.
Hi Chris, so sorry, after I tried to save the SSL Key log file, I cannot find the file at all, for some reason. I am the administrator but I just cannot find it. Is there anything I must do? Thanks!
Hello DataSkull - we would need to see if the app will locally store the TLS keys. As you saw in the video, chrome will do it in an environment variable, but that may not be the case for the application you are trying to decrypt. You have to dig into it and see if the app will store them.
Hey Chris really great video it helped me a lot but I just wanna mention that, I don't know for some reason but sslkeylog doesn't store every ssl log, it does stores majority of them but not every, soo I came across some proxy servers like charles which stores every ssl but don't know how to set it up on windows to work perfectly. Please make a video about charles or any other proxy server you recommend to decrypt fully...... Thanks
Great video! I have a few questions. 1. How are attackers able to decrypt https? Are they able to get this log file somehow? 2. Where are the session keys stored before you set this environment variable, just in memory? 3. If you had a computer disk image and a pcap of that computers traffic could you extract session keys from the image to decrypt the https traffic?
Hi Chris, thanks for this one really learnt a lot here. In saying that I've been seeing more of Application Layer Encryption lately, so in theory if you encrypt at the application level before hitting the pipe and encrypt using TLS, would you be able to get to the cleartext?
For sure! I will be doing more content around QUIC and H3 as things continue to develop. Thank you for the comment. I the meantime check out my QUIC decryption video here - ua-cam.com/video/QRRHA_5hS2c/v-deo.html
I have gotten it to work with Firefox and chrome. I have heard it works with edge but have not tried it for myself. All others, a ton to try… I guess it just depends on the api
Is there a way to do this for non-web browser traffic? For example, I am trying to decrypt commands and responses with racadm in powershell but the keys don't appear in the log.
You would need send all traffic through a man-in-the-middle device on the network, or you could install an agent on the server that will capture them. Either way, it's designed to be hard to get the keys...
@@ChrisGreer isn’t that man in the middle attack / ARP Poisoning doens’t catch the key? please make a video how to get the keys via man in the middle attack sir.
Thanks, Chris I really appreciate you making videos. Taking the help of your videos I was able to help my colleagues and solve infrastructure problems. Keep making the good stuff as you explain the stuff in quite simple terms.
Hey thanks for sharing this cool looking video curiosity question after you decrypt the traffic files and you go to open it in a browser and it says that the content isn't available or if the site was taken down or can the content still be viewed?
Hi Chris, I have a IOT device connected to AWS. I have all certicates... is it possible to decrypt the communication using wireshark? My IOT device is connected to an access point. Actually, I have a switch that I can route all the traffic to the PC but all packets are encrypted. So, I'd like to see the packet contents. Thanks a lot!
I followed all the steps as explained by you, but I'm still unable to log the ssl keys into my local directory. May I know why that maybe happening? The file is empty , that is, no keys are logged into it.
Hmm... weird. That is frustrating. Ok maybe something changed with an update. I'd suggest trying Firefox. If that doesn't work - I've been able to get it working pretty reliably with Kali Linux and Chrome. I demonstrate that here -ua-cam.com/video/QRRHA_5hS2c/v-deo.html
@@ChrisGreer So from a hackers perspective in todays day and age, I imagine the flow is something like this: 1. compromise endhost through zero day or unpatched vulnerability 2.create a reverse tcp shell via proxy chaining on proxy's that dont log user data (or TOR) 3.setup the log environmental variable in OS (congrats you have modified a system that's not yours and have now officially committed a crime, though I guess the reverse tcp shell could be argue as the stage when that happens) 4. discretely capture network traffic, and discretely transfer data back (no idea how that's done) 5. look for PII/PCI decrypted data 6. Clear traces of you being there... also not really sure how they would do that. Probably clear a bunch of internal log files. I know this comment puts you in a precarious situation, because how do you teach content and answer questions without indirectly possibly helping a hacker, but as a company network engineer I still dont understand how hackers pull of what they do. Is it just a matter of hiding in plane sight and due to the sheer amount of data that goes across the wire, you are hoping nobody notices?
It works with Chrome, Firefox, and some chromium based browsers. I am not much of an Edge user so I haven't tried it myself, and I understand Safari in the Mac environment isn't too happy with this variable either.
I have a question... If I'm using a wifi adapter that's in monitor mode, and passively sniffing the other devices on my home network... Is there any methods for decrypting other clients on the same network? Other clients meaning , if I'm on my laptop and I want to see what's going on with my Android on the same network, what methods (if any) are there to decrypt the androids traffic?
That is a great question. In theory, you could do a man in the middle attack and intercept their traffic. You can capture it is a passive listener on WiFi, but with the additional layer 1/2 encryption for WiFi (WPA2 for example) it adds another level of complexity. I have never done it.
@@ChrisGreer Thanks for the reply! My mind was going into that direction but wasn't sure if there were other ways/methods. Looking forward to more content as well. Since I'm a newer viewer, I dont know the extent of your expertise. But would love to see some cyber security / forensic stuff as that's what I'm currently studying for an associates degree. I see alot of the attacking and vulnerability side, but would like to see more content on defensive and forensic analysis.
Thanks as always Chris... really useful 🙏
My pleasure! Thanks for the comment Ganesh!
Even after all the experience I have with IT security/forensics, I’m still learning something new every day.
Amen to that Christopher! I feel the same. I learn something with every pcap I open.
You will always learn something more in technology
'Packet heads' cracked me up. Thanks for the vid!
Glad you liked it! Hey every department needs a Packet Head.
i havent touched cybersecurity in over a year but bet your ass stumbling on this video made me turn my PC back on, thank you for the insanely ez lesson
Awesome!
A really interesting video indeed!...Learnt many new things....Could you make a video to learn how I can capture and decrypt my smartphone's browsing traffic using wireshark?(Both connected to the same networks)
Chris is a gem...I have learned so much from him over the years, especially on Pluralsight.
Thank you!
I just experimented with this in a ucertify virtual lab I had open for a class assignment, and it was super easy and fun. Thank you for showing this !
Great job! Thanks for the feedback!
Nice to read online that this method apparently works the same with the Firefox web browser :D
Glad you did the Collab with Bombal so I could find your content!
I am beyond honored that he wanted to interview me on his channel. Great to have you here!
🔴 Important note the variable name is "SSLKEYLOGFILE" not "SSLKEYLOG" as in the description
Thank you for sharing! Now I can understand ssl/tls handshake clearly and how https works. Love it and Subscribed.
Thanks for the comment!
finally... a video that works. I can't thank you enough dad.
Fantastic guide! I don't normally comment, but you need to know that you are doing fantastic work! I am experiencing Wireshark for the very first time in a CTF and this was clear, informative, and helpful!
Thank you for the comment! I really appreciate the feedback.
Thank you for this video Chris, I was following the WCNA study guide book but got stuck when I didnt see what's in the book(HTTP). I realised the time gap between the date of book publishing and the current version of wireshark. So switched my trail to 443 and TLS. This video helped me decrypt my session.
Great Samuel! Glad to hear that it helped. I'll get some more TLS 1.3 stuff out there soon.
Remarkably excellent delivery style. Super efficient clarity. Nothing superfluous. Conceptual through point and click guidance. Compellingly engaging with constant forward quick-step momentum. Not too loud not soft spoken. Knowledgeable, conservative, passionate, trustworthy source. Technoratically enjoyable. First video I watched on this channel. Heading to check your other content for more of the same. Thank you!
Thank you for watching and commenting Alexander!
Nice video. Could you do an other video decrypting UDP traffic 🙏 it will help us a lot, thanks
Don't tell me this isn't the same guy as Darknet Diaries. The voice is IDENTICAL.
When I saw you change a hat I knew this lesson would be outstanding
Thanks you for your great job. I try it and all it works fine!
it means we can decrypt any password even if it uses https protocol ?
Can somebody help me?
I am not able to capture the log file even though I created an environment variable with the ssl.log in the end.
Just restart the computer. It should work.
how did u get that SYSLOG file in the beginning?
Thanks Chris. Would you mind sharing the process of path variable for log file in Kali Linux and MAC OS ?
Thanks, Chris.
Thanks a lot
Most welcome
Thank you for this. It was kicking my ass.
You're a God amongst men sir. Thank you
How do I enable Packet Reassembly and Uncompressed Entity Body?
too cool for a dev, thanks
can you please create a video for decrypting tls traffic in wireshark using private key file
Мужик,лайк тебе ставлю,полезно очень 👍
Im so confused. The file that you gave wireshark is completely different from the sslkeylog file that you made earlier. How did you create the file that you gave wireshark?
Hey Josh - I probably had to recreate it and share a different one. However the pcap and syslog you get in the link go together and the rest of the video steps are the same.
You explain so much more clearly and succinctly than my packet analysis instructor. This is great! Thank you.
Glad it was helpful!
Great video, please keep sharing more
Thanks for the comment! Working on more content and I'll get it out there.
That’s really interesting!
Thank you Chris!
Please you build on video about how to using the wireshark in windows 10
Thanks Chris. I like your passion when explan all of this. 🤗
Thanks again Di. I appreciate the feedback.
Learn it by heart -- By order of the peaky blinders
Very nice video, TNX.
Thanks!
Why did you not select the log file from the path you created in the system variable?
🤦🏻♀️
You have some really great content on your Channel. You should start accepting BAT's so we can tip you!
Hi Chris D - Thanks for the comment. Actually I had considered setting something like that up but wasn't sure if anyone would actually do it! I appreciate the suggestion and will definitely look into it.
Cool, thank you!
thanks for the comment Alex!
Chris, as always you are the man.
@Bill Proctor - Great to see you here Bill! Hope all is well on your end.
@@ChrisGreer absolutely. Just looking forward to being able to travel again for work. Hope to hang out with you sometime soon!
@@grendal1974 That would be awesome Bill! Let's chat sometime here soon.
Thank you Sir :)
Most welcome!
Hi Chris, so sorry, after I tried to save the SSL Key log file, I cannot find the file at all, for some reason. I am the administrator but I just cannot find it. Is there anything I must do? Thanks!
about session keys how i could fix that on mac os?
Awesome videos. Thank you
Thanks, Chris. This video helps me a lot.
Dear Sir wonderful , How do I decrypt Windows desktop application traffic using wireshark , the desktop app use TLS1.2 and Websocket for communication
Hello DataSkull - we would need to see if the app will locally store the TLS keys. As you saw in the video, chrome will do it in an environment variable, but that may not be the case for the application you are trying to decrypt. You have to dig into it and see if the app will store them.
Same issue here looks like better to go with a proxy server
Interesting. Great video. I am puzzled by 2 files in this video. Are the "sslkeylog.log" and "DecryptTraffic_Wireshark.log" the same file?
I'm also wondering this - did you find this out?
Yes anyone?
i noticed that too, and now i am confused
I'm loading the file to Wireshark, but some reason the decryption is not working. I'm using a windows machine.
Excellent
Thanks doug!
Best as always.
Glad you think so!
I would love a video on how to read important info of encrypted data without decrypting it
That is a great skill - because in the real world, most of the troubleshooting I do is without the decryption keys.
@@ChrisGreer I'd love to learn that skill....
Really wish you could make a video on that...
I'll truly appreciate 💜
Hai Chris, how about desktop App not browser, how do we generate that log file?
Amazing Chris :)
Thanks!
My pleasure!
Hey Chris really great video it helped me a lot but I just wanna mention that, I don't know for some reason but sslkeylog doesn't store every ssl log, it does stores majority of them but not every, soo I came across some proxy servers like charles which stores every ssl but don't know how to set it up on windows to work perfectly. Please make a video about charles or any other proxy server you recommend to decrypt fully...... Thanks
Thanks for the feedback Jack - I would need to figure out how to reproduce that in order to tshoot on my end.
Great video! I have a few questions.
1. How are attackers able to decrypt https? Are they able to get this log file somehow?
2. Where are the session keys stored before you set this environment variable, just in memory?
3. If you had a computer disk image and a pcap of that computers traffic could you extract session keys from the image to decrypt the https traffic?
Hello, was wondering if the decryption could be done using a MITM, for instance the MITM proxy...Would be great to see that happen!!! Ty
Hey, thanks for the comment. I'll see if I can get it working... (or breaking, depending on how you look at it!)
This is some great stuff, keep going.
Thanks!
Thank you, Chris, for such a great educational video)
Hi Chris, thanks for this one really learnt a lot here. In saying that I've been seeing more of Application Layer Encryption lately, so in theory if you encrypt at the application level before hitting the pipe and encrypt using TLS, would you be able to get to the cleartext?
Great video and example, thanks for what you do
Thanks for the comment!
Great information 🙂
Please do some video on HTTP3 and its benifits...
Found this channel after watching your colab on David's channel...
Thank you 😊
For sure! I will be doing more content around QUIC and H3 as things continue to develop. Thank you for the comment. I the meantime check out my QUIC decryption video here - ua-cam.com/video/QRRHA_5hS2c/v-deo.html
Gracias por compartir toda esta información.!!
Un placer!
Thank you so much sir for this wonderful video and it is helpful for us.
Thanks for the comment Tin!
Is the SSLKEYLOGFILE env variable only used by chrome? Or system wide for anything using SSL?
I have gotten it to work with Firefox and chrome. I have heard it works with edge but have not tried it for myself. All others, a ton to try… I guess it just depends on the api
Thank you very much Chris 🙏🏻
You are very welcome
Unable to see the keylog file generated in windows. Any additional steps to be followed
Make sure that you restart chrome completely after setting up the environment variable. Also - if that doesn't work, give it a shot with Firefox.
how would i apply this to a app
great video. can we decrypt request manually by extracting public certificate of website ?
Thank you so much man. Excellent explanation.
Is there a way to do this for non-web browser traffic? For example, I am trying to decrypt commands and responses with racadm in powershell but the keys don't appear in the log.
Hey Greg - I have only tried this with Chrome and Firefox. It would def take some more digging to learn where/how/if other API's store the keys.
thankyou for sharing, but how we can get the tls key without touching the victim pc / laptop?
You would need send all traffic through a man-in-the-middle device on the network, or you could install an agent on the server that will capture them. Either way, it's designed to be hard to get the keys...
@@ChrisGreer isn’t that man in the middle attack / ARP Poisoning doens’t catch the key? please make a video how to get the keys via man in the middle attack sir.
Thanks grish its really nice and helpful
Great tutorial
Thanks Ginadi. Stick around for more around TLS.
Wait so can I store the keys wherever or does it need to be that specific user address?
How to get the bottom filters?
❤❤It works 💯% dude I don't have a words u are really great!
Thanks, Chris I really appreciate you making videos. Taking the help of your videos I was able to help my colleagues and solve infrastructure problems. Keep making the good stuff as you explain the stuff in quite simple terms.
Nice! That is great Prateek - glad to hear that the videos helped you. More to come!
Hey love the video, how can this be done if I'm not using either chrome or firefox?
Hey thanks for sharing this cool looking video curiosity question after you decrypt the traffic files and you go to open it in a browser and it says that the content isn't available or if the site was taken down or can the content still be viewed?
Brilliant!
Thanks Greer, very useful
hi I'm from Indonesia ❤️
sir, I have tls.pcap packet , how can i decrypt SIP/TLS v1.2 to see RTP ??
Note that
TLS encrypt by CA ?
Hi Chris, I have a IOT device connected to AWS. I have all certicates... is it possible to decrypt the communication using wireshark? My IOT device is connected to an access point. Actually, I have a switch that I can route all the traffic to the PC but all packets are encrypted. So, I'd like to see the packet contents. Thanks a lot!
Hey Chris, what about other TLS traffic which is not made from any browser? Thanks
I've only been able to get it to work with Chrome and Firefox, I haven't tried to store them from any one app.
Where the f is the pre master secret log filename came from? that's not in the environmental variables you made right?
Hola, saludos desde Argentina 😃
I followed all the steps as explained by you, but I'm still unable to log the ssl keys into my local directory. May I know why that maybe happening? The file is empty , that is, no keys are logged into it.
Hmm... weird. That is frustrating. Ok maybe something changed with an update. I'd suggest trying Firefox. If that doesn't work - I've been able to get it working pretty reliably with Kali Linux and Chrome. I demonstrate that here -ua-cam.com/video/QRRHA_5hS2c/v-deo.html
sir can it also decrypt the traffic of insta ,tele, twitter like websites ?
I haven't tried it with mobile apps yet. But if they store the keys to the keylog, then in theory... yes!
Great video!
Thanks! Appreciate the comment.
hi, do you know if there is a way to decrypt https when it isn't from the browser, meaning it doesn't get logged to a key file?
Probably - I'd have to tinker with a specific app or implementation, but I imagine if you dig deep enough in the code there is a way to do it.
@@ChrisGreer So from a hackers perspective in todays day and age, I imagine the flow is something like this:
1. compromise endhost through zero day or unpatched vulnerability
2.create a reverse tcp shell via proxy chaining on proxy's that dont log user data (or TOR)
3.setup the log environmental variable in OS (congrats you have modified a system that's not yours and have now officially committed a crime, though I guess the reverse tcp shell could be argue as the stage when that happens)
4. discretely capture network traffic, and discretely transfer data back (no idea how that's done)
5. look for PII/PCI decrypted data
6. Clear traces of you being there... also not really sure how they would do that. Probably clear a bunch of internal log files.
I know this comment puts you in a precarious situation, because how do you teach content and answer questions without indirectly possibly helping a hacker, but as a company network engineer I still dont understand how hackers pull of what they do. Is it just a matter of hiding in plane sight and due to the sheer amount of data that goes across the wire, you are hoping nobody notices?
@@adammason1587 Very interesting, to transfer the data back in thinking you could do a loopback but that could be traced.
Fiddler is good for this 😁
How! Explain please
Am i supposed to take that log file i d/l and drop it in SSL Keys folder or will system automatically create one for me?
You should have to create that folder but the system will create the log.
Does this only work with Chrome? Or will it log keys from windows update and other OS calls?
Great vid, thanks!
Thanks for the comment! I really appreciate the feedback.
@@ChrisGreer didn't know it was that easy. I guess the environment variable you added in the beginning is Chrome specific?
It works with Chrome, Firefox, and some chromium based browsers. I am not much of an Edge user so I haven't tried it myself, and I understand Safari in the Mac environment isn't too happy with this variable either.
Very useful, how we can do it on linux with mitm? Hope to see this in the next video
I have a question... If I'm using a wifi adapter that's in monitor mode, and passively sniffing the other devices on my home network... Is there any methods for decrypting other clients on the same network? Other clients meaning , if I'm on my laptop and I want to see what's going on with my Android on the same network, what methods (if any) are there to decrypt the androids traffic?
That is a great question. In theory, you could do a man in the middle attack and intercept their traffic. You can capture it is a passive listener on WiFi, but with the additional layer 1/2 encryption for WiFi (WPA2 for example) it adds another level of complexity. I have never done it.
@@ChrisGreer Thanks for the reply! My mind was going into that direction but wasn't sure if there were other ways/methods. Looking forward to more content as well. Since I'm a newer viewer, I dont know the extent of your expertise. But would love to see some cyber security / forensic stuff as that's what I'm currently studying for an associates degree. I see alot of the attacking and vulnerability side, but would like to see more content on defensive and forensic analysis.