Generate PCAP with SSLKEYLOGFILE instead of a CA #399
Comments
Hello, there seems to be some confusion here: the SSLKEYLOGFILE is only needed to store and then retrieve the decryption keys, whereas installing a CA into the device to intercept is needed to make the system accept the mitm certificate, so they are different things. mitmproxy, which PCAPdroid-mitm uses, should already support TLS 1.3. Maybe you are facing a different protection of the app, e.g. certificate pinning. Check out https://emanuele-f.github.io/PCAPdroid/tls_decryption#34-caveats-and-possible-solutions for more details
No confusion really, a lot of companies now don't allow other CAs outside their own. I was looking at the document you sent and it might help with that, so I will check further.
Maybe this will help
No, I already use the pcapng format
So this is certificate pinning. You have to work around it yourself; it's not a problem of PCAPdroid.
But it's more a request to ONLY log SSLKEYLOGFILE as a secondary option and not have to use a CA. If that makes sense, is that possible? Or does the CA need to exist to be able to create an SSLKEYLOGFILE on Android?
Do you understand what certificate pinning is?
It can be anything depending on the implementation of a particular application. Even, for example, cryptography on raw sockets.
Yeah, I get that cert pinning allows you to bypass MITM, or I guess also add the CA to the app. I am not great when it comes to Android, but on other OSes you can dump the SSLKEYLOGFILE and already see a lot of fun stuff, so I was hoping maybe Android could do the same.
This is the answer to the question "why is it needed?" and not "what is it?" ;)
Are you sure it's the operating system and not the specific implementation inside the program? ;)
It's in the program, I know, but I figured some programs implement this as default.
Oh, maybe I can see what you mean. The interception could be performed at a lower layer, by hooking the system calls without installing the CA certificate. In this case, the tool that you use to do this job generates an SSLKEYLOGFILE with the session keys, which can be used to decrypt the pcap file. This job does not look like something PCAPdroid should do; you should instead rely on specific tools that provide this capability. What we could do in PCAPdroid is to integrate with such tools to show live decrypted data, so that they can send the keylog to PCAPdroid-mitm and then decrypt the connections. However, this is just theory; we should check how such tools work and if it's feasible. In any case, we need someone who is accustomed to such tools to advise on this.
By the way, you once mentioned your community in Telegram. Here's an easy way to check his level.
I wanted to add that SSLKEYLOGFILE is a well-known OS environment variable within the 3 OSes mentioned (Windows, Mac, Linux); you don't need root/admin access on these OSes to adjust the variable, a user can dump their keys. So you don't need Wireshark for the variable to work in those cases, but from an OS/GUI standpoint Wireshark is the most user-friendly way to then use the keys to decrypt and see packet data. I have noticed the application does choose if it wants to make use of the variable; most browsers do support it by default in the mentioned OSes though.
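Added example (Python; not PCAPdroid, mitmproxy or F5 code) for the two comments above, on how a key log decrypts a capture: a parser for the NSS key log format that SSLKEYLOGFILE produces, which joins each entry to a TLS session by the 32-byte client random carried in the ClientHello and tells the TLS 1.2 CLIENT_RANDOM entries apart from the per-direction TLS 1.3 secrets. The key log lines and the ClientHello record are constructed sample data, not captured traffic.

```python
"""Parse an NSS-format SSLKEYLOGFILE and match entries to a ClientHello's random.
Added example, not PCAPdroid or mitmproxy code; sample data below is constructed."""
from collections import defaultdict

TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; comments and bad lines are skipped."""
    index = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 3:
            continue
        label, client_random, secret = parts
        if label not in TLS12_LABELS | TLS13_LABELS or len(client_random) != 64:
            continue  # the 32-byte client random must be exactly 64 hex chars
        index[client_random.lower()][label] = secret.lower()
    return dict(index)

def client_random_from_record(record):
    """Extract the 32-byte random from a TLS record that carries a ClientHello."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3);
    # then legacy_version(2) and random(32), so the random occupies bytes 11..42
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return record[11:43].hex()

def tls_version_of(secrets):
    """Which TLS generation a key log entry decrypts: 1.3 logs per-direction secrets."""
    if secrets.keys() & TLS13_LABELS:
        return "1.3"
    return "1.2" if "CLIENT_RANDOM" in secrets else "unknown"

def lookup(keylog_text, record):
    """Secrets for the session whose ClientHello is in `record`, or None if not logged."""
    return parse_keylog(keylog_text).get(client_random_from_record(record))

# --- constructed sample data ---
RANDOM = bytes(range(32))
SAMPLE_KEYLOG = f"""# constructed sample key log
CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM.hex()} {'11' * 48}
SERVER_TRAFFIC_SECRET_0 {RANDOM.hex()} {'22' * 48}
CLIENT_RANDOM {'ab' * 32} {'33' * 48}
"""
# record header (38-byte payload) + handshake header (34-byte body) + legacy version + random
SAMPLE_RECORD = (b"\x16\x03\x01\x00\x26" + b"\x01\x00\x00\x22" + b"\x03\x03" + RANDOM)
```

Wireshark performs the same client-random matching when the file is supplied via its tls.keylog_file preference; a session whose random has no entry in the log is the usual reason a capture stays encrypted.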
Or is it also a fantasy :)
Works, been tested by yours truly on all OSes mentioned. On Android, that's where I was hoping to see if you guys can figure out how to get the same.
So you're taking the browser Lynx (https://lynx.browser.org/) or Luakit (https://luakit.github.io/) and the keys are still stored there?
No, as mentioned it's an OS variable; they are dumped in the filesystem then imported into Wireshark. Here's a how-to for all OSes, credits F5:
If you are talking about Chrome or Firefox then they have built-in support for this environment variable :)
Aaah ok, makes sense. If somehow these keys could be dumped I guess that + capturing the packets and you're golden, but I guess that's the challenge here. This started off with me creating a firewall + squid proxy and ended me here :) Thanks for the input, it's been very helpful
Wait, I might have an option in Squid, this might work.
Probably. That's what the proxy is for :)
CA was great for MITM, but the new way to decrypt TLS 1.3 is your SSLKEYLOGFILE, and now that all devices/servers do TLS 1.3 as standard, MITM seems to have stopped working.
Is it possible to enable decryption without the CA and only using the SSLKEYLOGFILE?