Use Wireshark to Decrypt HTTPS

It’s highly recommended that you take a look at this post if you are new to packet sniffing: Where to Capture Packets with Packet Analyzer on Network.

No matter whether you are a network application developer or a network administrator, you may need to debug or troubleshoot HTTPS, an encrypted network protocol. Wireshark is a powerful and useful troubleshooting tool. If the traffic is encrypted, however, the packets you capture are useless as they stand.

Encrypted HTTPS packets in Wireshark

Look at the figure above: the protocol column shows TLSv1 and the application data is encrypted, so we can’t tell a thing from it. Wireshark is able to use the server’s private key to decrypt the packets, so we first need to obtain the private key from the server. Note that the private key lives on the server, not on the client machine (even if you know where to find the certificate in a browser, the private key is not there). So don’t think you can use a client’s private key to break a server’s encryption. Let’s see how to get the private key from the server.

Step 1. Export private key

Open IIS Manager > right-click website > Properties > Directory Security > View Certificate

Export private key from IIS Manager

Open Details tab > Copy to File > Choose Yes, export the private key

Export private key from IIS Manager

Choose Personal Information Exchange – PKCS #12 (.PFX) with all three options below unchecked

Export private key from IIS Manager

You are required to set a password to protect the private key; this screen can’t be skipped.

Export private key from IIS Manager

Specify a location and a file name to save the file (note that the extension is .pfx).

Export private key from IIS Manager

Done; the .pfx file is what we want.

Step 2. Extract the private key from .pfx to .pem

To extract the private key we need a tool, OpenSSL, an open-source toolkit implementing the SSL and TLS v1 protocols. Download OpenSSL, then use the command below to extract the private key.

openssl pkcs12 -in test.pfx -nocerts -out privateKey.pem -nodes

This command reads test.pfx and writes the private key to a new file in .pem format; the -nodes option leaves the extracted key unencrypted, which is the form Wireshark expects. During extraction you need to enter the password you set in Step 1.

Step 3. Load the private key to Wireshark

Run Wireshark > Edit > Preferences > Protocols > SSL

Load private key on Wireshark

In the RSA keys list, enter the line below:

10.88.229.196,443,http,C:\privateKey.pem

  • 10.88.229.196: the server IP address
  • 443: the HTTPS port number
  • http: the protocol the decrypted payload should be dissected as
  • C:\privateKey.pem: the private key extracted in Step 2

Once you click OK, you’ll see the change: in Wireshark the TLSv1 packets are now decrypted and shown as HTTP.
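The following script is an added example, not part of the original post: it reproduces Step 2 on a throwaway self-signed certificate (standing in for the IIS export), checks that the extracted key is an RSA key matching the certificate, and prints the RSA keys list entry from Step 3. It assumes OpenSSL is on PATH; the password, server IP and file paths are constructed placeholders. The check matters because Wireshark’s RSA keys list only decrypts sessions that use RSA key exchange with that key; a wrong or mismatched key leaves the traffic encrypted with no error.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL is on PATH.
set -e

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="ExamplePfxPassword1"    # constructed; stands in for the Step 1 password

# Build a throwaway RSA server key + self-signed cert and bundle them as .pfx.
# This stands in for the file IIS exports in Step 1; it is not a real server key.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=test.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -out "$WORK/test.pfx" -passout "pass:$PFX_PASS"
}

# Step 2 from the post: pull the private key out of the .pfx.
# -nocerts drops the certificate, -nodes leaves the key unencrypted,
# -passin supplies the Step 1 password non-interactively.
extract_key() {
  openssl pkcs12 -in "$WORK/test.pfx" -nocerts -nodes \
    -passin "pass:$PFX_PASS" -out "$WORK/privateKey.pem" 2>/dev/null
}

# Sanity checks before touching Wireshark: the key must be RSA (the keys list
# only decrypts RSA key exchange) and its public half must match the server
# certificate, otherwise Wireshark silently leaves the traffic encrypted.
verify_key() {
  openssl rsa -in "$WORK/privateKey.pem" -check -noout >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/privateKey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 3 from the post: one RSA keys list line is "<ip>,<port>,<protocol>,<keyfile>".
keys_list_entry() {
  printf '%s,%s,%s,%s\n' "$1" "$2" "$3" "$WORK/privateKey.pem"
}

make_test_pfx
extract_key
verify_key
keys_list_entry 192.0.2.10 443 http   # 192.0.2.10 is a constructed server address
```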

HTTPS packets decrypted on Wireshark