It’s highly recommended that you take a look at this post if you are new to packet sniffing: Where to Capture Packets with Packet Analyzer on Network.
Whether you are a network application developer or a network administrator, you may need to debug or troubleshoot HTTPS, an encrypted network protocol. Wireshark is a powerful and useful troubleshooting tool, but if the traffic is encrypted, the packets you captured are useless on their own.
Look at the figure above: the protocol is TLSv1 and the application data is encrypted. We can’t tell a thing from the encrypted data. Wireshark is able to use the server’s private key to decrypt the packets. To decrypt them, we first need to get the private key from the server. Note that the private key is on the server, not on the client machine (you should know where to find the certificate in a browser). So don’t think you can use a client private key to hack a server’s encryption. Let’s see how to get the private key from the server.
Step 1. Export private key
Open IIS Manager > right-click website > Properties > Directory Security > View Certificate
Open Details tab > Copy to File > Choose Yes, export the private key
Choose Personal Information Exchange – PKCS #12 (.PFX), with all three options below it unchecked
You are required to set a password to protect the private key; this screen can’t be skipped.
Specify a location and a file name to save the file (note that the extension is .pfx)
Done, the .pfx file is what we want.
Step 2. Extract the private key from .pfx to .pem
To extract the private key, we need a tool: OpenSSL, an open source toolkit implementing the SSL and TLS v1 protocols. Download OpenSSL, then use the command below to extract the private key.
openssl pkcs12 -in test.pfx -nocerts -out privateKey.pem -nodes
This command reads test.pfx and writes the private key to a new file in .pem format. During extraction, you need to enter the password you set in Step 1.
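To see the whole of Step 2 end to end without touching a production server, here is an added example (not part of the original post) that builds a throwaway .pfx in place of the IIS export, runs the post’s extraction command with the password supplied non-interactively, and then checks that the resulting .pem is unencrypted and really belongs to the certificate. It assumes the openssl CLI is on PATH; the file names, the subject name and the password export-pw are constructed for the demo.

```shell
#!/bin/sh
# Added example: round-trip a throwaway RSA key through PKCS#12 the way the
# post does, then prove the extracted .pem is the server's key.
# Assumes the openssl CLI is on PATH; names and the password are constructed.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_test_pfx() {
  # Constructed stand-in for the IIS export: a self-signed RSA certificate and
  # key, packed into test.pfx and protected with the password the wizard demands.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
      -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$work/server.key" -in "$work/server.crt" \
      -out "$work/test.pfx" -passout pass:'export-pw'
}

extract_private_key() {
  # The post's command, with the import password passed on the command line.
  # -nocerts drops the certificate; -nodes leaves the key unencrypted so that
  # Wireshark can load it without a passphrase.
  openssl pkcs12 -in "$1" -nocerts -nodes -out "$2" -passin pass:'export-pw' 2>/dev/null
}

pem_is_unencrypted() {
  # Wireshark's RSA keys list wants a plain PEM private key, not an ENCRYPTED one.
  grep -q 'BEGIN PRIVATE KEY' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

verify_key_matches_cert() {
  # A key only decrypts traffic for the certificate it belongs to: run
  # OpenSSL's consistency check, then compare the RSA modulus of key and cert.
  openssl rsa -in "$1" -check -noout >/dev/null 2>&1 || return 1
  k=$(openssl rsa -in "$1" -noout -modulus)
  c=$(openssl x509 -in "$2" -noout -modulus)
  [ "$k" = "$c" ]
}

run_demo() {
  make_test_pfx
  extract_private_key "$work/test.pfx" "$work/privateKey.pem"
  pem_is_unencrypted "$work/privateKey.pem" &&
    verify_key_matches_cert "$work/privateKey.pem" "$work/server.crt"
}

run_demo && echo "privateKey.pem matches server.crt and is ready for Wireshark"
```

The modulus comparison is the check worth keeping: if the .pem you point Wireshark at was exported from a different site binding than the one you captured, the moduli differ and decryption silently fails.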
Step 3. Load the private key to Wireshark
Run Wireshark > Edit > Preferences > Protocols > SSL
In the RSA keys list, enter the entry below, made up of these values:
- 10.88.229.196: the server IP address
- 443: HTTPS port number
- HTTP: the target protocol you want to decrypt the packets to.
- C:\privateKey.pem: the private key extracted in step 2.
Once you click OK, you’ll see the change: in Wireshark, the TLSv1 packets are now decrypted to HTTP.
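The RSA keys list only works when the session was negotiated with plain RSA key exchange, because that is the only case in which the server’s private key can recover the pre-master secret; DHE/ECDHE suites derive the session key from an ephemeral exchange the key never touches. As an added example (not from the original post), the script below takes the cipher suite name that Wireshark shows in the Server Hello and asks OpenSSL’s cipher table whether its key exchange is RSA. It assumes an openssl CLI of version 1.1.1 or newer (for the -stdname option) is on PATH; the three suite names at the bottom are a constructed sample.

```shell
#!/bin/sh
# Added example: decide whether a negotiated cipher suite can be decrypted
# with the server's RSA private key at all. Wireshark shows the suite's IANA
# name in the Server Hello; OpenSSL's cipher table gives its key-exchange type.
# Assumes openssl 1.1.1+ on PATH (needed for -stdname).

suite_key_exchange() {
  # Print the Kx= value for an IANA suite name such as TLS_RSA_WITH_AES_128_CBC_SHA.
  # -stdname prefixes each line with the IANA name, so $1 is the name to match.
  openssl ciphers -v -stdname 'ALL:COMPLEMENTOFALL' 2>/dev/null |
    awk -v n="$1" '$1 == n {
      for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) { print substr($i, 4); exit }
    }'
}

decryptable_with_server_key() {
  # 0 only for plain RSA key exchange: the client encrypts the pre-master secret
  # to the server's public key, so the key from Step 2 can recover it.
  # DHE/ECDHE suites (Kx=DH, Kx=ECDH) and every TLS 1.3 suite (Kx=any) use an
  # ephemeral exchange; for those the RSA keys list cannot help and only a
  # (pre)master-secret log file from an endpoint would.
  kx=$(suite_key_exchange "$1")
  case "$kx" in
    '')  echo "$1: not known to this OpenSSL build" >&2; return 2 ;;
    RSA) return 0 ;;
    *)   return 1 ;;
  esac
}

report() {
  # Human-readable summary for a list of suite names.
  for suite in "$@"; do
    kx=$(suite_key_exchange "$suite")
    if decryptable_with_server_key "$suite" 2>/dev/null; then
      echo "$suite: decryptable with the server private key (Kx=$kx)"
    else
      echo "$suite: NOT decryptable with the server private key (Kx=${kx:-unknown})"
    fi
  done
}

# Constructed sample of suites one might see in Server Hello messages.
report TLS_RSA_WITH_AES_128_CBC_SHA \
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
       TLS_AES_256_GCM_SHA384
```

If the capture shows an ECDHE suite, loading the server key will not decrypt anything, however correct the .pem is. Note also that Wireshark versions from 3.0 onward label the preference page "TLS" rather than "SSL"; the RSA keys list behaves the same.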