Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]


Wireshark

In this tutorial I am going to share step by step instructions to decrypt both HTTPS and LDAPS Traffic using WireShark. This tutorial is demonstrated using Ubuntu setup for most of the configuration, if you are interested in using Windows then you can read Wireshark: Decrypt SSL/TLS Practical Examples [Tutorial] which covers similar steps but using Windows machine.

 

What is Encrypted Application Data?

Encrypted application data is the portion of the data stream that contains the actual application data being transmitted over a secure connection. Once an SSL/TLS session is established, all data exchanged between the client and server is encrypted to protect it from eavesdropping, tampering, and forgery.

You can view the same in WireShark:

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

If you try to read the content of these Application Data then you will encrypted content which would lead you to unreadable Hex Code like below:

Transport Layer Security
TLSv1.3 Record Layer: Application Data Protocol: http-over-tls
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 1146
Encrypted Application Data: 6b1598c39f9bd93052aa4628992e91193cfed6a4a54e1232e11e504d11649f99fc86644e…
[Application Data Protocol: http-over-tls]

 

How Encryption Works in SSL/TLS

  1. Handshake Process: Before any application data is encrypted, the SSL/TLS handshake takes place. During this handshake:
    • The client and server agree on encryption protocols and cipher suites.
    • They authenticate each other using certificates.
    • They generate session keys to be used for the encryption and decryption of data.
  2. Symmetric Encryption: After the handshake, symmetric encryption is used to encrypt the application data. Symmetric encryption is fast and suitable for encrypting large amounts of data. The session keys generated during the handshake are used in this process.
  3. Encryption Algorithms: The actual encryption of the application data can be done using various algorithms (e.g., AES, DES, ChaCha20). The choice of algorithm is determined during the SSL/TLS handshake.

 

What will you need to Decrypt the Encrypted Packets?

We are going to use SSLKEYLOGFILE to decrypt the HTTPS and LDAPS encrypted packets.

The SSLKEYLOGFILE is crucial because it logs SSL/TLS session keys, enabling the decryption of encrypted traffic captured during network monitoring. Please NOTE that SSLKEYLOGFILE is Session-Specific which means each SSL/TLS session generates unique session keys during the handshake process. If the sessions use ciphers that support PFS, the keys are ephemeral, meaning they are not derived from a fixed master key but are generated uniquely for each session. This further ensures that session keys cannot be reused across different sessions.

Hence, these keys are specific to that session and cannot be used to decrypt traffic from another session.

So to be able to decrypt an encrypted data, you must first setup the environment to capture SSL Key Log content and then initiate the LDAPS or HTTPS traffic. This execution should generate the SSL Key Log content. Next you should provide the respective key log file to Wireshark along with the mapping PCAP file from the same session.

 

Setup Lab Environment - Pre-requisites

To demonstrate the steps, I will be setting up my own Nginx and LDAP server on Ubuntu 22.04. Both Nginx and LDAP server will be secured using MTLS communication where we will generate both server and client key to access the server securely. I will not go into detail on how to generate certificates, as I have a dedicated tutorial covering usage of openssl in detail. You can refer these links if you are interested to learn more:

These are the list of certificates I have created for this exercise. If you are using a third party signed certificate such as Let's Encrypt or similar CA then you don't need these steps.

-rw-rw-r-- 1 deepak  deepak   1318 Jul 14 14:40 ca.crt
-rw------- 1 deepak deepak 1704 Jul 14 14:39 ca.key
-rw-rw-r-- 1 deepak deepak 1216 Jul 14 14:43 client.crt
-rw-rw-r-- 1 deepak deepak 1017 Jul 14 14:42 client.csr
-rw------- 1 deepak deepak 1704 Jul 14 14:42 client.key
-rw-rw-r-- 1 deepak deepak 1387 Jul 14 15:00 server.crt
-rw-rw-r-- 1 deepak deepak 1078 Jul 14 15:00 server.csr
-rw------- 1 deepak deepak 1704 Jul 14 14:49 server.key

If you are interested in setting up your own server for practice then you can follow:

 

Step-1: Set Up SSLKEYLOGFILE for SSL/TLS Key Logging on Linux

SSLKEYLOGFILE is an environment variable that specifies a file path where SSL/TLS session keys will be logged. When a browser or other compatible application is run with this environment variable set, it logs the necessary encryption keys to the specified file. This file can then be used to decrypt SSL/TLS traffic captured with network analysis tools like Wireshark.

Set the SSLKEYLOGFILE environment variable:

echo 'export SSLKEYLOGFILE=/path/to/sslkeylog.log' >> ~/.bashrc
source ~/.bashrc

Verify the environment variable:

echo $SSLKEYLOGFILE

Sample Output:

/home/deepak/certs/sslkeylog.log

 

Step-2: Simulate MTLS Communication and Capture Packet

Open two terminal wherein from one terminal we will initiate MTLS communication while from other we will capture the packet using tcpdump.

 

Capture Packet for HTPS Traffic

On one terminal:

sudo tcpdump -i any -w mtls_traffic.pcap

On other terminal, use curl to send a request to the NGINX server using the client certificate:

curl --interface enp0s8 --cert client.crt --key client.key --cacert ca.crt https://192.168.0.105

Sample Output:

<html><body><h1>Dummy Data</h1><p>This is a test message.</p></body></html>

Press Ctrl+C to exit the tcpdump packet capture:

tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
22 packets captured
42 packets received by filter
0 packets dropped by kernel

At the end of this step you should have PCAP file which contains the packets from MTLS communication and /home/deepak/certs/sslkeylog.log which should contain the keys which will be used to decrypt the HTTPS communication.

This is sample content of my keylog file:

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Next let's transfer these files to a Windows server as I have my Wireshark installed on a different Windows server. If you have Wireshark locally installed then you can skip the transfer.

 

Capture Packet for LDAPS Traffic

On one terminal:

sudo tcpdump -i any port 636 -w ldaps_traffic.pcap

On other terminal, use ldap to send a search request to LDAPs server:

ldapsearch -H ldaps://192.168.0.105:636 -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" "(objectClass=*)"
Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Press Ctrl+C to exit the tcpdump packet capture:

tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
29 packets captured
62 packets received by filter
0 packets dropped by kernel

You can now verify and make sure that the keylog file contains the HANDSHAKE secrets. This is sample content of my keylog file:

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Now that we have packet captured from both HTTPS and LDAPS traffic, let use the SSLKEYLOGFILE to decrypt these traffic.

 

Step-3: Decrypt Application Data Packet with Wireshark

Let's open the content of mtls_traffic.pcap using WireShark. Here as you can see, post successful TLS HandShake, we get a bunch of encrypted Application Data which means our connection was secured.

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Now let's try to decrypt this encrypted content.

Open Wireshark Preferences:

  • Go to Edit -> Preferences.
  • In the Preferences window, expand Protocols and scroll down to TLS.
Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Set the (Pre)-Master-Secret log filename:

  • Enter the path to the sslkeylog.log file created earlier.
Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Click on Ok and reload the packet file.

Use http to filter for HTTP traffic within the TLS stream.

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Look for the Decrypted TLS tab within the packet details.

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

As you can see, now we can read the content which was fetched from our web server in plain text. So, we have successfully decrypted ,HTTPS packet using SSLKEYLOGFILE.

 

Similarly, open the ldaps_traffic.pcap file using WireShark and pass the respective sslkeylog.log file which was generated during ldapsearch command execution. Here we can see successful TLS Handshake and Encrypted Application Data.

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Once you have added SSL Key Log File under Protocols -> TLS, apply ldap as filter.

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

Look for Bind Request, Bind Response, Search Request, and Search Response packets. We should be able to see decrypted data for each request:

Decrypt HTTPS & LDAPS Traffic using WireShark [100% Working]

So we have successfully decrypted LDAPS traffic using SSLKEYLOGFILE.

 

Summary

Decrypting LDAPS (LDAP over SSL) and HTTPS traffic is a critical skill for network administrators and security analysts who need to troubleshoot issues and ensure secure communications. To effectively decrypt and analyze this traffic, it’s essential to understand and utilize the SSLKEYLOGFILE environment variable. By setting this variable on your server, you enable the logging of SSL/TLS session keys, which are crucial for decrypting the traffic captured during network monitoring.

When encrypted traffic is captured using tools like tcpdump, the resulting packet capture (pcap) files contain encrypted data that is not immediately readable. The SSLKEYLOGFILE provides the session keys needed to decrypt this data, making it possible to view the actual contents of the communication. This allows you to see the specific LDAP operations, such as Bind Requests and Search Responses in LDAPS, or HTTP GET and POST requests in HTTPS traffic.

 

Deepak Prasad

Deepak Prasad

Deepak Prasad is the founder of GoLinuxCloud, bringing over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, Networking, and Security. His extensive experience spans development, DevOps, networking, and security, ensuring robust and efficient solutions for diverse projects.

Certifications and Credentials:

  • Certified Kubernetes Application Developer (CKAD)
  • Go Developer Certification
  • Linux Foundation Certified System Administrator (LFCS)
  • Certified Ethical Hacker (CEH)
  • Python Institute PCAP (Certified Associate in Python Programming)
You can connect with him on his LinkedIn profile and join his Facebook and LinkedIn page.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment