Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to export master secret from browser SSL/TLS session?

I'd like to open a browser in Windows, go to an HTTPS site, and perform a sequence of actions while capturing packets with Wireshark. Then I want to use the encrypted packet capture to view the decrypted HTTP traffic. I know of many ways to do this (listed below) if you forego the browser, have access to the server, or add a MITM, but none of these work when you're restricted to the scenario above. Here are my typical approaches:

Server: For sites where I have the server private key, use Wireshark's built-in SSL decryption.

MITM: An SSL proxy (e.g., Burp suite) will allow viewing of decrypted traffic, but this requires using a different certificate and key pair than what is used by the server.

Browser: openssl's s_client can connect, make requests, and export the master secret, but this does not display the associated web pages or run javascript to compute subsequent request parameters.

Is there a way to export the master secret from a "normal" browser so that I can use it to later decrypt a packet capture of the browser session?

For example, is SSL/TLS state stored on disk when a browser is closed? If so, how would I access it? Is it accessible in memory while the browser is running (and if so how would I find it)?

Or, is all SSL state data stored by the OS (Windows) and not accessible directly?

Alternatively, is there a way to force a browser to use a particular master secret (and any other associated SSL state data like session ID, etc.) for a particular HTTPS connection? If so, I could set up the SSL session using s_client, and then transfer the key data to the browser and open a new connection in the same session. This would accomplish the same goal through different means.

like image 445
juhraffe Avatar asked Jan 14 '23 03:01

juhraffe


1 Answers

For browsers that use the NSS library (e.g. Firefox) you can set the SSLKEYLOGFILE environment variable, which will cause NSS to save the necessary secrets. You can then directly use that file with Wireshark. There's more information to be found here.

like image 94
Brendan Dolan-Gavitt Avatar answered Jan 30 '23 00:01

Brendan Dolan-Gavitt