原文地址: http://security14.blogspot.jp/2010/07/how-to-use-fiddler-and-wireshark-to.html

Requirements

2 Computers (Physical or Virtual Machines):
Computer 1 – Client (In this example I used Windows 7 64bit Enterprise)
Computer 2 – Proxy (In this example I used Windows XP Pro SP3)
Software:
Wireshark (and WinPcap) – Network Analysis
Fiddler – Web Debugging Proxy
OpenSSL – A Great Suite of PKI/SSL Tools
Assuming Internet Explorer 8 on both computers

Download and install the current version of Wireshark along with the included version of WinPcap:
http://www.wireshark.org/download.html
For this example, I used version 1.2.9.

Download and install the current version of Fiddler:
http://www.fiddler2.com/Fiddler2/version.asp
For this example, I used version 2.2.9.7

Download and install the current version of OpenSSL:
http://www.slproweb.com/products/Win32OpenSSL.html
I had to install the Visual C++ 2008 Redistributables to get OpenSSL to install correctly.
For this example, I used version 1.0.0a.

On Both Computers

Setup a Local Certificate Management Console:
Start, Run: mmc
From the Microsoft Management Console:
File, Add/Remove Snap-in…
Click Add…
Select Certificates and click Add
Make sure My User Account is selected and click Finish
Again, make sure Certificates is selected and click Add
This time select Computer Account and click Next
My sure Local Computer is selected and click Finish
Click Close
Click OK
You should now have a Management Console that looks like this:

 
 
 
 
 
 
 
 
 

Optionally, you can save this:
File, Save
Enter a name: Local Certificate Management
Click Save

On the Proxy Computer

Open up Fiddler:
Click Tools, Fiddler Options…
Optionally you can disable HTTP protocol violation warnings. My experience has been that these warnings happen often and are more annoying than useful.

 
 
 
 
 
 

Click on the HTTPS Tab:
Click on the Decrypt HTTPS traffic option
This will bring up a dialogue box to trust Fiddler’s Root Certificate – Click Yes
Note: This will allow you to decrypt SSL sessions without the client browser displaying a certificate error/warning.

 
 
 
 
 
 
 
 
 
 

Click Yes to add the Fiddler Root Certificate

Next, enable the ignore server certificate errors (unless you want to see the warnings).
Click Export Fiddler Root Certificate to Desktop

Next, click on the Connections Tab
Click Allow remote computers to connect

Note: This is necessary because if you have your browser talk to Fiddler on the same host it will use a loopback/local connection and Wireshark will not be able to see the traffic between the browser and Fiddler. In order to decrypt the SSL traffic, Wireshark must be able to see the traffic between the browser and Fiddler. I accomplish this by having the browser connect to Fiddler from a different computer (the Client computer).

Important Note: In order for Fiddler to accept incoming proxy requests from remote computers, you will need to exit out of Fiddler and then re-start it.

Warning – Once you have this setup, any SSL traffic on this computer will be decrypted with all information such as usernames and passwords visible in Fiddler. Make sure this system is only used for analyzing client SSL traffic and only where you have permission.

Setup target web server:
Open up the Internet Explorer browser and navigate to the web server that needs to be analyzed:
I will use a test web server as an example:

Now, go to the Local Certificate Management Console that you setup earlier.
You will need to hit F5 to refresh the console. After doing this, you should see a Certificates Folder under the Personal Folder for the Current User. In this folder, you should see a certificate for the web server you just went to. Notice that it is issued by Fiddler. Right click on this certificate and select All Tasks, Export…
Click Next, select Yes, Export the Private Key, disable strong protection, leave the password blank, and save the file on your desktop. I called it msappsrv-fiddler.pfx.

Open a Command Prompt
Use the following sequence to extract the private key from the PFX file you just created. In this example, I use the msappsrv-fiddler.pfx file I just created.
Note: If the openssl binary is not in your path you will need to add it or specify the full path – e.g. c:\OpenSSL-Win32\bin\openssl …

Extract the private key from the PFX file:
openssl pkcs12 -in msappsrv-fiddler.pfx -nocerts -out msappsrv-fiddler.ekey
Note 1: The import password should be blank (just hit enter) – this assumes that when you exported the PFX file you didn’t enter a password
Note 2: When it asks for a PEM pass phrase you must enter a password or this won’t work. I use the password: secret
Decrypt the private key:
openssl rsa -in msappsrv-fiddler.ekey -out msappsrv-fiddler.ukey
Note: When it asks for the pass phrase enter the password you just used

Verify the results – the file should look similar to this:
type msappsrv-fiddler.ukey
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDMyzpyOm+xAR0lzc11JlXZgMQ9Parz6g/4X8Z+Ok/FaHvK4kez
(…)
/7BlxxDuLHhbytM3/Ba1A3VBjYxNqZeHkl3MJrmp2sS6cw==
-----END RSA PRIVATE KEY-----

Create a folder in the root of the C:\ drive called certs and move all the certificate, PFX, and key files to this directory.
Note: This is important - the SSL preferences in Wireshark cannot handle a space in the path. In Windows XP, the Desktop directory is located under “Documents and Settings” and so it will not work.

Open Wireshark
Click Edit, Preferences…
Click on the + box next to Protocols to open the list
Scroll down to and select SSL
For the RSA keys list, enter the following: Local (Proxy) System IP Address, SSL Port, Protocol, and Path to the unencrypted private key
In this example, the local system has an IP Address of 192.168.234.182, the SSL Port is 8888 (the proxy port for Fiddler), the protocol is http, and the path to the private key is c:\certs\msappsrv-fiddler.ukey
So in the RSA keys list I enter: 192.168.234.182,8888,http,c:\certs\msappsrv-fiddler.ukey
For the SSL debug file I use the same directory as the key: c:\certs\ssldebug.log

As soon as you click OK, Wireshark will create the ssldebug log file. If you open it up you should see a successful key load:
From c:\certs\ssldebug.log:
ssl_init keys string:
192.168.234.182,443,http,c:\certs\msappsrv-fiddler.ukey
ssl_init found host entry 192.168.234.182,443,http,c:\certs\msappsrv-fiddler.ukey
ssl_init addr '192.168.234.182' port '443' filename 'c:\certs\msappsrv-fiddler.ukey' password(only for p12 file) '(null)'
Private key imported: KeyID F6:E5:EF:CE:66:A0:D3:62:1E:7C:7C:D3:FF:14:16:99:...
ssl_init private key file c:\certs\msappsrv-fiddler.ukey successfully loaded
association_add TCP port 443 protocol http handle 02E13BF0

Start a network capture on Wireshark on the correct interface.
Note: For prolonged network captures, consider using tshark or dumpcap instead. Also consider using a capture filter to limit the traffic to only what you are interested in.

Before moving on to the client computer I would like to explain why I am using two computers – why not do everything from the same computer? In short, because I couldn’t figure out how to get it to work! In Windows, you cannot capture network traffic that goes through the loopback (local) interface – at least not with WinPcap. In other words, if I have two processes communicating on the same computer, you need to use something else to capture the traffic between them.
Check out the following articles for additional discussion around this as well as alternatives:
http://wiki.wireshark.org/CaptureSetup/Loopback
http://www.hsc.fr/ressources/articles/win_net_srv/missing_loopback.html

While there are tricks and drivers you can install to get around this, the options seem to be somewhat impractical (IMHO) for general use or involve paid software.

On the Client Computer

Open the Internet Explorer Browser
Click Tools, Internet Options
Click on Connections Tab
Setup the browser to use the Proxy System
In this case I configure the proxy as 192.168.234.182
Fiddler listens on port 8888

Copy the FiddlerRoot.cer file from the Proxy Computer to this computer. If you followed the directions, this should be in the C:\certs folder.

Open the Local Certificate Management Console that you setup earlier.
Open Certificates – Current User, Trusted Root Certification Authorities, Certificates
Right click in the Certificate Area on the right and choose All Tasks, Import…
Browse to the FiddlerRoot.cer file
For Certificate Store, make sure place all certificates in the following store is selected with Trusted Root Certification Authorities
Click Yes to the security warning:

You should now see this certificate in your Personal Trusted Root Certification Authority Store

Warning – Once you have trusted this certificate and configured your browser to use the proxy computer, any SSL traffic on this computer can be decrypted with all information such as usernames and passwords visible in on the proxy computer. Make sure this is clearly understood by any users of this system. When you are done capturing traffic for network analysis, you should remove this certificate.

Open the Internet Explorer browser and navigate to the web site to be analyzed:

The site should come up with no errors.

If you see this, something is not configured correctly:

You can verify that Fiddler is doing a man-in-the-middle analysis by looking at the certificate chain:
From Internet Explorer, click on the pad lock located on the right side of the address box and then click View certificates.

In the Certificate dialogue box, select the Certification Path:

 
 
 
 
 
 
 

When you start an analysis you should clear Internet Explorer’s cache:
Note: Depending on what you are looking at, you may also want to clear cookies, form data, and passwords.

 
 
 
 
 
 
 

You should also clear the SSL cache from Internet Explorer. In order to analyze an SSL session, the full SSL handshake must be captured. If there is an existing SSL session that is re-used, Wireshark will be unable to decrypt the session (even with the private key).

 
 
 
 
 
 
 

Finally, close all instances of Internet Explorer on the computer and launch a new instance for the troubleshooting session.
Now, browse to the web site in question and use it as desired noting the time when any problems occur. This is important to correlate the problem event with the corresponding traffic in Wireshark. When finished return to the proxy computer to analyze the SSL session.

Back On the Proxy Computer

Review the capture in Wireshark and verify that it successfully decrypted the SSL session.
You can filter by tcp.port==8888 to focus only on the proxied traffic.
Since the traffic is going to a non-standard port, you will need to highlight one of the frames going to Fiddler on port 8888. Right click on the frame, select Decode As… Make sure the Tab is on Transport, the port is set to 8888 and choose SSL:

 
 
 
 

In Wireshark, look for the following sequence to see if SSL decryption is working:

Working:

 
 
Not working:

 
 
If it isn’t working, look at the first Client Hello frame in the capture:

Good:

 
 
 
 
 

Bad - won’t work:

 
 
 
 

If the first SSL Session in the capture has a Session ID, it means the client is resuming an SSL session and Wireshark won’t be able to decrypt it!

When SSL decryption is working, you should also be able to see what’s going on behind the encryption:
Before decrypting:

 
After decrypting:

 
 
I hope you find this useful!

Credits and References

First of all, I would like to thank Sak Blok. I could not have figured this out without his fantastic presentation on dealing with SSL in Wireshark:
http://www.cacetech.com/sharkfest.09/AU2_Blok_SSL_Troubleshooting_with_Wireshark_and_Tshark.pps
Next, one of the most knowledgeable people and instructors that I know of for Network Analysis is Laura Chappell. Her latest book on Wireshark, Wireshark Network Analysis is invaluable:
http://amzn.com/1893939995

For PKI, I found Brian Komar’s book both comprehensive and illuminating - Windows Server 2008 PKI and Certificate Security:
http://amzn.com/0735625166
Note – it also discusses general PKI and general Windows PKI including XP and up and 2003

For OpenSSL I have just googled the Web – if you have any recommendations on great books for this I would love to hear them.

For Fiddler, I only recently learned about this tool. I looks quite impressive but I am a novice at it. There are some resources on the web site – if you have any you’d recommend, please let me know.

Jim Small
jim dot small at mail dot com

how to use fiddler and wireshark to decrypt ssl的更多相关文章

  1. 利用Fiddler和Wireshark解密SSL加密流量

    原文地址:http://kelvinh.github.io/blog/2014/01/12/decrypt-ssl-using-fiddler-and-wireshark/ Fiddler是一个著名的 ...

  2. 利用Fiddler,解密wireshark抓的HTTPS包

    背景介绍 HTTPS加密方式介绍 浏览器-->SSL Client Hello(我支持这些加密方式)-->服务器 浏览器<-SLL Server Hello(就用这种加密,然后下面是 ...

  3. 转:APP开发浅谈-Fiddler抓包详解

    原文地址:http://www.luoxudong.com/?p=306 Fiddler抓包工具在APP开发过程中使用非常频繁,对开发者理解HTTP网络传输原理以及分析定位网络方面的问题非常有帮助.今 ...

  4. Fiddler抓取https数据包

    Wireshark和Fiddler的优缺点: ①Wireshark是一种在网络层上工作的抓包工具,不仅自带大量的协议分析器,而且可以通过编写Wireshark插件来识别自定义的协议.虽然Wiresha ...

  5. APP开发浅谈-Fiddler抓包详解

    Fiddler抓包工具在APP开发过程中使用非常频繁,对开发者理解HTTP网络传输原理以及分析定位网络方面的问题非常有帮助.今天抽点时间出来总结一下Fiddler在实际开发过程中的应用. 我开发过程中 ...

  6. Fiddler抓包原理和使用详解

    iddler抓包工具在APP开发过程中使用非常频繁,对开发者理解HTTP网络传输原理以及分析定位网络方面的问题非常有帮助.今天抽点时间出来总结一下Fiddler在实际开发过程中的应用. 我开发过程中使 ...

  7. 使用fiddler查看https请求

    首先点击菜单栏Tools>>>Fiddler Options>>>HTTPS 把Decrypt HTTPS Traffic 复选框勾选上 勾上之后,会弹窗提示你. ...

  8. Fiddler抓包学习

    今天看到一个抓包笔记, 因为是老早抓包的需求, 后期不用就忘了, 换电脑桌面软件图标都没了, 点开看了一下一脸懵逼... 这是啥...  以后有需要在看一遍吧! Fiddler抓包使用教程-扫盲篇 h ...

  9. Fiddler抓包使用教程-扫盲篇

    转载请标明出处:http://blog.csdn.net/zhaoyanjun6/article/details/72823370 本文出自[赵彦军的博客] 1.什么是抓包? 不同主机之间的数据通信都 ...

随机推荐

  1. 两种常量类型-readonly和const

    C#中有两种常量类型,分别为readonly(运行时常量)与const(编译时常量),本文将就这两种类型的不同特性进行比较并说明各自的适用场景. 工作原理 readonly 为运行时常量(动态常量), ...

  2. 【坐在马桶上看算法】算法7:Dijkstra最短路算法

           上周我们介绍了神奇的只有五行的Floyd最短路算法,它可以方便的求得任意两点的最短路径,这称为“多源最短路”.本周来来介绍指定一个点(源点)到其余各个顶点的最短路径,也叫做“单源最短路径 ...

  3. Angularjs里面跨作用域的实战!

    好久没有来写博客了,最近一直在用Google的AngularJS,后面我自己简称AngularJS就叫AJ吧! 学习AngularJS一路也是深坑颇多啊--!就不多说了,不过还是建议大家有时间去学下下 ...

  4. Android 4.4 API

    Android 4.4 (KITKAT) 是新的 Android 平台版本,为用户和应用开发者提供了新功能.本文旨在介绍其中最值得关注的新 API. 作为应用开发者,您应尽快从 SDK 管理器下载 A ...

  5. fedroa20中将ssh,ssl升级到当前最新版本

    Fedroa20下手工安装openssh-server 本例以Fedroa20为例,需要下载:zlib-1.2.8.tar.openssl-1.0.2e.tar. openssh-7.1p1.tar. ...

  6. pathon 基础学习-集合(set),单双队列,深浅copy,内置函数

    一.collections系列: collections其实是python的标准库,也就是python的一个内置模块,因此使用之前导入一下collections模块即可,collections在pyt ...

  7. 无root或sudo权限,安装mysql

    这其实才是真正的linux,恰当使用权限. 网上找到的中文博客,基本上就那么几篇原创,都要编译源码.但89服务器性能太差编译一次大约半小时无法忍受,在本机上创建了standard用户去尝试几篇博客所言 ...

  8. jenkins 2:用ssh agent插件在pipeline里实现scp和远程执行命令

    昨晚测试成功了. 现在ssh agent的认证,已不支持明文用户密码,而只能用加密方式实现. 所以我先在jenknis和nginx服务器之后,实现ssh免密码rsa证书登陆. 私钥放jenkins,公 ...

  9. ResourceBundle.getBundle方法demo

    这个参考链接 http://blog.csdn.net/tgyman/article/details/56012706

  10. Linux系统的组成

    <linux系统7大子系统> a:SCI(system call interface) ————用户程序通过软件中断后,调用系统内核提供的功能,这个在用户空间和内核提供的服务之间的接口称为 ...