Mastering Network Forensics by Jaswal Nipun;

Author:Jaswal, Nipun; [Jaswal, Nipun]
Language: eng
Format: epub
Publisher: BPB Publications
Published: 2023-06-15T00:00:00+00:00

Figure 6.1: Wireshark displaying TLS handshake packets

Upon using the filter, tls.handshake.extentions_server_name == "www.nipunjaswal.com", we find that the TLS handshake has occurred for the said website. We will discuss the server name extensions more in the book’s later half. For now, let us use the IP address to filter the communication, as shown below in Figure 6.2:

Figure 6.2: Wireshark displaying TLSv1.3 encrypted communication

The user tried opening http://www.nipunjaswal.com and got redirected to port 443, running the HTTPS service where the encrypted communication occurred. We know that the end-user was browsing the site www.nipunjaswal.com. However, we need to find out the exact URLs and the response he got from the requests he made because everything is encrypted using TLS v1.3.

Most browsers and industry-leading tools respect the environment variable SSLKEYLOGFILE to dump the master SSL/TLS keys to the user-specified location. The implementation of the SSLKEYLOGFILE facility is supported by Wireshark to decrypt SSL/TLS connections even when we do not have the private key or when using key exchange methods that will prevent decryption even if we do (such as Diffie-Hellman). We will quickly set it up and see if we can decrypt the communication to a TLS-encrypted website. To setup the environment variable, we can go to system properties and press Environment Variables, as shown in Figure 6.3:

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.