My pleasure! Thanks for the comment Ganesh!

Amen to that Christopher! I feel the same. I learn something with every pcap I open.

You will always learn something more in technology

Glad you liked it! Hey every department needs a Packet Head.

Thank you!

Awesome!

Thank you for watching and commenting Alexander!

I am beyond honored that he wanted to interview me on his channel. Great to have you here!

Thank you for the comment! I really appreciate the feedback.

Thanks for the comment!

Just restart the computer. It should work.

Great job! Thanks for the feedback!

Thanks again Di. I appreciate the feedback.

Hey Josh - I probably had to recreate it and share a different one. However the pcap and syslog you get in the link go together and the rest of the video steps are the same.

Great Samuel! Glad to hear that it helped. I'll get some more TLS 1.3 stuff out there soon.

🤦🏻‍♀️

@Bill Proctor - Great to see you here Bill! Hope all is well on your end.

@@ChrisGreer absolutely. Just looking forward to being able to travel again for work. Hope to hang out with you sometime soon!

@@grendal1974 That would be awesome Bill! Let's chat sometime here soon.

Thanks for the comment! Working on more content and I'll get it out there.

I'm also wondering this - did you find this out?

Yes anyone?

i noticed that too, and now i am confused

Thanks!

Glad it was helpful!

it means we can decrypt any password even if it uses https protocol ?

Hey, thanks for the comment. I'll see if I can get it working... (or breaking, depending on how you look at it!)

My pleasure!

Glad you think so!

Probably - I'd have to tinker with a specific app or implementation, but I imagine if you dig deep enough in the code there is a way to do it.

@@ChrisGreer So from a hackers perspective in todays day and age, I imagine the flow is something like this: 1. compromise endhost through zero day or unpatched vulnerability 2.create a reverse tcp shell via proxy chaining on proxy's that dont log user data (or TOR) 3.setup the log environmental variable in OS (congrats you have modified a system that's not yours and have now officially committed a crime, though I guess the reverse tcp shell could be argue as the stage when that happens) 4. discretely capture network traffic, and discretely transfer data back (no idea how that's done) 5. look for PII/PCI decrypted data 6. Clear traces of you being there... also not really sure how they would do that. Probably clear a bunch of internal log files. I know this comment puts you in a precarious situation, because how do you teach content and answer questions without indirectly possibly helping a hacker, but as a company network engineer I still dont understand how hackers pull of what they do. Is it just a matter of hiding in plane sight and due to the sheer amount of data that goes across the wire, you are hoping nobody notices?

@@adammason1587 Very interesting, to transfer the data back in thinking you could do a loopback but that could be traced.

Thanks for the comment!

Nice! That is great Prateek - glad to hear that the videos helped you. More to come!

I have gotten it to work with Firefox and chrome. I have heard it works with edge but have not tried it for myself. All others, a ton to try… I guess it just depends on the api

Hmm... weird. That is frustrating. Ok maybe something changed with an update. I'd suggest trying Firefox. If that doesn't work - I've been able to get it working pretty reliably with Kali Linux and Chrome. I demonstrate that here -kzbin.info/www/bejne/h4O1eXSVas2GaMU

Thanks!

Hey Greg - I have only tried this with Chrome and Firefox. It would def take some more digging to learn where/how/if other API's store the keys.

Hello DataSkull - we would need to see if the app will locally store the TLS keys. As you saw in the video, chrome will do it in an environment variable, but that may not be the case for the application you are trying to decrypt. You have to dig into it and see if the app will store them.

Same issue here looks like better to go with a proxy server

I am facing the same issue and currently looking to setup a proxy server like "Charles" but its quiet complicated....

I used the chrome browser to demonstrate this in the video, but it also works on Firefox Nightly and I have seen it work on Edge too.

Arg - no I don't know why but, let's make sure you are using chrome, you restarted it, and made sure you cleared history/cache. Other than that - I would try installing firefox because I have gotten it to work with that browser too.

@@ChrisGreer All done. Maybe Win 10 21H1 version does not support it.

Most welcome!

Thanks for the comment Tin!

Make sure that you restart chrome completely after setting up the environment variable. Also - if that doesn't work, give it a shot with Firefox.

I've only been able to get it to work with Chrome and Firefox, I haven't tried to store them from any one app.

You would need send all traffic through a man-in-the-middle device on the network, or you could install an agent on the server that will capture them. Either way, it's designed to be hard to get the keys...

@@ChrisGreer isn’t that man in the middle attack / ARP Poisoning doens’t catch the key? please make a video how to get the keys via man in the middle attack sir.

You are very welcome

Thanks Ginadi. Stick around for more around TLS.

You should have to create that folder but the system will create the log.

That is a great question. In theory, you could do a man in the middle attack and intercept their traffic. You can capture it is a passive listener on WiFi, but with the additional layer 1/2 encryption for WiFi (WPA2 for example) it adds another level of complexity. I have never done it.

@@ChrisGreer Thanks for the reply! My mind was going into that direction but wasn't sure if there were other ways/methods. Looking forward to more content as well. Since I'm a newer viewer, I dont know the extent of your expertise. But would love to see some cyber security / forensic stuff as that's what I'm currently studying for an associates degree. I see alot of the attacking and vulnerability side, but would like to see more content on defensive and forensic analysis.

Thanks for the feedback Jack - I would need to figure out how to reproduce that in order to tshoot on my end.

Hi Chris D - Thanks for the comment. Actually I had considered setting something like that up but wasn't sure if anyone would actually do it! I appreciate the suggestion and will definitely look into it.

Hmm... sounds like something to do with the way Wireshark is dissecting. Can you make sure you have the latest version installed? Also - if you like you can send me the pcap and I will take a peek. packetpioneer@gmail.com

To capture the session keys as you see in this video, yes. It's the simplest way to collect them. It can also possibly happen from the server side or from a device along the path that terminates the connection.

it still works... didn't work the first time but on a second attempt it does

Thanks! Appreciate the comment.

ssl.app_data is encrypted.. TLS_AES_256_GCM_SHA384.. got stream as hex to file and out of options (at least for now) :P

looks like I need to get into 'programming' to get some things from handshake and mix it to get 'decoding setup' - could you make something related (like video) or point to 'get going'? Thx Chris!

hahaha it turned out I was using 'old wireshark' and could not see the decoded data' 8-) I see some data decoded and some not (probably because of packets not being in good order) --> going to stream gives mixed content Is there a 'simple' way of reordering the packets? There is Time shift (but it looks like i need to be very specific at time value) Can we 'switch packets by place' like move packet No. 250 to 249 (249 goes to 250)?

thanks for the comment Alex!