My pleasure! Thanks for the comment Ganesh!

Amen to that Christopher! I feel the same. I learn something with every pcap I open.

You will always learn something more in technology

Glad you liked it! Hey every department needs a Packet Head.

Awesome!

Thank you!

I am beyond honored that he wanted to interview me on his channel. Great to have you here!

Thank you for watching and commenting Alexander!

Great job! Thanks for the feedback!

Thank you for the comment! I really appreciate the feedback.

Thanks for the comment!

Great Samuel! Glad to hear that it helped. I'll get some more TLS 1.3 stuff out there soon.

it means we can decrypt any password even if it uses https protocol ?

Glad it was helpful!

Thanks again Di. I appreciate the feedback.

I'm also wondering this - did you find this out?

Yes anyone?

Thanks for the comment! Working on more content and I'll get it out there.

@Bill Proctor - Great to see you here Bill! Hope all is well on your end.

@@ChrisGreer absolutely. Just looking forward to being able to travel again for work. Hope to hang out with you sometime soon!

@@grendal1974 That would be awesome Bill! Let's chat sometime here soon.

Most welcome

Thanks!

🤦🏻‍♀️

Hey Josh - I probably had to recreate it and share a different one. However the pcap and syslog you get in the link go together and the rest of the video steps are the same.

My pleasure!

Nice! That is great Prateek - glad to hear that the videos helped you. More to come!

Most welcome!

Thanks!

Hi Chris D - Thanks for the comment. Actually I had considered setting something like that up but wasn't sure if anyone would actually do it! I appreciate the suggestion and will definitely look into it.

That is a great skill - because in the real world, most of the troubleshooting I do is without the decryption keys.

@@ChrisGreer I'd love to learn that skill.... Really wish you could make a video on that... I'll truly appreciate 💜

Thanks for the comment!

thanks for the comment Alex!

You are very welcome

Thanks for the comment Tin!

Make sure that you restart chrome completely after setting up the environment variable. Also - if that doesn't work, give it a shot with Firefox.

Hello DataSkull - we would need to see if the app will locally store the TLS keys. As you saw in the video, chrome will do it in an environment variable, but that may not be the case for the application you are trying to decrypt. You have to dig into it and see if the app will store them.

Same issue here looks like better to go with a proxy server

Glad you think so!

Thanks for the feedback Jack - I would need to figure out how to reproduce that in order to tshoot on my end.

For sure! I will be doing more content around QUIC and H3 as things continue to develop. Thank you for the comment. I the meantime check out my QUIC decryption video here - kzbin.info/www/bejne/h4O1eXSVas2GaMU

Thanks Ginadi. Stick around for more around TLS.

Hey, thanks for the comment. I'll see if I can get it working... (or breaking, depending on how you look at it!)

Hey Greg - I have only tried this with Chrome and Firefox. It would def take some more digging to learn where/how/if other API's store the keys.

I have gotten it to work with Firefox and chrome. I have heard it works with edge but have not tried it for myself. All others, a ton to try… I guess it just depends on the api

I haven't tried it with mobile apps yet. But if they store the keys to the keylog, then in theory... yes!

Un placer!

Hmm... weird. That is frustrating. Ok maybe something changed with an update. I'd suggest trying Firefox. If that doesn't work - I've been able to get it working pretty reliably with Kali Linux and Chrome. I demonstrate that here -kzbin.info/www/bejne/h4O1eXSVas2GaMU

Thanks for the comment! I really appreciate the feedback.

@@ChrisGreer didn't know it was that easy. I guess the environment variable you added in the beginning is Chrome specific?

It works with Chrome, Firefox, and some chromium based browsers. I am not much of an Edge user so I haven't tried it myself, and I understand Safari in the Mac environment isn't too happy with this variable either.

You should have to create that folder but the system will create the log.

Probably - I'd have to tinker with a specific app or implementation, but I imagine if you dig deep enough in the code there is a way to do it.

@@ChrisGreer So from a hackers perspective in todays day and age, I imagine the flow is something like this: 1. compromise endhost through zero day or unpatched vulnerability 2.create a reverse tcp shell via proxy chaining on proxy's that dont log user data (or TOR) 3.setup the log environmental variable in OS (congrats you have modified a system that's not yours and have now officially committed a crime, though I guess the reverse tcp shell could be argue as the stage when that happens) 4. discretely capture network traffic, and discretely transfer data back (no idea how that's done) 5. look for PII/PCI decrypted data 6. Clear traces of you being there... also not really sure how they would do that. Probably clear a bunch of internal log files. I know this comment puts you in a precarious situation, because how do you teach content and answer questions without indirectly possibly helping a hacker, but as a company network engineer I still dont understand how hackers pull of what they do. Is it just a matter of hiding in plane sight and due to the sheer amount of data that goes across the wire, you are hoping nobody notices?

@@adammason1587 Very interesting, to transfer the data back in thinking you could do a loopback but that could be traced.

You would need send all traffic through a man-in-the-middle device on the network, or you could install an agent on the server that will capture them. Either way, it's designed to be hard to get the keys...

@@ChrisGreer isn’t that man in the middle attack / ARP Poisoning doens’t catch the key? please make a video how to get the keys via man in the middle attack sir.

How! Explain please

Thanks! Appreciate the comment.

That is a great question. In theory, you could do a man in the middle attack and intercept their traffic. You can capture it is a passive listener on WiFi, but with the additional layer 1/2 encryption for WiFi (WPA2 for example) it adds another level of complexity. I have never done it.

@@ChrisGreer Thanks for the reply! My mind was going into that direction but wasn't sure if there were other ways/methods. Looking forward to more content as well. Since I'm a newer viewer, I dont know the extent of your expertise. But would love to see some cyber security / forensic stuff as that's what I'm currently studying for an associates degree. I see alot of the attacking and vulnerability side, but would like to see more content on defensive and forensic analysis.

I've only been able to get it to work with Chrome and Firefox, I haven't tried to store them from any one app.

Hmm... sounds like something to do with the way Wireshark is dissecting. Can you make sure you have the latest version installed? Also - if you like you can send me the pcap and I will take a peek. packetpioneer@gmail.com

Awesome! Thanks for the sub and see you around the channel.