
Decrypting Encrypted TLS Traffic Using Wireshark on Linux

Before we start, I have to clarify: this is not a way of “hacking” TLS to decrypt arbitrary encrypted traffic! That is (probably) not possible. What we will do in this tutorial is temporarily export the TLS session keys the browser uses into a “TLS key log file”, then use that log file together with the captured pcap to decrypt the traffic and view it in Wireshark.

For this to work, you’ll need a browser such as Firefox or Chrome, a Linux-based machine, and Wireshark.

First, start Wireshark, but don’t start capturing traffic yet. Then close all open browser windows.

Second, use the following command:

export SSLKEYLOGFILE="/home/$USER/tlskeys.log"

This command sets an environment variable that instructs programs started from this shell to store all session keys in a file named tlskeys.log in your user’s home folder. There are a few things to note here:

This command works for this terminal session only. Once the terminal window is closed, TLS keys will no longer be written to the log file. Keys are logged only for this process and the processes spawned from it; this means that if you start your browser from the GUI after running the command, the keys will not be stored. You need to start the browser from within the command line. Before you do that, start capturing traffic in Wireshark.

Now start your browser (such as Firefox) from the command line:

firefox &

Visit an HTTPS website such as google.com, run a few searches or even try to sign in. Then stop the packet capture and take a look at the tlskeys.log file:

cat tlskeys.log

You’ll see a few session keys for each session. It will probably look something like this:
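The file is plain text with one record per line: a label, the 64-hex-character client random that identifies the session, and the secret itself in hex. A TLS 1.2 session contributes a single CLIENT_RANDOM record; a TLS 1.3 session contributes several *_TRAFFIC_SECRET records sharing one client random. Wireshark skips records it cannot parse, so it pays to check the file before loading it. The script below is an added example, not code from the original post: it checks a key log for well-formed records, counts the sessions it covers, and shows the tshark equivalent (the tls.keylog_file preference) of the GUI setting used later in this tutorial. The sample log it writes is constructed for the example and contains no real keys.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check an
# SSLKEYLOGFILE before pointing Wireshark at it. Record layout:
#   <LABEL> <client_random, 64 hex chars> <secret, hex>
# Lines starting with # are comments.

# Number of records carrying the given label (prints 0 when none).
count_label() {
    # $1 = key log file, $2 = label such as CLIENT_RANDOM
    grep -c "^$2 " "$1" || true
}

# Number of distinct TLS sessions, i.e. distinct client randoms.
count_sessions() {
    awk '!/^#/ && NF >= 3 { seen[$2] = 1 }
         END { n = 0; for (k in seen) n++; print n }' "$1"
}

# Exit 0 when every record is well formed; otherwise print the offending
# lines and exit 1. A malformed record is a common reason a session stays
# encrypted in Wireshark even though the file was loaded.
check_keylog() {
    awk '
      /^#/ || NF == 0 { next }
      NF != 3 { bad++; print "wrong field count: " $0; next }
      $1 !~ /^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET)$/ {
          bad++; print "unknown label: " $0; next }
      length($2) != 64 || $2 !~ /^[0-9a-fA-F]+$/ {
          bad++; print "bad client random: " $0; next }
      $3 !~ /^[0-9a-fA-F]+$/ { bad++; print "bad secret: " $0 }
      END { exit bad ? 1 : 0 }
    ' "$1"
}

# Batch equivalent of Edit >> Preferences >> Protocols >> TLS: hand tshark
# the key log and list the decrypted HTTP/2 requests.
decrypt_with_tshark() {
    # $1 = capture file, $2 = key log file
    tshark -r "$1" -o "tls.keylog_file:$2" -Y http2.headers \
        -T fields -e ip.dst -e http2.headers.method -e http2.headers.path
}

# Constructed sample log (not real keys): one TLS 1.2 session and one
# TLS 1.3 session.
H16=0123456789abcdef
CR1="$H16$H16$H16$H16"
MS1="$H16$H16$H16$H16$H16$H16"
CR2=ffeeddccbbaa9988ffeeddccbbaa9988ffeeddccbbaa9988ffeeddccbbaa9988
SEC=1111111111111111222222222222222233333333333333334444444444444444
KEYLOG="$(mktemp)"
trap 'rm -f "$KEYLOG" "$KEYLOG.bad"' EXIT
cat > "$KEYLOG" <<EOF
# constructed sample, not a real key log
CLIENT_RANDOM $CR1 $MS1
CLIENT_HANDSHAKE_TRAFFIC_SECRET $CR2 $SEC
SERVER_HANDSHAKE_TRAFFIC_SECRET $CR2 $SEC
CLIENT_TRAFFIC_SECRET_0 $CR2 $SEC
SERVER_TRAFFIC_SECRET_0 $CR2 $SEC
EOF

echo "TLS 1.2 sessions: $(count_label "$KEYLOG" CLIENT_RANDOM)"
echo "TLS 1.3 sessions: $(count_label "$KEYLOG" CLIENT_TRAFFIC_SECRET_0)"
echo "distinct sessions: $(count_sessions "$KEYLOG")"
check_keylog "$KEYLOG" && echo "key log looks well formed"
# With a real capture: decrypt_with_tshark capture.pcapng "$HOME/tlskeys.log"
```

Unset SSLKEYLOGFILE and delete the log once you are done: anyone holding the file together with the capture can decrypt those sessions.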


Now, if you look at the traffic captured by Wireshark, you’ll see that it is encrypted, like this:

To use the TLS keys to decrypt this traffic, go to Edit >> Preferences >> Protocols and scroll down to TLS. In the last field of the window you’ll see “(Pre)-Master-Secret log filename”; click “Browse…” next to it, point Wireshark at the tlskeys.log file, then click “OK”.

Now you’ll notice that the previously encrypted TLS payload is decrypted (mostly into HTTP/2).

You’ll also be able to extract a lot of HTTP objects that were not accessible before because of the encryption.


Installing Volatility Framework on an Ubuntu Virtual Machine

Edit 19-Feb-2024: This article was written for Volatility 2, which was based on Python 2.x.

Although a bit old, Volatility Framework is still one of the favourite tools for memory forensic investigations. Its wide range of plugins makes it easy to extract, although without a fancy interface, a lot of important pieces of information.

Today, we’ll walk through the process of installing Volatility Framework on a fresh installation of Ubuntu. Let’s kick this off:

Part 1: Creating a VM and installing Ubuntu

My personal favourite is VMWare Workstation Pro, but you can easily use VirtualBox to achieve the same goal.

1. Download Ubuntu 18.04 LTS from this link:

https://releases.ubuntu.com/18.04.6/ubuntu-18.04.6-desktop-amd64.iso

2. Create a new VM with 4GB of RAM and at least 20GB of disk space (I recommend 40GB to have some room for the memory dumps you’ll examine).

3. Create a username and a password of your choice. For my installation, I’ll use “mohammed” as my username.

4. Leave the rest of the installation settings to the default.

Part 2: Preparing the Python environment

Volatility Framework was written for Python 2.x, not 3.x. This means you’ll need to prepare a Python 2.x environment with all the dependencies.

1. Download Miniconda from this link:

https://docs.conda.io/en/latest/miniconda.html#linux-installers

2. Start the installation in a terminal window by moving to the ~/Downloads folder and issuing the following command:

sudo sh Miniconda3-py39_4.10.3-Linux-x86_64.sh

Change “Miniconda3-py39_4.10.3-Linux-x86_64.sh” to the name of the file you just downloaded if it is different. During the installation, leave the installation location at the default, and answer “yes” to “Do you wish the installer to initialize Miniconda3”.

3. After the installation is done, close the terminal window and open a new one. You should see (base) in front of your terminal prompt, like this:

4. To check the version of Python that is currently installed, type the command:

python --version

It should show you 3.9.5.

5. To be able to create a new conda environment, you will need to change the ownership of the .conda folder that the Miniconda installer created in your home directory. This can be done with:

sudo chown mohammed:mohammed /home/mohammed/.conda

Replace every “mohammed” in this command with your chosen username, including the one in the folder path.

6. As Volatility Framework requires Python 2, not 3, we will create a new environment using the following command:

conda create --name py2.7 python=2.7

7. After the creation of the new conda environment, we can activate it using the command:

conda activate py2.7

This will change the prompt prefix to (py2.7).

8. Now re-check the version of Python using the command:

python --version

It should show 2.7.18.

9. Now install the libraries needed by Volatility using these commands:

sudo apt install pcregrep libpcre++-dev python-dev git gcc -y

pip install distorm3

pip install yara-python

pip install PyCrypto

pip install pillow

pip install OpenPyxl

pip install ujson

Part 3: Installing and Using Volatility Framework

1. Move to the ~/ folder using the command cd ~/.

2. Download Volatility Framework using this command:

git clone https://github.com/volatilityfoundation/volatility.git

3. Change to the ~/volatility folder using the command cd volatility.

4. Test the installation using the command:

python vol.py --info

5. Take a look at the different plugins and profiles. You’ll notice that the profiles included in the framework are all Windows profiles; the framework doesn’t include any Linux or Mac profiles by default. You’ll need to download those profiles from here:

https://github.com/volatilityfoundation/profiles

6. For Linux profiles, it is tricky to find the one that fits your particular distribution and kernel version. It is common practice to build a profile on the machine where you’re capturing the memory dump, using tools such as LiME.

7. A typical command to have the framework automatically determine the most suitable profile looks like this:

python vol.py --file="/home/mohammed/Desktop/memdump.dump" imageinfo

After finding the suitable profile for your memory dump, you can issue commands like this:

python vol.py --file="/home/mohammed/Desktop/memdump.dump" --profile=Win7SP1x64 psscan

The psscan plugin shows you the processes present in memory at the time of the capture.
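Because imageinfo prints its candidates on a single “Suggested Profile(s)” line, the profile choice in steps 7 and 8 can be scripted. The script below is an added example, not part of this article or of Volatility itself: it parses saved imageinfo output, takes the first suggested profile, and runs a plugin with it. It assumes vol.py sits in ~/volatility as set up in Part 3 (override with the VOL variable) and that the py2.7 environment is active; the imageinfo output it parses is a constructed sample in Volatility 2’s layout, with made-up values.

```shell
#!/bin/sh
# Added example, not from the original article or from Volatility: let
# imageinfo pick the profile, then run a plugin with it. Assumes the clone
# from Part 3 lives in ~/volatility (override with VOL=/path/to/vol.py).
VOL="${VOL:-$HOME/volatility/vol.py}"

# Print every profile named on the "Suggested Profile(s)" line of saved
# imageinfo output, one per line, in the order Volatility listed them.
suggested_profiles() {
    # $1 = file holding the output of `python vol.py --file=... imageinfo`
    sed -n 's/^ *Suggested Profile(s) *: *//p' "$1" \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# The first suggestion is Volatility's best guess; empty output means no
# KDBG was found and the profile has to be chosen by hand (see kdbgscan).
first_profile() {
    suggested_profiles "$1" | head -n 1
}

# Run imageinfo once, cache its output next to the dump, then run the
# requested plugin with the first suggested profile.
run_plugin() {
    # $1 = memory dump, $2 = plugin such as psscan
    info="$1.imageinfo.txt"
    [ -s "$info" ] || python "$VOL" --file="$1" imageinfo > "$info"
    profile="$(first_profile "$info")"
    if [ -z "$profile" ]; then
        echo "no profile suggested for $1; run kdbgscan and pick one manually" >&2
        return 1
    fi
    echo "using profile $profile" >&2
    python "$VOL" --file="$1" --profile="$profile" "$2"
}

# Constructed sample of imageinfo output (Volatility 2 layout, made-up values).
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/mohammed/Desktop/memdump.dump)
                      PAE type : No PAE
                           DTB : 0x187000L
EOF

echo "first suggested profile: $(first_profile "$SAMPLE")"
echo "all suggestions:"
suggested_profiles "$SAMPLE"

# With a real dump: run_plugin /home/mohammed/Desktop/memdump.dump psscan
```

The first suggestion is only a best guess: when a plugin returns nothing or obvious garbage, try the next profile on the list or confirm the choice with the kdbgscan plugin.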