Generate PCAP with SSLKEYLOGFILE instead of a CA
CA was great for MITM, but the new way to decrypt TLS 1.3 is your SSLKEYLOGFILE, and now that all devices/servers do TLS 1.3 as standard, MITM seems to have stopped working.
Is it possible to enable decryption without the CA and only using the SSLKEYLOGFILE?
Hello, there seems to be some confusion here. The SSLKEYLOGFILE is only needed to store and then retrieve the decryption keys, whereas installing a CA into the device to intercept is needed to make the system accept the mitm certificate, so they are different things. mitmproxy, which PCAPdroid-mitm uses, should already support TLS 1.3. Maybe you are facing a different protection of the app, e.g. certificate pinning. Check out https://emanuele-f.github.io/PCAPdroid/tls_decryption#34-caveats-and-possible-solutions for more details
No confusion really, a lot of companies now don't allow other CAs outside their own. I was looking at the document you sent and it might help with that, so I will check further. From what I have seen, when it comes to TLS 1.3 all you need are the decryption keys; MITM is, from what I have noticed from tests, not needed anymore to decrypt packet data, but maybe Android works differently from Windows, Mac and Linux.
but maybe
Maybe this will help https://emanuele-f.github.io/PCAPdroid/paid_features#53-pcapng-format
No, I already use the pcapng format
a lot of companies now don't allow other CAs outside their own
So this is certificate pinning. You have to work around it yourself, it's not a problem of PCAPdroid.
But it's more a request to ONLY log SSLKEYLOGFILE as a secondary option and not have to use a CA. A feature request if you like.
If that makes sense, is that possible? Or does the CA need to exist to be able to create a SSLKEYLOGFILE on Android?
and not have to use a CA
Do you understand what certificate pinning is?
or does the CA need to exist to be able to create a SSLKEYLOGFILE on Android?
It can be anything depending on the implementation of a particular application. Even, for example, cryptography on raw sockets. It seems to me that PCAPdroid is already making the most of these opportunities. And it's time to take care of the firewall and statistics ;) Although perhaps Emanuele wants to make a full Wireshark for Android :)
Yeah I get cert pinning allows you to bypass MITM or I guess also add the CA to the app. This also seems like the solution to my current problem.
I am not great when it comes to Android but other OSes you can dump the SSLKEYLOGFILE and already see a lot of fun stuff, so was hoping maybe Android could do the same.
Yeah I get cert pinning allows you to bypass MITM
This is the answer to the question "why is it needed?" and not "what is it?" ;)
but other OSes you can dump the SSLKEYLOGFILE
Are you sure it's the operating system and not the specific implementation inside the program? ;)
It's in the program, I know, but figured some programs implement this as default. So you're going to tell me Android apps don't support this, thus the reason for cert pinning / the CA.
I am not great when it comes to Android but other OSes you can dump the SSLKEYLOGFILE and already see a lot of fun stuff, so was hoping maybe Android could do the same.
Oh maybe I can see what you mean. The interception could be performed at a lower layer, by hooking the system calls without installing the CA certificate. In this case, the tool that you use to do this job generates a SSLKEYLOGFILE with the session keys, which can be used to decrypt the pcap file.
This job does not look like something PCAPdroid should do; you should instead rely on specific tools that provide these capabilities. What we could do in PCAPdroid is to integrate with such tools to show live decrypted data, so that they can send the keylog to PCAPdroid-mitm and then decrypt the connections. However, this is just theory, we should check how such tools work and if it's feasible. In any case, we need someone who is accustomed to such tools to suggest on this.
What we could do in PCAPdroid is to integrate with such tools to show live decrypted data
Funny :) These are usually custom scripts integrated into more complex scripting systems. Yes, PCAPdroid can be very useful for integration. That's just depending on which direction of integration ;) Instead of fantasizing about what to integrate into yourself, again, you need to think about how to give the opportunity to use PCAPdroid to the maximum extent possible. And for this a powerful system of intents is needed. Perhaps a more lucid example. Those who need a fully controlled traffic collection under desktop OSes use Wireshark or Tshark in command line mode. And for android apps, the equivalent of the command line is intents ;)
By the way, you once mentioned your community in Telegram. Here's an easy way to check its level. Ask people there about "such tools" ;)
I wanted to add that SSLKEYLOGFILE is a well-known OS environment variable within the 3 OSes mentioned (Windows, Mac, Linux); you don't need root/admin access on these OSes to adjust the variable, a user can dump their keys. You don't need an application installed that supports this variable, it's built into the OSes mentioned. I did try changing this in Android like you would in Linux but this did not work for me.
So you don't need Wireshark for the variable to work in those cases, but from an OS/GUI standpoint Wireshark is the most user friendly to then use the keys to decrypt and see packet data.
I have noticed the application does choose if they want to make use of the variable; most browsers do support it as default in the mentioned OSes though.
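To make concrete what the key log actually contains and why the CA question is separate from it: the file is written by the application's TLS library in the NSS key log format, one line per secret, and every line is indexed by the 32-byte ClientHello random of the session it belongs to. A decrypter (Wireshark, tshark) pairs a captured ClientHello with its line(s) by that random. The example below is added here and is not code from this thread or from PCAPdroid; it parses a constructed sample key log, classifies each session by which labels are present (TLS 1.2 `CLIENT_RANDOM` versus the TLS 1.3 traffic-secret labels), extracts the client random from a minimal constructed ClientHello record, and looks up the matching secrets. All sample keys and the ClientHello bytes are constructed, not taken from a real session.

```python
import re
import struct

# Labels defined by the NSS key log format. CLIENT_RANDOM carries the
# TLS 1.2 master secret; the remaining labels are TLS 1.3 per-session secrets.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# <LABEL> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed client randoms and secrets for the sample below (not real keys).
RANDOM_A = bytes(range(32))        # a TLS 1.3 session
RANDOM_B = bytes(range(32, 64))    # a TLS 1.2 session
SAMPLE_KEYLOG = f"""# constructed sample key log, not keys from a real session
CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_A.hex()} {'aa' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_A.hex()} {'bb' * 32}
CLIENT_TRAFFIC_SECRET_0 {RANDOM_A.hex()} {'cc' * 32}
SERVER_TRAFFIC_SECRET_0 {RANDOM_A.hex()} {'dd' * 32}
EXPORTER_SECRET {RANDOM_A.hex()} {'ee' * 32}
CLIENT_RANDOM {RANDOM_B.hex()} {'ff' * 48}
this line is not a key log entry and is skipped
"""


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; comments and garbled lines are skipped."""
    sessions = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        label, client_random, secret = m.groups()
        if label not in TLS12_LABELS | TLS13_LABELS:
            continue
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions


def session_versions(sessions):
    """Classify each session by the labels present: 'tls1.3', 'tls1.2' or 'incomplete'."""
    out = {}
    for rnd, labels in sessions.items():
        # Application data in TLS 1.3 needs both directions' traffic secrets.
        if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}.issubset(labels):
            out[rnd] = "tls1.3"
        elif "CLIENT_RANDOM" in labels:
            out[rnd] = "tls1.2"
        else:
            out[rnd] = "incomplete"
    return out


def client_random_from_record(record):
    """Extract the 32-byte random (hex) from a TLS record carrying a ClientHello, else None."""
    if len(record) < 5 + 4 + 2 + 32 or record[0] != 0x16:  # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 38 or body[0] != 0x01:  # 0x01 = ClientHello
        return None
    # handshake type (1) + length (3) + client_version (2), then the random.
    return body[6:38].hex()


def secrets_for_record(record, sessions):
    """Pair a captured ClientHello with its key log entries, as a decrypter would."""
    rnd = client_random_from_record(record)
    return sessions.get(rnd) if rnd else None


def build_client_hello_record(client_random):
    """Minimal constructed ClientHello record (one cipher suite, no extensions) for testing."""
    body = (b"\x03\x03" + client_random      # client_version, random
            + b"\x00"                         # empty session id
            + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")                    # compression methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    print(session_versions(sessions))
    record = build_client_hello_record(RANDOM_A)
    print(secrets_for_record(record, sessions))
```

The same pairing is what `tshark -o tls.keylog_file:<path>` does against a capture; if a session's random is absent from the file (the app's TLS stack never wrote it), no CA and no proxy change that, which is the distinction made earlier in the thread.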
You don't need an application installed that supports this variable, it's built into the OSes mentioned
Or is it also a fantasy :) Take some little-known browser and try it ;) Especially if you take a non-browser app.
Works, been tested by yours truly on all OSes mentioned. On Android, that's where I was hoping to see if you guys can figure out how to get the same.
Works
So you're taking the browser Lynx (https://lynx.browser.org/) or Luakit (https://luakit.github.io/) and the keys are still stored there?
No, as mentioned, it's an OS variable; they are dumped in the filesystem then imported into Wireshark. Here's a how-to for all OSes, credits F5: https://my.f5.com/manage/s/article/K50557518
No as mentioned
If you are talking about Chrome or Firefox then they have built-in support for this environment variable :) Therefore the comparison is incorrect ;) If they had support for Android versions then it would work for Android as well. But it is the policy of companies to make heavily stripped-down versions for mobile systems.
Aaah ok, makes sense. If somehow these keys could be dumped, I guess that + capturing the packets and you're golden, but I guess that's the challenge here. This started off with me creating a firewall + squid proxy and ended up with me here :)
Thanks for the input, it's been very helpful
Wait, I might have an option in Squid, this might work. http://www.squid-cache.org/Versions/v6/cfgman/tls_key_log.html
Wait, I might have an option in Squid, this might work
Probably. That's what the proxy is for :) But there are other protocols besides HTTP(S) ;) However, the idea of collecting keys separately for at least HTTPS may also be interesting for PCAPdroid. But there are many ideas and only one developer ;)