
Wireshark capture network traffic other computers
This Wireshark tutorial describes how to decrypt HTTPS traffic from a pcap in Wireshark. It is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps) of the traffic. The instructions assume you are familiar with Wireshark, and they focus on Wireshark version 3.x.

When reviewing suspicious network activity, we often run across encrypted traffic. Why? Because most websites use the Hypertext Transfer Protocol Secure (HTTPS) protocol, and like most websites, various types of malware also use HTTPS. When reviewing pcaps from malware activity, it’s very helpful to know what’s contained within post-infection traffic.

Today, we will examine HTTPS activity from a Dridex malware infection. Decryption is possible with a text-based log containing encryption key data captured when the pcap was originally recorded. With this key log file, we can decrypt HTTPS activity in a pcap and review its contents. Here is a Github repository with a ZIP archive containing the pcap and a key log file used for this tutorial.

Warning: The pcap used for this tutorial contains Windows-based malware. There is a risk of infection if using a Windows computer.

Note: Our instructions assume you have customized your Wireshark column display as previously described in “Customizing Wireshark – Changing Your Column Display.”
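Wireshark ties each line of the key log to a TLS session through the 32-byte client random in that session's ClientHello, so a session that stays encrypted after the log is loaded usually has no matching line. The following added example (not from the original tutorial; the TLS record and key log contents are constructed, not taken from the Dridex pcap) parses a ClientHello, extracts its random and reports which key-log labels exist for it:

```python
import struct

# Constructed sample (not from the tutorial's pcap): a TLS 1.2 record carrying
# a ClientHello whose 32-byte random is 0x11 repeated.
CLIENT_RANDOM = bytes([0x11]) * 32
_hello_body = (
    b"\x03\x03"              # client_version: TLS 1.2
    + CLIENT_RANDOM          # random (32 bytes)
    + b"\x00"                # session_id length: 0
    + b"\x00\x02\x13\x01"    # cipher_suites: one suite (TLS_AES_128_GCM_SHA256)
    + b"\x01\x00"            # compression_methods: null only
)
SAMPLE_RECORD = (
    b"\x16\x03\x01" + struct.pack("!H", 4 + len(_hello_body))  # TLS record header
    + b"\x01" + len(_hello_body).to_bytes(3, "big")            # handshake header
    + _hello_body
)

# Constructed key log in the NSS format Wireshark reads; hex values are made up.
# The TLS 1.3 line belongs to a different session (random 0x22 repeated).
SAMPLE_KEYLOG = f"""# SSL/TLS secrets log file, generated by the client
CLIENT_RANDOM {'11' * 32} {'aa' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'bb' * 32}
"""

def client_random_from_record(record: bytes) -> str:
    """Return the ClientHello random as lowercase hex, or raise ValueError."""
    if len(record) < 5 or record[0] != 0x16:       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 38 or hs[0] != 0x01:               # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    return hs[6:38].hex()   # 4-byte handshake header + 2-byte version, then random

def keylog_labels_for(keylog_text: str, client_random_hex: str) -> set:
    """Labels (CLIENT_RANDOM, *_TRAFFIC_SECRET, ...) the key log holds for this random."""
    labels = set()
    for line in keylog_text.splitlines():
        parts = line.strip().split()
        if len(parts) == 3 and not parts[0].startswith("#"):
            if parts[1].lower() == client_random_hex.lower():
                labels.add(parts[0])
    return labels

def can_decrypt(keylog_text: str, record: bytes) -> bool:
    """True if the key log has material for the session this ClientHello opens."""
    return bool(keylog_labels_for(keylog_text, client_random_from_record(record)))
```

Run over every ClientHello in a pcap, this tells you which sessions Wireshark can decrypt before you start looking for post-infection traffic.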

Wireshark is usually used to analyze traffic on your local network. What if you wanted to capture and analyze traffic on a remote server? You would need to use a tool like tcpdump.

First, SSH into the remote machine with an account with root access:

ssh remoteuser@remotehost

Then use tcpdump to capture the traffic on the remote network and save it into a PCAP file:

sudo tcpdump -i eth0 -w tcpdump.pcap

Finally, copy the capture file to your computer by using the scp command:

scp remoteuser@remotehost:tcpdump.pcap /some/local/directory/

You can now open up the remote capture file by using Wireshark on your computer.

Alternatively, you can use Wireshark’s remote capture tool sshdump, which you can also run directly in Wireshark’s GUI. This command is functionally equivalent to the commands above:

sshdump --extcap-interface=sshdump --capture --remote-host remotehost --remote-username remoteuser --fifo=/some/local/directory/tcpdump.pcap