Wireshark and HTTPS

[Snowman]

It's obviously not that hard to find a user/pass when you sniff an HTTP packet w/ wireshark because it is in plaintext. But... since HTTPS is encrypted (friggin TLS :-p), what is the best way to decrypt it the packets you sniff? Thanks :-)

[digip]

It's obviously not that hard to find a user/pass when you sniff an HTTP packet w/ wireshark because it is in plaintext. But... since HTTPS is encrypted (friggin TLS :-p), what is the best way to decrypt it the packets you sniff? Thanks :-)

You would have to inject the victim with a forged certificate, hope they agree to use said certificate, and then have a way to decrypt all the traffic once saved to a file for decrypting. I can't remember the name of the program, but there is one that allows you to decrypt the traffic based on the fake certs you supply to the end user.

If you are on windows, I think Cain does this automatically and searches for the passwords for you if the user clicks to allow the certificate, but wireshark won't be able to read the traffic since cain is doing the decryoting for itself

You could try to take it further, with say, session hijacking. For that, you would need something like hamster and ferret on windows, or on linux I think it wifizoo. Sometimes in ssl connections you get plain text cookies sent back and forth or session data that is not encrypted during handshakes, so even on a https site, you may be able to log on to the site as the victim if they have this flaw. Not sure if TLS exibits this flaw though.