@jshen28
Last active October 30, 2018 03:35

SNIFF SSL TRAFFIC

Recently I got confused about how to sniff HTTPS traffic. I thought I needed a proxy, and it turned out I was right. I set up a proxy chain using stunnel.

SETUP

I use two machines (which is not optimal): one executes the command and runs the stunnel server; the other runs the stunnel client and does the sniffing.

STUNNEL SERVER & CLIENT

The stunnel server instance runs on the targeted machine and stands in for the real HTTPS host: it terminates TLS with its own certificate (server.pem) and forwards the decrypted stream over plain TCP. The stunnel client instance (which, from the network's point of view, is still a listening server) accepts that plaintext, wraps it in TLS again, and sends it wherever the configuration points it, i.e. the real host. The plaintext hop between the two instances is the part that can be sniffed; the TLS legs on either side are as opaque as before.

Server configuration,

debug = 3
#foreground = yes
pid =

[server]
client = no
cert= ./server.pem
accept = 127.0.0.1:443
connect = 10.40.149.13:4434

Client configuration,

debug = 3
#foreground = yes
pid =

[client]
client = yes
accept = 0.0.0.0:4434
connect = openapi.mytest.cn:443

On the machine where the stunnel server runs you also need the line "${IP} openapi.mytest.cn" in /etc/hosts, where ${IP} is the address the server instance accepts on (127.0.0.1 in the configuration above), so that the application connects to the local stunnel instead of the real host. Two things follow from this. The application is now shown server.pem rather than the real host's certificate, so it must either trust that certificate or skip verification; otherwise the TLS handshake fails and nothing is captured. And the /etc/hosts override applies to every process on that machine, including a stunnel client if one ran there, which would loop straight back into the server instance; that is why the client sits on a second machine here (or must connect by IP rather than by name).

SNIFF ON CLIENT MACHINE

sudo tcpdump -i eth0 -s 0 -w ./captured.pcap 'tcp port 4434'

Then download captured.pcap and open it in Wireshark. Because this hop is plaintext, the HTTP requests and responses are readable directly; if Wireshark does not dissect the stream as HTTP on the non-standard port, use Analyze > Decode As... and map TCP port 4434 to HTTP. Keep in mind that the same plaintext crossed the network between the two machines, so anyone on that path could read it as well.
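As an added example (not code from the original gist), here is the whole procedure above, configuration and capture, collapsed onto a single host as a POSIX shell script: it generates the terminating certificate, writes both stunnel configurations, adds the /etc/hosts override and starts the capture on loopback. The host name openapi.mytest.cn, the ports, the file names and the CA bundle path /etc/ssl/certs/ca-certificates.crt are illustrative assumptions. It deliberately differs from the gist's client configuration in two ways: the client side connects to the real IP (resolved before /etc/hosts is edited) and carries the hostname through stunnel 5's sni and checkHost options, because on one host a connect by name would loop back into the server instance; and it enables verifyChain with a CAfile so the upstream certificate is actually checked rather than accepted blindly.

```shell
#!/bin/sh
# Added example, not code from the original gist: the stunnel sniffing chain on ONE host.
# openapi.mytest.cn, the ports, file names and the CA bundle path are assumptions.
set -eu

# TLS-terminating side (what the gist calls the "server"). The application is sent here
# by /etc/hosts and is shown our own certificate, so it must trust that file.
write_server_conf() {  # write_server_conf <pem_with_key> <tls_port> <plain_port>
    cat <<EOF
debug = 3
pid =

[server]
client = no
cert = $1
accept = 127.0.0.1:$2
connect = 127.0.0.1:$3
EOF
}

# Re-encrypting side (the gist's "client"). Differences from the gist:
#  - connect by IP: on one host the /etc/hosts override would otherwise route this
#    instance back into the server instance above (a loop); sni/checkHost carry
#    the real name in the handshake and the certificate check instead.
#  - verifyChain + CAfile: the upstream certificate is verified, not accepted blindly.
write_client_conf() {  # write_client_conf <plain_port> <real_ip> <host> <ca_bundle>
    cat <<EOF
debug = 3
pid =

[client]
client = yes
accept = 127.0.0.1:$1
connect = $2:443
sni = $3
checkHost = $3
verifyChain = yes
CAfile = $4
EOF
}

# BPF filter for the plaintext hop, the only part of the chain worth capturing.
capture_filter() {  # capture_filter <plain_port>
    printf 'tcp port %s' "$1"
}

# Self-signed certificate for the terminating side. stunnel reads the private key
# from the cert file when no separate key= is given, so key and cert are concatenated.
make_server_pem() {  # make_server_pem <host> <basename>  -> <basename>.key/.crt/.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
    cat "$2.key" "$2.crt" > "$2.pem"
}

run_chain() {  # run_chain <host> <plain_port>  (sudo needed for port 443, /etc/hosts, tcpdump)
    host=$1; plain_port=$2
    # Resolve the real address BEFORE /etc/hosts is changed, or we would get 127.0.0.1.
    real_ip=$(getent ahosts "$host" | awk 'NR == 1 { print $1 }')
    make_server_pem "$host" ./server
    write_server_conf ./server.pem 443 "$plain_port" > stunnel-server.conf
    write_client_conf "$plain_port" "$real_ip" "$host" \
        /etc/ssl/certs/ca-certificates.crt > stunnel-client.conf
    echo "127.0.0.1 $host" | sudo tee -a /etc/hosts > /dev/null
    sudo stunnel ./stunnel-server.conf   # daemonizes; binds 127.0.0.1:443
    stunnel ./stunnel-client.conf        # daemonizes; binds 127.0.0.1:$plain_port
    # Capture on loopback; stop it with kill when done, then open captured.pcap in Wireshark.
    sudo tcpdump -i lo -s 0 -w ./captured.pcap "$(capture_filter "$plain_port")" &
    echo "chain up; test with: curl --cacert ./server.crt https://$host/"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = run ]; then
    run_chain "${2:-openapi.mytest.cn}" "${3:-4434}"
fi
```

Invoke it as `sh chain.sh run openapi.mytest.cn 4434` from an account with sudo rights; the application under test then talks to 127.0.0.1:443 and must be given server.crt as its trust anchor, since verification against the public CA bundle will (correctly) fail for the self-signed certificate.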
