Capture all HTTP & HTTPS traffic

I need it for software development. I can capture the traffic on my laptop, but I need it for my mobile phone. This could capture it, but I don't know where to start. I have already tried something with tcpdump and with iptables, but nothing worked for me.

Most reputable software developers (along with quite a few disreputable ones) would

  • Know how TLS and certificates work
  • Have access to a development server where TLS could be either disabled, or set up with a known certificate

Not an expert!!! Just copying instructions from random websites, but I tried this once on my VBox.

Believe you can find instructions for Ubuntu 14 and 18 too. Good way to figure out how WordPress works and sniff your own traffic to/from the web server! Jeff, please correct me if I am wrong?

Of course you can enable / disable SSL with your own fake certificate.

  • You're wrong.
  • Why are you posting a link on how to install a web server with Wordpress...ON UBUNTU???

:confused:
???

What does this have to do with OpenWrt???

  • You don't need HTTPS to see connections to your own Wordpress server. They're identical on HTTP and HTTPS anyway.
  • If you setup a local server, the traffic never crosses the router anyway.

@Grow needed a way to sniff some HTTPS from mobile, but somebody told him it is illegal, so if he sets up a WordPress server on a VM or just his PC, then he could try to sniff traffic from his mobile (I assume it should go through the OpenWrt router) to the WordPress server? Am I wrong again?

OK, I read that. It is illegal to sniff others (in most jurisdictions)...but then the OP stated they wish to sniff their own traffic.

YES, in HTTP-only.

Not through the firewall, unless he does more configuration.

Well...even if it goes through the firewall, please explain to @Grow...how does he decrypt the traffic???

:wink:


If the OP now wishes to set up a web server for this problem, then they can also decrypt the traffic there (since the web server has the certificate and is encrypting the traffic in the first place)!

OpenWrt is not needed. Hence, the OP should ask their questions here:

Sorry, I meant @Grow wants to capture the traffic as per his first post, then maybe he has a way to brute force the captured packets! My fault.


If he has a way to brute force TLS 1.3, I'd love to hear about it!!!

That's the problem the OP is experiencing. The OP's other option is to set up a device that decrypts on the fly...that can be done with software located:

  • on the phone; and
  • on the web server


Never Say Never Again


Let's just summarize here and leave it at that:

  1. OP wants to capture traffic and analyze it.
    1.1) If the traffic routes through an OpenWrt device, you can run tcpdump on the router.
    1.2) If the traffic bridges through the OpenWrt device, you can use port mirroring in the OpenWrt switch config. This gets you the packets.
  2. OP wants to see the traffic encrypted by HTTPS as well.
    2.1) The OP needs to either own the webserver or the mobile device, and make the users of the device aware that he is bypassing encryption for the purpose of testing.
    2.2) Use appropriate testing certificates generated by the OP and installed on the phone/webserver.
    2.3) If the OP can't modify the web server, the OP can place a proxy between the web server and the phone, with certificates installed on the proxy and the phone, and carry out a "man in the middle attack" by asking the phone to trust the proxy certificates. Squid proxy has a method for doing this; it requires installing a signing cert on the phone so that the phone will trust Squid when it says that it is the site the phone is connecting to.
    2.4) Details of how to carry out this kind of analysis are well beyond what could be expected to be described for free on the OpenWrt message boards. I suggest starting here: https://wiki.squid-cache.org/Features/SslPeekAndSplice
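Steps 2.2 and 2.3 above both rest on a test CA that the OP generates, installs on the phone as a trusted root, and uses to issue a certificate for a server (or proxy) the OP controls. The following is an added example, not code from this thread or from the Squid project: it builds such a throwaway test PKI with the openssl CLI and checks that the server certificate actually chains to the test CA for the intended hostname (`dev.example.test` is a placeholder name chosen here; it assumes `openssl` is installed).

```shell
#!/bin/sh
# Added example: a throwaway test CA plus a server certificate signed by it,
# for a dev server or proxy you control. Assumes the openssl CLI is present.
set -eu

make_test_pki() {
    dir="$1"     # output directory
    host="$2"    # hostname the server certificate is issued for (placeholder)
    mkdir -p "$dir"

    # Self-contained config so we do not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Local Test CA (testing only)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Test CA. ca.key stays on the dev machine; ca.crt is what gets
    #    installed on the phone as a user-trusted root. Short lifetime on purpose.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # 2. Server key and CSR for the dev host.
    openssl req -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1

    # 3. Sign the CSR with the test CA. Modern clients ignore CN and require a SAN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 7 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# Returns 0 if server.crt chains to ca.crt AND matches the hostname, else non-zero.
# This is the same check the phone performs once ca.crt is in its trust store.
verify_chain() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null 2>&1
}
```

The hostname mismatch case is the one to keep in mind: a certificate for the wrong name fails verification even though it is signed by a trusted CA, which is why a generated cert is tied to one specific dev host.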

Is that GCHQ?
I'm totally confused...

Are you implying he can brute force like a state communications agency?

Realistically, I think @dlakelan's post is substantive, especially part 2.

(Also, I didn't mention the word "never" - except to note that on a LAN, traffic doesn't pass through the router.)

Unfortunately, I have to repeat: Squid's PeekAndSplice will work in many scenarios, i.e. when you have control over the destination host. BUT it will NOT work with other destinations, i.e. those which might only accept certs from a specific authority.


Cert pinning is a feature of the phone software; if you don't control this software and you don't control the server, then you have no business listening to the connection. Realistically, in real legit testing scenarios the Squid feature will work.

... or of the browser. And there are (still) quite a few pinned certs you cannot change or remove.

Yes, on sites where you have no business snooping, banks, security sites, etc. If you are legitimately testing you either legitimately control both the server and client, or at least one of them. I can't see a legitimate testing scenario where you need to snoop a pinned cert and you aren't the one who did the pinning :grin:


Thanks @dlakelan, now I'll have to try to figure out certificate pinning too...

Any nice wiki about it, other than random googling...?

Thanks for the James Bond reference! It helped me realize that the OP will need to do a lot more, unless the decryption is done at the mobile and server endpoints:

The OP would have to ensure that Perfect Forward Secrecy is disabled.

The best way to capture http and https traffic from (your) devices within your network is to use a tool like dlakelan (2) described.
Get the Burp Suite free edition and you can start within 2 minutes to capture HTTP and HTTPS traffic by setting up a proxy.
When it comes to bypassing certificate pinning, it is getting interesting; e.g. https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/

And as long as the purpose is not specifically "monitoring private communication without the knowing consent of all parties involved", there is no issue with doing it or asking how to do it.

The topic might not be relevant for OpenWrt (anymore) since capturing traffic on the router might not help in this case and the topic is more or less not related to OpenWrt anymore.


If you're willing to spend some time learning, there's a luci-app-wireshark-helper package for that. Check README and the article linked in credits for more info.
