Capture all HTTP & HTTPS traffic


Never Say Never Again


Let's just summarize here and leave it at that:

  1. OP wants to capture traffic and analyze it.
    1.1) If the traffic routes through an OpenWrt device, you can run tcpdump on the router.
    1.2) If the traffic bridges through the OpenWrt device you can use port mirroring on the OpenWrt switch config. This gets you the packets.
  2. OP wants to see the traffic encrypted by HTTPS as well.
    2.1) The OP needs to either own the webserver or the mobile device, and make the users of the device aware that he is bypassing encryption for the purpose of testing.
    2.2) Use appropriate testing certificates generated by the OP and installed on the phone/webserver.
    2.3) If the OP can't modify the webserver, the OP can place a proxy between the webserver and the phone with certificates installed on the proxy and the phone and carry out a "man in the middle attack" by asking the phone to trust the proxy certificates. Squid proxy has a method for doing this; it requires installing a signing cert on the phone so that the phone will trust Squid when it says that it is the site the phone is connecting to.
    2.4) Details of how to carry out this kind of analysis are well beyond what could be expected to be described for free on the OpenWrt message boards. I suggest starting here: https://wiki.squid-cache.org/Features/SslPeekAndSplice

Is that GCHQ?
I'm totally confused...

Are you implying he can brute force like a state communications agency?

Realistically, I think @dlakelan's post is substantive, especially part 2.

(Also, I didn't mention the word "never" - except to note that on a LAN, traffic doesn't pass through the router.)

Unfortunately, I have to repeat: Squid's PeekAndSplice will work in many scenarios, i.e. when you have control over the destination host. BUT it will NOT work with other destinations, i.e. ones which might only accept certs from a specific authority.


The cert pinning is a feature of the phone software, if you don't control this software and you don't control the server then you have no business listening to the connection. Realistically in real legit testing scenarios the squid feature will work.

... or of the browser. And there are (still) quite a few pinned certs that you cannot change or remove.

Yes, on sites where you have no business snooping, banks, security sites, etc. If you are legitimately testing you either legitimately control both the server and client, or at least one of them. I can't see a legitimate testing scenario where you need to snoop a pinned cert and you aren't the one who did the pinning :grin:


Thanks @dlakelan now I’ll have to try to figure out about certificate pinning too ....

Any nice wiki about it, other than random googling ...

Thanks for the James Bond reference! It helped me realize that the OP will need to do a lot more, unless the decryption is done at the mobile and server endpoints:

The OP would have to ensure that Perfect Forward Secrecy is disabled.

The best way to capture http and https traffic from (your) devices within your network is to use a tool like dlakelan (2) described.
Get the Burp Suite free edition and you can start within 2 minutes to capture http and https traffic by setting up a proxy.
When it comes to bypassing certificate pinning, it is getting interesting; e.g. https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/

And as long as the purpose is not specifically "monitoring private communication without the knowing consent of all parties involved", there is no issue with doing it and asking for how to do it.

The topic might not be relevant for OpenWrt (anymore) since capturing traffic on the router might not help in this case and the topic is more or less not related to OpenWrt anymore.


If you're willing to spend some time learning, there's a luci-app-wireshark-helper package for that. Check README and the article linked in credits for more info.
