Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 15: Analyzing Encrypted Traffic

by | Jan 15, 2025

Objective

Learn how to analyze encrypted HTTPS traffic using Wireshark to identify key elements like visited domains and understand the encryption handshake without decrypting sensitive data.

Scenario

As a cybersecurity analyst, you’re responsible for monitoring network traffic to detect potential threats. Although HTTPS encrypts data, certain metadata can still reveal important insights without compromising sensitive information. In this exercise, you’ll use Wireshark to capture HTTPS traffic, analyze the Server Name Indication (SNI), and review the certificate exchange and key negotiation processes. You’ll also learn why Perfect Forward Secrecy (PFS) is essential for securing HTTPS communications.

⚠️ Important: This exercise must be conducted in a legal and controlled environment. Never intercept encrypted traffic on unauthorized networks.

Lab Instructions

Step 1: Set Up the Lab Environment

  • Wireshark: Installed on a monitoring machine.
  • Target Device: Any device with browser access to websites over HTTPS.

Step 2: Capture HTTPS Traffic with Wireshark

  • Launch Wireshark on the monitoring machine.
  • Select the correct network interface (e.g., eth0 or wlan0).
  • Start capturing traffic.
  • On the Target Device, open a browser and visit a few HTTPS websites (e.g., https://www.google.com, https://www.wikipedia.org).
  • Stop the capture after browsing.

Step 3: Filter and Analyze Captured Traffic

Apply the filter for TLS/SSL traffic in Wireshark: 

tls

Locate the Client Hello packet in the TLS handshake.

Expand the Extensions section and find the Server Name Indication (SNI) field.

This reveals the domain name the client is trying to access.

Step 4: Review Certificate Exchange

  • Find the Server Hello packet.
  • Expand the Certificate section to review:
    • Issuer: The Certificate Authority (CA) that issued the certificate.
    • Subject: The domain the certificate is issued for.
    • Validity Period: Start and expiration dates.
    • Public Key Information: Encryption algorithm used.

Step 5: Analyze Key Negotiation Process

  • Examine the Key Exchange Algorithms and Cipher Suites selected during the TLS handshake.
  • Look for the use of Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or similar algorithms, which enable Perfect Forward Secrecy (PFS).

Solution & Explanation

What Can Be Analyzed in Encrypted Traffic

  • Server Name Indication (SNI): Reveals the domain being accessed, even in encrypted connections.
  • Certificate Details: Provide insight into the legitimacy of the website and the encryption methods used.
  • Cipher Suites: Indicate the strength and type of encryption securing the session.

Perfect Forward Secrecy (PFS)

  • Definition: PFS ensures that session keys are not reused, and compromising one session key does not compromise past or future sessions.
  • How It Works: Uses ephemeral keys (e.g., ECDHE) generated for each session.
  • Importance: Even if a server’s private key is compromised, previously captured data cannot be decrypted.

Example TLS Handshake Breakdown

  1. Client Hello: Initiates connection, lists supported cipher suites, includes SNI.
  2. Server Hello: Server selects a cipher suite and sends its certificate.
  3. Key Exchange: Negotiates session keys using algorithms like ECDHE.
  4. Finished: Encrypted session begins.

Testing & Verification

  • Confirm that the SNI field reveals the domain accessed.
  • Verify that the certificate details match the domain and are issued by a trusted CA.
  • Check that ECDHE or another PFS-enabled cipher suite is in use.

Security Considerations

  1. Limitations of SNI: Since SNI is transmitted in plaintext, attackers can observe the domains users visit.
  2. Encrypted Client Hello (ECH): A newer standard encrypting SNI to prevent domain leakage.
  3. Strong Cipher Suites: Using strong ciphers with PFS ensures robust encryption.

Additional Script (Optional)

Capture and filter TLS traffic automatically:

#!/bin/bash
# Capture TLS traffic on eth0 for 60 seconds
sudo tshark -i eth0 -f "tcp port 443" -a duration:60 -w tls_capture.pcap

echo "Capture complete. Saved as tls_capture.pcap."

Run the script:

chmod +x capture_tls.sh
sudo ./capture_tls.sh

Conclusion

In this exercise, you captured and analyzed encrypted HTTPS traffic using Wireshark. You examined the SNI field, reviewed the server’s certificate details, and explored the key negotiation process. Understanding how HTTPS works and the role of Perfect Forward Secrecy (PFS) is essential for maintaining secure network communications without decrypting sensitive data.

0 Comments