Wireshark-dev: Re: [Wireshark-dev] Support for TLS1.2 decryption using derived keys
Hello Peter,
On 01.05.2020 01:23, Peter Wu wrote:
>
>> 1. A generic way to export schannel key material in SSLKEYLOG-like
>> format using elevated privilege and lsass.exe debugging / memory.
>> Preferably - the data that wireshark supports already - master secret
>> for tls <= 1.2 and the intermediate traffic secrets for tls 1.3
> That would be great :-)
I wrote a script to do that and documented its usage on
http://b.poc.fun/sslkeylog-for-schannel/. It is in now way generic
(yet), but I successfully use in my research. Feel free to give it a go!
The main problem really is to get crandom and correlate it with master key.
It is currently win-10 only, TLS1.2-only, does not work with resumed TLS
sessions and poorly handles simultaneous connects.