hunting a spyware and decrypting traffic

asked 2024-06-16 04:56:27 +0000

Virgo gravatar image

updated 2024-06-16 04:58:27 +0000

Hello guys, how are you ? Oh, maybe I'm not here to ask you about that. Well I'm hunting a very advanced spyware that exfiltrate data maybe throught email or google talk. So I tried to decrypt the traffic exporting the SSLKEYLOGFILE variable to a file. Then I inserted the file in the wireshark TLS protocol option. But unfortunately only the 1% of the 443 traffic had been decrypted (HTTP2 protocol).

Anyone can help me to understand what's happening ?

Also, how do I troubleshoot why the packets haven't been decrypted ?

Is there debug or log ?

Also how I know which packets have not decrypted ?

It's enough somehting like "tls and not http2" display filter ?

Thank u all.

edit retag flag offensive close merge delete


From a practical point of view decrypting traffic is rather limited these days.A lot of the documentation is out dated by todays standards and those "tricks"won't work.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2024-07-01 13:23:48 +0000 )edit