Decrypting TLS Traffic with PolarProxy on Client PC

This tutorial provides detailed steps for decrypting HTTPS traffic generated on a client computer with PolarProxy installed. The decrypted traffic is then processed by Wireshark, which runs together with PolarProxy on the same PC.

HTTPS is HTTP carried inside a TLS session; it is used by most websites as well as by many other web services. Any website that uses HTTPS is therefore relying on TLS encryption. For PolarProxy it does not matter whether a proprietary protocol runs inside the TLS session or a well-known TLS-wrapped protocol such as HTTP/2, SMTPS, IMAPS or POP3S: in all of these cases the TLS layer is terminated and the payload is written out decrypted.

According to its developers, PolarProxy is a transparent SSL/TLS proxy primarily designed to intercept and decrypt TLS-encrypted traffic from malware. Without a valid license, PolarProxy allows you to proxy up to 10 GB of data or 10 000 TLS sessions per day, which is more than enough if you only need to proxy a few sessions. When the daily limit is reached, PolarProxy still continues to forward TLS traffic, but it no longer decrypts it.

In our scenario, PolarProxy is installed directly on the client that generates the HTTPS traffic (Picture 1). PolarProxy listens on TCP port 10443 for incoming HTTPS traffic, terminates the TLS session, saves the decrypted traffic to a PCAP file and forwards the traffic, re-encrypted, to the real web server on port 443. For this to work, the client must be configured to redirect outgoing HTTPS traffic destined for TCP port 443 to port 10443, where the PolarProxy service is listening. This is accomplished by a firewall rule (a DNAT/REDIRECT rule in the nat table). In addition, the root CA certificate used by PolarProxy must be trusted by the client whose TLS traffic is routed through the proxy; otherwise every redirected TLS connection fails certificate validation instead of integrating seamlessly with the proxy.

Picture 1 - Network Topology

1. PolarProxy Installation

The next steps describe the installation of PolarProxy on Ubuntu 18.04 Linux. We assume that Wireshark is already installed.

$ mkdir ~/PolarProxy
$ cd ~/PolarProxy/
$ curl https://www.netresec.com/?download=PolarProxy | tar -xzf -

Start PolarProxy to send decrypted traffic directly to Wireshark:

$ sudo ./PolarProxy -p 10443,80,443 --certhttp 10080 -w - | sudo wireshark -k -i -

-v: verbose output to syslog (optional, not used in the command above)
-p 10443,80,443: listen for TLS connections on tcp/10443, save the decrypted traffic in the PCAP as tcp/80, forward the traffic to tcp/443
--certhttp 10080: make the X.509 root CA certificate available to clients over HTTP on tcp/10080
-w -: write the PCAP to standard output
wireshark -k -i -: start Wireshark capturing from standard input immediately (-k)

2. Import Root CA certificate to both OS and Browser

The root CA certificate used by PolarProxy must be trusted by all clients whose TLS traffic is routed through the proxy. To get a seamless integration, it must be trusted both by the operating system and by any browsers or applications that maintain their own list of trusted root certificates (Firefox, for example, uses its own certificate store rather than the system one).

In the last command we used the switch --certhttp 10080, which makes the public root CA certificate available on a web server listening on port 10080. Simply start a browser on the client and open the address of PolarProxy, for example http://127.0.0.1:10080/polarproxy.cer (when started with --certhttp 10080), to fetch the certificate.

Alternatively, download the root certificate from PolarProxy on the command line via the HTTP service running on tcp/10080:

$ curl http://127.0.0.1:10080/polarproxy.cer > polarproxy.cer

Import the root CA certificate into Ubuntu. PolarProxy serves the certificate in DER format, so the openssl command below converts it to the PEM format expected under /usr/share/ca-certificates. In the dpkg-reconfigure dialog, make sure extra/PolarProxy-root-CA.crt is ticked; the tool then runs update-ca-certificates and the certificate appears as a symlink in /etc/ssl/certs.

$ sudo mkdir /usr/share/ca-certificates/extra
$ sudo openssl x509 -inform DER -in polarproxy.cer -out /usr/share/ca-certificates/extra/PolarProxy-root-CA.crt
$ sudo dpkg-reconfigure ca-certificates

Picture 2 - Importing CA Root Certificate to Ubuntu OS

Now we are going to import the CA certificate into the Firefox browser, which keeps its own certificate store. Again, convert the certificate from DER to PEM format using openssl:

$ openssl x509 -inform DER -in polarproxy.cer -out polarproxy-pem.crt

Import Root CA certificate to browser (Firefox):

Open: about:preferences#privacy
Scroll down to "Certificates" and press [View Certificates...]
In the "Authorities" tab, press [Import...]
Open "polarproxy-pem.crt"
Trust this CA to identify websites. (check the box)

3. Redirecting Local Traffic with Firewall Rule

To proxy only the local TLS traffic of the current user on our Ubuntu machine, which also runs PolarProxy, use this iptables rule:

$ sudo iptables -t nat -A OUTPUT -m owner --uid $(id -u) -p tcp --dport 443 -j REDIRECT --to 10443

This rule only proxies traffic generated by the user who ran the command (uid 1000 in our case; $(id -u) is expanded by that user's shell before sudo runs iptables). Make sure PolarProxy runs under a different uid, otherwise its own outgoing connections to port 443 would be redirected as well and it would end up connecting to itself in an endless loop. One way to avoid this is to start PolarProxy with "sudo", so that it runs as uid 0 (root). Another option is to create a dedicated user just for running PolarProxy, as explained in "Installing PolarProxy as a systemd service in Linux".

4. Testing

Our goal is to decrypt the TLS traffic of the user with uid 1000 who visits the URL https://pobox.sk. As already mentioned, PolarProxy is installed on the same computer where the user is logged on. Picture 3 shows the captured credentials the user entered to log in to their email account.

Picture 3 - Username & Password of User Logging in to Pobox.sk

The user's credentials can be found in captured_traffic.7z with the Wireshark display filter http.request.method == POST, which only shows HTTP packets carrying a POST request. Note that the decrypted traffic appears as plain HTTP on tcp/80 in the capture, because of the -p 10443,80,443 argument used to start PolarProxy.
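As an added example that is not part of the original tutorial, the following Python script does the same job as the Wireshark filter above without the GUI: it walks the PCAP that PolarProxy wrote, concatenates the client-to-server payload of every TCP stream to tcp/80 (the port the decrypted traffic is written as), and prints the form fields of each HTTP POST it finds. It assumes the capture is in classic pcap format with the Ethernet link type; the embedded sample capture, host name, addresses and credentials are constructed for the demonstration and are not taken from captured_traffic.7z.

```python
import struct
import sys
from urllib.parse import parse_qs, urlencode

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # assumption: the PolarProxy PCAP uses Ethernet framing


def iter_frames(pcap):
    """Yield the raw frames of a classic pcap file, in either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected link type 1 (Ethernet)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield bytes(pcap[off:off + incl_len])
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + data_off:14 + total_len]


def extract_posts(pcap, port=80):
    """Collect HTTP POSTs sent to `port` (PolarProxy writes decrypted HTTPS as tcp/80)
    and decode their urlencoded form fields. Segments are concatenated per stream in
    capture order, which is adequate for a capture taken on the client itself;
    retransmissions and reordering are not handled."""
    streams = {}
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport == port and payload:
            streams.setdefault((src, sport, dst, dport), bytearray()).extend(payload)
    posts = []
    for (src, sport, dst, dport), data in streams.items():
        pos = 0
        while (start := data.find(b"POST ", pos)) >= 0:
            end = data.find(b"\r\n\r\n", start)
            if end < 0:
                break                       # headers incomplete in this capture
            lines = data[start:end].decode("latin-1").split("\r\n")
            headers = {}
            for line in lines[1:]:
                name, _, value = line.partition(":")
                headers[name.strip().lower()] = value.strip()
            length = int(headers.get("content-length", "0"))
            body = bytes(data[end + 4:end + 4 + length])
            fields = {}
            if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
                fields = parse_qs(body.decode("latin-1"))
            posts.append({"client": f"{src}:{sport}", "host": headers.get("host", ""),
                          "path": lines[0].split(" ")[1], "fields": fields})
            pos = end + 4 + length
    return posts


# --- constructed sample capture (stand-in for captured_traffic.7z) ------------------

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums; parser input only, never sent."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_post_request(host, path, fields):
    body = urlencode(fields).encode()
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


_LOGIN = build_post_request("mail.example.test", "/login",
                            {"username": "alice", "password": "Sup3rS3cret"})
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "198.51.100.7", 51000, 80, b"GET / HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"),
    build_frame("10.0.0.5", "198.51.100.7", 51001, 80, _LOGIN[:40]),   # the POST is split
    build_frame("10.0.0.5", "198.51.100.7", 51001, 80, _LOGIN[40:]),   # over two segments
    build_frame("10.0.0.5", "198.51.100.7", 51002, 443, b"\x16\x03\x01\x00\x05hello"),  # still TLS, ignored
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for post in extract_posts(data):
        print(post["client"], "->", post["host"] + post["path"], post["fields"])
```

Run it as `python3 extract_posts.py decrypted.pcap` against the file PolarProxy produced (or with no argument to use the embedded sample). The split POST in the sample is deliberate: a login form often arrives in more than one segment, and a per-packet filter would miss the body, which is why the script reassembles each stream before searching for requests.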

End.
