If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques.
How to sniff HTTPS & and steal logon credentialsFor today’s lesson, let’s explore how a hacker might sniff HTTPS traffic using Event Tracing for Windows (ETW) – a framework that provides logging capabilities with very little overhead-to-run-time performance. As an integral part of the Microsoft Windows operating system, ETW is heavily used by several system components, and can be successfully used by third-party software. ETW can provide a staggering amount of information. If you want to see a small example of what information can be found in ETW logs, follow the steps I’ve outlined below and try to dump some data of web requests made by the web browser that uses WinInet library calls. If you want to learn Windows Internals – start from ETW!
- First, you need to download and install Windows Performance Toolkit tools (WPT is a part of the Windows ADK: http://www.microsoft.com/en-US/download/details.aspx?id=39982) and added path to the xperf.exe to your PATH environment variable to make the usage comfortable. To sniff the credentials for basically any HTTPS- based portal, you must be logged out of the portal you desire to target.
- Start the cmd.exe as member of the Local Administrators group, as ETW requires administrative privileges.
- Next, start logger session named WinInetTest and capture events from the Microsoft-Windows-WinInet. To achieve that, run the following command:
>xperf.exe -start WinInetTest -on Microsoft-Windows-WinInet -FileMode Circular -MaxFile 50 -f WinInetTest.etl
- Use Internet Explorer and navigate to the target HTTP-based site. Enter user name & password (doesn’t have to be a real one) and click ‘sign in’:
- Switch back to the cmd.exe, and stop the logger session in the following way:
>xperf.exe -stop WinInetTest
- Now, it’s time to dump all the events from the wininet.etl file to the wininet.txt file:
>xperf -i wininettest.etl -o wininet.txt -a dumper
- We are almost ready to see the result of the monitoring. To search the file for specific events use the following command:
>findstr /i "WININET_REQUEST_HEADER_OPTIONAL" wininet.txt