hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
bashbunny-payloads/payloads/library/credentials/win_sslkeylog/README.md
TW-D 95e1d22dee
Add Win_SSLKeyLog (#485) 
* Add Win_SSLKeyLog

Captures the client network session.
Captures the client side session keys.

1) Partially avoids "PowerShell Script Block Logging".
2) Closing of all windows.
3) Hide "PowerShell" window.
4) Check if current process have "Administrator" privilege.
5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information. 
6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
7) Writes the file system cache to disk (thanks to @dark_pyrro).
8) Safely eject (thanks to @Night (9o3)).

* Correction of some information in "README.md"
2022-01-21 18:53:08 -06:00

64 lines
1.5 KiB
Markdown
Raw Blame History

# "Microsoft Windows" SSLKEYLOG
- Title: Win_SSLKeyLog
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Credentials
## Description
>
> Captures the client network session.
>
> Captures the client side session keys.
>
1) Partially avoids "PowerShell Script Block Logging".
2) Closing of all windows.
3) Hide "PowerShell" window.
4) Check if current process have "Administrator" privilege.
5) Sets the "SSLKEYLOGFILE" environment variable to store SSL session key information.
6) Starts a "Network Tracing Session" with "ETW (Event Tracing for Windows)".
7) Writes the file system cache to disk.
8) Safely eject.
## Configuration
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly SNIFFING_TIME=300
```
## Required
Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
[ETL2PCAPNG](https://github.com/microsoft/etl2pcapng)
Wireshark network protocol analyzer.
[WIRESHARK](https://www.wireshark.org/)
## Steps
Convert "capture.etl" file into "capture.pcapng" with "etl2pcapng".
```
.\etl2pcapng.exe .\capture.etl .\capture.pcapng
```
Open your "capture.pcapng" with "Wireshark".
Configure "Wireshark" for HTTPS decryption.
```
Edit - Preferences
Protocols - (SSL and/or TLS)
(Pre)-Master-Secret log filename -> Browse -> SSLKEYLOGFILE.txt
```
Happy hunting.
Reference in New Issue View Git Blame Copy Permalink