The main point is to have the browser write the SSL/TLS session keys it uses to a log file (SSLKEYLOGFILE=/tmp/tmp-google/.ssl-key.log).
In the example below we run a brand new instance of Google Chrome (--user-data-dir=/tmp/tmp-google does the trick):
SSLKEYLOGFILE=/tmp/tmp-google/.ssl-key.log /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir=/tmp/tmp-google
Then run Wireshark and open Preferences -> Protocols -> SSL, where we put the path to the SSL key log file into the (Pre)-Master-Secret log filename field.
Now all SSL/TLS traffic from this browser instance will be decrypted.
A former FOR572 student, John D, helpfully provided some useful command lines that you might be able to take advantage of, specifically while parsing Zeek's log files when created in JSON format. These commands use the jq utility, which is widely available for most operating systems. Another useful resource is the JSON and jq Quick Start Guide, which is used in FOR572 and provided as a public resource.
Querying Zeek files:
dce_rpc.log:
cat dce_rpc.log | jq '{ operation, "named_pipe", endpoint, ts, "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p"}'
Example output:
{ "operation": "NetrShareGetInfo", "named_pipe": "\\PIPE\\srvsvc",
{"ts":1602265824.123071,"uid":"CHFRflzsgM15k9et4","id.orig_h":"192.168.75.169","id.orig_p":58506,"id.resp_h":"192.168.75.1","id.resp_p":53,"proto":"udp","trans_id":50763,"rtt":0.022633075714111329,"query":"www.sansgear.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["vhost1.identityvector.com","70.32.97.206"],"TTLs":[3600.0,3600.0],"rejected":false}
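The jq field projection above and the dns.log record just shown, as an added example that is not part of the original gists: a small Python reader for Zeek JSON logs that mimics the jq `{a, "b.c"}` projection and then groups dns.log answers and failures per client. The dce_rpc.log line and the second dns.log line are constructed sample records; only the field names come from the page.

```python
import json
from collections import Counter

# Constructed sample Zeek JSON logs (one JSON object per line, as Zeek writes them
# with LogAscii::use_json=T). The first dns.log line mirrors the record shown above;
# the second dns.log line and the dce_rpc.log line are made up for illustration.
SAMPLE_DNS_LOG = r'''
{"ts":1602265824.123071,"uid":"CHFRflzsgM15k9et4","id.orig_h":"192.168.75.169","id.orig_p":58506,"id.resp_h":"192.168.75.1","id.resp_p":53,"proto":"udp","trans_id":50763,"query":"www.sansgear.com","qtype_name":"A","rcode_name":"NOERROR","answers":["vhost1.identityvector.com","70.32.97.206"],"TTLs":[3600.0,3600.0],"rejected":false}
{"ts":1602265825.5,"uid":"Cconstructed01","id.orig_h":"192.168.75.169","id.orig_p":58507,"id.resp_h":"192.168.75.1","id.resp_p":53,"proto":"udp","query":"www.sansgear.com","qtype_name":"AAAA","rcode_name":"NXDOMAIN","answers":[],"rejected":false}
'''
SAMPLE_DCE_RPC_LOG = r'''
{"ts":1602265830.1,"uid":"Cconstructed02","id.orig_h":"192.168.75.169","id.orig_p":49712,"id.resp_h":"192.168.75.10","id.resp_p":445,"rtt":0.0012,"named_pipe":"\\PIPE\\srvsvc","endpoint":"srvsvc","operation":"NetrShareGetInfo"}
'''

# Same fields as the jq filter for dce_rpc.log shown above.
DCE_RPC_FIELDS = ["operation", "named_pipe", "endpoint", "ts",
                  "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p"]

def read_zeek_json(text):
    """Parse a Zeek JSON log: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def project(record, fields):
    """Mimic jq '{a, "b.c"}': keep only the named fields, None when a field is absent."""
    return {f: record.get(f) for f in fields}

def dns_answers_by_client(records):
    """Map (client IP, query name) -> set of all answers seen for that pair."""
    seen = {}
    for r in records:
        seen.setdefault((r["id.orig_h"], r["query"]), set()).update(r.get("answers", []))
    return seen

def dns_failures(records):
    """Count responses whose rcode_name is not NOERROR, per client IP."""
    return Counter(r["id.orig_h"] for r in records if r.get("rcode_name") != "NOERROR")

if __name__ == "__main__":
    for rec in read_zeek_json(SAMPLE_DCE_RPC_LOG):
        print(json.dumps(project(rec, DCE_RPC_FIELDS)))
    dns = read_zeek_json(SAMPLE_DNS_LOG)
    print(dns_answers_by_client(dns))
    print(dns_failures(dns))
```

To run it over real logs, replace the sample strings with the contents of dns.log and dce_rpc.log written by Zeek in JSON mode.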
#!/bin/sh
# USE THIS SCRIPT AT YOUR OWN RISK!!!
# YOU ALONE ARE RESPONSIBLE FOR REVIEWING THE CONTENT AND
# ENSURING IT WILL NOT CAUSE UNINTENDED DAMAGE TO YOUR SYSTEM!
# Require root. $EUID and [[ ]] are bash-only, so use id -u under #!/bin/sh.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run with sudo"
    exit 1
fi
set -x
I hereby claim:
- I am philhagen on github.
- I am philhagen (https://keybase.io/philhagen) on keybase.
- I have a public key ASAEYvINHkgXauuXhE5rJULIBfTwIIBMTXyZyi7N87GJSQo
To claim this, I am signing this object:
#!/usr/bin/python
from dnsimple import DNSimple
import socket

# Authenticate to the DNSimple API (replace with your own account credentials)
dns = DNSimple(email='foo@bar.com', api_token='your_token_here')
# List every domain in the account and walk through them by name
domains = dns.domains()
for domain in domains:
    dname = domain['domain']['name']