
I am trying to determine which HTTPS URLs are being opened on my local machine. I have installed WinpkFilter and am trying to use C# to capture traffic.

I can capture packets fine and can even see the GET and POST requests in traffic which is not encrypted (standard requests made to sites over HTTP).

My question is:

Is it possible to determine which HTTPS (CONNECT) URLs are being opened? e.g. https://facebook.com

Kindly tell me if it is possible. I cannot use Fiddler or any other proxy tool and must use a network driver to achieve this. Please tell me if this is possible and, if not, what the alternative solution is.

Thanks

EDIT

I have to do this on the local computer where I am running my sample app with Administrator rights. I am just wondering if I can achieve this without a proxy. If the user opens a URL https://www.google.com then I only want to capture that, nothing more. Do I still need a man-in-the-middle implementation to get this CONNECT HTTPS URL? Kindly clarify. Much appreciated.

Steve Johnson

2 Answers


Yes, that's right, it is not possible to extract a complete URL without MITM. To organize this you would have to use WinpkFilter to redirect the outgoing HTTPS session to a local HTTPS proxy and implement some SSL proxification.

However, there is a limited alternative. With WinpkFilter you can intercept DNS requests/responses, and normally before any HTTPS session a DNS query is sent to convert the domain name to an IP address. You can use the IP-to-domain-name association from DNS responses to figure out which domain name the HTTPS session is trying to connect to. An example: you capture an outgoing TCP SYN packet to 104.16.35.249 port 443, but before that you have seen a DNS response for www.stackoverflow.com where 104.16.35.249 was among the IP addresses returned for the domain name. Thus you can easily figure out that an HTTPS session is being established to https://www.stackoverflow.com. Of course, this approach won't provide you with a complete URL, but only the domain name, e.g. https://www.stackoverflow.com instead of https://www.stackoverflow.com/questions/18045764/can-i-capture-https-connect-urls-using-winpkfilter. But for some tasks it may be enough.

vadim
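The DNS-to-IP correlation vadim describes, as an added Python example that is not code from the question or either answer: it parses a DNS response (compression pointers included), records which queried name each returned IPv4 address belongs to, and labels a later TCP SYN to port 443 with that domain. The DNS response is constructed inline rather than captured, and feeding packets from WinpkFilter into the two `on_*` methods is left to the caller.

```python
import socket
import struct
def build_dns_response(qname, ips, txid=0x1234):
    """Constructed sample response (not captured traffic): one question, one A record per IP."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split(".")) + b"\x00"
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in ips)                       # owner name = pointer to offset 12
    # header: id, flags=standard response, qdcount=1, ancount, nscount=0, arcount=0; QTYPE=A, QCLASS=IN
    return struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + labels + b"\x00\x01\x00\x01" + answers

def _read_name(msg, off):
    """Decode a DNS name, following compression pointers; returns (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                           # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_records(msg):
    """Return (queried name, [IPv4, ...]) from a DNS response payload; other record types are skipped."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000 or qdcount != 1:                  # not a response, or unusual question count
        return None, []
    qname, off = _read_name(msg, 12)
    off, ips = off + 4, []                                  # skip QTYPE/QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)                       # owner name (usually a pointer)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                       # A record carrying an IPv4 address
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qname, ips

class HttpsDomainTracker:
    """Remembers IP -> queried name from DNS answers, then labels a later SYN to port 443 by domain."""
    def __init__(self):
        self.ip_to_name = {}
    def on_dns_response(self, payload):
        qname, ips = parse_a_records(payload)
        self.ip_to_name.update({ip: qname for ip in ips})
    def on_tcp_syn(self, dst_ip, dst_port):
        return "https://" + self.ip_to_name.get(dst_ip, dst_ip) if dst_port == 443 else None
```

As the answer says, this yields only the domain, never the path. If the client's resolver cache already held the address, no DNS packet precedes the SYN, and the tracker falls back to reporting the bare IP.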

HTTPS is used to prevent any eavesdropping (which is what you are trying to do). Consequently, when HTTPS is set up right, you can't do anything. If you have control over the client computer and software, you can install a fake trusted root certificate on the user's system, then intercept HTTPS requests, generate a server certificate on the fly, sign it with the trusted root certificate and act as a man-in-the-middle.

BTW, find information about man-in-the-middle attacks and read it - that's exactly what you want to do.

Eugene Mayevski 'Callback
  • Thanks for your answer. I edited my question to include some additional information. I do not need to decrypt HTTPS traffic, just need to determine the HTTPS URL to which the user wants to go and nothing more.... Do I still need a man-in-the-middle implementation for that? – Steve Johnson Aug 04 '13 at 19:02
  • For example, I am interested in determining if the user tried to open [h.t.t.p.s://]facebook.com or [h.t.t.p://]facebook.com and taking some actions accordingly.. Need to be able to determine this URL and traffic type (http/https) from packet data and not using any proxy solution.. – Steve Johnson Aug 04 '13 at 19:05
  • @SteveJohnson you can analyze traffic to find out if it's HTTP request. And if it is, extract the URI. But for HTTPS you are out of luck - everything is hidden behind SSL/TLS. – Eugene Mayevski 'Callback Aug 05 '13 at 05:52