Fiddler

From aldeid
Jump to navigation Jump to search

Description

Fiddler is a free web debugging proxy that has many options and will be very convenient to analyze malware traffic. One of its feature is to perform MITM to decrypt SSL traffic.

Installation

Note
.Net Framework 4 will be required to run Fiddler

User Interface

Web sessions window

Tabs

Statistics

Shows statistics on a selected session or a group of sessions.

Session inspector

The session inspector shows the request and the response in different formats (Header, Raw, Hex, JSON, XML, ...). The response can even be rendered as image, web preview, highlighted syntax view, ...

Auto Responder

Fiddler's AutoResponder tab allows you to return files from your local disk instead of transmitting the request to the server. For more information about rules, refer to the official documentation here: http://docs.telerik.com/fiddler/knowledgebase/autoresponder

Composer

The Composer enables to buid a request from scratch or from an existing web session (by dragging it to the composer window).

Filters

You can create filters to exclude some traffic from the capture.

Log

Fiddler logs window.

Timeline

Quick exec

QuickExec is a field that accepts several commands to control Fiddler from the Command Line (e.g. break on specific keywords or conditions, dump the sessions as zip file, ...).

For more information on available commands, go here: http://docs.telerik.com/fiddler/knowledgebase/quickexec/

Example: Decrypting malware HTTPS traffic

Prepare Fiddler to intercept and decrypt SSL traffic

First of all, you will need to prepare Fiddler to decrypt SSL traffic (Fiddler will perform Man In the Middle -- MITM). Go to Tools > Fiddler options, click on Decrypt SSL traffic and click on OK:

Emulate services

For this part, I have used REMnux with fakedns and INetSim running.

Run malware

It's time to run our malware and see what is in the SSL payloads:

Comments

Keywords: fiddler intercept network traffic MITM http https