Fiddler

From aldeid

Description

Fiddler is a free web debugging proxy with many options that is very convenient for analyzing malware traffic. One of its features is performing a man-in-the-middle (MITM) interception to decrypt SSL traffic.

Installation

Note: .NET Framework 4 is required to run Fiddler.

User Interface

Web sessions window

Fiddler-ui-web-sessions-list.png

Tabs

Statistics

Shows statistics on a selected session or a group of sessions.

Fiddler-ui-statistics.png

Session inspector

The session inspector shows the request and the response in different formats (Headers, Raw, Hex, JSON, XML, ...). The response can even be rendered as an image, a web preview, a syntax-highlighted view, ...

Fiddler-ui-session-inspector.png

Auto Responder

Fiddler's AutoResponder tab allows you to return files from your local disk instead of transmitting the request to the server. For more information about rules, refer to the official documentation here: http://docs.telerik.com/fiddler/knowledgebase/autoresponder

Fiddler-ui-autoresponder.png

Composer

The Composer lets you build a request from scratch or from an existing web session (by dragging it to the Composer window).

Fiddler-ui-composer.png

Filters

You can create filters to exclude some traffic from the capture.

Fiddler-ui-filters.png

Log

The Log tab shows Fiddler's own log messages.

Timeline

Fiddler-ui-timeline.png

Quick exec

QuickExec is a field that accepts several commands to control Fiddler from the command line (e.g. break on specific keywords or conditions, dump the sessions as a zip file, ...).

Fiddler-ui-quickexec.png

For more information on available commands, go here: http://docs.telerik.com/fiddler/knowledgebase/quickexec/

Example: Decrypting malware HTTPS traffic

Prepare Fiddler to intercept and decrypt SSL traffic

First of all, you will need to prepare Fiddler to decrypt SSL traffic (Fiddler will perform a Man-In-The-Middle -- MITM -- interception). Go to Tools > Fiddler Options, check Decrypt SSL traffic and click OK:

Fiddler-decrypt-ssl-traffic.png

Emulate services

For this part, I have used REMnux with fakedns and INetSim running.

Run malware

It's time to run our malware and see what is in the SSL payloads:

Fiddler-decrypt-ssl-traffic-2.png
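Once the decrypted sessions have been dumped to a zip file from QuickExec, a small script can triage them offline. The following is an added example, not code from the aldeid page or from Fiddler; it assumes the usual SAZ layout (a ZIP whose raw/ folder holds NNN_c.txt for each client request and NNN_s.txt for the matching server response) and builds a two-session archive in memory as constructed sample input.

```python
"""Triage a Fiddler SAZ archive: list method, host, path and status per session."""
import io
import re
import zipfile

# Matches raw/01_c.txt, raw\001_s.txt, ... (Fiddler pads the index by session count).
_RAW_ENTRY = re.compile(r"raw[/\\](\d+)_([cs])\.txt$")


def build_sample_saz() -> bytes:
    """Constructed two-session archive standing in for a real capture (not real traffic)."""
    req1 = (b"POST /collect HTTP/1.1\r\nHost: c2.example\r\n"
            b"Content-Length: 9\r\n\r\nid=abc123")
    rsp1 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    req2 = b"GET /update HTTP/1.1\r\nHost: cdn.example\r\n\r\n"
    rsp2 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("raw/001_c.txt", req1)
        z.writestr("raw/001_s.txt", rsp1)
        z.writestr("raw/002_c.txt", req2)
        z.writestr("raw/002_s.txt", rsp2)
    return buf.getvalue()


def parse_saz(data: bytes) -> list:
    """Return one summary dict per session, ordered by session index."""
    sessions = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            m = _RAW_ENTRY.search(name)
            if m:  # group 1 = session index, group 2 = 'c' (client) or 's' (server)
                sessions.setdefault(int(m.group(1)), {})[m.group(2)] = z.read(name)
    out = []
    for sid in sorted(sessions):
        req = sessions[sid].get("c", b"")
        rsp = sessions[sid].get("s", b"")
        head, _, body = req.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, path = (lines[0].split(" ") + ["", ""])[:2]
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "")
        status = rsp.split(b" ", 2)[1].decode() if rsp.startswith(b"HTTP/") else ""
        out.append({"id": sid, "method": method, "host": host, "path": path,
                    "status": status, "req_body_len": len(body)})
    return out


def hosts_with_posts(summaries: list) -> list:
    """Hosts that received a POST with a body: a first place to look for beaconing."""
    return sorted({s["host"] for s in summaries
                   if s["method"] == "POST" and s["req_body_len"] > 0})
```

Point parse_saz at the bytes of a real dump instead of build_sample_saz() to triage your own capture.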


Keywords: fiddler intercept network traffic MITM http https