top | item 36769626

(no title)

> with keys that are in memory on the same system

I'm not sure that actually holds — the encryption keys are in memory, but the decryption keys don't necessarily have to be.

The pre-encrypted payloads definitely are in memory at some point; however snatching them probably involves larger-scale reverse-engineering.

discuss

heinrich5991|2 years ago

If they're using standard TLS, the actual data encryption is symmetric, so the encryption keys are the decryption keys and must be in memory during the encryption process.

jborean93|2 years ago

If it is TLS you can get the keys used in the session from lsass’ memory. I’ve even written a tool to do so in PowerShell https://gist.github.com/jborean93/6c1f1b3130f2675f1618da5663.... This will generate a log file that contains the keys needed for Wireshark to decrypt TLS traffic.