When we are sniffing with, let's say, ettercap, we receive all packets from the victim, and with that we can see the destination IP address of a particular packet. So, can we obtain the domain name from that IP address, even when HTTPS is used, given that the IP addresses of the servers are publicly available and known?
- You can get the information from the TLS handshake, from DNS lookups etc. See [Does HTTPS encrypt metadata?](http://security.stackexchange.com/questions/142833/does-https-encrypt-metadata) – Steffen Ullrich Nov 25 '16 at 14:11
- So, can we somehow sniff domain names, just to know which sites the victim visits? – Ewe Nov 25 '16 at 14:38
- Yes, you can get the name from the TLS ClientHello, from the certificate in the handshake, or from associating sniffed DNS lookups with IP addresses. Reverse lookup of the IP address is possible too, but not in all cases, since not all sites are configured correctly for reverse lookup and it does not work when multiple names use the same IP address. – Steffen Ullrich Nov 25 '16 at 15:08
1 Answer
So your question asks if a URL or Domain Name can be obtained. The actual URLs in the session will NOT be visible to the person observing the traffic if HTTPS is used, because the encrypted session is established before HTTP requests are made to the server. The Domain Name of the public IP address can be obtained by looking at the certificate used in the handshake. Also, it is sometimes possible to find/deduce the domain name by DNS; however, multiple domain names can be assigned to one IP address, so just going off the IP address isn't always fruitful. There are services that use Passive DNS to keep track of domain names associated with IP addresses, so you may look into that as an option.
ALSO, if this is your corporate network and you want to monitor activity on your company's machines, you can install your own certificate into your workstations and decrypt the traffic in a secure segment of your network, then encrypt it again before it leaves your network. This will allow you to observe all URLs, content, etc. even if HTTPS is used.