PolarProxy in Windows Sandbox
In this video I demonstrate how PolarProxy can be run in a Windows Sandbox to intercept and decrypt outgoing TLS communication. This setup can be used to inspect otherwise encrypted traffic from malware or suspicious Windows applications that communicate over HTTPS or some other TLS encrypted protocol, without exposing the host machine to the sample.
The Windows Sandbox WSB file used in the demo can be downloaded from here: https://www.netresec.com/?download=PolarProxySandbox
Note: Windows 10 or 11 Pro or Enterprise is required to run WSB files, since the Windows Sandbox feature is not available in the Home edition.
Parsing Decrypted TLS Traffic with NetworkMiner
This sandbox also includes NetworkMiner, primarily because it can be used to read a real-time PCAP-over-IP stream with decrypted traffic from PolarProxy. As shown in the video, this feature can be used in order to extract files, images or parameters from the decrypted TLS traffic in near real-time.
For more info about how to run NetworkMiner in Windows Sandbox, please see our blog post Running NetworkMiner in Windows Sandbox.
Configuring a Proxy Server in Windows Sandbox
Windows’ built-in proxy settings are unfortunately not available in Windows Sandbox, which is why I installed a third-party proxy client that redirects all outgoing network traffic to PolarProxy’s SOCKS server. I used Proxifier in the video, which has the additional benefit of being able to redirect all traffic to the proxy, even from applications that aren’t proxy aware. This feature is crucial when attempting to intercept and decrypt TLS traffic from malware that doesn’t respect the proxy settings configured in the operating system. Note that PolarProxy only sees the connections that are actually redirected to it, so the Proxifier rules decide which processes and destinations get intercepted.
Start PolarProxy with a PCAP-over-IP listener on TCP 57012, a SOCKS server on TCP 1080, an HTTP CONNECT proxy on TCP 8080 and a transparent TLS proxy on TCP 443:
Test PolarProxy’s SOCKS server by sending an unencrypted HTTP request through the proxy:
Test PolarProxy’s SOCKS server by sending an HTTPS request through the proxy:
Test PolarProxy’s HTTP CONNECT proxy server by sending an HTTPS request through the proxy:
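The four steps above, put together as one PowerShell script that can be run inside the sandbox. This is an added example and not part of the original post or the downloadable WSB file: the PolarProxy flag names follow PolarProxy’s documented command line (check the `--help` output of the version you run), while the install directory, the `--certhttp` port 10080, the test URL and the use of `curl.exe` and `certutil.exe` (both ship with Windows 10/11) are assumptions made for this example.

```powershell
# Added example (not from the original post): start PolarProxy with the listeners
# described above, trust its root CA inside the sandbox and exercise each proxy path.
# Assumptions: PolarProxy is unpacked in $PolarProxyDir, port 10080 is free for the
# CA download and www.netresec.com is reachable. Run in an elevated PowerShell.

$PolarProxyDir = 'C:\Users\WDAGUtilityAccount\Desktop\PolarProxy'   # assumed location in the sandbox
$TestUrl       = 'https://www.netresec.com/'                       # any TLS site works for the test

# 1. Start PolarProxy:
#    -p 443,80,443       transparent TLS proxy on 443, decrypted flows are written as port 80
#    --certhttp 10080    serve the generated root CA at http://localhost:10080/polarproxy.cer
#    --pcapoverip 57012  PCAP-over-IP listener that NetworkMiner connects to
#    --socks 1080        SOCKS server (the target of the Proxifier rule)
#    --httpconnect 8080  HTTP CONNECT proxy
$polarArgs = '-v -p 443,80,443 --certhttp 10080 --pcapoverip 57012 --socks 1080 --httpconnect 8080'
Start-Process -FilePath (Join-Path $PolarProxyDir 'PolarProxy.exe') -ArgumentList $polarArgs -WindowStyle Minimized
Start-Sleep -Seconds 3

# 2. Confirm every listener is up before pointing Proxifier or NetworkMiner at it
foreach ($port in 443, 1080, 8080, 10080, 57012) {
    if (-not (Test-NetConnection -ComputerName localhost -Port $port -InformationLevel Quiet)) {
        throw "PolarProxy is not listening on TCP $port"
    }
}

# 3. Trust PolarProxy's root CA so that TLS clients (curl.exe uses Schannel, i.e. the
#    Windows store) accept the re-signed server certificates. Only do this inside the
#    disposable sandbox, never on the host.
$cer = Join-Path $env:TEMP 'polarproxy.cer'
Invoke-WebRequest -Uri 'http://localhost:10080/polarproxy.cer' -OutFile $cer -UseBasicParsing
certutil.exe -addstore -f Root $cer | Out-Null

# 4a. SOCKS with plaintext HTTP: nothing to decrypt, but proves the SOCKS path end to end
$HttpUrl = $TestUrl -replace '^https:', 'http:'
curl.exe --silent --show-error --socks5-hostname localhost:1080 -o NUL -w "SOCKS/HTTP    %{http_code}`n" $HttpUrl

# 4b. SOCKS with HTTPS: PolarProxy terminates the TLS session and re-encrypts towards the server
curl.exe --silent --show-error --socks5-hostname localhost:1080 -o NUL -w "SOCKS/HTTPS   %{http_code}`n" $TestUrl

# 4c. HTTP CONNECT with HTTPS: same decryption, different proxy protocol
curl.exe --silent --show-error --proxy http://localhost:8080 -o NUL -w "CONNECT/HTTPS %{http_code}`n" $TestUrl

# 5. Show that the interception really happens: connect straight to the transparent
#    proxy on 443 with SNI set and print the issuer of the certificate it presents.
#    The callback accepts any certificate so the issuer is shown even if step 3 failed.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient('www.netresec.com')
"Issuer seen through transparent proxy: " + $ssl.RemoteCertificate.Issuer
$ssl.Dispose(); $tcp.Dispose()
```

All three curl calls should report HTTP 200, and the issuer printed in step 5 should be PolarProxy’s own root CA rather than the site’s real CA; a real issuer there means the connection bypassed the proxy. Once this works, point the Proxifier proxy entry at SOCKS5 localhost:1080 and let NetworkMiner connect to localhost:57012 via File > Receive PCAP over IP to see the decrypted flows arrive.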
Start Menu Search
As shown in the video, text typed into Windows’ start menu gets sent to Microsoft. For more information about this behavior, and how it can be disabled, check out our Start Menu Search video and blog post.
Posted by Erik Hjelmvik on Monday, 31 January 2022 09:50:00 (UTC/GMT)
Tags: #PolarProxy #NetworkMiner #SOCKS #proxy #Windows Sandbox #Sandbox #PCAP-over-IP #pcapoverip #Windows #TLS #HTTPS