ecapture v0.4 releases: capture SSL/TLS text content without CA cert
ecapture
Capture SSL/TLS text content without a CA cert, using eBPF. eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to kernel source code or loading kernel modules.
uprobe HOOK
openssl hook
eCapture hooks the SSL_write / SSL_read functions of the shared library /lib/x86_64-linux-gnu/libssl.so.1.1 with uprobes, reads the plaintext buffers there, and sends the messages to userspace through an eBPF map.
bash readline.so hook
Hooks the readline symbol of /bin/bash to capture the command line entered.
How eCapture works
- SSL/TLS text content capture, supporting the openssl, gnutls and nspr (nss) libraries.
- bash audit: capture bash commands for Host Security Audit.
- mysql query SQL audit, supporting mysqld 5.6 / 5.7 / 8.0 and MariaDB.
eCapture Architecture
Changelog v0.4
Note
Wireshark can open the output directly; there is no need to set up a Master Secrets file. Raw packets are captured by a Traffic Control eBPF filter, and the Master Secrets information is added into the pcapng file with a Decryption Secrets Block (DSB).
Warning
The loggerFile flag changed from -w to -l, because -w is reserved for Wireshark output and keeps the same meaning as -w for tcpdump. Use ecapture -h for help.
The master secrets filename changed from ecapture_masterkey_[pid].log to ecapture_masterkey.log.
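As an added illustration of what the changelog means by writing Master Secrets into the pcapng file with a Decryption Secrets Block (this is example code, not ecapture's own implementation), the following Python builds a minimal pcapng file in the block layout the pcapng specification defines (Section Header Block, Interface Description Block, a DSB carrying NSS key-log text, then one packet) and reads the key log back out while validating both length fields of every block. The key-log lines and the packet bytes are constructed sample data, not captured secrets.

```python
import struct

# pcapng block type codes and the TLS key-log secrets type, as defined in the
# pcapng specification (added example; not ecapture's code).
BLOCK_SHB = 0x0A0D0D0A  # Section Header Block
BLOCK_IDB = 0x00000001  # Interface Description Block
BLOCK_EPB = 0x00000006  # Enhanced Packet Block
BLOCK_DSB = 0x0000000A  # Decryption Secrets Block
SECRETS_TYPE_TLS_KEYLOG = 0x544C534B  # "TLSK": NSS key log format text
LINKTYPE_ETHERNET = 1


def _pad4(data: bytes) -> bytes:
    """Pad to a 32-bit boundary, as pcapng requires for variable-length fields."""
    return data + b"\x00" * (-len(data) % 4)


def _block(block_type: int, body: bytes) -> bytes:
    """Wrap a body in the generic block framing: type, length, body, length."""
    body = _pad4(body)
    total = 12 + len(body)  # 4 type + 4 length + body + 4 trailing length
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header_block() -> bytes:
    # byte-order magic, major 1, minor 0, section length -1 (unspecified), no options
    return _block(BLOCK_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))


def interface_description_block(linktype: int = LINKTYPE_ETHERNET, snaplen: int = 65535) -> bytes:
    # link type, reserved, snap length; no options
    return _block(BLOCK_IDB, struct.pack("<HHI", linktype, 0, snaplen))


def decryption_secrets_block(keylog: bytes) -> bytes:
    """A DSB carrying NSS key-log lines; a reader can use these instead of a separate key-log file."""
    body = struct.pack("<II", SECRETS_TYPE_TLS_KEYLOG, len(keylog)) + _pad4(keylog)
    return _block(BLOCK_DSB, body)


def enhanced_packet_block(packet: bytes, ts_usec: int, interface_id: int = 0) -> bytes:
    # interface id, timestamp high/low (microseconds, the default IDB resolution),
    # captured length, original length, then the packet bytes
    header = struct.pack("<IIIII", interface_id, ts_usec >> 32, ts_usec & 0xFFFFFFFF,
                         len(packet), len(packet))
    return _block(BLOCK_EPB, header + _pad4(packet))


def build_pcapng(keylog: bytes, packets) -> bytes:
    """SHB, IDB, DSB, then packets: the DSB must precede the packets it decrypts."""
    out = section_header_block() + interface_description_block() + decryption_secrets_block(keylog)
    for ts_usec, pkt in packets:
        out += enhanced_packet_block(pkt, ts_usec)
    return out


def iter_blocks(data: bytes):
    """Yield (block_type, body) for each block, validating both length fields."""
    off = 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        block_type, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length %d at offset %d" % (total, off))
        trailer, = struct.unpack_from("<I", data, off + total - 4)
        if trailer != total:
            raise ValueError("length mismatch at offset %d" % off)
        yield block_type, data[off + 8:off + total - 4]
        off += total


def extract_tls_keylog(data: bytes) -> bytes:
    """Concatenate the key-log text from every TLSK Decryption Secrets Block."""
    parts = []
    for block_type, body in iter_blocks(data):
        if block_type != BLOCK_DSB:
            continue
        secrets_type, length = struct.unpack_from("<II", body, 0)
        if secrets_type == SECRETS_TYPE_TLS_KEYLOG:
            parts.append(body[8:8 + length])
    return b"".join(parts)


# Constructed sample data: one TLS 1.2 line and one TLS 1.3 line in NSS key-log
# format with obviously fake hex, plus one 60-byte dummy frame.
KEYLOG = (b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\n"
          b"CLIENT_TRAFFIC_SECRET_0 " + b"33" * 32 + b" " + b"44" * 32 + b"\n")
PACKETS = [(1_700_000_000_000_000, bytes(range(60)))]

if __name__ == "__main__":
    pcap = build_pcapng(KEYLOG, PACKETS)
    with open("example_with_dsb.pcapng", "wb") as f:
        f.write(pcap)
    print("blocks:", [hex(t) for t, _ in iter_blocks(pcap)])
    print(extract_tls_keylog(pcap).decode())
```

The ordering in build_pcapng is deliberate: the specification expects a DSB to appear before the packets whose secrets it carries, so a tool that appends secrets as it learns them has to emit a new DSB ahead of the affected packets rather than one block at the end. The parser checks the trailing length against the leading one before trusting a block, which is how a truncated or corrupted capture is rejected instead of being silently misread.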
What’s Changed
- new feature: capture TLS 1.3 master secret by @cfc4n in #143
- user : echo String() or StringHex() by CLI argument. by @cfc4n in #149
- cli/cmd : clean up all probe while process exit. (#150) by @cfc4n in #151
- save as Pcapng files #145 by @cfc4n in #148
- user : Support writing pcapng files with Decryption Secrets Block (DSB). by @cfc4n in #153
🚀 Features
- new feature: capture TLS 1.3 master secret
- PR: #143
- save as Pcapng files #145
- PR: #148
- user : Support writing pcapng files with Decryption Secrets Block (DSB).
- PR: #153
🐛 Fixes
- user : echo String() or StringHex() by CLI argument.
- PR: #149
- cli/cmd : clean up all probe while process exit. (#150)
- PR: #151
How to compile
Linux Kernel: >= 4.18.
Tools
- golang 1.16
- gcc 10.3.0
- clang 12.0.0
- cmake 3.18.4
- clang backend: llvm 12.0.0
- pahole >= v1.13
- kernel config: CONFIG_DEBUG_INFO_BTF=y
Install
git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture
Use
Copyright (C) 2022 cfc4n