ecapture v0.4 releases: capture SSL/TLS text content without CA cert

ecapture

capture SSL/TLS text content without CA cert by eBPF. eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules.

uprobe HOOK

openssl hook

eCapture hookSSL_write \ SSL_read function of shared library /lib/x86_64-linux-gnu/libssl.so.1.1. get text context, and send message to userspace by eBPM map.

Probes: []*manager.Probe{
    {
        Section:          "uprobe/SSL_write",
        EbpfFuncName:     "probe_entry_SSL_write",
        AttachToFuncName: "SSL_write",
        //UprobeOffset:     0x386B0,
        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
    {
        Section:          "uretprobe/SSL_write",
        EbpfFuncName:     "probe_ret_SSL_write",
        AttachToFuncName: "SSL_write",
        //UprobeOffset:     0x386B0,
        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
    {
        Section:          "uprobe/SSL_read",
        EbpfFuncName:     "probe_entry_SSL_read",
        AttachToFuncName: "SSL_read",
        //UprobeOffset:     0x38380,
        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
    {
        Section:          "uretprobe/SSL_read",
        EbpfFuncName:     "probe_ret_SSL_read",
        AttachToFuncName: "SSL_read",
        //UprobeOffset:     0x38380,
        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
    /**/
},

bash readline.so hook

hook /bin/bash readline symbol name.

Changelog v0.4

Note

Support Wireshark to open directly. Do not need to setting up Master Secrets files.

Capture raw packet by Traffic Control eBPF filter. Added Master Secrets information into pcapng
with Decryption Secrets Block (DSB).

Warning

change loggerFile flag as -l from -w , because -w is reserved for Wireshark, and keep same as -w
for tcpdump. use ecapture -h for help.
change master secrets filename from ecapture_masterkey_[pid].log to ecapture_masterkey.log.

What’s Changed

• new feature: capture TLS 1.3 master secret by @cfc4n in #143
• user : echo String() or StringHex() by CLI argument. by @cfc4n in #149
• cli/cmd : clean up all probe while process exit. (#150) by @cfc4n in #151
• save as Pcapng files #145 by @cfc4n in #148
• user : Support writing pcapng files with Decryption Secrets Block (DSB). by @cfc4n in #153

🚀 Features

• new feature: capture TLS 1.3 master secret
  • PR: #143
• save as Pcapng files #145
  • PR: #148
• user : Support writing pcapng files with Decryption Secrets Block (DSB).
  • PR: #153

🐛 Fixes

• user : echo String() or StringHex() by CLI argument.
  • PR: #149
• cli/cmd : clean up all probe while process exit. (#150)
  • PR: #151

How to compile

Linux Kernel: >= 4.18.

Tools

• golang 1.16
• gcc 10.3.0
• clang 12.0.0
• cmake 3.18.4
• clang backend: llvm 12.0.0
• pahole >= v1.13
• kernel config:CONFIG_DEBUG_INFO_BTF=y

Install

git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture

bash readline.so hook

hook /bin/bash readline symbol name.

Use

Copyright (C) 2022 cfc4n