peetch v0.2 releases: bypass TLS protocol protections
peetch is a collection of tools aimed at experimenting with different aspects of eBPF to bypass TLS protocol protections.
Currently, peetch includes two subcommands. The first called dump aims to sniff network traffic by associating information about the source process with each packet. The second called tls allows to identify processes using OpenSSL to extract cryptographic keys.
Combined, these two commands make it possible to decrypt TLS exchanges recorded in the PCAPng format.
- proxy added
git clone https://github.com/quarkslab/peetch.git
docker build -t quarkslab/peetch .
Commands Walk Through
The following examples assume that you used the following command to enter the Docker image and launch examples within it:
docker run –privileged –network host –mount type=bind,source=/sys,target=/sys –mount type=bind,source=/proc,target=/proc –rm -it quarkslab/peetch
This sub-command gives you the ability to sniff packets using an eBPF TC classifier and to retrieve the corresponding PID and process names with:
Note that for demonstration purposes, the dump will only capture IPv4-based TCP segments.
For convenience, the captured packets can be stored to PCAPng along with process information using –write:
peetch dump –write peetch.pcapng
This PCAPng can easily be manipulated with Wireshark or Scapy:
>>> l = rdpcap(“peetch.pcapng”)
<Ether dst=00:1c:42:00:00:18 src=00:1c:42:54:f3:34 type=IPv4 |<IP version=4 ihl=5 tos=0x0 len=60 id=11088 flags=DF frag=0 ttl=64 proto=tcp chksum=0x4bb1 src=10.211.55.10 dst=22.214.171.124 |<TCP sport=53054 dport=https seq=631406526 ack=0 dataofs=10 reserved=0 flags=S window=64240 chksum=0xc3e9 urgptr=0 options=[(‘MSS’, 1460), (‘SAckOK’, b”), (‘Timestamp’, (1272423534, 0)), (‘NOP’, None), (‘WScale’, 7)] |<Padding load=’\x00\x00′ |>>>>
This sub-command aims at identifying a process that uses OpenSSl and makes it is to dump several things like plaintext and secrets.
By default, peetch tls will only display one line per process, the –directions argument makes it possible to display the messages of the exchange:
peetch tls –directions
<- curl (1291078) 126.96.36.199/443 TLS1.2 ECDHE-RSA-AES128-GCM-SHA256
> curl (1291078) 188.8.131.52/443 TLS1.-1 ECDHE-RSA-AES128-GCM-SHA256
Displaying OpenSSL buffer content is achieved with –content.
The –secrets arguments will display TLS Master Secrets extracted from memory. The following example leverages –write to write master secrets to discuss to simplify decrypting TLS messages with Scapy:
By design, peetch only supports OpenSSL and TLS 1.2. The default offsets for OpenSSL structures assume that you are using the 1.1.1f-1ubuntu2.13 on arm64. However, they can easily be changed using command line arguments.
Copyright (C) 2022 quarkslab