Capturing SSL/TLS plaintext without a CA certificate using eBPF

Introduction

Supported on Linux/Android kernels x86_64 4.18 and later and aarch64 5.5 and later. Root privileges are required. Windows and macOS are not supported.

- SSL/TLS plaintext capture, supporting the openssl, libressl, boringssl, gnutls and nspr (nss) libraries.
- GoTLS plaintext capture supports Go's tls library, that is, https/tls programs written in Go that communicate over encrypted connections.
- Bash auditing: captures bash commands for host security auditing.
- Zsh auditing: captures zsh commands for host security auditing.
- MySQL query auditing, supporting mysqld 5.6/5.7/8.0 and MariaDB.
Capturing openssl plaintext
```text
sudo ecapture tls
2024-09-15T11:51:31Z INF AppName="eCapture(旁观者)"
2024-09-15T11:51:31Z INF HomePage=https://ecapture.cc
2024-09-15T11:51:31Z INF Repository=https://github.com/gojue/ecapture
2024-09-15T11:51:31Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-15T11:51:31Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-15T11:51:31Z INF Version=linux_arm64:0.8.6-20240915-d87ae48:5.15.0-113-generic
2024-09-15T11:51:31Z INF Listen=localhost:28256
2024-09-15T11:51:31Z INF eCapture running logs logger=
2024-09-15T11:51:31Z INF the file handler that receives the captured event eventCollector=
2024-09-15T11:51:31Z INF listen=localhost:28256
2024-09-15T11:51:31Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-15T11:51:31Z WRN ========== module starting. ==========
2024-09-15T11:51:31Z INF Kernel Info=5.15.152 Pid=233698
2024-09-15T11:51:31Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-15T11:51:31Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-15T11:51:31Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-15T11:51:31Z INF Module.Run()
2024-09-15T11:51:31Z WRN OpenSSL/BoringSSL version not found from shared library file, used default version OpenSSL Version=linux_default_3_0
2024-09-15T11:51:31Z INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/usr/lib/aarch64-linux-gnu/libssl.so.3
2024-09-15T11:51:31Z INF target all process.
2024-09-15T11:51:31Z INF target all users.
2024-09-15T11:51:31Z INF setupManagers eBPFProgramType=Text
2024-09-15T11:51:31Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_0_0_kern_core.o
2024-09-15T11:51:32Z INF perfEventReader created mapSize(MB)=4
2024-09-15T11:51:32Z INF perfEventReader created mapSize(MB)=4
2024-09-15T11:51:32Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-15T11:51:53Z ??? UUID:233851_233851_curl_5_1_172.16.71.1:51837, Name:HTTP2Request, Type:2, Length:304
Frame Type => SETTINGS
Frame Type => WINDOW_UPDATE
Frame Type => HEADERS
header field ":method" = "GET"
header field ":path" = "/"
header field ":scheme" = "https"
header field ":authority" = "google.com"
header field "user-agent" = "curl/7.81.0"
header field "accept" = "*/*"
Frame Type => SETTINGS
2024-09-15T11:51:53Z ??? UUID:233851_233851_curl_5_0_172.16.71.1:51837, Name:HTTP2Response, Type:4, Length:1160
Frame Type => SETTINGS
Frame Type => WINDOW_UPDATE
Frame Type => SETTINGS
Frame Type => HEADERS
header field ":status" = "301"
header field "location" = "https://www.google.com/"
header field "content-type" = "text/html; charset=UTF-8"
header field "content-security-policy-report-only" = "object-src 'none';base-uri 'self';script-src 'nonce-qvZZ0XreBfeqRnUEV1WoYw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp"
header field "date" = "Sun, 15 Sep 2024 11:51:52 GMT"
header field "expires" = "Tue, 15 Oct 2024 11:51:52 GMT"
header field "cache-control" = "public, max-age=2592000"
header field "server" = "gws"
header field "content-length" = "220"
header field "x-xss-protection" = "0"
header field "x-frame-options" = "SAMEORIGIN"
header field "alt-svc" = "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
Frame Type => PING
Frame Type => DATA
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="https://www.google.com/">here</A>.</BODY></HTML>
```
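The text-mode output above is an event header line (UUID, Name, Type, Length) followed by frame and header-field lines for that event. The parser below is an added example, not code from eCapture or the original post: it turns a constructed sample in that shape into one record per event and runs the kind of check a host-audit pipeline would apply to this output, listing requests whose `:authority` is not on an allow-list. It assumes the fifth UUID field is a direction flag, which the sample above suggests (it differs between request and response) but the page does not state.

```python
import re

# Constructed sample in the shape of eCapture's text-mode output (not a real capture).
SAMPLE = """\
2024-09-15T11:51:53Z ??? UUID:233851_233851_curl_5_1_172.16.71.1:51837, Name:HTTP2Request, Type:2, Length:304
Frame Type => SETTINGS
Frame Type => HEADERS
header field ":method" = "GET"
header field ":path" = "/"
header field ":authority" = "google.com"
2024-09-15T11:51:53Z ??? UUID:233851_233851_curl_5_0_172.16.71.1:51837, Name:HTTP2Response, Type:4, Length:1160
Frame Type => HEADERS
header field ":status" = "301"
header field "location" = "https://www.google.com/"
Frame Type => DATA
<HTML><HEAD><TITLE>301 Moved</TITLE></HEAD></HTML>
"""

# UUID layout pid_tid_comm_fd_dir_peer; "dir" is assumed to be a direction flag, being
# the only field that differs between the request and the response in the sample.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ UUID:(?P<pid>\d+)_(?P<tid>\d+)_(?P<comm>.+?)_(?P<fd>\d+)_(?P<dir>\d)_"
    r"(?P<peer>\S+), Name:(?P<name>\w+), Type:(?P<type>\d+), Length:(?P<length>\d+)$")
HEADER_RE = re.compile(r'^header field "(?P<k>[^"]+)" = "(?P<v>.*)"$')
FRAME_PREFIX = "Frame Type => "

def parse_events(text):
    """Group eCapture text-mode lines into one dict per UUID header line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = {k: m[k] for k in ("ts", "comm", "peer", "name")}
            ev.update(pid=int(m["pid"]), fd=int(m["fd"]), length=int(m["length"]),
                      frames=[], headers={}, body="")
            events.append(ev)
        elif not events:
            continue  # stray line before the first event header
        elif line.startswith(FRAME_PREFIX):
            events[-1]["frames"].append(line[len(FRAME_PREFIX):])
        elif (h := HEADER_RE.match(line)):
            events[-1]["headers"][h["k"]] = h["v"]
        elif events[-1]["frames"] and events[-1]["frames"][-1] == "DATA":
            events[-1]["body"] += line  # payload lines following a DATA frame
    return events

def requests_outside_allowlist(events, allowed_hosts):
    """Audit check: (comm, pid, authority) for requests to hosts not on the allow-list."""
    return [(e["comm"], e["pid"], e["headers"].get(":authority")) for e in events
            if e["name"].endswith("Request") and e["headers"].get(":authority") not in allowed_hosts]
```

Feed it the stdout of `ecapture tls` (text mode) instead of `SAMPLE` to audit a live host; the per-event `pid`, `comm` and `peer` fields identify which process talked to which endpoint.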
The eCapture tool contains 8 modules, supporting plaintext capture for TLS/SSL libraries such as OpenSSL, GnuTLS, NSPR, BoringSSL and GoTLS. It also helps with software auditing of Bash, MySQL and PostgreSQL applications.

- bash: captures bash commands.
- zsh: captures zsh commands.
- gnutls: captures gnutls plaintext without a CA certificate for the gnutls library.
- gotls: captures the plaintext communication of Go programs that use TLS/HTTPS encryption.
- mysqld: captures SQL queries from mysqld 5.6/5.7/8.0.
- nss: captures nss/nspr encrypted plaintext without a CA certificate for the nss/nspr library.
- postgres: captures SQL queries from postgres 10+.
- tls: captures tls/ssl plaintext without a CA certificate (supports openssl 1.0.x/1.1.x/3.0.x or newer).

You can run `ecapture -h` to list the subcommands.
By default, eCapture reads `/etc/ld.so.conf` to find the directories from which shared objects (SO files) are loaded and searches them for the openssl shared library. Alternatively, you can set the shared library path with the `--libssl` flag. If the target program is statically compiled, pass the program's own path as the value of `--libssl`.
The OpenSSL module supports three capture modes: `pcap`/`pcapng` mode stores the captured plaintext in pcap-NG format; `keylog`/`key` mode saves the TLS handshake keys to a file; `text` mode captures the plaintext directly and writes it to a specified file or prints it on the command line. TLS-encrypted HTTP 1.0/1.1/2.0 over TCP and HTTP/3 over QUIC/UDP are supported. You can specify `-m pcap` or `-m pcapng` and combine it with the `--pcapfile` and `-i` parameters. The default value of `--pcapfile` is `ecapture_openssl.pcapng`.

```shell
sudo ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443
```

This command saves the captured plaintext packets to a pcapng file, which can be opened in Wireshark.
```text
sudo ecapture tls -m pcap -w ecap.pcapng -i ens160
2024-09-15T06:54:12Z INF AppName="eCapture(旁观者)"
2024-09-15T06:54:12Z INF HomePage=https://ecapture.cc
2024-09-15T06:54:12Z INF Repository=https://github.com/gojue/ecapture
2024-09-15T06:54:12Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-15T06:54:12Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-15T06:54:12Z INF Version=linux_arm64:0.8.6-20240915-d87ae48:5.15.0-113-generic
2024-09-15T06:54:12Z INF Listen=localhost:28256
2024-09-15T06:54:12Z INF eCapture running logs logger=
2024-09-15T06:54:12Z INF the file handler that receives the captured event eventCollector=
2024-09-15T06:54:12Z WRN ========== module starting. ==========
2024-09-15T06:54:12Z INF Kernel Info=5.15.152 Pid=230440
2024-09-15T06:54:12Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-15T06:54:12Z INF listen=localhost:28256
2024-09-15T06:54:12Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-15T06:54:12Z INF Module.Run()
2024-09-15T06:54:12Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-15T06:54:12Z WRN OpenSSL/BoringSSL version not found from shared library file, used default version OpenSSL Version=linux_default_3_0
2024-09-15T06:54:12Z INF HOOK type:Openssl elf ElfType=2 IFindex=2 IFname=ens160 PcapFilter= binrayPath=/usr/lib/aarch64-linux-gnu/libssl.so.3
2024-09-15T06:54:12Z INF Hook masterKey function Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2024-09-15T06:54:12Z INF target all process.
2024-09-15T06:54:12Z INF target all users.
2024-09-15T06:54:12Z INF setupManagers eBPFProgramType=PcapNG
2024-09-15T06:54:12Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_0_0_kern_core.o
2024-09-15T06:54:12Z INF packets saved into pcapng file. pcapng path=/home/ecapture/ecap.pcapng
2024-09-15T06:54:12Z INF perfEventReader created mapSize(MB)=4
2024-09-15T06:54:12Z INF perfEventReader created mapSize(MB)=4
2024-09-15T06:54:12Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-15T06:54:14Z INF packets saved into pcapng file. count=4
2024-09-15T06:54:16Z INF non-TLSv1.3 cipher suite found CLientRandom=f08e8d784962d1693c042f9fe266345507ccfaba58b823904a357f30dbfa1e71 CipherId=0
2024-09-15T06:54:16Z INF non-TLSv1.3 cipher suite found CLientRandom=f08e8d784962d1693c042f9fe266345507ccfaba58b823904a357f30dbfa1e71 CipherId=0
2024-09-15T06:54:16Z INF packets saved into pcapng file. count=183
2024-09-15T06:54:16Z INF CLIENT_RANDOM save success CLientRandom=f08e8d784962d1693c042f9fe266345507ccfaba58b823904a357f30dbfa1e71 TlsVersion=TLS1_2_VERSION bytes=176
2024-09-15T06:54:18Z INF packets saved into pcapng file. count=65
^C2024-09-15T06:54:18Z INF module close.
2024-09-15T06:54:18Z INF packets saved into pcapng file. count=3
2024-09-15T06:54:18Z INF packets saved into pcapng file. count=255
2024-09-15T06:54:18Z INF Module closed,message recived from Context
2024-09-15T06:54:18Z INF iModule module close
2024-09-15T06:54:18Z INF bye bye.
```
You can specify `-m keylog` or `-m key` and combine it with the `--keylogfile` parameter, which defaults to `ecapture_masterkey.log`. The captured OpenSSL TLS Master Secret is saved to the file given by `--keylogfile`. You can also capture packets with tcpdump at the same time, then open the capture in Wireshark and set the Master Secret file path to view the plaintext packets.

```shell
sudo ecapture tls -m keylog --keylogfile=openssl_keylog.log
```

You can also use tshark to decrypt and display the traffic in real time:

```shell
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http -T fields -e http.file_data -f "port 443" -i eth0
```
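Before handing the key log to Wireshark or tshark it is worth checking what is in it: the file is in the NSS key log format (one `LABEL client_random secret` line per secret), it contains session secrets and must be protected like key material, and a TLS 1.3 session is only decryptable when both handshake and both application traffic secrets were captured for it. The checker below is an added example, not code from eCapture or the original post; its key log sample is constructed, reusing the ClientRandom printed in the pcap-mode log above with placeholder secret values.

```python
import re
from collections import defaultdict
# Labels of the NSS key log format that eCapture's keylog mode writes and Wireshark reads.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
# Secrets Wireshark needs to decrypt both directions of a TLS 1.3 session.
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
LINE_RE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

CR12 = "f08e8d784962d1693c042f9fe266345507ccfaba58b823904a357f30dbfa1e71"  # ClientRandom from the log above
CR13 = "11" * 32                                                                # constructed
# Constructed sample file; the secret values are placeholders, not real key material.
SAMPLE = "\n".join([
    "# constructed keylog sample",
    f"CLIENT_RANDOM {CR12} {'ab' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR13} {'c1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR13} {'c2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR13} {'c3' * 32}",
    f"CLIENT_RANDOM {'22' * 32} {'ab' * 20}",  # truncated master secret: must be rejected
    "garbage line",
])

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(line_no, bad_line), ...])."""
    sessions, rejected = defaultdict(dict), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m[1] not in TLS12_LABELS | TLS13_LABELS:
            rejected.append((n, line))
            continue
        label, crand, secret = m.groups()
        # CLIENT_RANDOM carries the 48-byte master secret; TLS 1.3 secrets are the
        # cipher suite's hash size, 32 bytes (SHA-256) or 48 bytes (SHA-384).
        if len(secret) not in ({96} if label == "CLIENT_RANDOM" else {64, 96}):
            rejected.append((n, line))
            continue
        sessions[crand.lower()][label] = secret.lower()
    return dict(sessions), rejected

def session_status(secrets):
    """(TLS version, decryptable?) for one session's {label: secret} mapping."""
    if "CLIENT_RANDOM" in secrets:
        return "TLS1.2", True
    return "TLS1.3", TLS13_REQUIRED.issubset(secrets)
```

Run `parse_keylog` over the contents of `ecapture_masterkey.log` and report any rejected lines and any TLS 1.3 sessions whose status is not decryptable; those are the sessions tshark will still show as encrypted.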
Project links

GitHub: https://github.com/gojue/ecapture

Direct download link:
https://lp.lmboke.com/ecapture-master.zip

Disclaimer

This article is intended for technical discussion and learning only. Any direct or indirect consequences or losses arising from the use of the information provided here are the sole responsibility of the user; neither this platform nor the publisher assumes any liability for them.