Ecapture – Capture SSL/TLS Text Content Without CA Cert By eBPF

April 22, 2022

How eCapture works

  • SSL/TLS text context capture, support opensslgnutlsnspr(nss) libraries.
  • bash audit,

    eCapture User Manual

    Getting started

    use ELF binary file

    Download ELF zip file release , unzip and use by command ./ecapture --help.

    • Linux kernel version >= 4.18
    • Enable BTF BPF Type Format (BTF) (Optional, 2022-04-17)

    check your server BTF configļ¼š

    grep CONFIG_DEBUG_INFO_BTF CONFIG_DEBUG_INFO_BTF=y”>

    cfc4n@vm-server:~$# uname -r
    4.18.0-305.3.1.el8.x86_64
    cfc4n@vm-server:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF
    CONFIG_DEBUG_INFO_BTF=y

    tls command

    capture tls text context. Step 1:

    ./ecapture tls --hex

    Step 2:

    curl https://github.com

    bash command

    capture bash command.

    ps -ef | grep foo

    What’s eBPF

    eBPF

    uprobe HOOK

    openssl hook

    eCapture hookSSL_write SSL_read function of shared library /lib/x86_64-linux-gnu/libssl.so.1.1. get text context, and send message to user space by eBPM map.

    Probes: []*manager.Probe{
        {
            Section:          "uprobe/SSL_write",
            EbpfFuncName:     "probe_entry_SSL_write",
            AttachToFuncName: "SSL_write",
            //UprobeOffset:     0x386B0,
            BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
        },
        {
            Section:          "uretprobe/SSL_write",
            EbpfFuncName:     "probe_ret_SSL_write",
            AttachToFuncName: "SSL_write",
            //UprobeOffset:     0x386B0,
            BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
        },
        {
            Section:          "uprobe/SSL_read",
            EbpfFuncName:     "probe_entry_SSL_read",
            AttachToFuncName: "SSL_read",
            //UprobeOffset:     0x38380,
            BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
        },
        {
            Section:          "uretprobe/SSL_read",
            EbpfFuncName:     "probe_ret_SSL_read",
            AttachToFuncNa   me: "SSL_read",
            //UprobeOffset:     0x38380,
            BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
        },
        /**/
    },

    bash readline.so hook

    hook /bin/bash readline symbol name.

    How to compile

    Linux Kernel: >= 4.18.

    Tools

    • golang 1.16
    • gcc 10.3.0
    • clang 9.0.0
    • cmake 3.18.4
    • clang backend: llvm 9.0.0
    • pahole >= v1.13
    • kernel config:CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)

    command

    git clone [email protected]:ehids/ecapture.git
    cd ecapture
    make
    bin/ecapture --help

    compile without BTF

    eCapture support NO BTF with command make nocore to compile on 2022/04/17.

    make nocore
    bin/ecapture --help

    Contributing

    See CONTRIBUTING for details on submitting patches and the contribution workflow.

    Download Ecapture

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source

You may have missed

unlock membership

Fortifying the Backbone: Cybersecurity for Critical Infrastructure

November 15, 2024
news

Bank of England U-Turns on Critical Third Party Vulnerability Disclosure Rules

November 15, 2024
news

Sitting Ducks DNS Attacks Threaten Over 1 Million Global Domains

November 15, 2024
news

API Security Threats: 83% of Companies Experience Security Incidents

November 15, 2024
news

Microsoft Power Pages: Misconfiguration Risks and Data Exposure

November 15, 2024