eCapture(旁观者): capture SSL/TLS text content without a CA certificate using eBPF.
Note:
Supports Linux/Android kernel versions x86_64 4.18 and above, aarch64 5.5 and above.
Requires ROOT permission.
Does not support Windows and macOS systems.
Introduction
- SSL/TLS plaintext capture, supporting the openssl\libressl\boringssl\gnutls\nspr(nss) libraries.
- GoTLS plaintext capture, supporting the Go tls library, i.e. encrypted communication in https/tls programs written in the Go language.
- bash audit: captures bash commands for host security audit.
- mysql query SQL audit, supporting mysqld 5.6\5.7\8.0 and MariaDB.
Getting started
Download
ELF binary file
Note
Supports Linux/Android x86_64/aarch64.
Download the ELF zip file from the release, unzip it, and use it with the command `sudo ecapture --help`.
Docker image
Note
Linux only.
See Docker Hub for more information.
Capture openssl text content.
Modules
The eCapture tool comprises 8 modules that respectively support plaintext capture for TLS/SSL encryption libraries like OpenSSL, GnuTLS, NSPR, BoringSSL, and GoTLS. Additionally, it facilitates software audits for Bash, MySQL, and PostgreSQL applications.
- bash capture bash command
- gnutls capture gnutls text content without CA cert for gnutls libraries.
- gotls Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS.
- mysqld capture sql queries from mysqld 5.6/5.7/8.0.
- nss capture nss/nspr encrypted text content without CA cert for nss/nspr libraries.
- postgres capture sql queries from postgres 10+.
- tls use to capture tls/ssl text content without CA cert. (Support openssl 1.0.x/1.1.x/3.0.x or newer).
You can use `ecapture -h` to view the list of subcommands.
OpenSSL Module
eCapture searches the /etc/ld.so.conf file by default to find the shared-library load directories and locate the openssl shared library. Alternatively, you can use the `--libssl` flag to set the shared library path.
If the target program is compiled statically, you can pass the program path directly as the `--libssl` flag value.
The OpenSSL module supports three capture modes:
- `pcap`/`pcapng` mode stores captured plaintext data in pcap-NG format.
- `keylog`/`key` mode saves the TLS handshake keys to a file.
- `text` mode directly captures plaintext data, either writing it to a specified file or printing it to the command line.
Pcap Mode
Supports TLS-encrypted http 1.0/1.1/2.0 over TCP, and the http3 QUIC protocol over UDP.
You can specify `-m pcap` or `-m pcapng` and use it in conjunction with the `--pcapfile` and `-i` parameters. The default value for `--pcapfile` is `ecapture_openssl.pcapng`.
Use Wireshark to open the `ecap.pcapng` file to view the plaintext data packets.
This command saves captured plaintext data packets as a pcapng file, which can be viewed using Wireshark.
Keylog Mode
You can specify `-m keylog` or `-m key` and use it in conjunction with the `--keylogfile` parameter, which defaults to `ecapture_masterkey.log`.
The captured OpenSSL TLS Master Secret information is saved to `--keylogfile`. You can also enable tcpdump packet capture, then use Wireshark to open the capture file and set the Master Secret path to view plaintext data packets.
You can also directly use the tshark software for real-time decryption and display:
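Before handing a key log to Wireshark or tshark it is worth checking that it is well formed, since a truncated or partly written line silently leaves that session undecrypted. The following added example (not code from the eCapture project) assumes the file is in the NSS Key Log format that Wireshark reads, validates each line, and groups the secrets per TLS session; the sample file content is constructed, not a real capture.

```python
"""Validate an SSL key log (NSS Key Log format) and group it per TLS session."""
import re

# NSS Key Log labels: a TLS 1.2 session yields one CLIENT_RANDOM line carrying the
# 48-byte master secret; a TLS 1.3 session yields one line per traffic secret.
LABELS = {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
          "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
          "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
# <label> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return (entries, errors); each entry is (label, client_random, secret)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Wireshark ignores blank and comment lines, so do we
        match = LINE_RE.match(line)
        if match is None:
            errors.append((lineno, "malformed line"))
            continue
        label, client_random, secret = match.groups()
        if label not in LABELS:
            errors.append((lineno, "unknown label " + label))
        elif label == "CLIENT_RANDOM" and len(secret) != 96:
            errors.append((lineno, "master secret must be 48 bytes"))
        else:
            entries.append((label, client_random.lower(), secret.lower()))
    return entries, errors

def sessions(entries):
    """Group secrets by client random: one TLS session per client random."""
    by_session = {}
    for label, client_random, secret in entries:
        by_session.setdefault(client_random, {})[label] = secret
    return by_session

# Constructed sample (not a real capture): one TLS 1.2 session, one TLS 1.3
# session, and a truncated last line such as an aborted run can leave behind.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "33" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "44" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "55" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "66" * 32,
    "CLIENT_RANDOM deadbeef",
])
```

Run `parse_keylog` over the contents of your `--keylogfile`; every entry in `errors` is a session Wireshark will not be able to decrypt.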
Text Mode
`sudo ecapture tls -m text` will output all plaintext data packets. (Starting from v0.7.0, it no longer captures SSLKEYLOG information.)
GoTLS Module
Similar to the OpenSSL module.
Check your server BTF config:
gotls command
Capture tls text content.
Step 1:
Step 2:
more help
Other Modules
For other modules such as bash\mysqld\postgres, you can use `ecapture -h` to view the list of subcommands.
Videos
- Youtube video: How to use eCapture v0.1.0
- eCapture: supports capturing plaintext of Golang TLS/HTTPS traffic
Stargazers over time
Contributing
See CONTRIBUTING for details on submitting patches and the contribution workflow.
Compilation
See COMPILATION for details on compiling the eCapture source code.