Capture SSL/TLS plaintext without a CA certificate using eBPF. Supports Linux/Android on x86_64 and aarch64.
Note
Supports Linux/Android kernels x86_64 4.18 and above, aarch64 5.5 and above. Windows and macOS are not supported.
YouTube video: How to use eCapture v0.1.0
Download the ELF zip file from the release page, unzip it and run ./ecapture --help.
Note
Requires root privileges.
By default eCapture reads /etc/ld.so.conf to find the shared-library search directories and looks for the OpenSSL shared library there. You can also use the --libssl flag to set the shared library path explicitly.
If the target program is statically linked, pass the program's path as the --libssl value directly.
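To make the default lookup above concrete, the following shell script is an added example for this page (not eCapture's own code, which does the equivalent internally). ld_search_dirs walks an ld.so.conf file, following its include lines (globs allowed, relative patterns resolved against the directory of the conf file, as ld.so does), and prints each library directory; find_libssl then returns the first libssl shared object found in those directories or in the trusted /lib and /usr/lib directories. The function names and the --find usage flag are ours.

```shell
#!/bin/sh
# Added example (not part of eCapture): reproduce the default libssl lookup
# described on this page. Directory names containing newlines are not handled.

# Print every library directory reachable from the given ld.so.conf, one per line.
ld_search_dirs() {
    local conf="$1" confdir line pat inc
    [ -r "$conf" ] || return 0
    confdir=$(dirname "$conf")
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # drop comments
        set -f; set -- $line; set +f        # split on whitespace, no globbing yet
        [ $# -eq 0 ] && continue
        if [ "$1" = "include" ]; then
            shift
            for pat in "$@"; do
                # relative include patterns are resolved against the conf's directory
                case "$pat" in /*) ;; *) pat="$confdir/$pat" ;; esac
                for inc in $pat; do         # glob expansion happens here
                    [ -f "$inc" ] && ld_search_dirs "$inc"
                done
            done
        else
            printf '%s\n' "$1"
        fi
    done < "$conf"
    return 0
}

# Print the first libssl shared object found (search dirs, then /lib and /usr/lib);
# return 1 if none is found, which is when --libssl must be given explicitly.
find_libssl() {
    local conf="${1:-/etc/ld.so.conf}" found
    found=$(
        { ld_search_dirs "$conf"; printf '/lib\n/usr/lib\n'; } |
        while IFS= read -r dir; do
            for cand in "$dir"/libssl.so.[0-9]* "$dir"/libssl.so; do
                if [ -f "$cand" ]; then printf '%s\n' "$cand"; exit 0; fi
            done
        done
    )
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# When run directly (sh find_libssl.sh --find [conf]): print the library eCapture
# would pick up, or say that --libssl is needed.
if [ "${1:-}" = "--find" ]; then
    if lib=$(find_libssl "${2:-/etc/ld.so.conf}"); then
        echo "libssl: $lib"
    else
        echo "no libssl found via ld.so.conf; pass --libssl <path to libssl.so or static binary>" >&2
        exit 1
    fi
fi
```

If the script reports nothing, the target is usually either statically linked or uses a libssl outside the ld.so search path (a vendored copy next to the binary, for example), and the --libssl flag is the right fix.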
The eCapture tool comprises 8 modules that respectively support plaintext capture for TLS/SSL encryption libraries like OpenSSL, GnuTLS, NSPR, BoringSSL, and GoTLS. Additionally, it facilitates software audits for Bash, MySQL, and PostgreSQL applications.
Run ecapture -h to view the list of subcommands.
The OpenSSL module supports three capture modes:
pcap/pcapng mode stores the captured plaintext in pcap-NG format.
keylog/key mode saves the TLS handshake keys to a file.
text mode captures plaintext directly, either writing it to a specified file or printing it on the command line.
For pcap mode, specify -m pcap or -m pcapng together with the --pcapfile and -i parameters. The default value of --pcapfile is ecapture_openssl.pcapng.
./ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443
This command saves the captured plaintext packets as a pcapng file, which can be opened in Wireshark.
For keylog mode, specify -m keylog or -m key together with the --keylogfile parameter, which defaults to ecapture_masterkey.log.
The captured OpenSSL TLS master secrets are written to the --keylogfile path. You can capture the encrypted traffic with tcpdump at the same time, then open the capture in Wireshark and set the (Pre)-Master-Secret log filename to this key log file to view the decrypted packets.
./ecapture tls -m keylog --keylogfile=openssl_keylog.log
You can also use tshark to decrypt and display the traffic in real time, pointing tls.keylog_file at the file eCapture writes (here the default ecapture_masterkey.log):
tshark -o tls.keylog_file:ecapture_masterkey.log -Y http -T fields -e http.file_data -f "port 443" -i eth0
./ecapture tls -m text
outputs all plaintext packets. (Starting from v0.7.0, text mode no longer captures SSLKEYLOG information.)
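Wireshark and tshark only decrypt sessions whose key log lines are well formed, and a single malformed line is easy to miss in a large file. The script below is an added example for this page (not part of eCapture) that validates a key log in the NSS key log format Wireshark reads: one record per line, a label, the 32-byte client random as 64 hex characters, and the secret as hex (48 bytes for CLIENT_RANDOM master secrets; 32 or 48 bytes, the hash length, for the TLS 1.3 traffic-secret labels). It reports the number of valid and malformed lines and the number of distinct sessions, and exits non-zero if anything is malformed. The function name keylog_check is ours; the sample file in the usage is constructed.

```shell
#!/bin/sh
# Added example (not part of eCapture): validate an NSS-format key log before
# feeding it to Wireshark/tshark via tls.keylog_file.

# keylog_check <file>
# Prints "<valid> <invalid> <sessions>" on stdout, one "bad line N: ..." per
# malformed line on stderr, and returns 1 if any line is malformed.
keylog_check() {
    awk '
        function ishex(s) { return s ~ /^[0-9a-fA-F]+$/ }
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments are allowed
        {
            ok = 0
            if (NF == 3 && ishex($2) && length($2) == 64 && ishex($3)) {
                if ($1 == "CLIENT_RANDOM")
                    ok = (length($3) == 96)    # 48-byte TLS <= 1.2 master secret
                else if ($1 ~ /^(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET)$/)
                    ok = (length($3) == 64 || length($3) == 96)   # SHA-256 / SHA-384
            }
            if (ok) { valid++; seen[$2] = 1 }
            else    { invalid++; printf "bad line %d: %s\n", NR, $0 > "/dev/stderr" }
        }
        END {
            n = 0; for (k in seen) n++
            printf "%d %d %d\n", valid, invalid, n
            exit (invalid > 0)
        }
    ' "$1"
}

# Usage: sh keylog_check.sh ecapture_masterkey.log
if [ $# -eq 1 ]; then
    if keylog_check "$1"; then
        echo "key log OK; use it with: tshark -o tls.keylog_file:$1 -Y http -T fields -e http.file_data -f \"port 443\" -i eth0"
    else
        exit 1
    fi
fi
```

Run it on the key log eCapture produced before blaming Wireshark for undecrypted sessions; a session count that is lower than the number of TLS connections in the pcap usually means the capture was started after those handshakes.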
The GnuTLS and NSPR modules are used the same way as the OpenSSL module.
Check that the kernel is new enough and was built with BTF (CONFIG_DEBUG_INFO_BTF=y):
cfc4n@vm-server:~$# uname -r
4.18.0-305.3.1.el8.x86_64
cfc4n@vm-server:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF=y
Capture TLS plaintext from a Go program with the GoTLS module.
Step 1: start eCapture against the target binary (here a sample HTTPS client); --hex prints the captured data hex-encoded:
./ecapture gotls --elfpath=/home/cfc4n/go_https_client --hex
Step 2: run the target program in another shell:
/home/cfc4n/go_https_client
Run ./ecapture gotls -h to see all options of the GoTLS module.
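The kernel-version, BTF and root requirements stated on this page are easy to get wrong on a new host, so here is a preflight script, added as an example for this page and not eCapture's own code. kernel_ok compares a uname -r release against the minimum for the architecture (x86_64 4.18, aarch64 5.5, from the Note above), btf_ok checks a kernel config file for CONFIG_DEBUG_INFO_BTF=y (the same check as the grep above), and preflight runs both against the current machine together with the root check and says whether the default build will load or a make nocore build (described under compilation below) is needed. Function names and the --check flag are ours.

```shell
#!/bin/sh
# Added example (not part of eCapture): preflight checks for running eCapture.

# kernel_ok <uname -r> <uname -m>: 0 if the kernel meets the minimum for the
# architecture, 1 if too old, 2 if the architecture is not supported.
kernel_ok() {
    rel="${1%%-*}"                 # "4.18.0-305.3.1.el8.x86_64" -> "4.18.0"
    major="${rel%%.*}"
    rest="${rel#*.}"
    minor="${rest%%.*}"
    case "$2" in
        x86_64)  min_major=4; min_minor=18 ;;
        aarch64) min_major=5; min_minor=5 ;;
        *)       return 2 ;;
    esac
    if [ "$major" -gt "$min_major" ]; then return 0; fi
    if [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]; then return 0; fi
    return 1
}

# btf_ok <kernel config file>: 0 if the kernel was built with BTF type info.
btf_ok() {
    grep -qx 'CONFIG_DEBUG_INFO_BTF=y' "$1" 2>/dev/null
}

# preflight: run the checks on this machine; returns non-zero if eCapture cannot run.
preflight() {
    rel=$(uname -r); arch=$(uname -m); rc=0
    if kernel_ok "$rel" "$arch"; then
        echo "kernel $rel ($arch): OK"
    else
        echo "kernel $rel ($arch): unsupported (needs x86_64 >= 4.18 or aarch64 >= 5.5)"; rc=1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        echo "privileges: root, OK"
    else
        echo "privileges: not root (eCapture needs root)"; rc=1
    fi
    # A kernel that exposes /sys/kernel/btf/vmlinux has BTF even when no config
    # file is present under /boot (common in containers and on Android).
    if [ -r /sys/kernel/btf/vmlinux ] || btf_ok "/boot/config-$rel"; then
        echo "BTF: available, the default (CO-RE) build works"
    else
        echo "BTF: not available, use a 'make nocore' build"
    fi
    return $rc
}

# Usage: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```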
Capture bash commands: run ecapture bash, then commands typed into other bash sessions, for example
ps -ef | grep foo
are captured.
Linux Kernel: >= 4.18.
If you are using Ubuntu 20.04 or later, a single command initializes the build environment. Review the script before piping it into bash, since it runs with your privileges.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/gojue/ecapture/master/builder/init_env.sh)"
In addition to the software listed in the 'Toolchain Version' section above, the following software is also required for the compilation environment. Please install it yourself.
Clone the repository and compile it.
Caution: the following make command installs libpcap into the system directory if libpcap.a does not exist under /usr/local/lib. If libpcap is already installed on the system without libpcap.a, this may break your libpcap headers.
git clone --recurse-submodules git@github.com:gojue/ecapture.git
cd ecapture
make
bin/ecapture
Since 2022/04/17 eCapture can also be built without BTF (non-CO-RE) using make nocore; the resulting binary works on Linux systems that do not support BTF.
make nocore
bin/ecapture --help
To cross-compile binary files for the aarch64 architecture on an amd64 architecture system, you need to install the gcc-aarch64-linux-gnu toolchain. Similarly, to cross-compile binary files for the amd64 architecture on an aarch64 system, you need to install the gcc-x86-64-linux-gnu toolchain.
To build an arm64 artifact on an Ubuntu amd64 system, set the CROSS_ARCH environment variable to cross-compile:
CROSS_ARCH=arm64 make
See CONTRIBUTING for details on submitting patches and the contribution workflow.