基于eCapture无需 CA 证书捕获 SSL/TLS 明文
2023-11-27 22:18:09 326
curl
查看curl使用哪个库
root@zzx:~# ldd `which curl` | grep -E "tls|ssl|nspr|nss"
libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007ff14c35c000)
libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007ff14b99c000)
执行下./ecapture tls
查看库路径是否匹配
在ecapture运行的情况下, 开启另一个窗口执行curl https://ip.me
可以看到明文结果
tls_2023/11/27 16:20:55 PID:9767, Comm:curl, TID:9767, Version:TLS1_3_VERSION, Send 69 bytes to 0.0.0.0, Payload:
GET / HTTP/1.1
Host: ip.me
User-Agent: curl/7.81.0
Accept: */*
tls_2023/11/27 16:20:55 TLS1_3_VERSION: save CLIENT_RANDOM cfb344a4d8cb4dc9a2e428e8d3df4b2685912f3d7d18e80786fbd16fee5078f6 to file success, 1002 bytes
tls_2023/11/27 16:20:55 PID:9767, Comm:curl, TID:9767, Version:TLS1_3_VERSION, Recived 177 bytes from 212.102.35.236:443, Payload:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 27 Nov 2023 08:20:55 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 14
Connection: keep-alive
211.17.57.*
firefox
对于firefox这类只有在运行时才能看出加载了哪些库的程序, 可以用pldd查看其进程已加载的库
root@zzx:~# pldd 8381 | grep -E "tls|ssl|nspr|nss"
/snap/firefox/3416/usr/lib/firefox/libnspr4.so
/snap/firefox/3416/usr/lib/firefox/libnssutil3.so
/snap/firefox/3416/usr/lib/firefox/libnss3.so
/snap/firefox/3416/usr/lib/firefox/libssl3.so
/snap/firefox/3416/usr/lib/firefox/libnssckbi.so
/lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
与ecapture默认找到的库是不一致的, 我们以指定库路径的方式启动:
root@zzx:~# ./ecapture tls --nspr="/snap/firefox/3416/usr/lib/firefox/libnspr4.so"
浏览器里访问https://forge.speedtest.cn/api/location/geo?ip=38.94.109.27
ecapture输出
{"ip":"38.94.109.27","full_ip":"38.94.109.27","country":"\u7f8e\u56fd","country_code":"US","province":"","city":"","distinct":null,"isp":null,"operator":null,"lon":"-80.1879","lat":"25.7722","net_str":"\u7f8e\u56fd"}
mysql
指定mysqld二进制文件路径启动 ./ecapture mysqld -m="/usr/sbin/mysqld"
启动其他窗口登录mysql 执行show databases;
mysqld_2023/11/27 16:54:58 ECAPTURE :: version :linux_x86_64:0.6.6-20231119-06b63d6:5.15.0-1050-azure
mysqld_2023/11/27 16:54:58 ECAPTURE :: start to run EBPFProbeMysqld module
2023/11/27 16:54:58 ECAPTURE :: pid info :11781
mysqld_2023/11/27 16:54:58 ECAPTURE :: Module.Run()
mysqld_2023/11/27 16:54:58 EBPFProbeMysqld BPF bytecode filename:user/bytecode/mysqld_kern.o
mysqld_2023/11/27 16:54:58 EBPFProbeMysqld Mysql Version:mysqld-8.0, binrayPath:/usr/sbin/mysqld, FunctionName:_Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command ,UprobeOffset:0
mysqld_2023/11/27 16:55:09 PID:11635, Comm:connection, Time:1701075309, length:(0/0), return:DISPATCH_COMMAND_SUCCESS, Line:select @@version_comment limit 1
mysqld_2023/11/27 16:55:18 PID:11635, Comm:connection, Time:1701075318, length:(0/0), return:DISPATCH_COMMAND_SUCCESS, Line:show database
^Croot@zzx:~# ./ecapture mysqld -m="/usr/sbin/mysqld"
mysqld_2023/11/27 16:55:25 ECAPTURE :: version :linux_x86_64:0.6.6-20231119-06b63d6:5.15.0-1050-azure
mysqld_2023/11/27 16:55:25 ECAPTURE :: start to run EBPFProbeMysqld module
2023/11/27 16:55:25 ECAPTURE :: pid info :11794
mysqld_2023/11/27 16:55:25 ECAPTURE :: Module.Run()
mysqld_2023/11/27 16:55:25 EBPFProbeMysqld BPF bytecode filename:user/bytecode/mysqld_kern.o
mysqld_2023/11/27 16:55:25 EBPFProbeMysqld Mysql Version:mysqld-8.0, binrayPath:/usr/sbin/mysqld, FunctionName:_Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command ,UprobeOffset:0
mysqld_2023/11/27 16:55:28 PID:11635, Comm:connection, Time:1701075328, length:(0/0), return:DISPATCH_COMMAND_SUCCESS, Line:show databases
成功打印
也可将日志转发到其他地方: 写一个接受TCP连接的小程序作为接收端
package main
import (
"fmt"
"io"
"net"
)
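// handleConnection serves one client until it disconnects or an I/O error
// occurs. Every chunk read from conn is printed to stdout, tagged with the
// peer address, and acknowledged with a fixed one-line reply.
//
// The payload is whatever the peer sends in clear text over TCP; in this
// setup that is eCapture's forwarded log stream (decrypted request/response
// bodies, SQL statements), so the listener should only be reachable from
// trusted hosts.
//
// Bytes delivered together with io.EOF are processed before the EOF is
// handled: the io.Reader contract allows a Read to return n > 0 alongside an
// error, and the original dropped that final chunk.
func handleConnection(conn net.Conn) {
	defer conn.Close()
	buffer := make([]byte, 1024)
	for {
		n, err := conn.Read(buffer)
		if n > 0 {
			// A chunk is not necessarily one log record: a long record may be
			// split across reads and several short ones may arrive together.
			fmt.Printf("Received from %s: %s\n", conn.RemoteAddr(), string(buffer[:n]))
			if _, werr := conn.Write([]byte("Message received successfully\n")); werr != nil {
				fmt.Printf("Error writing to connection: %s\n", werr)
				return
			}
		}
		if err == io.EOF {
			fmt.Println("Connection closed by client.")
			return
		}
		if err != nil {
			fmt.Printf("Error reading from connection: %s\n", err)
			return
		}
	}
}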
// main starts a plain TCP listener on port 8888 on all interfaces and hands
// every accepted connection to handleConnection on its own goroutine.
//
// Nothing on the wire is authenticated or encrypted: any host that can reach
// the port may push lines, and the records eCapture forwards with -l travel in
// the clear. Bind to a specific address or firewall the port when sender and
// receiver are on different machines.
//
// Accept errors are printed and the loop continues; the process only ends
// when it is killed, so the deferred Close is effectively never reached.
func main() {
	const listenAddr = ":8888"
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		fmt.Printf("Error starting TCP server: %s\n", err)
		return
	}
	defer ln.Close()
	fmt.Println("TCP server is listening on port 8888")
	for {
		c, acceptErr := ln.Accept()
		if acceptErr != nil {
			fmt.Printf("Error accepting connection: %s\n", acceptErr)
			continue
		}
		go handleConnection(c)
	}
}
root@localhost:~/test# go build tcp.go && ./tcp
TCP server is listening on port 8888
./ecapture mysqld -m="/usr/sbin/mysqld" -l tcp://192.168.160.128:8888
Received from 192.168.160.129:49702: mysqld_2023/11/27 17:10:50 ECAPTURE :: Module.Run()
mysqld_2023/11/27 17:10:50 EBPFProbeMysqld BPF bytecode filename:user/bytecode/mysqld_kern.o
Received from 192.168.160.129:49702: mysqld_2023/11/27 17:10:50 EBPFProbeMysqld Mysql Version:mysqld-8.0, binrayPath:/usr/sbin/mysqld, FunctionName:_Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command ,UprobeOffset:0
Received from 192.168.160.129:49702: mysqld_2023/11/27 17:11:02 PID:11635, Comm:connection, Time:1701076262, length:(0/0), return:DISPATCH_COMMAND_SUCCESS, Line:show databases