Commit: Upload new file: 一个无需 CA 证书,就能实现 SSL_TLS 加密明文捕获的工具,超硬核!Star 13K!.md via simpread
MrWQ committed Oct 25, 2024
1 parent 2c4282a commit 41ec856
Showing 1 changed file with 351 additions and 0 deletions.
> Converted by [简悦 SimpRead](http://ksria.com/simpread/); original article at [mp.weixin.qq.com](https://mp.weixin.qq.com/s/pDuGGrE_6NubiBGQAYfB2Q)



As we said at the start of [A browser fingerprinting library so strong it is a little frightening, Star 21K+!](http://mp.weixin.qq.com/s?__biz=MzkzMTY1NTAzMA==&mid=2247488379&idx=1&sn=eb83eb31e75dc079fda511c7808aaf74&chksm=c266ef62f5116674a91c31cf2c2a842e557a56b890159fdc6c2081068ab2390a620d879d4e03&scene=21#wechat_redirect), many things come in opposing pairs: beauty and ugliness, good and bad. It is because ugliness exists that beauty stands out, and in information security it is because insecurity exists that security keeps advancing. Encryption and decryption are the same pair: because data is encrypted, someone thinks about how to read it anyway.

SSL/TLS is one of the most widely used protections for data on the Internet: it sets up an encrypted channel between client and server. Its security rests on public-key cryptography in the handshake, used to authenticate the peer and agree a session key, after which the bulk data is protected with a symmetric cipher.

This article, however, is not about how to encrypt with SSL/TLS. It introduces a tool that captures the plaintext of SSL/TLS traffic without needing a CA certificate: eCapture.

**_Important: any unauthorised attempt to decrypt SSL/TLS traffic is illegal and may constitute a crime. This article is meant to help security staff understand these methods so they can assess and harden their own SSL/TLS deployments._**

01 What eCapture is
===================

eCapture's Chinese name is 旁观者, "the onlooker", from the saying 当局者迷,旁观者清 (the players are lost in the game, the bystander sees it clearly). It fits what the tool does: it watches from the side, out of the data path. eCapture is a user-space capture tool built on eBPF (uprobes and traffic control) that records the plaintext of HTTPS/TLS traffic without any CA certificate, for operations monitoring, troubleshooting, security auditing and similar work. Rather than decrypting ciphertext on the wire, it hooks the TLS library's functions inside the process, where the data is still plaintext.

![](https://mmbiz.qpic.cn/mmbiz_png/kgXibFxsv0e3eZ5PflN7bxbwdZ3KE43JtLWgGhgicSpyzibWGJia6HE1atShRK8l4UuibjDATNsjzzBKZFEeAGtT1Rw/640?wx_fmt=png&from=appmsg)

🏠 Project information
----------------------

```
# GitHub repository
https://github.com/gojue/ecapture
# Project home page
https://ecapture.cc/
```

![](https://mmbiz.qpic.cn/mmbiz_png/kgXibFxsv0e3eZ5PflN7bxbwdZ3KE43Jto2g8t96IFKMkmg1KBSmfCf8HwkmJQr5guhXoDeicFLLPoufDXe1XP5Q/640?wx_fmt=png&from=appmsg)

🚀 Features
----------

* No CA certificate required: captures the plaintext of HTTPS/TLS traffic without installing or trusting any CA certificate. **Wireshark, tcpdump and similar tools only see the encrypted bytes on the wire and need the session keys before they can show TLS plaintext. eCapture needs only root on the host to print the plaintext of HTTPS traffic.**

* User-space capture: the hooks sit on user-space library functions, so no kernel module or patched kernel is needed.

* Kernel-side support: the kernel-side code is written in C and uses eBPF for efficient capture.

* Several audit functions: TLS/SSL plaintext capture, bash command auditing and database (MySQL/MariaDB) auditing.

* Dependency-free deployment: the compiled binary runs without additional dependencies.

* eBPF loading: packets are captured and processed by eBPF programs.

* Hooking: user-space functions are hooked with eBPF uprobes.

* Multiple TLS implementations: hooks crypto libraries such as OpenSSL, GnuTLS and NSS/NSPR, and Go's crypto/tls through the gotls module.

* Shared-library support: locates the functions to hook in a shared library automatically, or takes a library path specified by hand.

* Filtering and selective capture: capture can be limited to specific processes or kinds of traffic.


🛠 Architecture
-----------

![图片](https://mmbiz.qpic.cn/mmbiz_png/kgXibFxsv0e3eZ5PflN7bxbwdZ3KE43JtYLDIbwiaQw61CoQL7ibWll7QibnrKic3FbwP7AoFbOg6miaNzFaXibYoAy2A/640?wx_fmt=png&from=appmsg)

![图片](https://mmbiz.qpic.cn/mmbiz_png/kgXibFxsv0e3eZ5PflN7bxbwdZ3KE43JtcbSNuHiaX1OXw2INa4Xc1OvmrXFia3yoH60jwicu3icibZoum5Qo9NQxlZQ/640?wx_fmt=png&from=appmsg)

02 Installing eCapture
======================

Binary release
--------------

Linux and Android on x86_64 and aarch64 are supported:

_Linux/Android aarch64: kernel >= 5.5_

_Linux/Android x86_64: kernel >= 4.18_

```
# Download the release binary; it runs as-is
https://github.com/gojue/ecapture/releases
```

![图片](https://mmbiz.qpic.cn/mmbiz_png/kgXibFxsv0e3eZ5PflN7bxbwdZ3KE43Jtz8bVLqSheGCs6M08icx4CNOEdamXlLBc4oIfOR1gSw73FRdQAJGaIXw/640?wx_fmt=png&from=appmsg)

Docker
------


```
# Pull the image
docker pull gojue/ecapture:latest
# Run; mount whatever host paths eCapture needs (a libssl to hook, an output directory)
docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture ARGS
```

03 Using eCapture
=================

**1. Run:**

```
./ecapture
```

**2. Options:**

```
# ./ecapture -h
NAME:
eCapture - Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
USAGE:
eCapture [flags]
VERSION:
linux_amd64:v0.8.6:6.5.0-1025-azure
COMMANDS:
bash capture bash command
gnutls capture gnutls text content without CA cert for gnutls libraries.
gotls Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS.
help Help about any command
mysqld capture sql queries from mysqld 5.6/5.7/8.0 .
nss capture nss/nspr encrypted text content without CA cert for nss/nspr libraries.
postgres capture sql queries from postgres 10+.
tls Used to capture TLS/SSL text content without the need for a CA certificate. (Supports OpenSSL 1.0.x/1.1.x/3.x or newer).
DESCRIPTION:
eCapture(旁观者) is a tool that can capture plaintext packets
such as HTTPS and TLS without installing a CA certificate.
It can also capture bash commands, which is suitable for
security auditing scenarios, such as database auditing of mysqld, etc (disabled on Android).
Support Linux(Android) X86_64 4.18/aarch64 5.5 or newer.
Repository: https://github.com/gojue/ecapture
HomePage: https://ecapture.cc
Usage:
ecapture tls -h
ecapture bash -h
Docker usage:
docker pull gojue/ecapture:latest
docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture -h
OPTIONS:
-b, --btf=0 enable BTF mode.(0:auto; 1:core; 2:non-core)
-d, --debug[=false] enable debug logging
--eventaddr="" the server address that receives the captured event. --eventaddr tcp://127.0.0.1:8090, default: same as logaddr
-h, --help[=false] help for eCapture
--hex[=false] print byte strings as hex encoded strings
--listen="localhost:28256" listen on this address for http server, default: 127.0.0.1:28256
-l, --logaddr="" send logs to this server. -l /tmp/ecapture.log or -l tcp://127.0.0.1:8080
--mapsize=1024 eBPF map size per CPU,for events buffer. default:1024 * PAGESIZE. (KB)
-p, --pid=0 if pid is 0 then we target all pids
-u, --uid=0 if uid is 0 then we target all users
-v, --version[=false] version for eCapture
```

**3. Modules**

eCapture's modules (seven subcommands in the help output above) cover plaintext capture for TLS libraries such as OpenSSL, GnuTLS, NSS/NSPR and BoringSSL and for Go's crypto/tls, plus auditing of Bash, MySQL and PostgreSQL:

* bash: captures the input and output of bash command lines

* gnutls: captures the plaintext of traffic encrypted with GnuTLS

* gotls: captures the plaintext of TLS/HTTPS traffic from Go programs built on the standard library's crypto/tls

* mysqld: captures SQL queries from mysqld for database auditing; supports MySQL 5.6/5.7/8.0

* nss: captures the plaintext of traffic encrypted with NSS/NSPR

* postgres: database auditing for PostgreSQL 10 and later; captures the query statements

* tls: captures the plaintext of traffic encrypted with OpenSSL or BoringSSL; supports OpenSSL 1.0.x/1.1.x/3.x and newer and every released BoringSSL version
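Which module applies to a process depends on which TLS implementation that process has loaded. The script below, an added example that is not part of eCapture or of the original article, walks /proc and maps each process to the subcommand from the list above, so you can pick `tls`, `gnutls`, `nss` or `gotls` (and `--pid`) before starting a capture. The `tls-static` label is this example's own assumption: for executables that compile OpenSSL in (Node.js builds do), it assumes `ecapture tls --libssl` can be pointed at the executable itself, which you should confirm with `nm -D <exe> | grep -w SSL_write` first. `PROC_ROOT` is a knob added so the functions can be tested on a constructed tree; it defaults to the real /proc.

```shell
#!/bin/sh
# Added example, not eCapture's own code: map each running process to the
# ecapture module that would capture it, from /proc/<pid>/maps (which TLS
# library is mapped) and, failing that, from /proc/<pid>/exe (what the
# executable embeds). PROC_ROOT is overridable for testing; default /proc.
set -eu

# Print the module for one pid: tls, gnutls, nss, gotls, tls-static or unknown.
ecapture_module_for_pid() {
  pid="$1"
  proc="${PROC_ROOT:-/proc}"
  maps="$proc/$pid/maps"
  exe="$proc/$pid/exe"
  [ -r "$maps" ] || { echo unknown; return 0; }
  if grep -q '/libssl\.so' "$maps"; then
    # Dynamically linked OpenSSL/BoringSSL: `ecapture tls` finds it automatically.
    echo tls
  elif grep -q '/libgnutls\.so' "$maps"; then
    echo gnutls
  elif grep -q -E '/libnss3\.so|/libnspr4\.so' "$maps"; then
    echo nss
  elif grep -a -q -E 'Go build ID|Go buildinf' "$exe" 2>/dev/null; then
    # Go links crypto/tls statically: no shared library to hook, hence gotls.
    echo gotls
  elif grep -a -q -E 'OpenSSL [0-9]+\.[0-9]+' "$exe" 2>/dev/null; then
    # OpenSSL compiled into the executable (e.g. Node.js). Assumption of this
    # example: point `ecapture tls --libssl` at the executable itself, after
    # confirming it exports the symbols:  nm -D "$exe" | grep -w SSL_write
    echo tls-static
  else
    echo unknown
  fi
}

# One "<pid> <module>" line per process that some module can capture.
list_ecapture_targets() {
  proc="${PROC_ROOT:-/proc}"
  for d in "$proc"/[0-9]*; do
    [ -d "$d" ] || continue
    pid="${d##*/}"
    m="$(ecapture_module_for_pid "$pid")"
    [ "$m" = unknown ] || printf '%s %s\n' "$pid" "$m"
  done
}

# Stand-alone use: `sudo ./ecapture-targets.sh --list`
# (root is needed to read other users' maps and exe links).
if [ "${1:-}" = "--list" ]; then
  list_ecapture_targets
fi
```

Run it as root before `ecapture tls`: processes listed as `gotls` will never show up under the `tls` module, and `unknown` processes (plain libc, kernel threads) are not worth a `--pid` filter.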


**4. Capturing traffic encrypted with a dynamically linked OpenSSL:**

```
sudo ecapture tls
2024-09-15T11:50:28Z INF App
2024-09-15T11:50:28Z INF HomePage=https://ecapture.cc
2024-09-15T11:50:28Z INF Repository=https://github.com/gojue/ecapture
2024-09-15T11:50:28Z INF Author="CFC4N <[email protected]>"
2024-09-15T11:50:28Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-15T11:50:28Z INF Version=linux_arm64:0.8.6-20240915-d87ae48:5.15.0-113-generic
2024-09-15T11:50:28Z INF Listen=localhost:28256
2024-09-15T11:50:28Z INF eCapture running logs logger=
2024-09-15T11:50:28Z INF the file handler that receives the captured event eventCollector=
2024-09-15T11:50:28Z WRN ========== module starting. ==========
2024-09-15T11:50:28Z INF listen=localhost:28256
2024-09-15T11:50:28Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-15T11:50:28Z INF Kernel Info=5.15.152 Pid=233458
2024-09-15T11:50:28Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-15T11:50:28Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-15T11:50:28Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-15T11:50:28Z INF Module.Run()
2024-09-15T11:50:28Z WRN OpenSSL/BoringSSL version not found from shared library file, used default version OpenSSL Version=linux_default_3_0
2024-09-15T11:50:28Z INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/usr/lib/aarch64-linux-gnu/libssl.so.3
2024-09-15T11:50:28Z INF target all process.
2024-09-15T11:50:28Z INF target all users.
2024-09-15T11:50:28Z INF setupManagers eBPFProgramType=Text
2024-09-15T11:50:28Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_0_0_kern_core.o
2024-09-15T11:50:28Z INF perfEventReader created mapSize(MB)=4
2024-09-15T11:50:28Z INF perfEventReader created mapSize(MB)=4
2024-09-15T11:50:28Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-15T11:50:31Z ??? UUID:233479_233479_curl_5_1_39.156.66.10:443, Name:HTTPRequest, Type:1, Length:73
GET / HTTP/1.1
Host: baidu.com
Accept: */*
User-Agent: curl/7.81.0
2024-09-15T11:50:32Z ??? UUID:233479_233479_curl_5_0_39.156.66.10:443, Name:HTTPResponse, Type:3, Length:357
HTTP/1.1 302 Moved Temporarily
Content-Length: 161
Connection: keep-alive
Content-Type: text/html
Date: Sun, 15 Sep 2024 11:50:30 GMT
Location: http://www.baidu.com/
Server: bfe/1.0.8.18
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>bfe/1.0.8.18</center>
</body>
</html>
```




**5. Capturing inside a container**

List the running containers and pick the one you care about:


```
docker ps | grep -w nocodb
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8b2b37040f2b nocodb/nocodb:latest "/usr/bin/dumb-init …" 4 seconds ago Up 3 seconds 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp noco
```

Take its container ID and read the overlay2 MergedDir, which is the container's root filesystem as seen from the host:

```
docker inspect 8b2b37040f2b | grep '"MergedDir"'
                "MergedDir": "/var/lib/docker/overlay2/af05fcdaf8e4b931e0cfbe8a7937e5ed953d4208d71bf14c335a7aeb222ed397/merged",
```

Locate libssl under that directory:

```
find /var/lib/docker/overlay2/af05fcdaf8e4b931e0cfbe8a7937e5ed953d4208d71bf14c335a7aeb222ed397/merged -name "libssl*"
/var/lib/docker/overlay2/af05fcdaf8e4b931e0cfbe8a7937e5ed953d4208d71bf14c335a7aeb222ed397/merged/usr/lib/libssl.so.3
/var/lib/docker/overlay2/af05fcdaf8e4b931e0cfbe8a7937e5ed953d4208d71bf14c335a7aeb222ed397/merged/lib/libssl.so.3
```

Now use eCapture to capture the login credentials of the NocoDB instance from our earlier article ([A system that builds smart spreadsheets on top of many databases, an open-source Airtable alternative, Star 49K!](https://mp.weixin.qq.com/s?__biz=MzkzMTY1NTAzMA==&mid=2247489684&idx=1&sn=b4c5d920595060a4be4c97eea35ef606&scene=21#wechat_redirect)); the `--libssl` flag points eCapture at the container's copy of the library rather than the host's:

```
ecapture tls --libssl="/var/lib/docker/overlay2/af05fcdaf8e4b931e0cfbe8a7937e5ed953d4208d71bf14c335a7aeb222ed397/merged/lib/libssl.so.3" --hex
2024-09-26T08:50:38Z INF App
2024-09-26T08:50:38Z INF HomePage=https://ecapture.cc
2024-09-26T08:50:38Z INF Repository=https://github.com/gojue/ecapture
2024-09-26T08:50:38Z INF Author="CFC4N <[email protected]>"
2024-09-26T08:50:38Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-26T08:50:38Z INF Version=linux_amd64:v0.8.6:6.5.0-1025-azure
2024-09-26T08:50:38Z INF Listen=localhost:28256
2024-09-26T08:50:38Z INF eCapture running logs logger=
2024-09-26T08:50:38Z INF the file handler that receives the captured event eventCollector=
2024-09-26T08:50:38Z WRN ========== module starting. ==========
2024-09-26T08:50:38Z INF Kernel Info=5.15.163 Pid=13536
2024-09-26T08:50:38Z INF listen=localhost:28256
2024-09-26T08:50:38Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-26T08:50:38Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-26T08:50:38Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-26T08:50:38Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-26T08:50:38Z INF Module.Run()
2024-09-26T08:50:38Z WRN OpenSSL/BoringSSL version not found from shared library file, used default version OpenSSL Version=linux_default_3_0
2024-09-26T08:50:38Z INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/var/lib/docker/overlay2/af05fcdaf8e4b931e0cfbe8a7937e5ed953d4208d71bf14c335a7aeb222ed397/merged/lib/libssl.so.3
2024-09-26T08:50:38Z INF target all process.
2024-09-26T08:50:38Z INF target all users.
2024-09-26T08:50:38Z INF setupManagers eBPFProgramType=Text
2024-09-26T08:50:38Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_0_0_kern_core.o
2024-09-26T08:50:39Z INF perfEventReader created mapSize(MB)=4
2024-09-26T08:50:39Z INF perfEventReader created mapSize(MB)=4
2024-09-26T08:50:39Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
```
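The four container steps above (find the container, read MergedDir, locate libssl, run eCapture) as one script, added here as an example and not part of eCapture or the original article. It also addresses the `OpenSSL/BoringSSL version not found from shared library file, used default version` warning in the log above by reading the version string compiled into the library and passing it explicitly. Assumptions: `docker inspect` is available on the host; `--libssl` and `--ssl_version` are the flags listed by `ecapture tls -h`, and the value format `openssl x.y.z` follows the project's documented `--ssl_version="openssl 1.1.1"` style, so check it against your version; the `/proc/<pid>/root` route is a shortcut of this example's own, and `PROC_ROOT` is a knob added only so the function can be tested on a constructed tree.

```shell
#!/bin/sh
# Added example (not eCapture's own code): the container capture steps above
# as one script. Given a container name it prints the ecapture command to run
# on the host. Assumptions are marked in the comments.
set -eu

# Pull "MergedDir" out of `docker inspect` JSON read from stdin (no jq needed).
merged_dir_from_inspect() {
  grep -o '"MergedDir": *"[^"]*"' | head -n 1 | sed 's/.*: *"\(.*\)"/\1/'
}

# List libssl shared objects under a root, de-duplicated by real path:
# /lib/libssl.so.3 and /usr/lib/libssl.so.3 in the article are one file via a symlink.
find_libssl() {
  find "$1" -name 'libssl.so*' \( -type f -o -type l \) 2>/dev/null |
    while IFS= read -r p; do readlink -f "$p" || true; done | sort -u
}

# Version string compiled into the library ("OpenSSL 3.0.13"), or "unknown".
# eCapture warned "version not found ... used default version" in the log;
# telling it the version avoids guessing the SSL struct layout.
openssl_version_of() {
  grep -a -o -m 1 -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" || echo unknown
}

# Compose the command for one libssl path. The --ssl_version value format
# ("openssl 3.0.13") is assumed from the project's docs; verify with `ecapture tls -h`.
ecapture_cmd_for() {
  lib="$1"
  ver=$(openssl_version_of "$lib" | tr '[:upper:]' '[:lower:]')
  if [ "$ver" = unknown ]; then
    printf 'ecapture tls --libssl="%s" --hex\n' "$lib"
  else
    printf 'ecapture tls --libssl="%s" --ssl_version="%s" --hex\n' "$lib" "$ver"
  fi
}

# Shortcut that needs no overlay2 spelunking (this example's assumption, not
# from the article): the host reaches a container's root through
# /proc/<pid>/root, so the library path from the process's own memory map
# can be used directly. PROC_ROOT is overridable so this can be tested offline.
libssl_via_proc() {
  pid="$1"
  proc="${PROC_ROOT:-/proc}"
  awk '$6 ~ /libssl\.so/ { print $6 }' "$proc/$pid/maps" 2>/dev/null | sort -u |
    while IFS= read -r inner; do printf '%s/%s/root%s\n' "$proc" "$pid" "$inner"; done
}

# Stand-alone use: `sudo ./ecapture-container.sh <container-name>`
if [ "${1:-}" ]; then
  root=$(docker inspect "$1" | merged_dir_from_inspect)
  [ -n "$root" ] || { echo "no MergedDir for container $1" >&2; exit 1; }
  find_libssl "$root" | while IFS= read -r lib; do ecapture_cmd_for "$lib"; done
fi
```

The script prints one command per distinct library rather than running it, so you can see which file eCapture will attach its uprobes to before anything is captured; `libssl_via_proc <pid>` gives the same answer for a single containerised process without touching the overlay directory.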

Enter the NocoDB account name and password on the login page:

![图片](https://mmbiz.qpic.cn/mmbiz_png/kgXibFxsv0e3eZ5PflN7bxbwdZ3KE43JtWvFyiaLWxtUQJn5ic3mabYpd4gWjwCpH2Zrx1DK8gAiagBrAK4SVa0rGw/640?wx_fmt=png&from=appmsg)

What eCapture prints in the terminal:

![图片](https://mmbiz.qpic.cn/mmbiz_png/kgXibFxsv0e3eZ5PflN7bxbwdZ3KE43Jtq7r1yUkeHuFMBsrfoMHnyQfQyFXexVHm7GgZtjAkblJvyZVCg0fvVw/640?wx_fmt=png&from=appmsg)



eCapture's other modules (bash, mysqld, nss, postgres and so on) are used the same way; `ecapture -h` and `ecapture <module> -h` show the details.



04 Closing
==========

In summary, eCapture is an eBPF-based capture tool that records the plaintext of HTTPS and TLS traffic without a CA certificate, which makes it a good fit for network monitoring, security auditing and troubleshooting.

Capturing sensitive communications without authorisation may violate privacy and other laws, so use eCapture only where the law allows and only with explicit authorisation. The same property matters for defenders: anyone with root on a host can read the TLS plaintext of every process on it in the same way, so TLS protects data in transit, not data on a compromised endpoint. Root access and the loading of unexpected eBPF programs or uprobes are therefore worth monitoring.

