How eCapture works

SSL/TLS text context capture, support openssl\gnutls\nspr(nss) libraries.
bash audit, capture bash command for Host Security Audit.
mysql query SQL audit, support mysqld 5.6\5.7\8.0, and mariadDB.

eCapture Architecure

eCapture User Manual

Getting started

use ELF binary file

Download ELF zip file release , unzip and use by command ./ecapture --help.

Linux kernel version >= 4.18
Enable BTF BPF Type Format (BTF) (Optional, 2022-04-17)

check your server BTF config：

grep CONFIG_DEBUG_INFO_BTF CONFIG_DEBUG_INFO_BTF=y">

[email protected]:~$# uname -r4.18.0-305.3.1.el8.x86_64[email protected]:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTFCONFIG_DEBUG_INFO_BTF=y

tls command

capture tls text context. Step 1:

./ecapture tls --hex

Step 2:

curl https://github.com

bash command

capture bash command.

ps -ef | grep foo

What's eBPF

eBPF

uprobe HOOK

openssl hook

eCapture hookSSL_write \ SSL_read function of shared library /lib/x86_64-linux-gnu/libssl.so.1.1. get text context, and send message to user space by eBPM map.

Probes: []*manager.Probe{    {        Section:          "uprobe/SSL_write",        EbpfFuncName:     "probe_entry_SSL_write",        AttachToFuncName: "SSL_write",        //UprobeOffset:     0x386B0,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    {        Section:          "uretprobe/SSL_write",        EbpfFuncName:     "probe_ret_SSL_write",        AttachToFuncName: "SSL_write",        //UprobeOffset:     0x386B0,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    {        Section:          "uprobe/SSL_read",        EbpfFuncName:     "probe_entry_SSL_read",        AttachToFuncName: "SSL_read",        //UprobeOffset:     0x38380,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    {        Section:          "uretprobe/SSL_read",        EbpfFuncName:     "probe_ret_SSL_read",        AttachToFuncNa   me: "SSL_read",        //UprobeOffset:     0x38380,        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",    },    /**/},

bash readline.so hook

hook /bin/bash readline symbol name.

How to compile

Linux Kernel: >= 4.18.

Tools

golang 1.16
gcc 10.3.0
clang 9.0.0
cmake 3.18.4
clang backend: llvm 9.0.0
pahole >= v1.13
kernel config:CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)

command

git clone [email protected]:ehids/ecapture.gitcd ecapturemakebin/ecapture --help

compile without BTF

eCapture support NO BTF with command make nocore to compile on 2022/04/17.

make nocorebin/ecapture --help

Contributing

See CONTRIBUTING for details on submitting patches and the contribution workflow.

Download Ecapture

Via: www.kitploit.com

Hacking Land - Hack, Crack and Pentest

Ecapture - Capture SSL/TLS Text Content Without CA Cert By eBPF