eCapture: Innovative SSL/TLS Content Capture
Introduction
eCapture is a powerful tool designed to capture the plaintext content of SSL/TLS communications without needing a Certificate Authority (CA) certificate. It works by leveraging eBPF and runs on Linux/Android kernels from 4.18 on x86_64 and from 5.5 on aarch64. Note that it requires root permissions and does not support Windows or macOS.
eCapture supports multiple libraries such as OpenSSL, libressl, boringssl, gnutls, and nspr (nss). In addition to capturing SSL/TLS content, it also supports audits of Go TLS libraries for encrypted communication in applications built with the Go programming language and can capture Bash commands for host security audits. Furthermore, it can conduct MySQL SQL audits supporting mysqld versions 5.6, 5.7, 8.0, and MariaDB.
Getting Started
Download
To begin using eCapture, download the ELF binary from the releases page on GitHub, unzip it, and run sudo ecapture --help to get started.
For those preferring containerized environments, eCapture is also available as a Docker image, suitable solely for Linux. To pull and run the image, execute the following:
# pull docker image
docker pull gojue/ecapture:latest
# run
docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture ARGS
For more details, visit Docker Hub.
Capture OpenSSL Text Content
Running eCapture to capture TLS content can be initiated using the command:
sudo ecapture tls
This command will output logs detailing the operations, including SSL/TLS handshake and plaintext packets intercepted without needing a CA certificate.
Modules
eCapture boasts a comprehensive array of modules designed for capturing various encrypted communications and data.
- OpenSSL Module: This module supports multiple capture modes, including pcap, keylog, and text, allowing users to store data packets, store keys, or directly view plaintext data.
- GoTLS Module: Facilitates capture of Go language-based TLS/HTTPS plaintext communication, providing options similar to the OpenSSL module.
- Other Modules:
  - Bash: Captures Bash commands straightforwardly for security audits.
  - MySQL: Facilitates capture of SQL queries from MySQL databases.
  - PostgreSQL: Supports capture of PostgreSQL query operations.
  - Other Encryption Libraries: Supports SSL/TLS plaintext capture for gnutls, nspr/nss, and more.
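The keylog mode above stores session keys in the NSS key log format that Wireshark reads: one entry per line with a label, the 32-byte client random and the secret, all in hex. The following added Python example (not part of eCapture) validates such a file before it is used for decryption and reports which sessions carry enough material; the sample key log is constructed, and the assumption that eCapture's keylog output follows this format is noted in the comments.

```python
import re
from collections import defaultdict

# Labels of the NSS key log format (assumed to be what keylog mode writes).
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (sessions, errors): sessions maps client_random -> {label: secret}."""
    sessions, errors = defaultdict(dict), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {n}: expected 3 fields, got {len(parts)}")
            continue
        label, client_random, secret = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            errors.append(f"line {n}: unknown label {label}")
        elif not HEX_RE.match(client_random) or len(client_random) != 64:
            errors.append(f"line {n}: client random must be 32 bytes of hex")
        elif not HEX_RE.match(secret) or len(secret) % 2:
            errors.append(f"line {n}: secret is not valid hex")
        else:
            sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), errors

def summarize(sessions):
    """TLS 1.2 needs CLIENT_RANDOM; TLS 1.3 needs both application traffic secrets."""
    app_secrets = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return {cr: "tls12" if TLS12_LABEL in labels
            else "tls13" if app_secrets.issubset(labels) else "incomplete"
            for cr, labels in sessions.items()}

# Constructed sample key log (not a real capture): three sessions plus two bad lines.
CR1, CR2, CR3 = "11" * 32, "22" * 32, "33" * 32      # 32-byte client randoms
MASTER, SECRET = "aa" * 48, "bb" * 32                 # 48-byte master secret, 32-byte secret
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    f"CLIENT_RANDOM {CR1} {MASTER}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR2} {SECRET}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR2} {SECRET}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR2} {SECRET}",
    f"SERVER_TRAFFIC_SECRET_0 {CR2} {SECRET}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR3} {SECRET}",         # server half never captured
    f"BOGUS_LABEL {CR1} {MASTER}",                     # unknown label, rejected
    f"CLIENT_RANDOM abc {MASTER}",                     # malformed client random, rejected
])
```

Run parse_keylog on the real file produced by keylog mode and check the error list before handing the file to Wireshark; an "incomplete" session usually means the capture started after the handshake.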
Videos
To better understand how to use eCapture, YouTube videos and detailed guides are available, outlining both basic and advanced usage scenarios.
Contributing
eCapture welcomes contributions from the community. Interested developers can consult the CONTRIBUTING.md guide for details on the contribution workflow.
Compilation
For those wishing to compile the eCapture tool from source, detailed instructions can be found in the COMPILATION.md document.
eCapture stands as a testament to advanced capturing techniques in a secure, compliant, and highly versatile manner, making it a valuable tool for developers and security professionals seeking to safeguard or audit their systems.