Unlocking eBPF Technology: Capture Plaintext HTTPS/TLS Packets Without a CA Certificate on Linux/Android

Rise up! Don’t allow yourself to descend into a lowly state. — Emily Brontë, Wuthering Heights. Embrace eBPF technology to elevate your potential.

Packet Capture Over HTTPS/TLS Without a CA Certificate
eBPF Technology Driven, Supporting Linux/Android (x86_64/Aarch64)

GitHub:

https://github.com/gojue/ecapture

Official Documentation:

Observer – Powered by eBPF technology, capture plaintext HTTPS/TLS packets without a CA certificate. | eCapture

What is eCapture Observer?

eCapture uses eBPF uprobe hooks to capture data from user-level processes without modifying the original program. It can also export the captured data in pcap-NG format so that it can be opened in Wireshark. It supports both Linux and Android, on the x86_64 and aarch64 CPU architectures.

  • Exports SSL/HTTPS data: captures HTTPS packets without importing a CA certificate.
  • Captures bash commands: a HIDS solution for monitoring bash command execution.
  • Audits databases: captures MySQL queries, etc.

Why Choose eCapture?

Tools like Wireshark and tcpdump see only the encrypted TLS bytes on the wire and cannot recover the plaintext. eCapture needs only root privileges to capture the plaintext of HTTPS communications.

How to Use

Download

Open https://github.com/gojue/ecapture/releases and choose the build for your platform.

  • For Linux and Android on ARM64/aarch64 CPUs, kernel version >= 5.5: ecapture-v0.8.0-linux/android-arm64.tar.gz
  • For Linux and Android on x86_64 CPUs, kernel version >= 4.18: ecapture-v0.8.0-linux/android-amd64.tar.gz
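
The release selection above, as an added example that is not part of eCapture itself: a POSIX sh helper that maps the host architecture to the release asset and refuses kernels older than the minimum the page states. It assumes the "linux/android" in the asset names stands for two separate tarballs named ecapture-v0.8.0-linux-<arch>.tar.gz and ecapture-v0.8.0-android-<arch>.tar.gz.

```shell
#!/bin/sh
# Added example, not eCapture's own code. Assumed asset naming:
# ecapture-v0.8.0-<os>-<arch>.tar.gz with os = linux | android.
ECAPTURE_VERSION="v0.8.0"

# kernel_at_least <uname -r> <major.minor>
# Succeeds when the running kernel's major.minor is >= the required one;
# the "-105-generic" style suffix is ignored.
kernel_at_least() {
    have="${1%%-*}"
    have_major="${have%%.*}"
    rest="${have#*.}"
    have_minor="${rest%%.*}"
    want_major="${2%%.*}"
    want_minor="${2#*.}"
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# ecapture_asset <linux|android> <uname -m> <uname -r>
# Prints the tarball name; prints nothing and returns 1 if unsupported.
ecapture_asset() {
    os="$1"; machine="$2"; kernel="$3"
    case "$os" in linux|android) ;; *) return 1 ;; esac
    case "$machine" in
        x86_64)  arch="amd64"; min="4.18" ;;   # page: x86_64 needs kernel >= 4.18
        aarch64) arch="arm64"; min="5.5"  ;;   # page: arm64 needs kernel >= 5.5
        *)       return 1 ;;                   # no release for other CPUs
    esac
    kernel_at_least "$kernel" "$min" || return 1
    printf 'ecapture-%s-%s-%s.tar.gz\n' "$ECAPTURE_VERSION" "$os" "$arch"
}

# Stand-alone use: ./select_asset.sh --self  (checks the current Linux host)
if [ "${1:-}" = "--self" ]; then
    ecapture_asset linux "$(uname -m)" "$(uname -r)" \
        || { echo "unsupported host for eCapture $ECAPTURE_VERSION" >&2; exit 1; }
fi
```
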

Run

./ecapture
Parameters

cfc4n@vmserver:~/$ sudo ecapture -h
NAME:
    ecapture - capture text SSL content without CA cert by ebpf hook.
USAGE:
    ecapture [flags]
VERSION:
    linux_arm64:v0.8.0:5.15.0-105-generic
COMMANDS:
    bash        capture bash command
    gnutls      capture gnutls text content without CA cert for gnutls libraries.
    gotls       Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS.
    help        Help about any command
    mysqld      capture sql queries from mysqld 5.6/5.7/8.0 .
    nss         capture nss/nspr encrypted text content without CA cert for nss/nspr libraries.
    postgres    capture sql queries from postgres 10+.
    tls         use to capture tls/ssl text content without CA cert. (Support openssl 1.0.x/1.1.x/3.0.x or newer).
DESCRIPTION:
    eCapture(Observer) is a tool that can capture plaintext packets
    such as HTTPS and TLS without installing a CA certificate.
    It can also capture bash commands, which is suitable for
    security auditing scenarios, such as database auditing of mysqld, etc (disabled on Android).
    Support Linux(Android)  X86_64 4.18/aarch64 5.5 or newer.
    Repository: https://github.com/gojue/ecapture
    HomePage: https://ecapture.cc
    Usage:
      ecapture tls -h
      ecapture bash -h
OPTIONS:
  -b, --btf=0            enable BTF mode.(0:auto; 1:core; 2:non-core)
  -d, --debug[=false]    enable debug logging.(coming soon)
  -h, --help[=false]     help for ecapture
      --hex[=false]      print byte strings as hex encoded strings
  -l, --logaddr=""       -l /tmp/ecapture.log or -l tcp://127.0.0.1:8080
      --mapsize=1024     eBPF map size per CPU, for events buffer. default:1024 * PAGESIZE. (KB)
  -p, --pid=0            if pid is 0 then we target all pids
  -u, --uid=0            if uid is 0 then we target all users
  -v, --version[=false]  version for ecapture