Comments (28)
Of course, if the container is authorized with the SYS_ADMIN permission, then it can obtain the communication plaintext of all networks on this host.
So, That is an other topic about eBPF security on runtime.
ref: https://github.com/ehids/ebpf-slide/blob/master/security/us-21-With-Friends-Like-EBPF-Who-Needs-Enemies.pdf
demo: https://www.youtube.com/watch?v=zgsHc8apFGs
posts on chinese: https://www.cnxct.com/evil-use-ebpf-and-how-to-detect-ebpf-rootkit-in-linux/?f=ecapture-github
from ecapture.
tetragon is the learning objective of ehids.
from ecapture.
by the way, I recorded a short video playing with ecapture https://youtu.be/Au1YeB0nz3g
from ecapture.
opened #69
from ecapture.
I could do this:
find the netshoot docker ID
docker ps | grep -w netshoot
b37ffd7a8341 nicolaka/netshoot "/bin/sleep 3600" 50 minutes ago Up 50 minutes k8s_netshoot_netshoot-hostnetwork_default_751666e9-5a23-4da1-952f-379288b47f97_0
docker inspect the ID
docker inspect b37ffd7a8341 | grep '"MergedDir"'
"MergedDir": "/var/lib/docker/overlay2/02c5fe50b9c6a817c47117ebddd8be82cf4095a6ff278f197519b1cedb7c3d75/merged",
find libssl
find /var/lib/docker/overlay2/02c5fe50b9c6a817c47117ebddd8be82cf4095a6ff278f197519b1cedb7c3d75/merged -name "libssl*"
/var/lib/docker/overlay2/02c5fe50b9c6a817c47117ebddd8be82cf4095a6ff278f197519b1cedb7c3d75/merged/lib/libssl.so.1.1
/var/lib/docker/overlay2/02c5fe50b9c6a817c47117ebddd8be82cf4095a6ff278f197519b1cedb7c3d75/merged/usr/lib/libssl.so.1.1
use ecapture with the correct libssl path
ecapture tls --libssl="/var/lib/docker/overlay2/02c5fe50b9c6a817c47117ebddd8be82cf4095a6ff278f197519b1cedb7c3d75/merged/lib/libssl.so.1.1" --hex
2022/05/30 14:02:27 pid info :2825032
2022/05/30 14:02:27 start to run EBPFProbeOPENSSL module
2022/05/30 14:02:27 start to run EBPFProbeGNUTLS module
2022/05/30 14:02:27 HOOK type:2, binrayPath:/var/lib/docker/overlay2/02c5fe50b9c6a817c47117ebddd8be82cf4095a6ff278f197519b1cedb7c3d75/merged/lib/libssl.so.1.1
2022/05/30 14:02:27 libPthread so Path:/lib64/libpthread.so.0
2022/05/30 14:02:27 target all process.
2022/05/30 14:02:27 start to run EBPFProbeNSPR module
2022/05/30 14:02:27 stat /usr/lib/libnspr4.so: no such file or directory
2022/05/30 14:02:27 HOOK type:2, binrayPath:/lib64/libgnutls.so.30
2022/05/30 14:02:27 target all process.
execute the curl from netshoot pod
kubectl exec -it netshoot-hostnetwork -- curl -k -v https://10.1.34.88/
* Trying 10.1.34.88:443...
* Connected to 10.1.34.88 (10.1.34.88) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: C=US; ST=WA; L=Seattle; O=MyCompany; OU=IT; CN=localhost.localdomain; [email protected]
* start date: Oct 1 19:29:04 2020 GMT
* expire date: Sep 29 19:29:04 2030 GMT
* issuer: C=US; ST=WA; L=Seattle; O=MyCompany; OU=IT; CN=localhost.localdomain; [email protected]
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: 10.1.34.88
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: BigIP
* HTTP/1.0 connection set to keep alive
< Connection: Keep-Alive
< Content-Length: 10
<
* Connection #0 to host 10.1.34.88 left intact
IT WORKS
the ecapture output:
2022/05/30 14:03:34 PID:2825502, Comm:curl, TID:2825502, Version:TLS1_2_VERSION, Send 74 bytes to [ADDR_NOT_FOUND], Payload:
GET / HTTP/1.1
Host: 10.1.34.88
User-Agent: curl/7.83.1
Accept: */*
2022/05/30 14:03:34 PID:2825502, Comm:curl, TID:2825502, Version:TLS1_2_VERSION, Recived 88 bytes from [ADDR_NOT_FOUND], Payload:
HTTP/1.0 200 OK
Server: BigIP
Connection: Keep-Alive
Content-Length: 10
IT WORKS
from ecapture.
yes, you are right. eh....Is your problem solved?
from ecapture.
yes it is resolved, thanks for this great project :)
from ecapture.
yes it is resolved, thanks for this great project :)
Thanks the test.
Can we have a sample to use this tool into the container?
from ecapture.
@BurlyLuo That is a good idea. can you send a PR for it? or an article?
from ecapture.
hm, this brings me thoughts about multi tenant cloud environment, that someone could run ecapture as container and gain privilege on the node and sniff other tenant containers TLS connection, is that possible ?
from ecapture.
I wonder if https://github.com/cilium/tetragon is able to detect this scenario, I assume your ehids could detect this too
from ecapture.
I am not familiar with docker, can we create a docker file for ecapture to run ecapture in container/pod ?
from ecapture.
I think It is not necessary. via: #23
from ecapture.
ok, good, just one more question, is it possible to give --libssl
argument multiple libssl path so ecapture could capture multiple TLS connections for multiple processes/commands ? I guess we can run multiple ecapture commands to achieve that, just wonder :)
from ecapture.
1, eCapture can capture all process TLS paintext who use the same libssl.so default. and can use pid
arg to filter.
2, Can run multiple eCapture with every libssl path to achieve that.
3, Of course, an eCapture process can hook multiple ssl/tls SO file, but I don't think this is a necessary requirement.
from ecapture.
ah, right I got 1), I am thinking in k8s pod/container scenario that each pod/container might have their own libssl copy, yes 2) can achieve that.
from ecapture.
Good job. I'll create User Manual WIKI tomorrow with your video, thanks. 😊
from ecapture.
Hi @cfc4n sorry to bother you again, I added the ecapture binary in netshoot pod like vincentmli/netshoot@72633ba so I can run ecapture from netshoot pod in k8s, the netshoot pod yaml file has privilege permission like below
apiVersion: v1
kind: Pod
metadata:
name: netshoot-ecap
spec:
hostPID: true
hostNetwork: true
nodeSelector:
dedicated: master
containers:
- name: netshoot-ecap
image: vli39/netshoot:ecap
command:
- /bin/sleep
- "3600"
volumeMounts:
- mountPath: /mnt
name: host-slash
securityContext:
privileged: true
volumes:
- name: host-slash
hostPath:
path: /
type: ''
you can see I mounted the node root / in netshoot pod /mnt to access the host libssl, but it errors out with "lstat /etc/ld.so.conf: no such file or directory", I wonder why ecapture is trying to check host /etc/ld.so.conf
, ecapture is statically build, I suspect the host libssl requiring host /etc/ld.so.conf
, but I can't mount host /etc
to netshoot pod /etc
, wonder if you have better idea :)
kubectl exec -it netshoot-ecap -- /bin/bash
bash-5.1# ls -l /mnt/lib64/libssl*
lrwxrwxrwx 1 root root 16 Mar 30 2021 /mnt/lib64/libssl.so -> libssl.so.1.1.1g
lrwxrwxrwx 1 root root 16 Mar 30 2021 /mnt/lib64/libssl.so.1.1 -> libssl.so.1.1.1g
-rwxr-xr-x 1 root root 615576 Mar 30 2021 /mnt/lib64/libssl.so.1.1.1g
-rwxr-xr-x 1 root root 394632 Dec 18 2020 /mnt/lib64/libssl3.so
bash-5.1# ecapture tls --libssl="/mnt/lib64/libssl.so.1.1.1g" --hex
2022/06/03 14:51:29 pid info :1391071
2022/06/03 14:51:29 start to run EBPFProbeOPENSSL module
2022/06/03 14:51:29 lstat /etc/ld.so.conf: no such file or directory
2022/06/03 14:51:29 invalid argument
from ecapture.
eh, eCapture will find pthread.so
to capture IP ADDRESS
default , and you can set pthread.so
argument with pthread
falg.
from ecapture.
ecapture is statically built
ldd /usr/local/bin/ecapture
not a dynamic executable
but are you saying eCapture dynamically linked with pthread.so
? how do I specify ecapture with pthread
flag? sorry I am not following you :)
from ecapture.
eh, eCapture will find
pthread.so
to captureIP ADDRESS
default , and you can setpthread.so
argument withpthread
falg.
bash-5.1# ecapture tls --libssl="/mnt/var/lib/docker/overlay2/9ee7c714e2a3435b7cdcc81cc595afa2d9bb42136439bda35677c85bbf7d160c/merged/usr/lib/x86_64-linux-gnu/libssl.so.1.1" --pthread="/mnt/var/lib/docker/overlay2/9ee7c714e2a3435b7cdcc81cc595afa2d9bb42136439bda35677c85bbf7d160c/merged/usr/lib/x86_64-linux-gnu/libpthread.so.0"
2022/06/05 04:36:54 pid info :10668
2022/06/05 04:36:54 start to run EBPFProbeOPENSSL module
2022/06/05 04:36:54 start to run EBPFProbeGNUTLS module
2022/06/05 04:36:54 invalid argument
bash-5.1#
bash-5.1# ecapture tls --libssl="/mnt/var/lib/docker/overlay2/9ee7c714e2a3435b7cdcc81cc595afa2d9bb42136439bda35677c85bbf7d160c/merged/usr/lib/x86_64-linux-gnu/libssl.so.1.1" --pthread="/mnt/var/lib/docker/overlay2/9ee7c714e2a3435b7cdcc81cc595afa2d9bb42136439bda35677c85bbf7d160c/merged/usr/lib/x86_64-linux-gnu/libpthread.so.0" -h
NAME:
tls - alias name:openssl , use to capture tls/ssl text content without CA cert.
USAGE:
ecapture tls [flags]
DESCRIPTION:
use eBPF uprobe to capture process event data, not used libpcap.
Can used to trace, debug, database audit, security event aduit etc.
OPTIONS:
--curl="" curl or wget file path, use to dectet openssl.so path, default:/usr/bin/curl
--firefox="" firefox file path, default: /usr/lib/firefox/firefox.
--gnutls="" libgnutls.so file path, will automatically find it from curl default.
-h, --help[=false] help for tls
--libssl="" libssl.so file path, will automatically find it from curl default.
--nspr="" libnspr44.so file path, will automatically find it from curl default.
--pthread="" libpthread.so file path, use to hook connect to capture socket FD.will automatically find it from curl.
--wget="" wget file path, default: /usr/bin/wget.
GLOBAL OPTIONS:
-d, --debug[=false] enable debug logging
--hex[=false] print byte strings as hex encoded strings
-p, --pid=0 if pid is 0 then we target all pids
bash-5.1#
from ecapture.
ecapture is statically built
ldd /usr/local/bin/ecapture not a dynamic executable
but are you saying eCapture dynamically linked with
pthread.so
? how do I specify ecapture withpthread
flag? sorry I am not following you :)
sure, ecapture is statically built . but eCapture hook connect()
function to capture IP ADDRESS
,sometimes connect
function was define inpthread.so
. so need to search the path.
from ecapture.
sometimes , defined in /lib64/libc.so.6
, you can use ldd
which curl|grep libc.so|awk '{print $3}'|xargs objdump -T |grep connect
to confirm it.
[root@VM-16-13-centos bin]# ldd `which curl`|grep libc.so|awk '{print $3}'|xargs objdump -T |grep connect
0000000000112f90 w DF .text 000000000000009b GLIBC_2.2.5 __connect
0000000000112f90 w DF .text 000000000000009b GLIBC_2.2.5 connect
@BurlyLuo @vincentmli
It will skip directory search if lib path args
was set.
from ecapture.
ah, sorry I missed the output libPthread so Path:/lib64/libpthread.so.0
when run ecapture normally
ecapture tls --libssl=/lib64/libssl.so.1.1.1g
2022/06/05 10:53:59 pid info :3232826
2022/06/05 10:53:59 start to run EBPFProbeOPENSSL module
2022/06/05 10:53:59 start to run EBPFProbeGNUTLS module
2022/06/05 10:53:59 stat /usr/lib/libgnutls.so.30: no such file or directory
2022/06/05 10:53:59 start to run EBPFProbeNSPR module
2022/06/05 10:53:59 stat /usr/lib/libnspr4.so: no such file or directory
2022/06/05 10:53:59 HOOK type:2, binrayPath:/lib64/libssl.so.1.1.1g
2022/06/05 10:53:59 libPthread so Path:/lib64/libpthread.so.0 <====MISSED THIS
2022/06/05 10:53:59 target all process.
but still error when I run ecapture in container with --pthread=/mnt/lib64/libpthread.so.0
, it looks to me when putting ecapture in container, for some reason, ecapture could not find the correct pthread lib even with --pthread
argument, and still try to locate /etc/ld.so.conf
kubectl exec -it netshoot-ecap -- /bin/bash
bash-5.1#
bash-5.1# ls -l /mnt/lib64/libpth*
-rwxr-xr-x 1 root root 320504 Jul 20 2020 /mnt/lib64/libpthread-2.28.so
lrwxrwxrwx 1 root root 27 Jul 20 2020 /mnt/lib64/libpthread.so -> ../../lib64/libpthread.so.0
lrwxrwxrwx 1 root root 18 Jul 20 2020 /mnt/lib64/libpthread.so.0 -> libpthread-2.28.so
bash-5.1# ecapture tls --libssl=/mnt/lib64/libssl.so.1.1.1g --pthread=/mnt/lib64/libpthread.so.0
2022/06/05 15:01:40 pid info :3237812
2022/06/05 15:01:40 start to run EBPFProbeOPENSSL module
2022/06/05 15:01:40 start to run EBPFProbeGNUTLS module
2022/06/05 15:01:40 lstat /etc/ld.so.conf: no such file or directory
2022/06/05 15:01:40 invalid argument
from ecapture.
tried create /etc/ld.so.conf
with mounted host / in container, still can't find connect
I guess
bash-5.1# echo "/mnt/lib64" > /etc/ld.so.conf
bash-5.1# cat /etc/ld.so.conf
/mnt/lib64
bash-5.1# ecapture tls --libssl="/mnt/var/lib/docker/overlay2/16e8490ca25fe4c685825f60ed33d704ebf0a1689b9887c24d0b98b12ae961e2/merged/usr/lib64/libssl.so.1.0.2k" --hex
2022/06/05 15:32:04 pid info :3257576
2022/06/05 15:32:04 start to run EBPFProbeOPENSSL module
2022/06/05 15:32:04 start to run EBPFProbeGNUTLS module
2022/06/05 15:32:04 invalid argument
bash-5.1# ecapture tls --pthread="/mnt/var/lib/docker/overlay2/16e8490ca25fe4c685825f60ed33d704ebf0a1689b9887c24d0b98b12ae961e2/merged/usr/lib64/libpthread.so.0" --libssl="/mnt/var/lib/docker/overlay2/16e8490ca25fe4c685825f60ed33d704ebf0a1689b9887c24d0b98b12ae961e2/merged/usr/lib64/libssl.so.1.0.2k" --hex
2022/06/05 15:29:01 pid info :3255607
2022/06/05 15:29:01 start to run EBPFProbeOPENSSL module
2022/06/05 15:29:01 start to run EBPFProbeGNUTLS module
2022/06/05 15:29:01 invalid argument
from ecapture.
may be it's a bug. can you send a new issue for it?
from ecapture.
sure, will do, appreciate the help!
from ecapture.
close this since question is answered by @cfc4n
from ecapture.
Related Issues (20)
- 执行时报Permission denied HOT 4
- 数据抓不全的问题 HOT 8
- 获取https request response header+ body HOT 5
- BoringSSL is not supported on linux HOT 4
- Keylog capture not working with OpenSSL 1.1.0 HOT 3
- support updated versions of OpenSSL such as 1.1.1u, v, w, etc.
- masterKey被多次写入pcapng文件中 HOT 3
- load bpf failed on kernel 4.18.0
- android version compilation has failed. HOT 1
- gotls shared object not supported HOT 11
- FTL module run failed, skip it. error="couldn't init manager xxx error:program probe_entry_SSL_read HOT 3
- unsupported arch library HOT 2
- ecapture cannot work on linux with boringssl HOT 9
- panic on pixel 6 pro(android13) HOT 1
- tls module couldn't find binPath stat /usr/lib/firefox/libnspr4.so: no such file or directory HOT 6
- the handshake State judgment is not completely accurate on boringssl with the branch main-with-bazel HOT 8
- 使用-l参数时出现WRN failed to create multiLogger error="open : no such file or directory" HOT 1
- master secret length is too long for every connection HOT 2
- can not open /apex/com.android.conscrypt/lib64/libssl.so HOT 6
- DTLS protocol support HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ecapture.