Capturing Linux SSL/TLS plaintext without a CA certificate using eBPF
The GitHub repository contains eCapture, a tool for capturing SSL/TLS plaintext without a CA certificate using eBPF. It includes modules for Golang programs, MySQL, PostgreSQL, and bash commands. Detailed documentation is available.
The eCapture project captures SSL/TLS plaintext with eBPF instead of terminating or proxying the connection, so no CA certificate has to be installed or trusted by the target. Its modules cover plaintext from Golang programs that encrypt with TLS/HTTPS, SQL queries from MySQL and PostgreSQL applications, and bash commands for host security auditing. The repository documents the tool's functionality, a user manual, a getting-started guide, an architecture overview, eBPF details, compilation instructions, and contribution guidelines.
Related
Bpftop: Dynamic real-time view of running eBPF programs
The GitHub repository for `bpftop` by Netflix provides real-time monitoring of eBPF programs with statistics like average runtime, events per second, and CPU usage. Visit https://github.com/Netflix/bpftop for more details.
Show HN: a Rust lib to trigger actions based on your screen activity (with LLMs)
The GitHub project "Screen Pipe" uses Large Language Models to convert screen content into actions. Implemented in Rust + WASM, inspired by `adept.ai`, `rewind.ai`, and `Apple Shortcut`. Open source under MIT license.
How eBPF is shaping the future of Linux and platform engineering
eBPF, developed by Daniel Borkmann, revolutionizes Linux by enabling custom programs in the kernel. It enhances networking, security, and observability, bridging monolithic and microkernel architectures for improved performance and flexibility.
Show HN: Xcapture-BPF – like Linux top, but with Xray vision
0x.tools simplifies Linux application performance analysis without requiring upgrades or heavy frameworks. It offers thread monitoring, CPU usage tracking, system call analysis, and kernel wait location identification. The xcapture-bpf tool enhances performance data visualization through eBPF. Installation guides are available for RHEL 8.1 and Ubuntu 24.04.
Inspect TLS encrypted traffic using mitmproxy and Wireshark
The article details inspecting TLS traffic with mitmproxy and Wireshark, highlighting challenges and setup steps. It explains using wireguard-tools for connection and decrypting traffic for real-time validation. The author encourages community engagement.
https://github.com/bpftrace/bpftrace/blob/master/tools/sslsn...
https://github.com/iovisor/bcc/blob/master/tools/sslsniff.py
https://embracethered.com/blog/posts/2021/offensive-bpf-snif...
On Ubuntu for example I can just "sudo apt install bpfcc-tools", then run "sudo sslsniff-bpfcc" and see curl TLS traffic right away.
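The uprobe technique that sslsniff and eCapture rely on, shown as an added bpftrace script (this is not code from eCapture, bcc, or the commenter above): it attaches to OpenSSL's SSL_write and SSL_read in the shared libssl and prints each buffer before it is encrypted or after it has been decrypted, so the TLS session's keys and certificates never matter. The libssl path and the `curl` target are assumptions for a Debian/Ubuntu host with OpenSSL 3; check the real path with `ldd "$(command -v curl)" | grep libssl`.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example: dump TLS plaintext by hooking OpenSSL in user space.
 * Run as root:   BPFTRACE_STRLEN=200 bpftrace ssl_plain.bt
 * Then, in another shell:   curl -s https://example.com >/dev/null
 *
 * Assumption: libssl lives at the path below (OpenSSL 3 on x86_64 Debian/Ubuntu).
 * Only processes that dynamically link this libssl are seen; a statically
 * linked TLS stack (e.g. Go's crypto/tls) needs probes on the binary itself.
 */

// SSL_write(SSL *ssl, const void *buf, int num): arg1 is the plaintext the
// application is about to send. Remember the pointer per thread until return.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
    @wbuf[tid] = arg1;
}

// On return, retval is the number of plaintext bytes actually written.
uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
/@wbuf[tid]/
{
    if (retval > 0) {
        printf("WRITE pid=%d comm=%s len=%d\n%s\n",
               pid, comm, retval, str(@wbuf[tid], retval));
    }
    delete(@wbuf[tid]);
}

// SSL_read(SSL *ssl, void *buf, int num): arg1 is the destination buffer,
// which is only filled once the call returns, so stash it and read it on exit.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
{
    @rbuf[tid] = arg1;
}

// On return, retval is the number of decrypted bytes placed in the buffer.
uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/@rbuf[tid]/
{
    if (retval > 0) {
        printf("READ  pid=%d comm=%s len=%d\n%s\n",
               pid, comm, retval, str(@rbuf[tid], retval));
    }
    delete(@rbuf[tid]);
}

// Drop the bookkeeping maps so bpftrace does not print them at exit.
END
{
    clear(@wbuf);
    clear(@rbuf);
}
```

Two caveats a practitioner will hit: `str()` truncates at `BPFTRACE_STRLEN` bytes (64 by default), so raise it to see more of each HTTP message, and the probes fire for every process using that libssl, so add a predicate such as `/comm == "curl"/` when the host is busy. Attaching uprobes requires CAP_BPF plus CAP_PERFMON (or CAP_SYS_ADMIN on older kernels), which is the same privilege boundary the sslsniff tools linked above depend on.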
We use a similar approach in Coroot to get fantastic observability insights with zero configuration.
I use a localhost-bound TLS forward proxy. Works on both BSD and Linux, kernel config is irrelevant. Allows me to easily redirect and modify traffic.
ECH is still lagging in server adoption. After Cloudflare discontinued their ESNI trial I have avoided sites that require SNI, e.g., ones using Cloudflare. What I have found is that most websites on the internet still do not require it. The sites that use a handful of large, popular CDNs are the exceptions. There are numerous workarounds for those, e.g., archive.org needs no SNI. This allows me to access Cloudflare sites without sending SNI.
As for certificate pinning, I do not use closed source "apps".
If corporations MITM their TLS traffic then individuals should do the same.
If you need k8s support I can also help with that, if you get CAP_SYS_ADMIN you can break out of the container and then back into every other container ;)
Is there any way to account a response of a TLS-enabled server to its public key?
Something like reverse fingerprinting?
Because IMO, what my PC is doing and sending over the network at all times should be inspectable by me, on that computer.