From 8b17dc3472a9c11139d0058bbf8b42eae66022b8 Mon Sep 17 00:00:00 2001
From: jeromemarchand <38073585+jeromemarchand@users.noreply.github.com>
Date: Sat, 4 Aug 2018 07:09:36 +0200
Subject: [PATCH] sslsniff: add NSS support (#1908)
* sslsniff: add NSS support
* sslsniff: update documentation
---
man/man8/sslsniff.8 | 18 +++++++++---------
tools/sslsniff.py | 21 +++++++++++++++++++--
tools/sslsniff_example.txt | 16 +++++++++-------
3 files changed, 37 insertions(+), 18 deletions(-)
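diff --git a/man/man8/sslsniff.8 b/man/man8/sslsniff.8
index e20e28a..72836e2 100644
--- a/man/man8/sslsniff.8
+++ b/man/man8/sslsniff.8
@@ -1,12 +1,12 @@
 .TH sslsniff 8 "2016-08-16" "USER COMMANDS"
 .SH NAME
-sslsniff \- Print data passed to OpenSSL. Uses Linux eBPF/bcc.
+sslsniff \- Print data passed to OpenSSL, GnuTLS or NSS. Uses Linux eBPF/bcc.
 .SH SYNOPSIS
-.B sslsniff
+.B sslsniff [-h] [-p PID] [-c COMM] [-o] [-g] [-n] [-d]
 .SH DESCRIPTION
-sslsniff prints data sent to SSL_write and SSL_read OpenSSL functions, allowing
-us to read plain text content before encryption (when writing) and after
-decryption (when reading).
+sslsniff prints data sent to write/send and read/recv functions of
+OpenSSL, GnuTLS and NSS, allowing us to read plain text content before
+encryption (when writing) and after decryption (when reading).
 
 This works reading the second parameter of both functions (*buf).
 
@@ -15,13 +15,13 @@ Since this uses BPF, only the root user can use this tool.
 CONFIG_BPF and bcc.
 .SH EXAMPLES
 .TP
-Print all calls to SSL_write and SSL_read system-wide:
+Print all calls to SSL write/send and read/recv system-wide:
 #
 .B sslsniff
 .SH FIELDS
 .TP
 FUNC
-Which function is being called (SSL_write or SSL_read)
+Which function is being called (write/send or read/recv)
 .TP
 TIME
 Time of the command, in seconds.
@@ -30,10 +30,10 @@ COMM
 Entered command.
 .TP
 PID
-Process ID calling OpenSSL.
+Process ID calling SSL.
 .TP
 LEN
-Bytes written or read by OpenSSL functions.
+Bytes written or read by SSL functions.
 .SH SOURCE
 This is from bcc.
 .IP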
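diff --git a/tools/sslsniff.py b/tools/sslsniff.py
index 174577b..2e74fba 100755
--- a/tools/sslsniff.py
+++ b/tools/sslsniff.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python
 #
-# sslsniff Captures data on read/recv or write/send functions of OpenSSL and
-# GnuTLS
+# sslsniff Captures data on read/recv or write/send functions of OpenSSL,
+# GnuTLS and NSS
 # For Linux, uses BCC, eBPF.
 #
 # USAGE: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]
@@ -25,6 +25,7 @@ import argparse
 ./sslsniff -c curl # sniff curl command only
 ./sslsniff --no-openssl # don't show OpenSSL calls
 ./sslsniff --no-gnutls # don't show GnuTLS calls
+ ./sslsniff --no-nss # don't show NSS calls
 """
 parser = argparse.ArgumentParser(
 description="Sniff SSL data",
@@ -37,6 +38,8 @@ parser.add_argument("-o", "--no-openssl", action="store_false", dest="openssl",
 help="do not show OpenSSL calls.")
 parser.add_argument("-g", "--no-gnutls", action="store_false", dest="gnutls",
 help="do not show GnuTLS calls.")
+parser.add_argument("-n", "--no-nss", action="store_false", dest="nss",
+ help="do not show NSS calls.")
 parser.add_argument('-d', '--debug', dest='debug', action='count', default=0,
 help='debug mode.')
 parser.add_argument("--ebpf", action="store_true",
@@ -149,6 +152,20 @@ b = BPF(text=prog)
 b.attach_uretprobe(name="gnutls", sym="gnutls_record_recv",
 fn_name="probe_SSL_read_exit", pid=args.pid or -1)
 
+if args.nss:
+ b.attach_uprobe(name="nspr4", sym="PR_Write", fn_name="probe_SSL_write",
+ pid=args.pid or -1)
+ b.attach_uprobe(name="nspr4", sym="PR_Send", fn_name="probe_SSL_write",
+ pid=args.pid or -1)
+ b.attach_uprobe(name="nspr4", sym="PR_Read", fn_name="probe_SSL_read_enter",
+ pid=args.pid or -1)
+ b.attach_uretprobe(name="nspr4", sym="PR_Read",
+ fn_name="probe_SSL_read_exit", pid=args.pid or -1)
+ b.attach_uprobe(name="nspr4", sym="PR_Recv", fn_name="probe_SSL_read_enter",
+ pid=args.pid or -1)
+ b.attach_uretprobe(name="nspr4", sym="PR_Recv",
+ fn_name="probe_SSL_read_exit", pid=args.pid or -1)
+
 # define output data structure in Python
 TASK_COMM_LEN = 16 # linux/sched.h
 MAX_BUF_SIZE = 464 # Limited by the BPF stack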
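Review bot: The file-header usage comment that appears as context in the first hunk, `# USAGE: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]`, still omits the new flag even though the man page SYNOPSIS and sslsniff_example.txt in this same commit were updated to `[-n]`; it should read `# USAGE: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-n] [-d]`. In the last hunk, the six probes in the `if args.nss:` block hook `PR_Write`/`PR_Send`/`PR_Read`/`PR_Recv` in libnspr4, which as far as I know are NSPR's generic descriptor I/O entry points rather than SSL-layer functions, so output labelled as SSL data may also include plaintext from non-TLS NSPR descriptors in the traced process. That is worth a comment above the block, e.g. `# NOTE: PR_Read/PR_Write are NSPR's generic I/O entry points (NSS's SSL layer sits on top of them), so these probes can also report non-TLS NSPR I/O.` The `if args.nss:` block is self-contained within the hunk.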
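diff --git a/tools/sslsniff_example.txt b/tools/sslsniff_example.txt
index c16b572..8c51722 100644
--- a/tools/sslsniff_example.txt
+++ b/tools/sslsniff_example.txt
@@ -1,16 +1,16 @@
 Demonstrations of sslsniff.py
 
 
-This tool traces the OpenSSL functions SSL_READ and SSL_WRITE.
-Data passed to this functions is printed as plain text.
-Useful, for example, to sniff HTTP before encrypted with SSL.
+This tool traces the write/send and read/recv functions of OpenSSL,
+GnuTLS and NSS. Data passed to this functions is printed as plain
+text. Useful, for example, to sniff HTTP before encrypted with SSL.
 
 
 Output of tool executing in other shell "curl https://example.com"
 
 % sudo python sslsniff.py
 FUNC TIME(s) COMM PID LEN
-SSL_WRITE 0.000000000 curl 12915 75
+WRITE/SEND 0.000000000 curl 12915 75
 ----- DATA -----
 GET / HTTP/1.1
 Host: example.com
@@ -20,7 +20,7 @@ Accept: */*
 
 ----- END DATA -----
 
-SSL_READ 0.127144585 curl 12915 333
+READ/RECV 0.127144585 curl 12915 333
 ----- DATA -----
 HTTP/1.1 200 OK
 Cache-Control: max-age=604800
@@ -38,7 +38,7 @@ Content-Length: 1270
 
 ----- END DATA -----
 
-SSL_READ 0.129967972 curl 12915 1270
+READ/RECV 0.129967972 curl 12915 1270
 ----- DATA -----
 
 <html>
@@ -65,7 +65,7 @@ SSL_READ 0.129967972 curl 12915 1270
 
 USAGE message:
 
-usage: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]
+usage: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-n] [-d]
 
 Sniff SSL data
 
@@ -75,6 +75,7 @@ Sniff SSL data
 -c COMM, --comm COMM sniff only commands matching string.
 -o, --no-openssl do not show OpenSSL calls.
 -g, --no-gnutls do not show GnuTLS calls.
+ -n, --no-nss do not show NSS calls.
 -d, --debug debug mode.
 
 examples:
@@ -83,3 +84,4 @@ Sniff SSL data
 ./sslsniff -c curl # sniff curl command only
 ./sslsniff --no-openssl # don't show OpenSSL calls
 ./sslsniff --no-gnutls # don't show GnuTLS calls
+ ./sslsniff --no-nss # don't show NSS calls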
--
2.17.1