gojue / ecapture
Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
Repository Overview (README excerpt)
eCapture(旁观者): capture SSL/TLS text content without a CA certificate using eBPF.

> [!IMPORTANT]
> Supports Linux/Android kernel versions x86_64 4.18 and above, **aarch64 5.5** and above.
> Needs ROOT permission.
> Does not support Windows and macOS systems.

----

- Introduction
- Getting started
  - Download
    - ELF binary file
    - Docker image
  - Capture openssl text content
- Modules
  - OpenSSL Module
  - GoTLS Module
  - Other Modules
- Videos
- Contributing
- Compilation

## Introduction

- SSL/TLS plaintext capture, supporting the openssl, libressl, boringssl, gnutls and nspr (nss) libraries.
- GoTLS plaintext capture for Go's tls library, i.e. encrypted communication in https/tls programs written in Go.
- Bash audit: captures bash commands for host security auditing.
- Zsh audit: captures zsh commands for host security auditing.
- MySQL query SQL audit: supports mysqld 5.6/5.7/8.0 and MariaDB.

## Getting started

### Download

#### ELF binary file

> [!TIP]
> Supports Linux/Android x86_64/aarch64.

Download the ELF zip file from the release page, unzip it and run the binary.

#### Docker image

> [!TIP]
> Linux only.

See Docker Hub for more information.

### Capture openssl text content

## Modules

The eCapture tool comprises 8 modules that respectively support plaintext capture for TLS/SSL encryption libraries such as OpenSSL, GnuTLS, NSPR, BoringSSL and GoTLS. Additionally, it supports software audits for Bash, MySQL and PostgreSQL.

- bash: capture bash commands
- zsh: capture zsh commands
- gnutls: capture gnutls text content without a CA cert for the gnutls libraries
- gotls: capture plaintext communication from Go programs encrypted with TLS/HTTPS
- mysqld: capture SQL queries from mysqld 5.6/5.7/8.0
- nss: capture nss/nspr encrypted text content without a CA cert for the nss/nspr libraries
- postgres: capture SQL queries from postgres 10+
- tls: capture tls/ssl text content without a CA cert (supports openssl 1.0.x/1.1.x/3.0.x or newer)

You can use the help output to view the list of subcommands.

### OpenSSL Module

By default, eCapture searches a configuration file for the load directories of shared object files and locates the shared library that way, or you can pass a flag to set the shared library path. If the target program is statically linked, set the program path as the flag value directly.

The OpenSSL module supports three capture modes:

- pcap mode stores captured plaintext data as a pcapng file.
- keylog mode saves the TLS handshake keys to a file.
- text mode directly captures plaintext data, either writing it to a specified file or printing it to the command line.

#### Pcap Mode

Supports TLS-encrypted HTTP over TCP and the HTTP/3 protocol over UDP. This mode is selected by a flag and used in conjunction with further parameters, one of which has a default value. The command saves captured plaintext data packets as a pcapng file, which can be viewed with a packet viewer: open the file to view the plaintext data packets.

#### Keylog Mode

This mode is selected by a flag and used in conjunction with the key-log file parameter, which has a default value; the captured OpenSSL TLS key information is saved to that file. You can also enable packet capture alongside it, then open the capture file and set the key-log path in the packet viewer to view plaintext data packets. You can also directly use decryption software for real-time decryption and display.

#### Text Mode

Text mode outputs all plaintext data packets. (Starting from v0.7.0, it no longer captures SSLKEYLOG information.)

### GoTLS Module

Similar to the OpenSSL module. The gotls command captures tls text content.

Step 1:

Step 2:

For more, see the help output.

### Other Modules

For the other modules, use the help output to view the list of subcommands.

## Videos

- Youtube video: How to use eCapture v0.1.0
- eCapture: supports capturing plaintext of Golang TLS/HTTPS traffic

## eCaptureQ GUI Application

eCaptureQ is a cross-platform graphical user interface client for eCapture, visualizing eBPF TLS capture capabilities. Built using the Rust + Tauri + React technology stack, it provides a real-time, responsive interface, enabling easy analysis of encrypted traffic without the need for CA certificates.

It simplifies complex eBPF capture techniques, making them easy to use. It supports two modes:

- Integrated Mode: unified Linux/Android execution
- Remote Mode: a Windows/macOS/Linux client connects to a remote eCapture service

### Event Forwarding

### Event Forwarding Projects

### Video Demonstration

https://github.com/user-attachments/assets/c8b7a84d-58eb-4fdb-9843-f775c97bdbfb

🔗 GitHub Repository

### Protobuf Protocols

For details of the Protobuf log schema used by eCapture/eCaptureQ, see:

- protobuf/PROTOCOLS.md

## Contributing

See CONTRIBUTING for details on submitting patches and the contribution workflow.

## Compilation

### Custom Compilation

You can customize the features you want, such as setting the offset address to support statically compiled OpenSSL libraries. Refer to the compilation guide for compilation instructions.

## Configurations

### Remote Update

After eCapture is running, you can dynamically modify the configuration through HTTP interfaces. Refer to the HTTP API Documentation.

### Event Forwarding

eCapture supports multiple event forwarding methods. You can forward events to packet capture software such as Burp Suite. For details, refer to the Event Forwarding API Documentation.

## Acknowledgements

This project is supported by a JetBrains IDE license. We thank JetBrains for their contributions to the open-source community.
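The keylog mode described above writes a key file that a packet viewer uses to decrypt the accompanying capture. As an added example (not eCapture's own code; it assumes the file uses the standard NSS key log format that Wireshark reads), this Python script validates such a file before it is handed to a decryptor and groups the secrets per TLS session:

```python
"""Check an SSLKEYLOGFILE-style key log (NSS Key Log Format) before use.
Added example, not eCapture code; assumes keylog mode writes that format."""
import re

TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (entries, errors); entries are (label, client_random, secret) tuples."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # the format allows comment lines
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        # secret: 48-byte TLS 1.2 master secret, or hash-length (32/48 bytes) for TLS 1.3
        if label == "CLIENT_RANDOM":
            want = {96}
        elif label in TLS13_LABELS:
            want = {64, 96}
        else:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if len(client_random) != 64 or not HEX.match(client_random):
            errors.append((lineno, "client random is not 32 hex bytes"))
        elif len(secret) not in want or not HEX.match(secret):
            errors.append((lineno, f"bad secret length for {label}"))
        else:
            entries.append((label, client_random.lower(), secret.lower()))
    return entries, errors

def sessions(entries):
    """Map client random -> labels present, to see which sessions are decryptable."""
    by_session = {}
    for label, cr, _ in entries:
        by_session.setdefault(cr, set()).add(label)
    return by_session
# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, one bad line.
SAMPLE = "\n".join([
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM " + "ff" * 31 + " " + "bb" * 48,  # truncated client random
])
```

A TLS 1.3 session whose entry set lacks either traffic secret will only decrypt one direction, which is the first thing to check when a capture opens as ciphertext.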