Peetch – An eBPF Playground



peetch is a collection of tools aimed at experimenting with different aspects of eBPF to bypass TLS protocol protections.

Currently, peetch contains two subcommands. The first one, called dump, aims to sniff network traffic by associating information about the source process with each packet. The second one, called tls, allows identifying processes using OpenSSL to extract cryptographic keys.

Combined, these two commands make it possible to decrypt TLS exchanges recorded in the PCAPng format.

Installation

peetch relies on several dependencies, including non-merged modifications of bcc and Scapy. A Docker image can be built to test peetch easily, using the following command:

docker build -t quarkslab/peetch .

Commands Walk Through

The following examples assume that you used the following command to enter the Docker image and launch the examples within it:

docker run --privileged --network host --mount type=bind,source=/sys,target=/sys --mount type=bind,source=/proc,target=/proc --rm -it quarkslab/peetch

dump

This sub-command gives you the ability to sniff packets using an eBPF TC classifier and to retrieve the corresponding PID and process names with:

peetch dump
curl/1289291 - Ether / IP / TCP 10.211.55.10:53052 > 208.97.177.124:https S / Padding
curl/1289291 - Ether / IP / TCP 208.97.177.124:https > 10.211.55.10:53052 SA / Padding
curl/1289291 - Ether / IP / TCP 10.211.55.10:53052 > 208.97.177.124:https A / Padding
curl/1289291 - Ether / IP / TCP 10.211.55.10:53052 > 208.97.177.124:https PA / Raw / Padding
curl/1289291 - Ether / IP / TCP 208.97.177.124:https > 10.211.55.10:53052 A / Padding

Note that for demonstration purposes, dump will only capture IPv4 based TCP segments.

For convenience, the captured packets can be stored to PCAPng along with process information using --write:

peetch dump --write peetch.pcapng
^C

This PCAPng can easily be manipulated with Wireshark or Scapy:

scapy
>>> l = rdpcap("peetch.pcapng")
>>> l[0]
<Ether dst=00:1c:42:00:00:18 src=00:1c:42:54:f3:34 type=IPv4 |<IP version=4 ihl=5 tos=0x0 len=60 id=11088 flags=DF frag=0 ttl=64 proto=tcp chksum=0x4bb1 src=10.211.55.10 dst=208.97.177.124 |<TCP sport=53054 dport=https seq=631406526 ack=0 dataofs=10 reserved=0 flags=S window=64240 chksum=0xc3e9 urgptr=0 options=[('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1272423534, 0)), ('NOP', None), ('WScale', 7)] |<Padding load='\x00\x00' |>>>>
>>> l[0].comment
b'curl/1289909'
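To show where the process name returned by l[0].comment actually lives, here is an added example (not peetch's own code) of the PCAPng layout involved: the per-packet comment is option code 1 of an Enhanced Packet Block. It builds a constructed little-endian file from (frame, comment) pairs and parses it back without Scapy; block and option codes follow the pcapng specification, and the sample frames and comments are made up.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # block types (pcapng spec)
OPT_END, OPT_COMMENT = 0, 1                          # option codes (pcapng spec)
BYTE_ORDER_MAGIC_LE = 0x1A2B3C4D

def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)  # pcapng aligns every field to 4 bytes

def _block(btype, body):
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_pcapng(packets):
    """Constructed minimal little-endian PCAPng from (raw_frame, comment) pairs."""
    out = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC_LE, 1, 0, -1))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 0))  # linktype 1 = Ethernet
    for raw, comment in packets:
        opts = b""
        if comment is not None:  # what peetch dump writes: "<process>/<pid>"
            c = comment.encode()
            opts += struct.pack("<HH", OPT_COMMENT, len(c)) + _pad4(c)
        opts += struct.pack("<HH", OPT_END, 0)
        body = struct.pack("<IIIII", 0, 0, 0, len(raw), len(raw)) + _pad4(raw) + opts
        out += _block(EPB, body)
    return out

def packet_comments(data):
    """Return [(raw_frame, comment_or_None)] for every Enhanced Packet Block."""
    results, off = [], 0
    while off + 8 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("malformed or truncated block at offset %d" % off)
        if btype == SHB and struct.unpack_from("<I", data, off + 8)[0] != BYTE_ORDER_MAGIC_LE:
            raise ValueError("only little-endian sections are handled here")
        if btype == EPB:
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            raw = data[off + 28:off + 28 + caplen]
            o, end, comment = off + 28 + (caplen + 3) // 4 * 4, off + total - 4, None
            while o + 4 <= end:  # options run until opt_endofopt
                code, olen = struct.unpack_from("<HH", data, o)
                if code == OPT_END:
                    break
                if code == OPT_COMMENT:
                    comment = data[o + 4:o + 4 + olen].decode("utf-8", "replace")
                o += 4 + (olen + 3) // 4 * 4
            results.append((raw, comment))
        off += total
    return results
```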

tls

This sub-command aims at identifying processes that use OpenSSL and makes it possible to dump several things like plaintext and secrets.

By default, peetch tls will only display one line per process; the --directions argument makes it possible to display the exchanged messages:

peetch tls --directions
<- curl (1291078) 208.97.177.124/443 TLS1.2 ECDHE-RSA-AES128-GCM-SHA256
-> curl (1291078) 208.97.177.124/443 TLS1.-1 ECDHE-RSA-AES128-GCM-SHA256

Displaying OpenSSL buffer content is achieved with --content.

peetch tls --content
<- curl (1290608) 208.97.177.124/443 TLS1.2 ECDHE-RSA-AES128-GCM-SHA256

0000 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..
0010 48 6F 73 74 3A 20 77 77 77 2E 70 65 72 64 75 2E Host: www.perdu.
0020 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A com..User-Agent:
0030 20 63 75 72 6C 2F 37 2E 36 38 2E 30 0D 0A 41 63 curl/7.68.0..Ac

-> curl (1290608) 208.97.177.124/443 TLS1.-1 ECDHE-RSA-AES128-GCM-SHA256

0000 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
0010 0A 44 61 74 65 3A 20 54 68 75 2C 20 31 39 20 4D .Date: Thu, 19 M
0020 61 79 20 32 30 32 32 20 31 38 3A 31 36 3A 30 31 ay 2022 18:16:01
0030 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70 GMT..Server: Ap

The --secrets argument will display TLS master secrets extracted from memory. The following example leverages --write to write master secrets to disk, to simplify decrypting TLS messages with Scapy:

$ (sleep 5; curl https://www.perdu.com/?name=highly%20secret%20information --tls-max 1.2 --http1.1) &

# peetch tls --write &
curl (1293232) 208.97.177.124/443 TLS1.2 ECDHE-RSA-AES128-GCM-SHA256

# peetch dump --write traffic.pcapng
^C

# Add the master secret to a PCAPng file
$ editcap --inject-secrets tls,1293232-master_secret.log traffic.pcapng traffic-ms.pcapng

$ scapy
>>> load_layer("tls")
>>> conf.tls_session_enable = True
>>> l = rdpcap("traffic-ms.pcapng")
>>> l[13][TLS].msg
[<TLSApplicationData data="GET /?name=highly%20secret%20information HTTP/1.1\r\nHost: www.perdu.com\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n" |>]
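The step that editcap and Scapy perform with the file written by peetch tls --write is a lookup: the Random field of the ClientHello in the capture is used as the key into the master secret log. The following is an added example (not peetch code) of that lookup on a constructed ClientHello record; it assumes the log uses the NSS key log format (CLIENT_RANDOM <client random hex> <master secret hex>), which is the format editcap --inject-secrets tls accepts, and it also flags lines that would not inject cleanly.

```python
import re

# NSS key log line for TLS 1.2: 32-byte client random, 48-byte master secret (assumed format)
KEYLOG_LINE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")

def parse_master_secret_log(text):
    """Map client_random -> master_secret; also return the numbers of lines editcap would reject."""
    secrets, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m:
            bad.append(n)
            continue
        secrets[bytes.fromhex(m.group(1))] = bytes.fromhex(m.group(2))
    return secrets, bad

def client_random_from_record(record):
    """Return the 32-byte Random of a TLS record carrying a ClientHello, or None."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3);
    # then client_version(2) and random(32), so the random sits at bytes 11..42
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]

def build_client_hello(random32):
    """Constructed minimal TLS 1.2 ClientHello record: empty session id,
    one cipher suite (0xC02F = ECDHE-RSA-AES128-GCM-SHA256), null compression."""
    body = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def master_secret_for(record, secrets):
    """The master secret a decryptor would use for the session opened by this ClientHello."""
    rnd = client_random_from_record(record)
    return secrets.get(rnd) if rnd is not None else None
```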

Limitations

By design, peetch only supports OpenSSL and TLS 1.2.
