
eCapture Project Description

What is the project about?

eCapture is a tool that captures SSL/TLS plaintext without installing a CA certificate. It uses eBPF to attach uprobes to the read/write functions of the TLS library inside the target process (for example SSL_read and SSL_write in OpenSSL), so it sees application data after decryption and before encryption, while the connection's certificates, keys and peers are untouched.

What problem does it solve?

It addresses the need to inspect encrypted SSL/TLS traffic for debugging, security analysis or network monitoring without the setup cost and risk of a man-in-the-middle proxy: no CA certificate has to be added to trust stores, no TLS session is terminated and re-established, and applications that pin certificates keep working. The trade-off is that eCapture runs on the host with root privileges (loading eBPF programs requires them) and only sees processes on that host; it is an endpoint-owner's tool, not a network-side interceptor. The same property is a reminder that TLS protects data in transit, not against a root-level observer on either endpoint.

What are the features of the project?

  • SSL/TLS Plaintext Capture: Captures plaintext from various SSL/TLS libraries (openssl, libressl, boringssl, gnutls, nspr/nss).
  • Go TLS Support: Captures plaintext from applications using Go's built-in TLS library.
  • Bash/Zsh Audit: Records bash and zsh commands for host security auditing.
  • MySQL/PostgreSQL Query Audit: Captures SQL queries executed against MySQL (5.6, 5.7, 8.0) and MariaDB, and PostgreSQL (10+) databases.
  • Multiple Output Modes:
    • Text Mode: Outputs captured data directly to the console or a file.
    • Pcap/PcapNG Mode: Saves captured data in pcap or pcapng format, compatible with tools like Wireshark.
    • Keylog Mode: Writes TLS session secrets to a file in the NSS key log format (the format SSLKEYLOGFILE produces), so a packet capture taken separately can be decrypted later in Wireshark.
  • Docker Support.
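To make the keylog output concrete, here is an added example in Go (not eCapture's own code) that performs a TLS 1.2 and a TLS 1.3 handshake in-process using Go's tls.Config.KeyLogWriter, which writes the same NSS key log format, and then parses and validates the resulting lines the way a consumer such as Wireshark has to (a 32-byte client_random per row, hex-encoded secrets). The self-signed certificate, InsecureSkipVerify and net.Pipe are demo scaffolding only and are not how eCapture obtains the secrets.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// KeyLogEntry is one row of the NSS key log format: "<LABEL> <client_random> <secret>".
// Wireshark matches the 32-byte client_random against the ClientHello it captured
// and uses the secret to derive the record keys of that session.
type KeyLogEntry struct {
	Label        string
	ClientRandom []byte
	Secret       []byte
}

// ParseKeyLog parses key log text. Blank lines and "#" comments (which NSS writes)
// are skipped; a row whose client_random is not 32 bytes or whose secret is not
// valid hex is reported as an error rather than silently dropped.
func ParseKeyLog(text string) ([]KeyLogEntry, error) {
	var entries []KeyLogEntry
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", i+1, len(f))
		}
		cr, err := hex.DecodeString(f[1])
		if err != nil || len(cr) != 32 {
			return nil, fmt.Errorf("line %d: client_random must be 32 hex-encoded bytes", i+1)
		}
		secret, err := hex.DecodeString(f[2])
		if err != nil || len(secret) == 0 {
			return nil, fmt.Errorf("line %d: secret is not valid hex", i+1)
		}
		entries = append(entries, KeyLogEntry{Label: f[0], ClientRandom: cr, Secret: secret})
	}
	return entries, nil
}

// selfSignedCert builds a throwaway P-256 certificate for the in-process server (demo only).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "keylog-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HandshakeKeyLog runs a TLS handshake of the given version between an in-memory
// client and server and returns the key log text the client side wrote.
func HandshakeKeyLog(version uint16) (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	var keylog bytes.Buffer
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             version,
		MaxVersion:             version,
		SessionTicketsDisabled: true, // net.Pipe is synchronous: avoid post-handshake writes
	}
	cliCfg := &tls.Config{
		InsecureSkipVerify: true, // demo only: the server certificate is self-signed
		MinVersion:         version,
		MaxVersion:         version,
		KeyLogWriter:       &keylog, // Go writes NSS key log rows here
	}
	cliRaw, srvRaw := net.Pipe()
	defer cliRaw.Close()
	defer srvRaw.Close()

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvRaw, srvCfg).Handshake() }()
	if err := tls.Client(cliRaw, cliCfg).Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return keylog.String(), nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		text, err := HandshakeKeyLog(v)
		if err != nil {
			panic(err)
		}
		entries, err := ParseKeyLog(text)
		if err != nil {
			panic(err)
		}
		for _, e := range entries {
			fmt.Printf("%-32s client_random=%x... secret=%d bytes\n", e.Label, e.ClientRandom[:4], len(e.Secret))
		}
	}
}
```

A TLS 1.2 session produces a single CLIENT_RANDOM row carrying the 48-byte master secret; a TLS 1.3 session produces one row per traffic secret (CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0), all keyed by the same client_random. That is why a key log must be paired with a capture that contains the ClientHello: without it Wireshark cannot tie the secrets to a session.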

What are the technologies used in the project?

  • eBPF (extended Berkeley Packet Filter): The core technology. The eBPF programs run in the Linux kernel and are attached with uprobes to user-space library functions; captured buffers are passed up to the user-space collector.
  • Go: The primary language of the tool (the user-space loader and output handling).
  • C: The eBPF programs are written in C and compiled to BPF bytecode with clang.
  • libbpf.
  • Docker.

What are the benefits of the project?

  • No CA Certificate Required: Nothing is added to trust stores and no TLS session is terminated by a proxy, so certificate validation and pinning in the target application stay intact.
  • High Performance: The hooks run in the kernel and only the buffers passed to the hooked functions are copied out, rather than every packet on the wire.
  • Low Overhead: Minimal impact on the target applications, which need no restart or reconfiguration.
  • Security Auditing: Records shell commands and database queries for audit purposes.
  • Debugging: Makes the plaintext of encrypted connections visible for troubleshooting.
  • Versatile: Supports a wide range of SSL/TLS libraries and applications.
  • Multiple Output Formats: Text, pcap/pcapng and key log output, so results can be read directly or handed to Wireshark.

What are the use cases of the project?

  • Network Troubleshooting: Diagnosing issues with encrypted network traffic.
  • Security Monitoring: Detecting suspicious activity or data exfiltration.
  • Application Debugging: Inspecting the plaintext of encrypted communication for development and testing.
  • Database Auditing: Monitoring database queries for security or performance analysis.
  • Host Security Auditing: Tracking user commands on a system.
  • Protocol Analysis: Studying the behavior of encrypted protocols.