
Unable to view decrypted TLS #726

Open
sujitawake opened this issue Feb 2, 2025 · 2 comments
Labels
🐞 bug Something isn't working question Further information is requested

Comments

@sujitawake

Describe the bug
I am trying to play around with this tool in Kali (64-bit). I followed the instructions as mentioned in the README but I am not seeing the decrypted TLS contents. Am I missing something?

To explain the test scenario I have captured a screencast which can be seen below.

Screencast

Hosted on Google (view in 1080p) as GitHub upload failed: https://drive.google.com/file/d/1U_tWiD5eZRefuZEFzW5d8JuvD9KBgrub/view?usp=sharing

To Reproduce

  1. #ecapture tls -m text -l debug_ecapture.log
  2. \curl -v -L https://youtube.com
  3. Not seeing the decrypted contents in either stdout or the logfile (debug_ecapture.log)

Kali Linux:

  • OS: Kali (64bit)
  • Kernel Info: Linux kali 5.16.0-kali7-cloud-amd64 #1 SMP PREEMPT Debian 5.16.18-1kali1 (2022-04-01) x86_64 GNU/Linux
  • eCapture Version: eCapture version: linux_amd64:v0.9.3:6.5.0-1025-azure
  • Debug log output debug_ecapture.log:
{"level":"info","AppName":"eCapture(旁观者)","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","HomePage":"https://ecapture.cc","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","Repository":"https://github.com/gojue/ecapture","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","Author":"CFC4N <[email protected]>","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","Description":"Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","Version":"linux_amd64:v0.9.3:6.5.0-1025-azure","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","Listen":"localhost:28256","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","logger":"debug_ecapture.log","time":"2025-02-02T12:53:09+05:30","message":"eCapture running logs"}
{"level":"info","eventCollector":"","time":"2025-02-02T12:53:09+05:30","message":"the file handler that receives the captured event"}
{"level":"info","listen":"localhost:28256","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","time":"2025-02-02T12:53:09+05:30","message":"https server starting...You can upgrade the configuration file via the HTTP interface."}
{"level":"info","Pid":2804410,"Kernel Info":"5.16.0","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","btfMode":0,"time":"2025-02-02T12:53:09+05:30","message":"BTF bytecode mode: CORE."}
{"level":"info","keylogger":"","eBPFProgramType":"Text","time":"2025-02-02T12:53:09+05:30","message":"master key keylogger has been set."}
{"level":"info","moduleName":"EBPFProbeOPENSSL","isReload":false,"time":"2025-02-02T12:53:09+05:30","message":"module initialization."}
{"level":"info","time":"2025-02-02T12:53:09+05:30","message":"Module.Run()"}
{"level":"warn","error":"OpenSSL/BoringSSL version not found","soPath":"/usr/lib/x86_64-linux-gnu/libssl.so.3","time":"2025-02-02T12:53:09+05:30","message":"OpenSSL/BoringSSL version not found."}
{"level":"warn","time":"2025-02-02T12:53:09+05:30","message":"Try to detect libcrypto.so.3. If you have doubts, See https://github.com/gojue/ecapture/discussions/675 for more information."}
{"level":"info","soPath":"/usr/lib/x86_64-linux-gnu/libcrypto.so.3","imported":"libcrypto.so.3","time":"2025-02-02T12:53:09+05:30","message":"Try to detect imported libcrypto.so "}
{"level":"info","origin versionKey":"openssl 3.4.0","versionKeyLower":"openssl 3.4.0","time":"2025-02-02T12:53:09+05:30"}
{"level":"info","Android":false,"library version":"openssl 3.4.0","time":"2025-02-02T12:53:09+05:30","message":"OpenSSL/BoringSSL version found"}
{"level":"info","binrayPath":"/usr/lib/x86_64-linux-gnu/libssl.so.3","ElfType":2,"Functions":["SSL_get_wbio","SSL_in_before","SSL_do_handshake"],"time":"2025-02-02T12:53:09+05:30","message":"Hook masterKey function"}
{"level":"info","time":"2025-02-02T12:53:09+05:30","message":"target all process."}
{"level":"info","time":"2025-02-02T12:53:09+05:30","message":"target all users."}
{"level":"info","eBPFProgramType":"Text","time":"2025-02-02T12:53:09+05:30","message":"setupManagers"}
{"level":"info","bpfFileName":"user/bytecode/openssl_3_4_0_kern_core.o","time":"2025-02-02T12:53:09+05:30","message":"BPF bytecode file is matched."}
{"level":"info","mapSize(MB)":4,"time":"2025-02-02T12:53:09+05:30","message":"perfEventReader created"}
{"level":"info","mapSize(MB)":4,"time":"2025-02-02T12:53:09+05:30","message":"perfEventReader created"}
{"level":"info","moduleName":"EBPFProbeOPENSSL","isReload":false,"time":"2025-02-02T12:53:09+05:30","message":"module started successfully."}
{"level":"info","time":"2025-02-02T12:53:55+05:30","message":"module close."}
{"level":"info","time":"2025-02-02T12:53:55+05:30","message":"Module closed,message recived from Context"}
{"level":"info","time":"2025-02-02T12:53:57+05:30","message":"perfEventReader received close signal from context.Done()."}
{"level":"info","time":"2025-02-02T12:53:57+05:30","message":"iModule module close"}
{"level":"info","time":"2025-02-02T12:53:57+05:30","message":"bye bye."}
  • grep BPF /boot/config-$(uname -r) output:
CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# BPF subsystem
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
CONFIG_BPF_LSM=y
# end of BPF subsystem
CONFIG_CGROUP_BPF=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
# CONFIG_BPFILTER is not set
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_BPF_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
# CONFIG_TEST_BPF is not set

Any help would be much appreciated!

CC: @dosu


dosubot bot commented Feb 2, 2025

Hello @sujitawake! I'm here to help you with any bugs, questions, or contributions you have regarding the tool. Let's work together to resolve this issue.

It seems like you're encountering an issue with eCapture not displaying decrypted TLS contents. Here are a few steps and considerations that might help resolve the issue:

  1. OpenSSL/BoringSSL Version Detection: The log indicates a warning about the OpenSSL/BoringSSL version not being found initially, but it later detects OpenSSL 3.4.0. Ensure that the version of OpenSSL you are using is supported by eCapture. According to the documentation, eCapture supports OpenSSL versions up to 3.4.0 [1].

  2. Kernel and BPF Configuration: Your kernel configuration seems to support BPF, which is necessary for eCapture to function. However, ensure that all necessary BPF-related configurations are enabled, especially CONFIG_DEBUG_INFO_BTF=y, which is optional but can be beneficial [2].

  3. eCapture Version: Make sure you are using the latest version of eCapture, as there might be updates or bug fixes that address your issue.

  4. Permissions: Ensure that you are running eCapture with root permissions, as it requires elevated privileges to capture network traffic.

  5. Debugging and Logs: Since the debug log does not show decrypted contents, try increasing the verbosity of the logs if possible, or check for any additional error messages that might provide more insight.

  6. Capture Mode: You are using the text mode for capturing. Consider trying other modes like pcap or keylog to see if the issue persists across different capture methods [3].

If these steps do not resolve the issue, you might want to check the discussion thread mentioned in the logs for additional context or similar issues.


@dosubot dosubot bot added the 🐞 bug Something isn't working label Feb 2, 2025
@cfc4n
Member

cfc4n commented Feb 3, 2025

The program you execute is curl; eCapture's default hooked library is /usr/lib/x86_64-libssl.ssl.so.3. You need to confirm whether the two are the same dynamic link library.

@cfc4n cfc4n added the question Further information is requested label Feb 3, 2025
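A way to do the check the maintainer asks for, as an added example that is not part of the eCapture project or this thread: it takes the libssl that the dynamic linker resolves for the curl binary (ldd output) and the library path eCapture reports in its "Hook masterKey function" log line, and tells you whether they are the same file. The ldd output and log line embedded below are constructed samples; the `--libssl` flag named in the mismatch hint is assumed from eCapture's tls help and should be confirmed locally.

```shell
#!/bin/sh
# Added example, not part of eCapture: check that the libssl curl actually loads is
# the shared object eCapture reported hooking. Inputs below are constructed samples.

# Path of the libssl.so.* the dynamic linker resolves for a binary (ldd output on stdin).
linked_libssl() {
    sed -n 's/^[[:space:]]*libssl\.so[^ ]* => \([^ ]*\) (.*$/\1/p' | head -n 1
}

# Path eCapture hooked, from the "Hook masterKey function" debug-log line
# (the JSON key is spelled "binrayPath" in the log).
hooked_libssl() {
    grep '"message":"Hook masterKey function"' |
        sed -n 's/.*"binrayPath":"\([^"]*\)".*/\1/p' | head -n 1
}

# Resolve symlinks (e.g. /lib -> /usr/lib) so two spellings of one file compare equal.
canon() { if [ -e "$1" ]; then readlink -f "$1"; else printf '%s\n' "$1"; fi; }

# 0 if both paths name the same library, 1 otherwise.
same_library() { [ "$(canon "$1")" = "$(canon "$2")" ]; }

# $1 = libssl curl loads, $2 = libssl eCapture hooked.
report() {
    if same_library "$1" "$2"; then
        echo "OK: curl and eCapture use the same libssl ($1)"; return 0
    fi
    echo "MISMATCH: curl loads $1 but eCapture hooked $2"
    # --libssl is assumed to be eCapture's library-selection flag; confirm with 'ecapture tls --help'.
    echo "Try: ecapture tls -m text --libssl=$1"; return 1
}

# Live check on a real host: live_check debug_ecapture.log
live_check() { report "$(ldd "$(command -v curl)" | linked_libssl)" "$(hooked_libssl < "$1")"; }

# Constructed stand-ins for `ldd $(command -v curl)` and for the eCapture debug log.
SAMPLE_LDD='    libcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f3a00000000)
    libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f3a00100000)
    libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a00200000)'
SAMPLE_LOG='{"level":"info","binrayPath":"/usr/lib/x86_64-linux-gnu/libssl.so.3","ElfType":2,"time":"2025-02-02T12:53:09+05:30","message":"Hook masterKey function"}'

sample_check() {
    report "$(printf '%s\n' "$SAMPLE_LDD" | linked_libssl)" \
           "$(printf '%s\n' "$SAMPLE_LOG" | hooked_libssl)"
}
sample_check
```

On the reporter's host, run `live_check debug_ecapture.log` after `ldd "$(command -v curl)"` works; a MISMATCH means curl's TLS calls never pass through the library eCapture attached its uprobes to, which is exactly the case where no plaintext appears.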