# ssl_logger

**Repository Path**: aligaga/ssl_logger

## Basic Information

- **Project Name**: ssl_logger
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 2
- **Created**: 2022-02-21
- **Last Updated**: 2022-02-21

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# ssl_logger

Decrypts and logs a process's SSL traffic.

The functionality offered by *ssl_logger* is intended to mimic [Echo Mirage](http://resources.infosecinstitute.com/echo-mirage-walkthrough/)'s SSL logging functionality on Linux and macOS.

## Basic Usage

`python ssl_logger.py [-pcap <path>] [-verbose] <process name | process id>`

```
Arguments:
    -pcap <path>                 Name of PCAP file to write
    -verbose                     Show verbose output
    <process name | process id>  Process whose SSL calls to log

Examples:
    ssl_logger.py -pcap ssl.pcap openssl
    ssl_logger.py -verbose 31337
    ssl_logger.py -pcap log.pcap -verbose wget
```

## Full Example

```
geffner@ubuntu:~$ # Make a local pipe for input to our openssl client
geffner@ubuntu:~$ mkfifo pipe

geffner@ubuntu:~$ # Create our openssl client, which will receive input from our pipe
geffner@ubuntu:~$ openssl s_client -ign_eof -connect example.org:443 > /dev/null 2> /dev/null < pipe &
[1] 98954

geffner@ubuntu:~$ # Begin writing the request to our pipe
geffner@ubuntu:~$ printf "GET / HTTP/1.0\nHost:example.org\n" > pipe

geffner@ubuntu:~$ # Begin logging the SSL traffic for our openssl client process
geffner@ubuntu:~$ python ssl_logger.py -verbose 98954 &
[2] 98962
Press Ctrl+C to stop logging.

geffner@ubuntu:~$ # Write the final line-feed to our pipe to complete the HTTP request
geffner@ubuntu:~$ printf "\n" > pipe
SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8
[SSL_write] 100.97.20.44:45836 --> 93.184.216.34:443
00000000: 0A                                               .

SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8
[SSL_read] 93.184.216.34:443 --> 100.97.20.44:45836
00000000: 48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D  HTTP/1.0 200 OK.
00000010: 0A 41 63 63 65 70 74 2D 52 61 6E 67 65 73 3A 20  .Accept-Ranges: 
00000020: 62 79 74 65 73 0D 0A 43 61 63 68 65 2D 43 6F 6E  bytes..Cache-Con
00000030: 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 36 30  trol: max-age=60
00000040: 34 38 30 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79  4800..Content-Ty
00000050: 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 44  pe: text/html..D
00000060: 61 74 65 3A 20 54 68 75 2C 20 32 32 20 4A 75 6E  ate: Thu, 22 Jun
00000070: 20 32 30 31 37 20 31 35 3A 31 36 3A 35 32 20 47   2017 15:16:52 G
00000080: 4D 54 0D 0A 45 74 61 67 3A 20 22 33 35 39 36 37  MT..Etag: "35967
00000090: 30 36 35 31 22 0D 0A 45 78 70 69 72 65 73 3A 20  0651"..Expires: 
000000A0: 54 68 75 2C 20 32 39 20 4A 75 6E 20 32 30 31 37  Thu, 29 Jun 2017
000000B0: 20 31 35 3A 31 36 3A 35 32 20 47 4D 54 0D 0A 4C   15:16:52 GMT..L
000000C0: 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46 72  ast-Modified: Fr
000000D0: 69 2C 20 30 39 20 41 75 67 20 32 30 31 33 20 32  i, 09 Aug 2013 2
000000E0: 33 3A 35 34 3A 33 35 20 47 4D 54 0D 0A 53 65 72  3:54:35 GMT..Ser
000000F0: 76 65 72 3A 20 45 43 53 20 28 72 68 76 2F 38 31  ver: ECS (rhv/81
00000100: 38 46 29 0D 0A 56 61 72 79 3A 20 41 63 63 65 70  8F)..Vary: Accep
00000110: 74 2D 45 6E 63 6F 64 69 6E 67 0D 0A 58 2D 43 61  t-Encoding..X-Ca
00000120: 63 68 65 3A 20 48 49 54 0D 0A 43 6F 6E 74 65 6E  che: HIT..Conten
00000130: 74 2D 4C 65 6E 67 74 68 3A 20 31 32 37 30 0D 0A  t-Length: 1270..
00000140: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  Connection: clos
00000150: 65 0D 0A 0D 0A                                   e....

SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8
[SSL_read] 93.184.216.34:443 --> 100.97.20.44:45836
00000000: 3C 21 64 6F 63 74 79 70 65 20 68 74 6D 6C 3E 0A  <!doctype html>.
00000010: 3C 68 74 6D 6C 3E 0A 3C 68 65 61 64 3E 0A 20 20  <html>.<head>.  
00000020: 20 20 3C 74 69 74 6C 65 3E 45 78 61 6D 70 6C 65    <title>Example
00000030: 20 44 6F 6D 61 69 6E 3C 2F 74 69 74 6C 65 3E 0A   Domain</title>.
00000040: 0A 20 20 20 20 3C 6D 65 74 61 20 63 68 61 72 73  .    <meta chars
00000060: 20 20 3C 6D 65 74 61 20 68 74 74 70 2D 65 71 75    <meta http-equ
000003B0: 62 6F 64 79 3E 0A 3C 64 69 76 3E 0A 20 20 20 20  body>.<div>.    
000003C0: 3C 68 31 3E 45 78 61 6D 70 6C 65 20 44 6F 6D 61  <h1>Example Doma
000003D0: 69 6E 3C 2F 68 31 3E 0A 20 20 20 20 3C 70 3E 54  in</h1>.    <p>T
000003E0: 68 69 73 20 64 6F 6D 61 69 6E 20 69 73 20 65 73  his domain is es
000003F0: 74 61 62 6C 69 73 68 65 64 20 74 6F 20 62 65 20  tablished to be 

SSL Session: 1820201001719DF42ECCA1D289C3D32E0AA0454B50E8AF00E8A65B0108F209A8
[SSL_read] 93.184.216.34:443 --> 100.97.20.44:45836
00000000: 75 73 65 64 20 66 6F 72 20 69 6C 6C 75 73 74 72  used for illustr
00000010: 61 74 69 76 65 20 65 78 61 6D 70 6C 65 73 20 69  ative examples i
00000020: 6E 20 64 6F 63 75 6D 65 6E 74 73 2E 20 59 6F 75  n documents. You
00000030: 20 6D 61 79 20 75 73 65 20 74 68 69 73 0A 20 20   may use this.  
00000040: 20 20 64 6F 6D 61 69 6E 20 69 6E 20 65 78 61 6D    domain in exam
00000050: 70 6C 65 73 20 77 69 74 68 6F 75 74 20 70 72 69  ples without pri
00000060: 6F 72 20 63 6F 6F 72 64 69 6E 61 74 69 6F 6E 20  or coordination 
00000070: 6F 72 20 61 73 6B 69 6E 67 20 66 6F 72 20 70 65  or asking for pe
00000080: 72 6D 69 73 73 69 6F 6E 2E 3C 2F 70 3E 0A 20 20  rmission.</p>.  
00000090: 20 20 3C 70 3E 3C 61 20 68 72 65 66 3D 22 68 74    <p><a href="ht
000000D0: 69 6F 6E 2E 2E 2E 3C 2F 61 3E 3C 2F 70 3E 0A 3C  ion...</a></p>.<
000000E0: 2F 64 69 76 3E 0A 3C 2F 62 6F 64 79 3E 0A 3C 2F  /div>.</body>.</
```

## Dependencies

This program uses the [frida](https://www.frida.re/) framework to perform code injection.

Frida can be installed as follows: `sudo pip install frida`

## TODO

- Add support for processes that communicate via SSL without using [libssl](https://wiki.openssl.org/index.php/Libssl_API).
- Allow user to run *ssl_logger* before starting the process to be logged.

## Disclaimer

This is not an official Google product.
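The `-verbose` output in the Full Example is easier to review once each record's hex column is turned back into bytes. The parser below is an added example, not part of ssl_logger: it rebuilds the plaintext per session and direction and flags records whose offsets skip. The sample log is constructed, and the function names and the column-spacing assumption noted in the comments are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the verbose layout (documentation-range addresses).
SAMPLE = """\
SSL Session: AAAA0001
[SSL_write] 192.0.2.10:45836 --> 198.51.100.7:443
00000000: 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0A 0A  GET / HTTP/1.0..

SSL Session: AAAA0001
[SSL_read] 198.51.100.7:443 --> 192.0.2.10:45836
00000000: 48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D  HTTP/1.0 200 OK.
00000010: 0A 0D 0A 62 65                                   ...be

SSL Session: AAAA0001
[SSL_read] 198.51.100.7:443 --> 192.0.2.10:45836
00000000: 65 66                                            ef
"""

HEADER = re.compile(r"^\[(SSL_read|SSL_write)\] (\S+) --> (\S+)$")
# Assumption: bytes are 1-2 spaces apart; a short last line is padded so its
# ASCII column sits 3+ spaces away (otherwise text like "be" would look like hex).
HEXLINE = re.compile(
    r"^([0-9A-Fa-f]{8}): ((?:[0-9A-Fa-f]{2} {1,2}){0,15}[0-9A-Fa-f]{2})(?= {2,}|$)")

def parse_verbose_log(text):
    """Return one dict per logged call: session, function, src, dst, data, gap."""
    records, current, session = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("SSL Session: "):
            session = line.split(": ", 1)[1]
        elif (m := HEADER.match(line)):
            current = {"session": session, "function": m.group(1), "src": m.group(2),
                       "dst": m.group(3), "data": bytearray(), "gap": False}
            records.append(current)
        elif current is not None and (m := HEXLINE.match(line)):
            # The offset must equal the bytes seen so far, else lines are missing.
            if int(m.group(1), 16) != len(current["data"]):
                current["gap"] = True
            current["data"] += bytes.fromhex(m.group(2))
    return records

def reassemble(records):
    """Join payloads per (session, src, dst) in log order."""
    streams = defaultdict(bytearray)
    for rec in records:
        streams[(rec["session"], rec["src"], rec["dst"])] += rec["data"]
    return {key: bytes(val) for key, val in streams.items()}
```

`reassemble(parse_verbose_log(SAMPLE))` returns one byte string per direction; a record with `gap` set means the saved dump is missing lines and its payload is incomplete.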