Demonstrations of sslsniff.py


This tool traces the write/send and read/recv functions of OpenSSL,
GnuTLS and NSS. Data passed to these functions is printed as plain
text. This is useful, for example, to sniff HTTP before it is encrypted
with SSL.


Output of the tool while "curl https://example.com" is executed in another
shell:

% sudo python sslsniff.py
FUNC         TIME(s)            COMM             PID     LEN
WRITE/SEND   0.000000000        curl             12915   75
----- DATA -----
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.50.1
Accept: */*


----- END DATA -----

READ/RECV    0.127144585        curl             12915   333
----- DATA -----
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 16 Aug 2016 15:42:12 GMT
Etag: "359670651+gzip+ident"
Expires: Tue, 23 Aug 2016 15:42:12 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (iad/18CB)
Vary: Accept-Encoding
X-Cache: HIT
x-ec-custom-error: 1
Content-Length: 1270


----- END DATA -----

READ/RECV    0.129967972        curl             12915   1270
----- DATA -----
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        w
----- END DATA (TRUNCATED, 798 bytes lost) -----

With the --hexdump option the output is the same except for the lines
between DATA and END DATA, which are replaced with a hex dump 16 bytes
(32 characters) wide. An example of a block of output from sslsniff called
with that option:

READ/RECV    7.405609173        curl             201942  1256
----- DATA -----
3c21646f63747970652068746d6c3e0a
3c68746d6c3e0a3c686561643e0a2020
20203c7469746c653e4578616d706c65
20446f6d61696e3c2f7469746c653e0a
0a202020203c6d657461206368617273
65743d227574662d3822202f3e0a2020
20203c6d65746120687474702d657175
69763d22436f6e74656e742d74797065
2220636f6e74656e743d22746578742f
68746d6c3b20636861727365743d7574
662d3822202f3e0a202020203c6d6574
61206e616d653d2276696577706f7274
2220636f6e74656e743d227769647468
3d6465766963652d77696474682c2069
6e697469616c2d7363616c653d312220
2f3e0a202020203c7374796c65207479
70653d22746578742f637373223e0a20
202020626f6479207b0a202020202020
20206261636b67726f756e642d636f6c
6f723a20236630663066323b0a202020
20202020206d617267696e3a20303b0a
202020202020202070616464696e673a
20303b0a2020202020202020666f6e74
2d66616d696c793a202d6170706c652d
73797374656d2c2073797374656d2d75
692c20426c696e6b4d61635379737465
6d466f6e742c20225365676f65205549
222c20224f70656e2053616e73222c20
2248656c766574696361204e65756522
----- END DATA (TRUNCATED, 792 bytes lost) -----

This is useful for sniffing binary protocols, where the UTF-8 decode might
insert a lot of characters that are not printable, or even Unicode
replacement characters.


Use the -l or --latency option to show function latency, and use both -l and
--handshake to also show handshake latency. This is useful for SSL/TLS
performance analysis.

Tracing output of "echo | openssl s_client -connect example.com:443":

# ./sslsniff.py -l --handshake
FUNC         TIME(s)            COMM             PID     LEN     LAT(ms)
WRITE/SEND   0.000000000        openssl          10377   1       0.005
----- DATA -----


----- END DATA -----

Tracing a localhost server instead of example.com. The server handshake
takes 0.7ms before the secure connection is ready for the initial SSL_read
or SSL_write.

# ./sslsniff.py -l --handshake
FUNC         TIME(s)            COMM             PID     LEN     LAT(ms)
HANDSHAKE    0.000000000        nginx            7081    1       0.699
WRITE/SEND   0.000132180        openssl          14800   1       0.010
----- DATA -----


----- END DATA -----

READ/RECV    0.000136583        nginx            7081    1       0.004
----- DATA -----


----- END DATA -----

Tracing output of "echo | gnutls-cli -p 443 example.com":

# ./sslsniff.py -l --handshake
FUNC         TIME(s)            COMM             PID     LEN     LAT(ms)
WRITE/SEND   0.000000000        gnutls-cli       43554   1       0.012
----- DATA -----


----- END DATA -----

Tracing output of "echo | gnutls-cli -p 443 --insecure localhost":

# ./sslsniff.py -l --handshake
FUNC         TIME(s)            COMM             PID     LEN     LAT(ms)
HANDSHAKE    0.000000000        nginx            7081    1       0.710
WRITE/SEND   0.000045126        gnutls-cli       43752   1       0.014
----- DATA -----


----- END DATA -----

READ/RECV    0.000049464        nginx            7081    1       0.004
----- DATA -----


----- END DATA -----

Tracing a few extra libraries (useful for docker containers and other
isolated apps):

# ./sslsniff.py --extra-lib openssl:/var/lib/docker/overlay2/l/S4EMHE/lib/libssl.so.1.1



USAGE message:

usage: sslsniff.py [-h] [-p PID] [-u UID] [-x] [-c COMM] [-o] [-g] [-n] [-d]
                   [--hexdump] [--max-buffer-size MAX_BUFFER_SIZE] [-l]
                   [--handshake] [--extra-lib EXTRA_LIB]

Sniff SSL data

optional arguments:
  -h, --help            show this help message and exit
  -p PID, --pid PID     sniff this PID only.
  -u UID, --uid UID     sniff this UID only.
  -x, --extra           show extra fields (UID, TID)
  -c COMM, --comm COMM  sniff only commands matching string.
  -o, --no-openssl      do not show OpenSSL calls.
  -g, --no-gnutls       do not show GnuTLS calls.
  -n, --no-nss          do not show NSS calls.
  -d, --debug           debug mode.
  --hexdump             show data as hexdump instead of trying to decode it as
                        UTF-8
  --max-buffer-size MAX_BUFFER_SIZE
                        Size of captured buffer
  -l, --latency         show function latency
  --handshake           show SSL handshake latency, enabled only if latency
                        option is on.
  --extra-lib EXTRA_LIB
                        Intercept calls from extra library
                        (format: lib_type:lib_path)



examples:
    ./sslsniff                  # sniff OpenSSL and GnuTLS functions
    ./sslsniff -p 181           # sniff PID 181 only
    ./sslsniff -u 1000          # sniff only UID 1000
    ./sslsniff -c curl          # sniff curl command only
    ./sslsniff --no-openssl     # don't show OpenSSL calls
    ./sslsniff --no-gnutls      # don't show GnuTLS calls
    ./sslsniff --no-nss         # don't show NSS calls
    ./sslsniff --hexdump        # show data as hex instead of trying to decode it as UTF-8
    ./sslsniff -x               # show process UID and TID
    ./sslsniff -l               # show function latency
    ./sslsniff -l --handshake   # show SSL handshake latency
    ./sslsniff --extra-lib openssl:/path/libssl.so.1.1  # sniff extra library
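
A parser for the --hexdump output format shown above, as an added example that is not part of sslsniff or bcc: it rebuilds the captured bytes of each event and checks that LEN equals the captured bytes plus the bytes reported lost (in the hexdump sample above, 29 rows x 16 bytes = 464, and 464 + 792 = 1256). The names parse_hexdump, consistent and SAMPLE are hypothetical, the sample input is constructed, and COMM is assumed to contain no spaces.

```python
import re

# Event header: FUNC TIME(s) COMM PID LEN [LAT(ms)]; COMM assumed to have no spaces.
HEADER = re.compile(
    r"^(WRITE/SEND|READ/RECV|HANDSHAKE)\s+(\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)"
    r"(?:\s+(\d+\.\d+))?\s*$")
END = re.compile(r"^----- END DATA(?: \(TRUNCATED, (\d+) bytes lost\))? -----$")

def parse_hexdump(text):
    """Parse `sslsniff --hexdump` output into a list of event dicts."""
    events, cur, hexbuf = [], None, None   # hexbuf is a list while inside DATA
    for raw in text.splitlines():
        line = raw.strip()
        if hexbuf is None:
            m = HEADER.match(line)
            if m:
                cur = {"func": m[1], "time": float(m[2]), "comm": m[3],
                       "pid": int(m[4]), "len": int(m[5]), "data": b"", "lost": 0}
                events.append(cur)
            elif cur is not None and line == "----- DATA -----":
                hexbuf = []
            continue
        end = END.match(line)
        if end:
            # bytes.fromhex raises ValueError if the block was not a hex dump
            cur["data"] = bytes.fromhex("".join(hexbuf))
            cur["lost"] = int(end[1] or 0)
            hexbuf = None
        elif line:
            hexbuf.append(line)
    return events

def consistent(ev):
    """LEN should equal the captured bytes plus the bytes reported lost."""
    return ev["len"] == len(ev["data"]) + ev["lost"]

# Constructed sample in the page's output format, not captured traffic.
SAMPLE = """\
FUNC         TIME(s)            COMM             PID     LEN
WRITE/SEND   0.000000000        curl             4242    16
----- DATA -----
474554202f20485454502f312e310d0a
----- END DATA -----

READ/RECV    0.101000000        curl             4242    100
----- DATA -----
3c21646f63747970652068746d6c3e0a
3c68746d6c3e0a3c686561643e0a2020
----- END DATA (TRUNCATED, 68 bytes lost) -----
"""

if __name__ == "__main__":
    for ev in parse_hexdump(SAMPLE):
        print(ev["func"], ev["pid"], ev["data"], "ok" if consistent(ev) else "LEN mismatch")
```

An event that fails the consistent() check points at a dropped or merged line in the saved output rather than at the traced process.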