Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username.
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
I am running the latest version
I did read the README!
I checked the documentation and found no answer
I checked to make sure that this issue has not already been filed
I'm reporting the issue to the correct repository (for multi-repository projects)
I have read and checked all configs (with all optional parts)
Expected Behavior
Using tlsdump, HTTPS requests should be visible.
Current Behavior
What is the current behavior?
Failure Information (for bugs)
I tried to configure SSL decryption with mitmdump, and I successfully managed to do it. But there is only a HAR file generated, which can be downloaded via the API. However, the HTTPS requests are not visible in the web GUI.
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
Enable the tlsdump feature
There are no HTTPS requests visible in the GUI
Context
I tried to configure SSL decryption with mitmdump, and I successfully managed to do it. But there is only a HAR file generated, which can be downloaded via the API. However, the HTTPS requests are not visible in the web GUI. My other attempt was to use the tlsdump module (I found out that mitmdump and tlsdump do not work simultaneously), and now I can only download the TLS keys.
I don't know how to enable TLS/SSL decryption to achieve visibility in the GUI. Am I missing something in my configuration? Below I paste my auxiliary.conf and mitmdump.conf. I
auxiliary.conf
# Requires dependencies of software in vm as by:
# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
# Windows 7 SP1, .NET at least 4.5, PowerShell 5 preferably over v4
# KB3109118 - Script block logging back port update for WMF4
# x64 - https://cuckoo.sh/vmcloak/Windows6.1-KB3109118-v4-x64.msu
# x32 - https://cuckoo.sh/vmcloak/Windows6.1-KB3109118-v4-x86.msu
# KB2819745 - WMF 4 (Windows Management Framework version 4) update for Windows 7
# x64 - https://cuckoo.sh/vmcloak/Windows6.1-KB2819745-x64-MultiPkg.msu
# x32 - https://cuckoo.sh/vmcloak/Windows6.1-KB2819745-x86-MultiPkg.msu
# KB3191566 - https://www.microsoft.com/en-us/download/details.aspx?id=54616
# You should create the following registry entries
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v * /t REG_SZ /d * /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 00000001 /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 00000001 /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v OutputDirectory /t REG_SZ /d C:\PSTranscipts /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableInvocationHeader /t REG_DWORD /d 00000001 /f /reg:64
# Modules to be enabled or not inside of the VM
[auxiliary_modules]
amsi = yes
browser = yes
curtain = yes
digisig = yes
disguise = yes
evtx = yes
human_windows = yes
human_linux = no
procmon = yes
recentfiles = yes
screenshots_windows = yes
screenshots_linux = yes
sysmon_windows = no
sysmon_linux = no
tlsdump = yes
usage = yes
file_pickup = yes
permissions = yes
pre_script = no
during_script = no
filecollector = yes
# This is only useful in case you use KVM's dnsmasq. You need to change your range inside of analyzer/windows/modules/auxiliary/disguise.py. Disguise must be enabled.
windows_static_route = no
tracee_linux = no
sslkeylogfile = no
# Requires setting up browser extension, check extra/browser_extension
browsermonitor = no
[AzSniffer]
# Enable or disable the use of the Azure Network Watcher packet capture feature; disable the standard sniffer if this is in use so that concurrent .pcap files are not created
enabled = no
[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes
# Enable remote tcpdump support
remote = no
host = [email protected]
# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/bin/tcpdump
# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
interface = virbr1
# Specify a Berkeley packet filter to pass to tcpdump.
bpf = not arp
[gateways]
#RTR1 = 192.168.1.254
#RTR2 = 192.168.1.1
#INETSIM = 192.168.1.2
[QemuScreenshots]
# Enable or disable the use of QEMU as screenshot capture [yes/no].
# screenshots_linux and screenshots_windows must be disabled
enabled = no
[Mitmdump]
# Enable or disable the use of mitmdump (mitmproxy) to get dump.har [yes/no].
# This module requires an installed mitmproxy; see install_mitmproxy
# (https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh#L1320)
enabled = no
mitmdump.conf
[cfg]
# Path to the mitmdump binary
bin = /opt/mitmproxy/mitmdump
# Host IP where mitmdump is listening
host = 192.168.122.1
# Interface where mitmdump is listening
interface = virbr0
Question: Answer
Git commit: Type $ git log | head -n1 to find out
OS version: Ubuntu 16.04, Windows 10, macOS 10.12.3
Failure Logs
In the cape-processor logs I found that the tlsdump file is empty, but the analysis log says that the tlsdump process has started.
2024-11-25 14:47:21,860 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2024-11-25 14:47:44,063 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2024-11-25 14:47:44,063 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 656
2024-11-25 14:47:44,079 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2024-11-25 14:47:44,454 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2024-11-25 14:47:44,485 [root] DEBUG: 656: TLS 1.2 secrets logged to: C:\XXroxY\tlsdump\tlsdump.log
lis 25 15:58:46 cape python3[127583]: editcap: "/opt/CAPEv2/storage/analyses/64/tlsdump/tmpalgcg7bj" is an empty file, ignoring
lis 25 15:59:09 cape python3[126286]: 2024-11-25 15:59:09,267 [Task 64] [lib.cuckoo.common.integrations.capa] ERROR: CAPA ValidationError 5 validation errors for CapeReport
lis 25 15:59:09 cape python3[126286]: behavior.processes.0.file_activities
lis 25 15:59:09 cape python3[126286]: Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]: For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: behavior.processes.1.file_activities
lis 25 15:59:09 cape python3[126286]: Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]: For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: behavior.processes.2.file_activities
lis 25 15:59:09 cape python3[126286]: Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]: For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: behavior.processes.3.file_activities
lis 25 15:59:09 cape python3[126286]: Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]: For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: procmemory.0
lis 25 15:59:09 cape python3[126286]: Input should be None [type=none_required, input_value={'path': '/opt/CAPEv2/sto...281305bd90c8ed35441c'}]}, input_type=dict]
lis 25 15:59:09 cape python3[126286]: For further information visit https://errors.pydantic.dev/2.9/v/none_required
lis 25 15:59:27 cape python3[124488]: 2024-11-25 15:59:27,821 [root] INFO: Reports generation completed for Task #64
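Two things in this report can be checked offline before digging into the GUI: whether the key log that the tlsdump module hands to editcap actually contains usable secrets (the processor log above says the temporary file was empty), and which HTTPS requests the mitmdump HAR already holds. The script below is an added example, not CAPE's own code; it assumes the key log is in the NSS key log format that Wireshark and editcap read (`CLIENT_RANDOM <client_random> <master_secret>` for TLS 1.2, per-direction `*_TRAFFIC_SECRET*` labels for TLS 1.3) and that the HAR follows HAR 1.2. The sample inputs are constructed, not taken from a real analysis.

```python
"""Triage helpers for sandbox TLS visibility: validate a TLS key log and
list HTTPS requests from a HAR file. Added example, not CAPE's code."""
import json
import re
from collections import Counter

# Labels of the NSS key log format understood by Wireshark/editcap
# (assumption: the sandbox's tlsdump.log uses this format).
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# <label> <32-byte client random as 64 hex chars> <secret as hex>
KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def check_keylog(text):
    """Return (label_counts, malformed_lines) for the key log text.

    A file with no valid lines is what leaves the pcap undecryptable:
    editcap has nothing to inject, as in the 'empty file, ignoring' log line.
    """
    counts = Counter()
    malformed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = KEYLOG_LINE.match(line)
        if not m or m.group(1) not in KEYLOG_LABELS:
            malformed.append((lineno, line))
            continue
        label, _client_random, secret = m.groups()
        # A TLS 1.2 master secret is 48 bytes, i.e. 96 hex characters.
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            malformed.append((lineno, line))
            continue
        counts[label] += 1
    return counts, malformed


def https_requests(har_text):
    """Return [(method, url, status)] for the HTTPS entries of a HAR 1.2 log."""
    har = json.loads(har_text)
    out = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        url = req.get("url", "")
        if url.lower().startswith("https://"):
            status = entry.get("response", {}).get("status")
            out.append((req.get("method", ""), url, status))
    return out


# Constructed sample inputs (not real captures).
SAMPLE_KEYLOG = (
    "# constructed sample key log\n"
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "22" * 32 + "\n"
    "garbage line\n"
)
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.test/a"},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "http://example.test/b"},
     "response": {"status": 302}},
]}})

if __name__ == "__main__":
    counts, bad = check_keylog(SAMPLE_KEYLOG)
    print("key log entries by label:", dict(counts))
    print("malformed lines:", bad)
    for method, url, status in https_requests(SAMPLE_HAR):
        print(method, url, status)
```

Point `check_keylog` at the analysis's `tlsdump/tlsdump.log` (read as text) before running editcap: zero counted labels means the monitor never wrote usable secrets for that run, and a non-empty `malformed` list means the file is not in the format editcap expects. `https_requests` gives the request list the GUI would otherwise show, straight from the `dump.har` that the mitmdump module produces.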