HTTPS/TLS decryption not works properly #2411

Open
6 tasks done
tomasz25-dev opened this issue Nov 26, 2024 · 0 comments


About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)

Expected Behavior

Using tlsdump, HTTPS requests should be visible.

Current Behavior

What is the current behavior?

Failure Information (for bugs)

I tried to configure SSL decryption with mitmdump and I successfully managed to do it. But only a HAR file is generated, which can be downloaded via the API. However, the HTTPS requests are not visible in the web GUI.
[screenshot: 2024-11-21_15-10]

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Enable the tlsdump feature
  2. No HTTPS requests are visible in the GUI

Context

I tried to configure SSL decryption with mitmdump and I successfully managed to do it. But only a HAR file is generated, which can be downloaded via the API. However, the HTTPS requests are not visible in the web GUI. My other attempt was to use the tlsdump module (I found out that mitmdump and tlsdump do not work simultaneously), and now I can only download TLS keys.
[screenshot: 2024-11-21_15-08]

I don't know how to enable TLS/SSL decryption to achieve visibility in the GUI. Am I missing something in my configuration? Below I paste my auxiliary.conf and mitmdump.conf. I

auxiliary.conf
```ini
# Requires dependencies of software in vm as by:
# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
# Windows 7 SP1, .NET at least 4.5, powershell 5 preferably over v4
# KB3109118 - Script block logging back port update for WMF4
# x64 - https://cuckoo.sh/vmcloak/Windows6.1-KB3109118-v4-x64.msu
# x32 - https://cuckoo.sh/vmcloak/Windows6.1-KB3109118-v4-x86.msu
# KB2819745 - WMF 4 (Windows Management Framework version 4) update for Windows 7
# x64 - https://cuckoo.sh/vmcloak/Windows6.1-KB2819745-x64-MultiPkg.msu
# x32 - https://cuckoo.sh/vmcloak/Windows6.1-KB2819745-x86-MultiPkg.msu
# KB3191566 - https://www.microsoft.com/en-us/download/details.aspx?id=54616
# You should create following registry entries
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v * /t REG_SZ /d * /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 00000001 /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 00000001 /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v OutputDirectory /t REG_SZ /d C:\PSTranscipts /f /reg:64
# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableInvocationHeader /t REG_DWORD /d 00000001 /f /reg:64

# Modules to be enabled or not inside of the VM
[auxiliary_modules]
amsi = yes
browser = yes
curtain = yes
digisig = yes
disguise = yes
evtx = yes
human_windows = yes
human_linux = no
procmon = yes
recentfiles = yes
screenshots_windows = yes
screenshots_linux = yes
sysmon_windows = no
sysmon_linux = no
tlsdump = yes
usage = yes
file_pickup = yes
permissions = yes
pre_script = no
during_script = no
filecollector = yes
# This is only useful in case you use KVM's dnsmasq. You need to change your range inside of analyzer/windows/modules/auxiliary/disguise.py. Disguise must be enabled
windows_static_route = no
tracee_linux = no
sslkeylogfile = no
# Requires setting up browser extension, check extra/browser_extension
browsermonitor = no

[AzSniffer]
# Enable or disable the use of Azure Network Watcher packet capture feature, disable standard sniffer if this is in use to not create concurrent .pcap files
enabled = no

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes

# enable remote tcpdump support
remote = no
host = [email protected]

# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/bin/tcpdump

# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
interface = virbr1

# Specify a Berkeley packet filter to pass to tcpdump.
bpf = not arp

[gateways]
#RTR1 = 192.168.1.254
#RTR2 = 192.168.1.1
#INETSIM = 192.168.1.2

[QemuScreenshots]
# Enable or disable the use of QEMU as screenshot capture [yes/no].
# screenshots_linux and screenshots_windows must be disabled
enabled = no

[Mitmdump]
# Enable or disable the use of mitmdump (mitmproxy) to get dump.har [yes/no].
# This module requires installed mitmproxy see install_mitmproxy
# (https://github.com/kevoreilly/CAPEv2/blob/master/installer/cape2.sh#L1320)
enabled = no
```

mitmdump.conf
```ini
[cfg]
# bin path to mitmdump
bin = /opt/mitmproxy/mitmdump

# Host ip where mitmdump is listening
host = 192.168.122.1

# Interface where mitmdump is listening
interface = virbr0
```

| Question | Answer |
|---|---|
| Git commit | Type `$ git log \| head -n1` to find out |
| OS version | Ubuntu 16.04, Windows 10, macOS 10.12.3 |

Failure Logs

In the cape-processor logs I found that the tlsdump file is empty, but the analysis log says that the tlsdump process has started:

```
2024-11-25 14:47:21,860 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2024-11-25 14:47:44,063 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2024-11-25 14:47:44,063 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 656
2024-11-25 14:47:44,079 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2024-11-25 14:47:44,454 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2024-11-25 14:47:44,485 [root] DEBUG: 656: TLS 1.2 secrets logged to: C:\XXroxY\tlsdump\tlsdump.log
lis 25 15:58:46 cape python3[127583]: editcap: "/opt/CAPEv2/storage/analyses/64/tlsdump/tmpalgcg7bj" is an empty file, ignoring
lis 25 15:59:09 cape python3[126286]: 2024-11-25 15:59:09,267 [Task 64] [lib.cuckoo.common.integrations.capa] ERROR: CAPA ValidationError 5 validation errors for CapeReport
lis 25 15:59:09 cape python3[126286]: behavior.processes.0.file_activities
lis 25 15:59:09 cape python3[126286]:   Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]:     For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: behavior.processes.1.file_activities
lis 25 15:59:09 cape python3[126286]:   Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]:     For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: behavior.processes.2.file_activities
lis 25 15:59:09 cape python3[126286]:   Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]:     For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: behavior.processes.3.file_activities
lis 25 15:59:09 cape python3[126286]:   Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
lis 25 15:59:09 cape python3[126286]:     For further information visit https://errors.pydantic.dev/2.9/v/extra_forbidden
lis 25 15:59:09 cape python3[126286]: procmemory.0
lis 25 15:59:09 cape python3[126286]:   Input should be None [type=none_required, input_value={'path': '/opt/CAPEv2/sto...281305bd90c8ed35441c'}]}, input_type=dict]
lis 25 15:59:09 cape python3[126286]:     For further information visit https://errors.pydantic.dev/2.9/v/none_required
lis 25 15:59:27 cape python3[124488]: 2024-11-25 15:59:27,821 [root] INFO: Reports generation completed for Task #64
```
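
The processor log above shows the root of the missing HTTPS view: editcap is handed an empty key log ("is an empty file, ignoring"), so no TLS secrets ever reach the pcap and the GUI has nothing decrypted to render. A practitioner debugging this wants to check the key log that lands on the host before it goes to editcap. The following checker is an added example for this issue, not code from CAPEv2 or from the reporter. It assumes the key log is in the NSS key log format that Wireshark and editcap consume (one `<LABEL> <client_random hex> <secret hex>` line per session); the sample lines and the file path are constructed for the example.

```python
"""Validate a TLS key log before handing it to editcap --inject-secrets.

Added example for this issue, not code from CAPEv2. It assumes the NSS key
log format Wireshark/editcap consume ("<LABEL> <client_random hex> <secret hex>"
per line). The sample lines below are constructed, not from a real analysis.
"""
import re
from dataclasses import dataclass, field

# Labels editcap/Wireshark understand and the secret lengths (bytes) each allows:
# the TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are the hash length (32 or 48).
LABELS = {
    "CLIENT_RANDOM": (48,),
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "CLIENT_TRAFFIC_SECRET_0": (32, 48),
    "SERVER_TRAFFIC_SECRET_0": (32, 48),
    "EXPORTER_SECRET": (32, 48),
}
LINE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)$")


@dataclass
class KeyLogReport:
    """Outcome of checking one key log."""
    total_lines: int = 0                      # non-blank, non-comment lines seen
    valid: int = 0                            # lines editcap can use
    per_label: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)

    @property
    def usable(self) -> bool:
        # An empty or all-invalid log is the "empty file, ignoring" case from the
        # issue: no usable secrets means no decrypted HTTPS in the pcap.
        return self.valid > 0


def check_keylog(text: str) -> KeyLogReport:
    """Parse NSS key log text and count the lines editcap would accept."""
    rep = KeyLogReport()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rep.total_lines += 1
        m = LINE_RE.match(line)
        if not m:
            rep.errors.append(f"line {n}: expected '<label> <hex> <hex>'")
            continue
        label, client_random, secret = m.groups()
        if label not in LABELS:
            rep.errors.append(f"line {n}: unknown label {label!r}")
            continue
        if len(client_random) != 64:  # client_random is always 32 bytes
            rep.errors.append(f"line {n}: client_random must be 32 bytes")
            continue
        if len(secret) % 2 or len(secret) // 2 not in LABELS[label]:
            rep.errors.append(f"line {n}: {label} secret has wrong length")
            continue
        rep.valid += 1
        rep.per_label[label] = rep.per_label.get(label, 0) + 1
    return rep


def check_keylog_file(path: str) -> KeyLogReport:
    """Read a key log from disk; a missing file is reported as unusable."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return check_keylog(fh.read())
    except FileNotFoundError:
        rep = KeyLogReport()
        rep.errors.append(f"{path}: file not found")
        return rep


# Constructed samples: a healthy TLS 1.2 log, a TLS 1.3 log and a broken log.
SAMPLE_TLS12 = "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
SAMPLE_TLS13 = (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "22" * 32 + "\n"
    "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "33" * 32 + "\n"
)
SAMPLE_BROKEN = (
    "CLIENT_RANDOM deadbeef cafe\n"
    "# a comment line is ignored\n"
    "NOT_A_LABEL " + "00" * 32 + " " + "00" * 48 + "\n"
)

if __name__ == "__main__":
    for name, text in (("empty", ""), ("tls12", SAMPLE_TLS12),
                       ("tls13", SAMPLE_TLS13), ("broken", SAMPLE_BROKEN)):
        r = check_keylog(text)
        status = "OK" if r.usable else "UNUSABLE"
        print(f"{name}: {status} valid={r.valid}/{r.total_lines} {r.per_label} {r.errors}")
```

Run it against the file CAPE stores under `storage/analyses/<task>/tlsdump/` (the path in the editcap line above). Only when the report is usable is it worth invoking `editcap --inject-secrets tls,<keylog> capture.pcap capture.pcapng`; a report with zero lines, as in this issue, means the secrets were never delivered from the guest to the host, so the place to look is the guest-side tlsdump log and its hand-off, not the editcap or report step.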