Saturday, October 11, 2025

Httptap: view http/https requests made by any linux program – Releases


Hello gophers,

I recently created a tool that uses gVisor and linux network namespaces to log the http/https requests and responses made by an arbitrary linux command, without needing root privileges, and without making global system changes that could affect other running processes. The idea is you run httptap -- <command> and you get a nice log of http and https requests made by <command>. You can print the full request bodies, or generate a HAR dump for visualization later if you’d like. For example:

httptap -- python -c "import requests; requests.get('https://monasticacademy.org')"
---> GET https://monasticacademy.org/
<--- 308 https://monasticacademy.org/ (15 bytes)
---> GET https://www.monasticacademy.org/
<--- 200 https://www.monasticacademy.org/ (5796 bytes)

In this example it’s a python interpreter that’s being monitored, but it just as easily could have been any other linux command. For example, here is httptap printing requests made by kubectl:

httptap -- kubectl get all --insecure-skip-tls-verify
---> GET https://somecluster/api/v1/namespaces/default/pods?limit=500
<--- 200 https://somecluster/api/v1/namespaces/default/pods?limit=500 (38345 bytes)
---> GET https://somecluster/api/v1/namespaces/default/replicationcontrollers?limit=500
<--- 200 https://somecluster/api/v1/namespaces/default/replicationcontrollers?limit=500 (2509 bytes)
...

https://github.com/monasticacademy/httptap

Why does this exist?

There are plenty of tools out there for general network inspection (tcpdump, wireshark), but capturing https traffic and decrypting it is impossible unless I can dump TLS session secrets from the program I’m trying to trace, which is usually not straightforward at all.

There are some good TLS proxies out there (mitmproxy, for example), but to use these I have to manually install CA roots into my system, and manually configure an http proxy for the program I’m trying to run. A lot of programs don’t respect HTTP_PROXY/HTTPS_PROXY environment variables, so I have to dig through the docs for the particular program I’m running. Then afterwards I have to start the proxy server in one place, run the command in another place, then run a command to dump the output (or look at a web interface) in another place. I wanted something that was scoped to a single linux process, and had a command line interface analogous to, for example, strace <command>.

What are some use cases?

  • My own personal use case that motivated this project was an attempt to use the Oracle Cloud API, where some of the documentation was out of date. I had the oracle CLI doing the thing I wanted, but I was having difficulty doing the same thing programmatically from Go. The APIs were clearly not intended to be secret or private so I wanted to see the exact API calls that the oracle CLI was making.
  • In general this tool could be useful for understanding how things work, for reverse engineering, for debugging, for penetration testing, for privacy reviews, and so on.

How does it work?

The tool actually has its own userspace TCP/IP stack, which it gets from gVisor. The subcommand is run in an isolated network namespace, and all traffic in and out is intercepted at the IP level. I then have some Go code to proxy the traffic out to the internet.

To decrypt TLS traffic I use the standard approach of generating a custom certificate authority, and telling the command to trust it. To do this I looked through all the major TLS implementations out there and made a list of environment variables that can be used to inject a custom CA. This won’t work in case of an unknown TLS implementation or in the case of a binary with pinned CAs.

Can it be ported to operating systems other than linux?

Unfortunately, I don’t think it will end up being ported to mac or windows in anything like its current form. Httptap makes heavy use of linux network namespaces, and unless I’ve missed something neither mac nor windows has anything similar to a network namespace (please correct me if I’m wrong about this!). I’d absolutely love to port httptap to other operating systems so if you have any suggestions on how it could be done then please let me know.
