-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathTLSv1_3_captures.py
154 lines (116 loc) · 5.54 KB
/
TLSv1_3_captures.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
'''
### This script will: ###
1. Enable the database key on BIG-IP to inject tls session keys into packet captures
2. Run tcpdump with the --f5 ssl:v flags to capture traffic WITH session keys
3. Disable the tls session keys database key
4. Download tcpdump capture from BIG-IP
5. Delete tcpdump capture on BIG-IP
6. Extract session keys from tcpdump capture
7. Create a decrypted tcpdump capture from the encrypted capture + session keys file
'''
import os
import subprocess
from datetime import datetime
from time import sleep
from bigrest.bigip import BIGIP
from bigrest.common.exceptions import RESTAPIError
TCPDUMP_BASH_STRING = """timeout -s SIGKILL CAP_SECS tcpdump -s0 -nni 0.0:nnnp --f5 ssl:v VIRTUAL_IP -w /shared/images/autocap_DATESTRING.pcap"""
def get_credentials():
return os.getenv('F5_HOST'), os.getenv('F5_USER'), os.getenv('F5_PASS')
def instantiate_bigip(duration):
host, user, pw = get_credentials()
br = BIGIP(host, user, pw, request_token=True, session_verify=False, timeout=duration+5)
br.modify(f"/mgmt/shared/authz/tokens/{br.session.headers._store.get('x-f5-auth-token')[1]}", {'timeout': '300'})
return br
def download_file(bigip, file_name, msg):
bigip.download('/mgmt/cm/autodeploy/software-image-downloads/', file_name)
if os.sys.platform == 'win32':
os.rename(file_name, f'{file_name}')
else:
os.rename(file_name, f'{file_name}')
print(f'{msg}')
def prompt_user(msg: str) -> str:
return str(input(f'\t{msg}'))
def toggle_sslprovider(bigip, state):
data = {'value': state}
bigip.modify('/mgmt/tm/sys/db/tcpdump.sslprovider', data)
print(f'\tDatabase key tcpdump.sslprovider has been {state}d...continuing.')
def run_tcpdump(bigip, duration, virtual_name, filters):
datestring = datetime.now().strftime('%Y%m%d-%H%M%S')
vip = bigip.load(f'/mgmt/tm/ltm/virtual/{virtual_name}')
virtual_ip = vip.properties.get('destination').split('/')[-1].split(':')[0]
dump_string = TCPDUMP_BASH_STRING.replace('CAP_SECS', duration)
if filters == '':
dump_string = dump_string.replace('VIRTUAL_IP', f'host {virtual_ip}')
else:
dump_string = dump_string.replace('VIRTUAL_IP', f'host {virtual_ip} {filters} ')
print(dump_string)
dump_string = dump_string.replace('DATESTRING', datestring)
try:
print(f'\tStarting tcpdump...please reproduce your issue now.')
data = {'command': 'run', 'utilCmdArgs': f'-c "{dump_string}"'}
bigip.command('/mgmt/tm/util/bash', data)
except RESTAPIError:
pass
sleep(5)
print(f'\ttcpdump complete...continuing.')
return f'autocap_{datestring}.pcap'
def delete_file(bigip, file_name, msg):
data = {'command': 'run', 'utilCmdArgs': f'/shared/images/{file_name}'}
bigip.command('/mgmt/tm/util/unix-rm', data)
print(f'{msg}')
def user_responses():
vip_name = prompt_user('Virtual name: ')
duration = prompt_user('Duration in seconds for capture: ')
filters = prompt_user('Capture filters in addition to vip [ex. "and (port 80 or port 443)" ]: ')
return vip_name, duration, filters
def download_files(bigip, tcpdump_file):
print(f'\tDownloading capture and key files from BIG-IP.')
download_file(bigip, tcpdump_file, f'\t\t{tcpdump_file} downloaded.')
print(f'\tAll files downloaded...continuing.')
def delete_files(bigip, tcpdump_file):
print(f'\tCleaning up capture and key files on BIG-IP.')
delete_file(bigip, tcpdump_file, f'\t\t{tcpdump_file} deleted.')
print('\tAll files cleaned up on BIG-IP...continuing.')
def extract_keys(tcpdump_file):
tshark_process = subprocess.run(["tshark",
"-r", f"{tcpdump_file}",
"-Y", "f5ethtrailer.tls.keylog",
"-Tfields",
"-e", "f5ethtrailer.tls.keylog"],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
keyfile = open('session_keys.pms', 'w')
subprocess.run(["sed",
"s/,/\\n/g"],
input=tshark_process.stdout,
stdout=keyfile,
stderr=subprocess.STDOUT)
keyfile.close()
print('\tExtracted keys file: session_keys.pms...continuing.')
def decrypt_capture(tcpdump_file):
print(f'\tDecrypting capture {tcpdump_file} with session keys in session_keys.pms.')
subprocess.run(['editcap',
'--inject-secrets',
f'tls,session_keys.pms',
f'{tcpdump_file}',
f'decrypted_{tcpdump_file}'],
stdout=subprocess.DEVNULL,
stderr=subprocess.STDOUT)
print(f'\tDecrypted file: decrypted_{tcpdump_file}...continuing.')
if __name__ == '__main__':
print('\n\n\t#################################################')
print('\t### BIG-IP tcpdump capture collection utility ###')
print('\t#################################################\n')
vip_name, duration, filters = user_responses()
print('\n\t-------------------------------------------------\n')
br = instantiate_bigip(int(duration))
toggle_sslprovider(br, 'enable')
tcpdump_file = run_tcpdump(br, duration, vip_name, filters)
toggle_sslprovider(br, 'disable')
download_files(br, tcpdump_file)
delete_files(br, tcpdump_file)
extract_keys(tcpdump_file)
decrypt_capture(tcpdump_file)
print('\t\n-------------------------------------------------\n')
print('Process complete...now go analyze some packets!')