friTap
The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS. For details have a view into the OSDFCon webinar slides or in this blog post.
This project was inspired by SSL_Logger and currently supports all major operating systems (Linux, Windows, Android). More platforms and libraries will be added in future releases.
Installation
Installation is simply a matter of pip3 install fritap. This will give you the friTap command. You can update an existing friTap installation with pip3 install --upgrade friTap.
Alternatively just clone the repository and run the friTap.py file or download the friTap standlone version from the release page.
Usage
On Linux/Windows/MacOS we can easily attach to a process by entering its name or its PID:
$ sudo fritap --pcap mycapture.pcap thunderbirdFor mobile applications we just have to add the -m parameter to indicate that we are now attaching (or spawning) an Android or iOS app:
$ fritap -m --pcap mycapture.pcap com.example.appFurther ensure that the frida-server is running on the Android/iOS device.
Remember when working with the pip installation you have to invoke the friTap command with sudo a little bit different. Either as module:
$ sudo -E python3 -m friTap.friTap --pcap mycapture.pcap thunderbirdor directly invoking the script:
$ which friTap
/home/daniel/.local/bin/friTap
$ sudo -E /home/daniel/.local/bin/friTapMore examples on using friTap can be found in the USAGE.md. A detailed introduction using friTap on Android is under EXAMPLE.md as well.
Problems
The absence of traffic or incomplete traffic capture in the resulting pcap file (-p
Default Socket Information
There might be instances where friTap fails to retrieve socket information. In such scenarios, running friTap with default socket information (--enable_default_fd) could resolve the issue. This approach utilizes default socket information (127.0.0.1:1234 to 127.0.0.1:2345) for all traffic when the file descriptor (FD) cannot be used to obtain socket details:
fritap -m --enable_default_fd -p plaintext.pcap com.example.appHandling Subprocess Traffic
Traffic originating from a subprocess could be another contributing factor. To capture this traffic, friTap can leverage Frida's spawn gating feature, which intercepts newly spawned processes using the --enable_spawn_gating parameter:
fritap -m -p log.pcap --enable_spawn_gating com.example.appLibrary Support exist only for Key Extraction
In cases where the target library solely supports key extraction (cf. the table below), you can utilize the -k <key.log> parameter alongside full packet capture:
fritap -m -p log.pcap --full_capture -k keys.log com.example.appSeeking Further Assistance
If these approaches do not address your issue, please create a detailed issue report to aid in troubleshooting. To facilitate a more effective diagnosis, include the following information in your report:
- The operating system and its version
- The specific application encountering the issue or a comparable application that exhibits similar problems
- The output from executing friTap with the specified parameters, augmented with friTap's debug output:
fritap -do -v com.example.app
Supported SSL/TLS implementations and corresponding logging capabilities
| Library | Linux | Windows | MacOSX | Android | iOS |
|---------------------------|---------------|---------------|----------|----------|--------------|
| OpenSSL | Full | R/W-Hook only | TBI | Full | TBI |
| BoringSSL | Full | R/W-Hook only | KeyEo | Full | KeyEo |
| NSS | Full | R/W-Hook only | TBI | TBA | TBI |
| GnuTLS | R/W-Hook only | R/W-Hook only | TBI | Full | TBI |
| WolfSSL | R/W-Hook only | R/W-Hook only | TBI | Full | TBI |
| MbedTLS | R/W-Hook only | R/W-Hook only | TBI | Full | TBI |
| Bouncycastle/Spongycastle | TBA | TBA | TBA | Full | TBA |
| Conscrypt | TBA | TBA | TBA | Full | TBA |R/W-Hook only = Logging data sent and received by process
KeyEo = Only the keying material can be extracted
Full = Logging data send and received by process + Logging keys used for secure connection
TBA = To be answered
TBI = To be implemented
LibNO = This library is not supported for this plattform
We verified the Windows implementations only for Windows 10
Dependencies
- frida
>= python3.7- click (
python3 -m pip install click) - hexdump (
python3 -m pip install hexdump) - scapy (
python3 -m pip install scapy) - watchdog (
python3 -m pip install watchdog) - importlib.resources (
python3 -m pip install importlib-resources) - for hooking on Android ensure that the
adb-command is in your PATH
Planned features
- [ ] add the capability to alter the decrypted payload
- integration with https://github.com/mitmproxy/mitmproxy
- integration with http://portswigger.net/burp/
- [ ] add wine support
- [ ] add Flutter support
- [ ] add further libraries (have a look at this Wikipedia entry):
- Botan (BSD license, Jack Lloyd)
- LibreSSL (OpenBSD)
- Cryptlib (Peter Gutmann)
- S2n (Amazon)
- JSSE (Java Secure Socket Extension, Oracle)
- MatrixSSL
- ...
- [ ] Working with static linked libraries
- [ ] Add feature to prototype TLS-Read/Write/SSLKEY functions
- [ ] improve iOS/MacOS support (currently under development)
- [x]
provide friTap as PyPI package
Contribute
Contributions are always welcome. Just fork it and open a pull request! More details can be found in the CONTRIBUTION.md.
Changelog
See the wiki for release notes.
Support
If you have any suggestions, or bug reports, please create an issue in the Issue Tracker.
In case you have any questions or other problems, feel free to send an email to: