add --version field and improved SSPI for windows

README.md

@@ -3,7 +3,7 @@
 </p>
 
 # friTap
-![version](https://img.shields.io/badge/version-1.0.8-blue) [![PyPi](https://badge.fury.io/py/objection.svg)](https://pypi.org/project/friTap)
+![version](https://img.shields.io/badge/version-1.0.9-blue) [![PyPi](https://badge.fury.io/py/objection.svg)](https://pypi.org/project/friTap)
 
 The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS. For details have a view into the [OSDFCon webinar slides](assets/friTapOSDFConwebinar.pdf) or in [this blog post](https://lolcads.github.io/posts/2022/08/fritap/).
 

agent/windows/sspi.ts

@@ -11,7 +11,7 @@ ToDo:
 
 var keylog = (key: string, tlsVersion: TLSVersion) =>{
 
-    devlog(`[*] Exporting TLS 1.${tlsVersion} handshake keying material`);
+    devlog(`Exporting TLS 1.${tlsVersion} handshake keying material`);
 
     var message: { [key: string]: string | number } = {}
     message["contentType"] = "keylog";
@@ -34,7 +34,11 @@ export class SSPI_Windows {
     constructor(public moduleName:String, public socket_library:String){
 
         this.library_method_mapping[`*${moduleName}*`] = ["DecryptMessage", "EncryptMessage"];
-        this.library_method_mapping["*ncrypt*.dll"] = ["SslHashHandshake", "SslGenerateMasterKey", "SslImportMasterKey","SslGenerateSessionKeys","SslExpandExporterMasterKey","SslExpandTrafficKeys"]
+        if(experimental){
+            // ncrypt is used for the TLS keys
+            log(`ncrypt.dll was loaded & will be hooked on Windows!`)
+            this.library_method_mapping["*ncrypt*.dll"] = ["SslHashHandshake", "SslGenerateMasterKey", "SslImportMasterKey","SslGenerateSessionKeys","SslExpandExporterMasterKey","SslExpandTrafficKeys"]
+        }
         this.library_method_mapping[`*${socket_library}*`] = ["getpeername", "getsockname", "ntohs", "ntohl"]
 
         this.addresses = readAddresses(this.library_method_mapping);
@@ -220,7 +224,7 @@ export class SSPI_Windows {
                     if (msg_type == 1 && version == 0x0303){
                         // If we have client random, save it tied to current thread
                         var crandom = buf2hex(buf.add(6).readByteArray(32));
-                        devlog("[*] Got client random from SslHashHandshake: " + crandom);
+                        devlog("Got client random from SslHashHandshake: " + crandom);
                         client_randoms[this.threadId] = crandom;
                     }       
                 },
@@ -239,7 +243,7 @@ export class SSPI_Windows {
                 },
                 onLeave: function (retval) {
                     var master_key = parse_h_master_key(this.phMasterKey.readPointer());
-                    devlog("[*] Got masterkey from SslGenerateMasterKey");
+                    devlog("Got masterkey from SslGenerateMasterKey");
                     keylog("CLIENT_RANDOM " + this.client_random + " " + master_key, TLSVersion.ONE_TWO);
                 }
             });
@@ -269,7 +273,7 @@ export class SSPI_Windows {
                     this.pParameterList = ptr(args[4]);
                     this.client_random = parse_parameter_list(this.pParameterList, 'SslGenerateSessionKeys') || client_randoms[this.threadId] || "???";
                     var master_key = parse_h_master_key(this.hMasterKey);
-                    devlog("[*] Got masterkey from SslGenerateSessionKeys");
+                    devlog("Got masterkey from SslGenerateSessionKeys");
                     keylog("CLIENT_RANDOM " + this.client_random + " " + master_key, TLSVersion.ONE_TWO);
                 },
                 onLeave: function (retval) {
@@ -328,7 +332,6 @@ export class SSPI_Windows {
         this.install_plaintext_read_hook();
         this.install_plaintext_write_hook();
         if(experimental){
-            log(`ncrypt.dll was loaded & will be hooked on Windows!`)
             this.install_tls_keys_hook();
         }
     }

create_legacy_agent/package.json

@@ -1,6 +1,6 @@
 {
     "name": "friTap",
-    "version": "1.0.8.3",
+    "version": "1.0.9.0",
     "description": "Frida agent for logging SSL traffic and extracting SSL keys",
     "private": true,
     "main": "agent/ssl_log.ts",

create_standalone_release/friTap_release_template.py

@@ -13,9 +13,9 @@
 import tempfile
 import json
 import pcap as pcap
-from __init__ import __version__
-from __init__ import __author__
-from __init__ import debug
+__author__ = "Daniel Baier, Francois Egner, Max Ufer"
+__version__ = "1.0.9.0"
+debug = False # are we running in debug mode?
 
 try:
     import hexdump  # pylint: disable=g-import-not-at-top
@@ -214,7 +214,7 @@ def instrument(process):
             print("[!] Open Chrome with chrome://inspect for debugging\n")
             runtime="v8"
 
-        with open(os.path.join(here, '_ssl_log.js'), encoding='utf8', newline='\n') as f:
+        with open(os.path.join(here, frida_agent_script), encoding='utf8', newline='\n') as f:
             script_string = f.read()
 
             if offsets_data is not None:
@@ -375,13 +375,14 @@ def main():
                       help="Provide the environment necessary for spawning as an JSON file. For instance: {\"ENV_VAR_NAME\": \"ENV_VAR_VALUE\" }")
     args.add_argument("-v", "--verbose", required=False, action="store_const",
                       const=True, help="Show verbose output")
+    args.add_argument('--version', action='version',version='friTap v{version}'.format(version=__version__))
     args.add_argument("--enable_spawn_gating", required=False, action="store_const", const=True,
                       help="Catch newly spawned processes. ATTENTION: These could be unrelated to the current process!")
     args.add_argument("exec", metavar="<executable/app name/pid>",
                       help="executable/app whose SSL calls to log")
     args.add_argument("--offsets", required=False, metavar="<offsets.json>",
                       help="Provide custom offsets for all hooked functions inside a JSON file or a json string containing all offsets. For more details see our example json (offsets_example.json)")
-    args.add_argument("--experimental", required=False,
+    args.add_argument("-exp","--experimental", required=False, action="store_const", const=True, default=False,
                       help="Activates all existing experimental feature (see documentation for more information)")
     parsed = parser.parse_args()
 
@@ -395,7 +396,7 @@ def main():
                 parsed.spawn, parsed.keylog, parsed.enable_spawn_gating, parsed.mobile, parsed.live, parsed.environment, parsed.debug, parsed.full_capture, parsed.socket_tracing, parsed.host, parsed.offsets, parsed.debugoutput,parsed.experimental)
 
     except Exception as ar:
-        print("[-] Uknown error:")
+        print("[-] Unknown error:")
         print(ar)
 
     finally:

friTap/__init__.py

@@ -2,5 +2,5 @@
 # -*- coding: utf-8 -*-
 
 __author__ = "Daniel Baier, Francois Egner, Max Ufer"
-__version__ = "1.0.8.3"
+__version__ = "1.0.9.0"
 debug = False # are we running in debug mode?

friTap/friTap.py

@@ -366,6 +366,7 @@ def main():
                       help="Provide the environment necessary for spawning as an JSON file. For instance: {\"ENV_VAR_NAME\": \"ENV_VAR_VALUE\" }")
     args.add_argument("-v", "--verbose", required=False, action="store_const",
                       const=True, help="Show verbose output")
+    args.add_argument('--version', action='version',version='friTap v{version}'.format(version=__version__))
     args.add_argument("--enable_spawn_gating", required=False, action="store_const", const=True,
                       help="Catch newly spawned processes. ATTENTION: These could be unrelated to the current process!")
     args.add_argument("exec", metavar="<executable/app name/pid>",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "friTap",
-    "version": "1.0.8.3",
+    "version": "1.0.9.0",
     "description": "Frida agent for logging SSL traffic as plaintext and extracting SSL keys",
     "private": true,
     "main": "agent/ssl_log.ts",