Hi Calvin,
Thanks for the tip on capturing on the lo interface, I'm sure you just saved me some headaches ;)
Interestingly when I check the environ I do see the env vars being set, but in the maps I don't see the keylogger:
root@csbc03:~# cat /proc/2216899/environ
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PIDFILE=/run/kamailio/kamailio.pid
HOME=/run/kamailio
LOGNAME=kamailio
USER=kamailio
INVOCATION_ID=fb5d2818a5434319ab2381262737dcff
JOURNAL_STREAM=8:1642042024
RUNTIME_DIRECTORY=/run/kamailio
CFGFILE=/etc/kamailio/csbc.cfg
SHM_MEMORY=512
PKG_MEMORY=32
SSLKEYLOG_UDP=10.2.1.19:1234
LD_PRELOAD=/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.1.1
RUN_KAMAILIO=yes
GROUP=kamailio
DUMP_CORE=yes
root@csbc03:~#

root@csbc03:~# fgrep ssl /proc/2216899/maps
7f1ceef99000-7f1ceefb6000 r--p 00000000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1ceefb6000-7f1cef004000 r-xp 0001d000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef004000-7f1cef01e000 r--p 0006b000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef01e000-7f1cef01f000 ---p 00085000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef01f000-7f1cef028000 r--p 00085000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef028000-7f1cef02c000 rw-p 0008e000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
root@csbc03:~#
This is on a Debian 10 box. I have another box for testing on Debian 12; I set the exact same config as you and I still don't see the keylogger being loaded:
root@csbc01:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm
root@csbc01:~#

root@csbc01:~# cat /etc/default/kamailio.d/voipmonitor
# ANSIBLE_MANAGED_FILE - Do NOT edit this file as it is auto-generated by Ansible.
SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3"
root@csbc01:~#

root@csbc01:~# file /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f1a884cad7648cc38a579b1d00a9ad523297b78c, with debug_info, not stripped
root@csbc01:~#

root@csbc01:~# file /usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libssl.so.3: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dd6b0615fc5d03f9c698d6d0c9d2da1b1e8f2d24, stripped
root@csbc01:~#

root@csbc01:~# cat /proc/181454/environ
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PIDFILE=/run/kamailio/kamailio.pid
HOME=/run/kamailio
LOGNAME=kamailio
USER=kamailio
INVOCATION_ID=059a5e15f1bb4e2bae17c0b5ec9c731e
JOURNAL_STREAM=8:2661302
RUNTIME_DIRECTORY=/run/kamailio
SYSTEMD_EXEC_PID=181394
CFGFILE=/etc/kamailio/csbc.cfg
SHM_MEMORY=512
PKG_MEMORY=32
RUN_KAMAILIO=yes
GROUP=kamailio
DUMP_CORE=yes
SSLKEYLOG_UDP=127.0.0.1:1234
LD_PRELOAD=/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3
root@csbc01:~#

root@csbc01:~# fgrep ssl /proc/181454/maps
7f0c537b6000-7f0c537d5000 r--p 00000000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c537d5000-7f0c53833000 r-xp 0001f000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c53833000-7f0c53852000 r--p 0007d000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c53852000-7f0c5385c000 r--p 0009c000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c5385c000-7f0c53860000 rw-p 000a6000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
root@csbc01:~#
Any other ideas of what I can be missing?
On Tue, Mar 5, 2024 at 2:30 PM Calvin E. calvine@gmail.com wrote:
Make sure you are preloading the correct OpenSSL library. On my Debian 12 box it is libssl.so.3, not libssl.so.1.1. You can confirm which is loaded by checking the "maps" of a running proc:
$ sudo fgrep ssl /proc/2951676/maps
7f26647a4000-7f26647c3000 r--p 00000000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f26647c3000-7f2664821000 r-xp 0001f000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f2664821000-7f2664840000 r--p 0007d000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f2664840000-7f266484a000 r--p 0009c000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f266484a000-7f266484e000 rw-p 000a6000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f266484e000-7f266484f000 r--p 00000000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f266484f000-7f2664850000 r-xp 00001000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f2664850000-7f2664851000 r--p 00002000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f2664851000-7f2664852000 r--p 00002000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f2664852000-7f2664853000 rw-p 00003000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
My systemd /lib/systemd/system/kamailio.service has a line "EnvironmentFile=-/etc/default/kamailio.d/*" so I dropped a file there:
$ cat /etc/default/kamailio.d/voipmonitor
SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3"
In my environment we're using "packetbuffer_sender = yes" to copy all packets to a central processor. I'm sending the keys to localhost so they can get picked up by the sniffer instead of sending them separately to the central processor. For this to work, the sniffer also must capture the "lo" interface.
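A small script, added here as an example and not part of voipmonitor, kamailio or either poster's setup, that automates the check Calvin describes and that the reply above ran by hand: it reads LD_PRELOAD out of /proc/PID/environ (NUL-separated, which is why the cat output above runs together) and reports whether each listed library actually appears in /proc/PID/maps. Library paths and addresses in the comments are illustrative; reading another user's environ needs root.

```shell
#!/bin/sh
# check_preload.sh: did every library in a process's LD_PRELOAD really get mapped?
# Usage: sh check_preload.sh <pid>   (example code written for this thread)

# Print the LD_PRELOAD value from an environ file. /proc/PID/environ separates
# variables with NUL bytes, so turn those into newlines first.
preload_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^LD_PRELOAD=//p' | head -n 1
}

# Compare the LD_PRELOAD list in an environ file against a maps file.
# Prints "<lib> mapped" or "<lib> MISSING" per entry; returns 1 if any entry is
# missing, 2 if LD_PRELOAD is not set at all, 0 if everything is mapped.
check_preload_files() {
    environ_file=$1
    maps_file=$2
    rc=0
    preload=$(preload_from_environ "$environ_file")
    if [ -z "$preload" ]; then
        echo "LD_PRELOAD not set"
        return 2
    fi
    # ld.so accepts space- or colon-separated entries; paths with spaces are not handled.
    for lib in $(printf '%s\n' "$preload" | tr ':' ' '); do
        base=${lib##*/}
        # The path is the 6th field of a maps line. maps shows the resolved file
        # path, so also accept a match on the basename in case LD_PRELOAD named a symlink.
        if awk -v p="$lib" -v b="$base" \
            '$6 == p || substr($6, length($6) - length(b)) == "/" b { found = 1 }
             END { exit !found }' "$maps_file"; then
            echo "$lib mapped"
        else
            echo "$lib MISSING"
            rc=1
        fi
    done
    return $rc
}

# Convenience wrapper for a live PID.
check_preload_pid() {
    check_preload_files "/proc/$1/environ" "/proc/$1/maps"
}

if [ "$#" -ge 1 ]; then
    check_preload_pid "$1"
fi
```

A MISSING line with LD_PRELOAD visibly set is exactly the situation in the reply above: the variable reached the process but the dynamic loader did not map the library, so the next thing to look at is the loader itself (for example running the binary with LD_DEBUG=libs under the same environment) rather than the unit file.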