Hi Calvin,
Thanks for the tip on capturing on LO interface, I'm sure you just saved me
some headaches ;)
Interestingly, when I check the environ I do see the env vars being set, but
in the maps I don't see the keylogger:
root@csbc03:~# cat /proc/2216899/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=fb5d2818a5434319ab2381262737dcffJOURNAL_STREAM=8:1642042024RUNTIME_DIRECTORY=/run/kamailioCFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32SSLKEYLOG_UDP=10.2.1.19:1234LD_PRELOAD=/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.1.1RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yes
root@csbc03:~#
root@csbc03:~# fgrep ssl /proc/2216899/maps
7f1ceef99000-7f1ceefb6000 r--p 00000000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1ceefb6000-7f1cef004000 r-xp 0001d000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef004000-7f1cef01e000 r--p 0006b000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef01e000-7f1cef01f000 ---p 00085000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef01f000-7f1cef028000 r--p 00085000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1cef028000-7f1cef02c000 rw-p 0008e000 08:06 266231 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
root@csbc03:~#
This is on a Debian 10 box. I have another box for testing on Debian 12; I
set the exact same config as you and I still don't see the keylogger being
loaded:
root@csbc01:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
root@csbc01:~#
root@csbc01:~# cat /etc/default/kamailio.d/voipmonitor
# ANSIBLE_MANAGED_FILE - Do NOT edit this file as it is auto-generated by Ansible.
SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3"
root@csbc01:~#
root@csbc01:~# file /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f1a884cad7648cc38a579b1d00a9ad523297b78c, with debug_info, not stripped
root@csbc01:~#
root@csbc01:~# file /usr/lib/x86_64-linux-gnu/libssl.so.3
/usr/lib/x86_64-linux-gnu/libssl.so.3: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dd6b0615fc5d03f9c698d6d0c9d2da1b1e8f2d24, stripped
root@csbc01:~#
root@csbc01:~# cat /proc/181454/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=059a5e15f1bb4e2bae17c0b5ec9c731eJOURNAL_STREAM=8:2661302RUNTIME_DIRECTORY=/run/kamailioSYSTEMD_EXEC_PID=181394CFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yesSSLKEYLOG_UDP=127.0.0.1:1234LD_PRELOAD=/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3
root@csbc01:~#
root@csbc01:~# fgrep ssl /proc/181454/maps
7f0c537b6000-7f0c537d5000 r--p 00000000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c537d5000-7f0c53833000 r-xp 0001f000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c53833000-7f0c53852000 r--p 0007d000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c53852000-7f0c5385c000 r--p 0009c000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f0c5385c000-7f0c53860000 rw-p 000a6000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3
root@csbc01:~#
Any other ideas of what I can be missing?
On Tue, Mar 5, 2024 at 2:30 PM Calvin E. <calvine(a)gmail.com> wrote:
Make sure you are preloading the correct OpenSSL library. On my Debian
12 box it is libssl.so.3 not libssl.so.1.1. You can confirm which is
loaded by checking the "maps" of a running proc:
$ sudo fgrep ssl /proc/2951676/maps
7f26647a4000-7f26647c3000 r--p 00000000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f26647c3000-7f2664821000 r-xp 0001f000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f2664821000-7f2664840000 r--p 0007d000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f2664840000-7f266484a000 r--p 0009c000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f266484a000-7f266484e000 rw-p 000a6000 08:01 131274 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f266484e000-7f266484f000 r--p 00000000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f266484f000-7f2664850000 r-xp 00001000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f2664850000-7f2664851000 r--p 00002000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f2664851000-7f2664852000 r--p 00002000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
7f2664852000-7f2664853000 rw-p 00003000 08:01 154916 /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
My systemd /lib/systemd/system/kamailio.service has a line
"EnvironmentFile=-/etc/default/kamailio.d/*" so I dropped a file
there:
$ cat /etc/default/kamailio.d/voipmonitor
SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3"
In my environment we're using "packetbuffer_sender = yes" to copy all
packets to a central processor. I'm sending the keys to localhost so
they can get picked up by the sniffer instead of sending them
separately to the central processor. For this to work, the sniffer
also must capture the "lo" interface.
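The environ-versus-maps comparison the thread does by hand (LD_PRELOAD set in /proc/PID/environ, but the object absent from /proc/PID/maps) can be scripted so it is repeatable across boxes. This is an added example, not code from the thread, Kamailio or voipmonitor; the sample environ and maps below are constructed to mirror the csbc01 output, and the PID argument in live mode is an assumption about how you would invoke it.

```python
"""Report LD_PRELOAD entries of a process that are not actually mapped."""
import sys

def parse_environ(raw: bytes) -> dict:
    """/proc/PID/environ is a NUL-separated list of KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def preload_entries(ld_preload: str) -> list:
    """ld.so(8): LD_PRELOAD items may be separated by spaces or colons."""
    return [p for p in ld_preload.replace(":", " ").split() if p]

def mapped_paths(maps_text: str) -> set:
    """Field 6 of a /proc/PID/maps line is the backing file, if any."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # paths may contain spaces
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5])
    return paths

def missing_preloads(environ_raw: bytes, maps_text: str) -> list:
    """LD_PRELOAD entries (in order) that never made it into the address space."""
    wanted = preload_entries(parse_environ(environ_raw).get("LD_PRELOAD", ""))
    present = mapped_paths(maps_text)
    return [p for p in wanted if p not in present]

# Constructed sample: LD_PRELOAD names two objects, only libssl.so.3 is mapped.
SAMPLE_ENVIRON = (b"USER=kamailio\0SSLKEYLOG_UDP=127.0.0.1:1234\0"
                  b"LD_PRELOAD=/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so "
                  b"/usr/lib/x86_64-linux-gnu/libssl.so.3\0")
SAMPLE_MAPS = ("7f0c537b6000-7f0c537d5000 r--p 00000000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3\n"
               "7f0c5385c000-7f0c53860000 rw-p 000a6000 08:01 3674382 /usr/lib/x86_64-linux-gnu/libssl.so.3\n"
               "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n")

if __name__ == "__main__":
    if len(sys.argv) == 2:   # live mode (assumed usage): check_preload.py PID, as root
        pid = sys.argv[1]
        environ_raw = open(f"/proc/{pid}/environ", "rb").read()
        maps_text = open(f"/proc/{pid}/maps").read()
    else:                    # offline mode: run against the constructed sample
        environ_raw, maps_text = SAMPLE_ENVIRON, SAMPLE_MAPS
    for path in missing_preloads(environ_raw, maps_text):
        print(f"in LD_PRELOAD but not mapped: {path}")
```

A non-empty result means the dynamic loader saw the variable but did not map that object; an empty result with the keylogger still silent points away from the preload itself.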