Try removing `ssl_sessionkey_udp_ip`, I don't have that set on mine.
Changing it to 127.0.0.1 might also work, but that's only a guess.

Keep in mind this part is open source, if you want to check it out:
https://github.com/voipmonitor/sniffer

Only the GUI is licensed, but isn't required if you want to use the
database and pcaps directly.

On Thu, Mar 7, 2024 at 7:56 PM Joel Serrano <j...@textplus.com> wrote:
>
> Damn, that was a rabbit hole...
>
> So the key pointers were found thanks to reading two very helpful links [1] [2].
>
> The TL;DR is that I use setcap to add capabilities to Kamailio to allow it to
> listen on ports <1024 without root. Once you add capabilities, any LD_* env
> var gets stripped out and is not accessible to the process for security
> reasons. The solution is to have the sslkeylogger.so lib in a system LD path
> with setuid bit added (chmod +s), and load it without any "/" in the name.
>
> So basically doing this (pseudo commands):
>
> mv keylogger.so /system/ld/path/keylogger.so
> chmod u+s /system/ld/path/keylogger.so
>
> And then have the /etc/default/kamailio.d/voipmonitor file as:
>
> SSLKEYLOG_UDP='127.0.0.1:1234'
> LD_PRELOAD="sslkeylog.so libssl.so.1.1"
>
> Restart and boom, sslkeylogger is loaded:
>
> root@csbc03:~# fgrep ssl /proc/2633948/maps
> 7f97ffb92000-7f97ffbaf000 r--p 00000000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> 7f97ffbaf000-7f97ffbfd000 r-xp 0001d000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> 7f97ffbfd000-7f97ffc17000 r--p 0006b000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> 7f97ffc17000-7f97ffc18000 ---p 00085000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> 7f97ffc18000-7f97ffc21000 r--p 00085000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> 7f97ffc21000-7f97ffc25000 rw-p 0008e000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> 7f9800173000-7f9800174000 r--p 00000000 08:06 262170                     /usr/lib/x86_64-linux-gnu/sslkeylog.so
> 7f9800174000-7f9800175000 r-xp 00001000 08:06 262170                     /usr/lib/x86_64-linux-gnu/sslkeylog.so
> 7f9800175000-7f9800176000 r--p 00002000 08:06 262170                     /usr/lib/x86_64-linux-gnu/sslkeylog.so
> 7f9800176000-7f9800177000 r--p 00002000 08:06 262170                     /usr/lib/x86_64-linux-gnu/sslkeylog.so
> 7f9800177000-7f9800178000 rw-p 00003000 08:06 262170                     /usr/lib/x86_64-linux-gnu/sslkeylog.so
> root@csbc03:~#
>
> I have one last question for you Calvin,
>
> Can you share the settings you have on your local and remote 
> voipmonitor-sniffers to allow Kamailio to send keys to 127.0.0.1:1234, and 
> then have the voipmonitor-client forward that to voipmonitor-server for 
> processing?
>
> These are mine:
>
> -CLIENT-
>
> [general]
> id_sensor = 23
> query_cache = yes
> server_destination = XXX
> server_destination_port = XXX
> server_password = XXX
> packetbuffer_sender             = yes
> packetbuffer_enable             = yes
> packetbuffer_total_maxheap      = 512 #in MB
> packetbuffer_compress           = yes
> packetbuffer_file_totalmaxsize  = 2000 #MB. Default is disabled.
> packetbuffer_file_path          = /var/spool/voipmonitor/packetbuffer
> interface = eno1,lo
> sipport = 5060
> sipport = 5061
> sipport = 5062
>
> NOTES: 5060 is regular UDP, 5061 and 5062 are both TLS ports.
>
> -SERVER- (only the ssl_* settings)
>
> ssl = yes
> ssl_ipport = A.B.C.D : 5061
> ssl_ipport = A.B.C.E : 5061
> ssl_ipport = A.B.C.F : 5061
> ssl_ipport = A.B.C.G : 5061
> ssl_ipport = A.B.C.D : 5062
> ssl_ipport = A.B.C.E : 5062
> ssl_ipport = A.B.C.F : 5062
> ssl_ipport = A.B.C.G : 5062
> ssl_store_sessions_expiration_hours = 48
> ssl_sessionkey_udp = yes
> ssl_sessionkey_udp_port = 1234
> ssl_sessionkey_udp_ip = 192.168.1.0/24
> ssl_sessionkey_udp_maxwait_ms = 10000
> ssl_store_sessions = persistent
> ssl_ignore_error_invalid_mac = yes
>
> NOTES: All the A.B.C.X are Kamailio instances Public IPs.
>
> I know I'm missing something to get the combo 
> Kamailio->Local-Sniffer->Remote-Sniffer to work, any hints there?
>
> Thanks,
> Joel.
>
>
> [1] https://stackoverflow.com/questions/18058426/does-using-linux-capabilities-disable-ld-preload
> [2] https://unix.stackexchange.com/questions/757484/ld-preload-does-not-work-and-ld-debug-shows-nothing
>
>
> On Thu, Mar 7, 2024 at 4:33 PM Calvin E. <calv...@gmail.com> wrote:
>>
>> Does your sslkeylog.so work on that same host with the openssl test? I
>> noticed you're using ansible, so I'm curious if you're compiling on
>> some other host that could have different versions of the openssl-dev
>> stuff. Other things could be file or path permissions, or maybe a
>> security tool blocking it (would auditd do that?).
>>
>> At this point I'd reach out to their support.
>>
>> On Tue, Mar 5, 2024 at 10:24 PM Joel Serrano <j...@textplus.com> wrote:
>> >
>> > Hi Calvin,
>> >
>> > Thanks for the tip on capturing on LO interface, I'm sure you just saved 
>> > me some headaches ;)
>> >
>> > Interestingly when I check the environ I do see the env vars being set, 
>> > but in the maps I don't see the keylogger:
>> >
>> > root@csbc03:~# cat /proc/2216899/environ
>> > LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=fb5d2818a5434319ab2381262737dcffJOURNAL_STREAM=8:1642042024RUNTIME_DIRECTORY=/run/kamailioCFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32SSLKEYLOG_UDP=10.2.1.19:1234LD_PRELOAD=/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.1.1RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yes
>> > root@csbc03:~#
>> >
>> > root@csbc03:~# fgrep ssl /proc/2216899/maps
>> > 7f1ceef99000-7f1ceefb6000 r--p 00000000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
>> > 7f1ceefb6000-7f1cef004000 r-xp 0001d000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
>> > 7f1cef004000-7f1cef01e000 r--p 0006b000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
>> > 7f1cef01e000-7f1cef01f000 ---p 00085000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
>> > 7f1cef01f000-7f1cef028000 r--p 00085000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
>> > 7f1cef028000-7f1cef02c000 rw-p 0008e000 08:06 266231                     /usr/lib/x86_64-linux-gnu/libssl.so.1.1
>> > root@csbc03:~#
>> >
>> > This is on a Debian 10 box. I have another box for testing on Debian 12, I
>> > set the exact same config as you and I still don't see the keylogger being
>> > loaded:
>> >
>> > root@csbc01:~# lsb_release -a
>> > No LSB modules are available.
>> > Distributor ID: Debian
>> > Description: Debian GNU/Linux 12 (bookworm)
>> > Release: 12
>> > Codename: bookworm
>> > root@csbc01:~#
>> >
>> > root@csbc01:~# cat /etc/default/kamailio.d/voipmonitor
>> > # ANSIBLE_MANAGED_FILE - Do NOT edit this file as it is auto-generated by Ansible.
>> > SSLKEYLOG_UDP='127.0.0.1:1234'
>> > LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3"
>> > root@csbc01:~#
>> >
>> > root@csbc01:~# file /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>> > /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f1a884cad7648cc38a579b1d00a9ad523297b78c, with debug_info, not stripped
>> > root@csbc01:~#
>> >
>> > root@csbc01:~# file /usr/lib/x86_64-linux-gnu/libssl.so.3
>> > /usr/lib/x86_64-linux-gnu/libssl.so.3: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dd6b0615fc5d03f9c698d6d0c9d2da1b1e8f2d24, stripped
>> > root@csbc01:~#
>> >
>> > root@csbc01:~# cat /proc/181454/environ
>> > LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=059a5e15f1bb4e2bae17c0b5ec9c731eJOURNAL_STREAM=8:2661302RUNTIME_DIRECTORY=/run/kamailioSYSTEMD_EXEC_PID=181394CFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yesSSLKEYLOG_UDP=127.0.0.1:1234LD_PRELOAD=/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3
>> > root@csbc01:~#
>> >
>> > root@csbc01:~# fgrep ssl /proc/181454/maps
>> > 7f0c537b6000-7f0c537d5000 r--p 00000000 08:01 3674382                    /usr/lib/x86_64-linux-gnu/libssl.so.3
>> > 7f0c537d5000-7f0c53833000 r-xp 0001f000 08:01 3674382                    /usr/lib/x86_64-linux-gnu/libssl.so.3
>> > 7f0c53833000-7f0c53852000 r--p 0007d000 08:01 3674382                    /usr/lib/x86_64-linux-gnu/libssl.so.3
>> > 7f0c53852000-7f0c5385c000 r--p 0009c000 08:01 3674382                    /usr/lib/x86_64-linux-gnu/libssl.so.3
>> > 7f0c5385c000-7f0c53860000 rw-p 000a6000 08:01 3674382                    /usr/lib/x86_64-linux-gnu/libssl.so.3
>> > root@csbc01:~#
>> >
>> > Any other ideas of what I can be missing?
>> >
>> > On Tue, Mar 5, 2024 at 2:30 PM Calvin E. <calv...@gmail.com> wrote:
>> >>
>> >> Make sure you are preloading the correct OpenSSL library. On my Debian
>> >> 12 box it is libssl.so.3 not libssl.so.1.1. You can confirm which is
>> >> loaded by checking the "maps" of a running proc:
>> >>
>> >> $ sudo fgrep ssl /proc/2951676/maps
>> >> 7f26647a4000-7f26647c3000 r--p 00000000 08:01 131274   /usr/lib/x86_64-linux-gnu/libssl.so.3
>> >> 7f26647c3000-7f2664821000 r-xp 0001f000 08:01 131274   /usr/lib/x86_64-linux-gnu/libssl.so.3
>> >> 7f2664821000-7f2664840000 r--p 0007d000 08:01 131274   /usr/lib/x86_64-linux-gnu/libssl.so.3
>> >> 7f2664840000-7f266484a000 r--p 0009c000 08:01 131274   /usr/lib/x86_64-linux-gnu/libssl.so.3
>> >> 7f266484a000-7f266484e000 rw-p 000a6000 08:01 131274   /usr/lib/x86_64-linux-gnu/libssl.so.3
>> >> 7f266484e000-7f266484f000 r--p 00000000 08:01 154916   /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>> >> 7f266484f000-7f2664850000 r-xp 00001000 08:01 154916   /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>> >> 7f2664850000-7f2664851000 r--p 00002000 08:01 154916   /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>> >> 7f2664851000-7f2664852000 r--p 00002000 08:01 154916   /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>> >> 7f2664852000-7f2664853000 rw-p 00003000 08:01 154916   /usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>> >>
>> >> My systemd /lib/systemd/system/kamailio.service has a line
>> >> "EnvironmentFile=-/etc/default/kamailio.d/*" so I dropped a file
>> >> there:
>> >>
>> >> $ cat /etc/default/kamailio.d/voipmonitor
>> >> SSLKEYLOG_UDP='127.0.0.1:1234'
>> >> LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3"
>> >>
>> >> In my environment we're using "packetbuffer_sender = yes" to copy all
>> >> packets to a central processor. I'm sending the keys to localhost so
>> >> they can get picked up by the sniffer instead of sending them
>> >> separately to the central processor. For this to work, the sniffer
>> >> also must capture the "lo" interface.
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
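
Added example, not part of the thread and not VoIPmonitor or Kamailio code: a shell function that automates the environ-versus-maps comparison done by hand above, flagging every LD_PRELOAD entry that was set in the environment but never mapped into the process. The names `check_preload` and `make_sample` and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list each LD_PRELOAD entry a process
# was started with and whether it is actually mapped into the process.
# Usage on a live host, as root: check_preload /proc/PID/environ /proc/PID/maps
check_preload() {
    environ_file=$1 maps_file=$2 rc=0
    # environ is NUL-separated; LD_PRELOAD entries are split on spaces or colons.
    preload=$(tr '\0' '\n' < "$environ_file" |
              sed -n 's/^LD_PRELOAD=//p' | tr ': ' '\n\n')
    [ -n "$preload" ] || { echo "LD_PRELOAD not set"; return 2; }
    # Field 6 of a maps line is the backing file; keep real paths only.
    mapped=$(awk '$6 ~ /^\// { print $6 }' "$maps_file" | sort -u)
    for entry in $preload; do
        case $entry in
            */*) pattern=$entry
                 why="contains '/': dropped if secure-execution mode applies" ;;
            *)   pattern="*/$entry"
                 why="bare name: needs a standard directory and the setuid bit" ;;
        esac
        state=MISSING
        for path in $mapped; do
            case $path in $pattern) state=loaded; break ;; esac
        done
        if [ "$state" = loaded ]; then
            echo "loaded  $entry"
        else
            echo "MISSING $entry ($why)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data modelled on the two cases in the thread (paths shortened).
make_sample() {
    dir=$1
    printf 'USER=kamailio\0LD_PRELOAD=/opt/x/sslkeylog.so /usr/lib/libssl.so.1.1\0' > "$dir/env.bad"
    printf '%s\n' '7f1c0000-7f1c1000 r--p 00000000 08:06 266231 /usr/lib/libssl.so.1.1' \
                  '7ffd0000-7ffd1000 rw-p 00000000 00:00 0 [stack]' > "$dir/maps.bad"
    printf 'LD_PRELOAD=sslkeylog.so libssl.so.1.1\0USER=kamailio\0' > "$dir/env.ok"
    printf '%s\n' '7f970000-7f971000 r--p 00000000 08:06 266231 /usr/lib/libssl.so.1.1' \
                  '7f980000-7f981000 r-xp 00001000 08:06 262170 /usr/lib/sslkeylog.so' > "$dir/maps.ok"
}
```

The function returns 0 when every entry is mapped, 1 when at least one is missing, and 2 when LD_PRELOAD is not set at all.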