Add option for TLS key logging to implant when in debug mode

BishopFox · Sep 14, 2022 · 68d624f · 68d624f
1 parent acc4e39
commit 68d624f
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 2 deletions.
diff --git a/implant/sliver/cryptography/tlskeys.go b/implant/sliver/cryptography/tlskeys.go
@@ -0,0 +1,42 @@
+package cryptography
+
+/*
+	Sliver Implant Framework
+	Copyright (C) 2019  Bishop Fox
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import (
+	"os"
+)
+
+var (
+	// TLSKeyLogger - File descriptor for logging TLS keys
+	TLSKeyLogger = newKeyLogger()
+)
+
+func newKeyLogger() *os.File {
+	// {{if .Config.Debug}}
+	keyFilePath, present := os.LookupEnv("SSLKEYLOGFILE")
+	if present {
+		keyFile, err := os.OpenFile(keyFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
+		if err != nil {
+			return nil
+		}
+		return keyFile
+	}
+	// {{end}}
+	return nil
+}
diff --git a/implant/sliver/transports/httpclient/gohttp.go b/implant/sliver/transports/httpclient/gohttp.go
@@ -28,6 +28,7 @@ import (
 
 	// {{if .Config.Debug}}
 	"log"
+	"github.com/bishopfox/sliver/implant/sliver/cryptography"
 	// {{end}}
 
 	"github.com/bishopfox/sliver/implant/sliver/proxy"
@@ -36,12 +37,20 @@ import (
 // GoHTTPDriver - Pure Go HTTP driver
 func GoHTTPDriver(origin string, secure bool, opts *HTTPOptions) (HTTPDriver, error) {
 	var transport *http.Transport
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true, // We don't care about the HTTP(S) layer certs
+	}
+	// {{if .Config.Debug}}
+	if cryptography.TLSKeyLogger != nil {
+		tlsConfig.KeyLogWriter = cryptography.TLSKeyLogger
+	}
+	// {{end}}
 	if !secure {
 		transport = &http.Transport{
 			IdleConnTimeout:     time.Millisecond,
 			Dial:                proxy.Direct.Dial,
 			TLSHandshakeTimeout: opts.TlsTimeout,
-			TLSClientConfig:     &tls.Config{InsecureSkipVerify: true}, // We don't care about the HTTP(S) layer certs
+			TLSClientConfig:     tlsConfig,
 		}
 	} else {
 		transport = &http.Transport{
@@ -50,7 +59,7 @@ func GoHTTPDriver(origin string, secure bool, opts *HTTPOptions) (HTTPDriver, er
 				Timeout: opts.NetTimeout,
 			}).Dial,
 			TLSHandshakeTimeout: opts.TlsTimeout,
-			TLSClientConfig:     &tls.Config{InsecureSkipVerify: true}, // We don't care about the HTTP(S) layer certs
+			TLSClientConfig:     tlsConfig,
 		}
 	}
 	client := &http.Client{

diff --git a/implant/sliver/transports/mtls/mtls.go b/implant/sliver/transports/mtls/mtls.go
@@ -167,6 +167,11 @@ func getTLSConfig() *tls.Config {
 			return cryptography.RootOnlyVerifyCertificate(caCertPEM, rawCerts, verifiedChains)
 		},
 	}
+	// {{if .Config.Debug}}
+	if cryptography.TLSKeyLogger != nil {
+		tlsConfig.KeyLogWriter = cryptography.TLSKeyLogger
+	}
+	// {{end}}
 
 	return tlsConfig
 }