Dumping SSL/TLS master secrets
jgajek opened this issue · 3 comments
jgajek commented
Any interest in porting this feature over from the new Cuckoo 2.0 monitor? Based on a cursory review of the code, only two additional APIs in ncrypt.dll would need to be hooked: PRF and Ssl3GenerateKeyMaterial.
spender-sandbox commented
That's the simple part -- the part that will take more work is having a selective logger within lsass which can become a full cuckoomon if lsass is otherwise injected into during an analysis. Also need to merge in the rest of the infrastructure.
-Brad
jgajek commented
To simplify things, how about just having a checkbox on the Submit page to enable injection of the full cuckoomon into lsass.exe?
zashraf1337 commented
Which feature in Cuckoo 2.0 are you referring to? Thanks