This document summarizes a presentation about pentesting custom TLS stacks. It discusses using the scapy-ssl_tls tool to craft and analyze TLS packets in order to evaluate the security of custom TLS implementations. The presentation covers TLS protocol basics, features of scapy-ssl_tls like packet parsing and crypto hooks, and techniques for analyzing areas like supported versions/ciphers, the TLS state machine, Diffie-Hellman parameters, side channels, fragmentation, and more. It aims to provide a way to efficiently reproduce TLS attacks and help test responses to vulnerabilities.
SOSCON 2019.10.17
What are the methods for packet processing on Linux? And how fast are each packet processing methods? In this presentation, we will learn how to handle packets on Linux (User space, socket filter, netfilter, tc), and compare performance with analysis of where each packet processing is done in the network stack (hook point). Also, we will discuss packet processing using XDP, an in-kernel fast-path recently added to the Linux kernel. eXpress Data Path (XDP) is a high-performance programmable network data-path within the Linux kernel. The XDP is located at the lowest level of access through SW in the network stack, the point at which driver receives the packet. By using the eBPF infrastructure at this hook point, the network stack can be expanded without modifying the kernel.
Daniel T. Lee (Hoyeon Lee)
@danieltimlee
Daniel T. Lee currently works as Software Engineer at Kosslab and contributing to Linux kernel BPF project. He has interest in cloud, Linux networking, and tracing technologies, and likes to analyze the kernel's internal using BPF technology.
Quick talk on how to leverage scapy-ssl_tls to perform TLS 1.3 testing. Covers which area of the stack are less vulnerable with TLS 1.3 as opposed to 1.2.
Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis (Yoram Orzach)
Network analysis Using Wireshark Lesson
By the end of this lesson, the participant will be able to:
▫ Understand UDP and TCP network behavior
▫ Understand TCP connectivity problems
▫ Understand how to use Wireshark for TCP troubleshooting
Become Wireshark Certified - https://www.udemy.com/wireshark-tutorial/?couponCode=CEWS Understand Wireshark and how this network analyzer tool can help you succeed in your Wireshark job!
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
Modularized ETL Writing with Apache Spark (Databricks)
Apache Spark has been an integral part of Stitch Fix’s compute infrastructure. Over the past five years, it has become our de facto standard for most ETL and heavy data processing needs and expanded our capabilities in the Data Warehouse.
Since all our writes to the Data Warehouse are through Apache Spark, we took advantage of that to add more modules that supplement ETL writing. Config driven and purposeful, these modules perform tasks onto a Spark Dataframe meant for a destination Hive table.
These are organized as a sequence of transformations on the Apache Spark dataframe prior to being written to the table. These include a process of journalizing, which helps maintain a non-duplicated historical record of mutable data associated with different parts of our business.
Data quality, another such module, is enabled on the fly using Apache Spark. Using Apache Spark we calculate metrics and have an adjacent service to help run quality tests for a table on the incoming data.
And finally, we cleanse data based on provided configurations, validate and write data into the warehouse. We have an internal versioning strategy in the Data Warehouse that allows us to know the difference between new and old data for a table.
Having these modules at the time of writing data allows cleaning, validation and testing of data prior to entering the Data Warehouse thus relieving us, programmatically, of most of the data problems. This talk focuses on ETL writing in Stitch Fix and describes these modules that help our Data Scientists on a daily basis.
Open vSwitch - Stateful Connection Tracking & Stateful NAT (Thomas Graf)
Update on status of connection tracking and stateful NAT addition to the Linux kernel datapath. Followed by a discussion on the topic to collect ideas and come up with next steps.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
Spark (Structured) Streaming vs. Kafka Streams (Guido Schmutz)
Independent of the source of data, the integration and analysis of event streams gets more important in the world of sensors, social media streams and Internet of Things. Events have to be accepted quickly and reliably, they have to be distributed and analyzed, often with many consumers or systems interested in all or part of the events. In this session we compare two popular Streaming Analytics solutions: Spark Streaming and Kafka Streams.
Spark is a fast and general engine for large-scale data processing and has been designed to provide a more efficient alternative to Hadoop MapReduce. Spark Streaming brings Spark's language-integrated API to stream processing, letting you write streaming applications the same way you write batch jobs. It supports both Java and Scala.
Kafka Streams is the stream processing solution which is part of Kafka. It is provided as a Java library and by that can be easily integrated with any Java application.
This presentation shows how you can implement stream processing solutions with each of the two frameworks, discusses how they compare and highlights the differences and similarities.
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet (CASCouncil)
The CASC RSA 2014 Presentation - TECH-T09
New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet
Kirk Hall - Operations Director, Trust Service, Trend Micro
Rick Andrews - Senior Technical Director for Trust Services, Symantec
Wayne Thayer - VP and GM, Security Products, GoDaddy
Slides of the Webinar "SSL, impact and optimisation"
INTRODUCTION
What is SSL?
The purpose of SSL
History of SSL / TLS
Overview of a TLS connection
PART 1
What is the role of an SSL certificate?
Levels of validation
Options for certificates: SAN and Wildcard
The certificate ordering process
Certificate chain
SSL algorithms: encryption & authentication
Examples
PART 2
TLS and IPV4 exhaustion
HAProxy and SNI
TLS impacts
SSL offloading
SEO
Security of the SSL protocol
Secure Communication: Usability and Necessity of SSL/TLS (wolfSSL)
Network-related applications and devices often use secure communication. Although keeping network communications safe should be a top priority to all developers and engineers, it often gets left behind due to lack of understanding, insufficient funding, or looming deadlines.
Securing a project with SSL shouldn't have to include a steep learning curve, deep pockets, or an unlimited time frame. By learning a few basics of how things work, where the technology is best used, and what features to look for when trying to choose the right SSL implementation, a developer or engineer can easily, simply, and quickly secure their project - putting both themselves and their employer's minds at ease.
This presentation will introduce SSL - including why secure communication is important, introductory details about SSL, x509, and the underlying cryptography. It will give an overview of where SSL is used today - including Home Energy, Gaming, Databases, Sensors, VoIP, and more. A description of important items to look for when trying to choose an SSL implementation will give developers and engineers a solid foundation to begin securing their projects with SSL and will enable them to have more informed discussions with potential vendors.
Learn more at www.yassl.com.
Short Presentation (2 Hrs) on SSL and TLS Protocol and its reference standard. Good for intermediate participant or technical who want to understand secure protocol an
Vulnerability-tolerant Transport Layer Security (Miguel Pardal)
More information at: https://github.com/inesc-id/vtTLS/wiki
Vulnerability-tolerant Transport Layer Security (vtTLS) - Work presented at OPODIS 2017 on December 20th 2017
SSL/TLS communication channels play a very important role in Internet security, including cloud computing and server infrastructures. There are often concerns about the strength of the encryption mechanisms used in TLS channels. Vulnerabilities can lead to some of the cipher suites once thought to be secure to become insecure and no longer recommended for use or in urgent need of a software update. However, the deprecation/update process is very slow and weeks or months can go by before most web servers and clients are protected, and some servers and clients may never be updated. In the meantime, the communications are at risk of being intercepted and tampered by attackers.
In this presentation (and in the paper) we propose an alternative to TLS to mitigate the problem of secure communication channels being susceptible to attacks due to unexpected vulnerabilities in its mechanisms. Our solution, called Vulnerability-Tolerant Transport Layer Security (vtTLS), is based on diversity and redundancy of cryptographic mechanisms and certificates to ensure a secure communication even when one or more mechanisms are vulnerable. Our solution relies on a combination of k cipher suites which ensure that even if k − 1 cipher suites are insecure or vulnerable, the remaining cipher suite keeps the communication channel secure. The performance and cost of vtTLS were evaluated and compared with OpenSSL, one of the most widely used implementations of TLS.
The wolfSSL lightweight SSL/TLS library now includes TLS 1.3 support. This slide deck, from a seminar given in Tokyo, Japan, covers the differences in TLS 1.3 and what wolfSSL currently supports.
The design criteria behind TLS/SSL, presented at Cal Poly on 2010/6/3. An updated version of a previous talk, this presentation includes descriptions of the Null-byte certificate attack and the recent session renegotiation attack (both from 2009).
SSL Checklist for Pentesters (BSides MCR 2014) (Jerome Smith)
This presentation was made at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible).
I already have updated material (including SNI and OCSP Stapling) for the next version. Look out for future content @exploresecurity and @NCCGroupInfosec.
11 April 2016 - ION Bangladesh - Jan Zorz set up DNSSEC, DANE, and TLS in his go6lab and then tested the implementations in the top one million Alexa domains. Jan will share his experiences deploying, testing, and evaluating DNSSEC, DANE, and TLS in his own lab and explain the process he used.
Study and Analysis of some Known attacks on Transport Layer Security (Nazmul Hossain Rakib)
This paper is focused on study on some practically feasible attacks and threats against TLS based connection. The reader can also get an idea on SSL Strip attack presented here based on an experiment in a testbed environment. There are also some other attacks on TLS protocol such as BEAST, Padding Oracle Attack, STARTTLS command injection attack, Theft of RSA Private Keys, Triple Handshake etc. which are also discussed here descriptively. This study summarizes the common known attacks following RFC 7457 and their existence, appliance and remedies for the TLS activated server.
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers) (Gabriella Davis)
Two years ago enabling your site with SSL was a simple affair, buy a certificate or create your own, install it, then just remember to renew it every couple of years. Then, suddenly security holes are being found in SSL virtually every month , popular browsers stop connecting to your site to protect themselves, and you’re continually being told your users data is at risk. In this session we will discuss how it all went wrong and can go wrong again, then go through each step of requesting, generating and deploying a 4096 SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them with confidence this session will show you how!
Recover A RSA Private key from a TLS session with perfect forward secrecy (Priyanka Aash)
They always taught us that the only thing that can be pulled out from a SSL/TLS session using strong authentication and the latest Perfect Forward Secrecy ciphersuites is the public key of the certificate exchanged during the handshake - an insufficient condition to place a MiTM attack without generating alarms on the validity of the TLS connection and certificate itself. Anyway, this is not always true. In certain circumstances it is possible to derive the private key of the server regardless of the size of the used modulus. Even RSA keys of 4096 bits can be factored at the cost of a few CPU cycles and computational resources. All that is needed is the generation of a faulty digital signature from the server, an event that can be observed when certain conditions occur such as CPU overheating, RAM errors or other hardware faults. Because of these premises, devices like firewalls, switches, routers and other embedded appliances are more exposed than traditional IT servers or clients. During the talk, the author will explain the theory behind the attack, how common the factors are that make it possible and his custom practical implementation of the technique. At the end, a proof-of-concept, able to work both in passive mode (i.e. only by sniffing the network traffic) and in active mode (namely, by participating directly in the establishment of TLS handshakes), will be released.
(Source: Black Hat USA 2016, Las Vegas)
Joseph Salowey, Tableau Software
Transport Layer Security (TLS) 1.3 is almost here. The protocol that protects most of the Internet secure connections is getting the biggest ever revamp, and is losing a round-trip. We will explore differences between TLS 1.3 and previous versions in detail, focusing on the performance and security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption.
An overview on how WebRTC was written from the ground up with some specific concepts in mind, specifically to try and address Security, Authentication and Privacy the right way.
The talk first walks over some of the security issues of the older versions of the SSL/TLS protocol. Then it introduces the upcoming TLS 1.3 version, presenting its new features and adoption status.
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for... (Alexandre Moneger)
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even for ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions until it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
Padding oracle attacks are a class of relatively misunderstood attacks. Whilst they are generally well understood on the theoretical side, their practical impact is generally less clear. The talk will take a tour of padding oracle attacks, from discovery to remediation through exploitation.
It will focus mostly on the Bleichenbacher attack on PKCS1 padding, but will take a detour through the better understood PKCS7 attack on CBC mode if time permits.
I will present a tool I have written to exploit Bleichenbacher type attacks.
Buffer overflow exploitation without operating system protections is a well understood subject. But how does one achieve the same results with all protections enabled (NX, ASLR, …)? Hint: re-use what the vulnerable binary offers you.
2. Who am I?
• Security engineer at Citrix
• Interest in low level topics (crypto, fuzzing, exploit dev)
• "the views expressed herein are personal and stated in my individual capacity and in no way a statement or position of my employer"
1/16/16
Alex Moneger - Pentesting custom TLS stacks
1
3. Agenda
1. TLS attacks timeline
2. Difficulty in reproducing attacks
3. Quick refresher on TLS
4. Scapy-ssl_tls goals
5. Quick demo of scapy-ssl_tls capabilities
6. Custom TLS stacks, what to look for?
7. Scapy-ssl_tls crypto
8. Demo: detecting Poodle
9. Fuzzing capabilities
4. Introduction
• TLS is a critical protocol to the internet
• Very few alternatives
• Session layer protocol for other protocols
• Very complex
5. Introduction
• Protocol under scrutiny
• Growth of the number of attacks
• General lack of tooling
• Attacks are developed ad-hoc:
– Extensions of OpenSSL
– …
7. Introduction
• Protocol under scrutiny
• Growth of the number of protocol level attacks
• Numerous implementation bugs
11. Problems
• Understand the attack properly
• Practical impact (as opposed to theoretical problem)
• Reproducibility
• Fix (dev + Q&A)
• Fix for good (regression)
12. Response
• Customers do not always understand the practical impact
• Your response team has to provide a definite answer
• 2 solutions for custom implementations:
– Crypto code review:
• Lack of comparison point
• Hard to get the full picture when deep into a crypto routine
– PoC:
• Lack of tooling
• Big difference between regular lib and security focused lib
14. Basics
• TLS is session layer (layer 5)
• Performs a handshake then provides crypto
• Transparent to protocol
• High RTT (at least 4 packets, 2 RTT for handshake)
• Offers session resumption
• Can authenticate both client and server
• Provides integrity and confidentiality
• Relies on TCP for packet delivery and ordering
15. Message format
• Has sub-protocols within the protocol:
1. Handshake (negotiate parameters)
2. Change Cipher Spec (signal a cipher change)
3. Alert (error handling)
4. Application data (move data)
• Each of these sub-protocols is encapsulated in a Record header which holds:
– Proto version
– Payload length
– Payload type
16. TLS Record
• In charge of transporting the sub-protocols
• Record is always cleartext
• Payload length is not completely protected in TLS
• Records can be “stacked” inside a packet:
[Figure: a Record header (Version, Size, Length) followed by its payload (Handshake, Data, …), then further Record headers and payloads back to back in the same packet]
17. Handshake
• In charge of negotiating:
– Compression
– Crypto parameters
– Initiating crypto material
• In charge of ensuring handshake is free of in transit tampering (finish message)
• Extensible (through TLS extensions)
18. Handshake quirks
• Max size: 2**16, can be TLS fragmented
• Some messages can have arbitrary trailing data (support for unknown extensions)
• Doesn’t need a certificate (anonymous RSA, DH and ECDH)
• Can have “stacked” handshakes in a record (Java)
[Figure: one Record header followed by three Handshake messages]
19. Application Data
• Encrypted + authenticated packets
• Cleartext is HMACd then padded => MAC then encrypt… Padding is not protected by the MAC
[Figure, block ciphers: Record | Cleartext | HMAC | Padding | Padding length, with everything after the Record header encrypted]
• Stream ciphers:
[Figure: Record | Cleartext | HMAC, with everything after the Record header encrypted]
21. Introduction
• TLS & DTLS attack stack built above scapy
• Stateless (as much as possible)
• Packet crafting and dissecting
• Crypto session handling
• Sniffing (wire, pcap, …)
22. Why bother?
• TLS stacks are built to be robust
• Enforce input parameters to be valid
• Tear down connection on error
• Not very flexible
23. Goals
• Easy to install and use
• Simplify discovery and exploitation of TLS vulnerabilities
• Allow full control of any TLS field
• Tries very hard to maintain absolutely no state
• Good documentation and examples
• No checks or enforcements (up to user if desired)
• Sane defaults
• Transparent encryption
24. Features
• Full support:
– SSLv3, TLS 1.0, TLS 1.1, TLS 1.2 and DTLS
– RSA, DHE, ECDHE key exchanges with all available ciphers
– RSA and DSA signatures
– All TLS records and extensions
– Transparent decryption of TLS traffic
– Client certs
• Missing:
– AES-GCM and CCM
25. Installation
• Stable branch (v1.2.2 today):
– pip install scapy-ssl_tls
• Dev branch (latest features + examples):
– git clone https://github.com/tintinweb/scapy-ssl_tls
– Or pip install git+https://github.com/tintinweb/scapy-ssl_tls@master
• Feature branches:
– Replace @master by @branch
26. Concepts
• Start scapy
• All classes start with TLS:
– Allows easy autocomplete
• What fields are available in a given TLS record?
– ls(TLSClientHello)
• TLSSocket() is used to wrap the TCP socket
– This is your base element to send/recv traffic
• Build packets scapy style:
– p = TLSRecord()/TLSHandshake()/TLSClientHello()
33. Recon
• Fingerprint possible fork
• OpenSSL empty plaintext fragment
• JSSE stacked handshake
• Difference in Alert type when tampering with Finish message
34. State machine
• Tricky testing: mostly manual work and knowledge of the RFC
• Automated testing: FlexTLS:
– Example: mono FlexApps.exe -s efin --connect localhost:8443
• Gives a good starting point for manual testing
• Lots of legacy stuff: server-gated cryptography anyone?
35. Diffie Hellman
• Check the validity of server (EC)DH params
– Group size
– Primality
– Subgroup confinement attack (e.g. off-curve test for EC)
– Signature algo used
– …
• Send random values (small, non-prime, …)
• Scapy-ssl_tls uses TinyEC for EC calculations
• Allows EC arithmetic to be performed directly
36. Side channels (RSA)
• Pre Master Secret is decrypted by the server
• TLS mandates PKCS#1 v1.5 for padding
• This needs to be constant time, see classic Bleichenbacher
• Time and check for response differences on invalid padding (alert vs TCP reset)
• Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS
37. Side channels (ciphers)
• Padding and MAC checks must be constant time
• Alert type must be identical
• Time and check response when flipping bytes in padding and MAC
38. Proper byte checking
• Some implementations only verify a few bytes of padding, MAC and verify_data (finish hash)
• All bytes must be checked for obvious reasons
• Send application data packets with flipped padding, MAC and verify_data
• Make sure you always get an alert
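The MAC-then-pad layout from the Application Data slide together with the checks slides 37 and 38 ask for (every padding byte verified, constant-time MAC comparison, one outcome for both failures), as an added example that is not from the talk or from scapy-ssl_tls. It assumes an HMAC-SHA1 cipher suite with a 16-byte block cipher and operates on the already-decrypted CBC block; key and record are constructed.

```python
import hmac
import hashlib
import struct

MAC_LEN = hashlib.sha1().digest_size   # 20 bytes for the *_SHA cipher suites
BLOCK = 16                             # AES block size

def mac_then_pad(mac_key, seq, ctype, version, plaintext):
    """Build the CBC input the way TLS 1.0-1.2 does: data || HMAC || padding || pad_len.
    The HMAC covers seq || record header || data, so the padding is unauthenticated."""
    header = struct.pack("!QBHH", seq, ctype, version, len(plaintext))
    mac = hmac.new(mac_key, header + plaintext, hashlib.sha1).digest()
    body = plaintext + mac
    pad_len = BLOCK - (len(body) + 1) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def unpad_and_verify(mac_key, seq, ctype, version, decrypted):
    """Return (ok, data). Every padding byte is checked (no early exit), the MAC is
    compared in constant time, and a padding failure and a MAC failure yield the
    same result so the caller sends one alert type (bad_record_mac) for both."""
    if not decrypted:
        return False, b""
    pad_len = decrypted[-1]
    padding_ok = len(decrypted) >= pad_len + 1 + MAC_LEN
    if padding_ok:
        for b in decrypted[-(pad_len + 1):]:
            padding_ok &= (b == pad_len)          # keep checking after a mismatch
    # Run the MAC computation even when the padding is bad (result is discarded),
    # so the two failure paths do not differ by a whole HMAC of work.
    cut = len(decrypted) - pad_len - 1 if padding_ok else len(decrypted)
    data, recv_mac = decrypted[:cut - MAC_LEN], decrypted[cut - MAC_LEN:cut]
    header = struct.pack("!QBHH", seq, ctype, version, len(data))
    calc = hmac.new(mac_key, header + data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(calc, recv_mac)
    if not (padding_ok and mac_ok):
        return False, b""                        # one generic outcome for both failures
    return True, data

if __name__ == "__main__":
    key = b"k" * 20                              # constructed MAC key
    blob = mac_then_pad(key, 1, 23, 0x0303, b"GET / HTTP/1.1\r\n")
    tampered = bytearray(blob)
    tampered[-2] ^= 0xff                         # flip one padding byte, MAC untouched
    print(unpad_and_verify(key, 1, 23, 0x0303, blob))
    print(unpad_and_verify(key, 1, 23, 0x0303, bytes(tampered)))
```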
39. DDoS
• DTLS is UDP
• Returns a certificate chain on first packet
• DTLS hello => 64 bytes
• DTLS response => can be several kB
• Protection is built into the protocol, but is a MAY => HelloVerifyRequest
• Make sure to check that a cookie is returned upon multiple spoofed requests
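The server side of the HelloVerifyRequest cookie exchange this slide refers to, as an added example that is not from the talk or from scapy-ssl_tls: a stateless HMAC cookie bound to the client address and the ClientHello fields, so an unverified (possibly spoofed) address costs the server one HMAC rather than a certificate chain. The cookie layout and secret handling are assumptions; the sample addresses and hello bytes are constructed.

```python
import hmac
import hashlib
import os

# Server-side cookie secret; a real server would rotate it (assumed design).
COOKIE_SECRET = os.urandom(32)

def make_cookie(client_addr, client_hello_fields, secret=COOKIE_SECRET):
    """Stateless cookie: HMAC over the peer address and the ClientHello fields the
    client must repeat unchanged (version, random, cipher suites, ...)."""
    msg = client_addr.encode() + b"|" + client_hello_fields
    return hmac.new(secret, msg, hashlib.sha256).digest()

def handle_client_hello(client_addr, client_hello_fields, cookie=b"", secret=COOKIE_SECRET):
    """Return ("verify", cookie) for a hello without a valid cookie, i.e. answer with a
    HelloVerifyRequest and allocate nothing, or ("proceed", None) once the cookie echoes
    back from the same address with the same hello fields."""
    expected = make_cookie(client_addr, client_hello_fields, secret)
    if cookie and hmac.compare_digest(cookie, expected):
        return "proceed", None
    return "verify", expected

if __name__ == "__main__":
    # Constructed exchange: the first hello gets a cookie, the echoed hello proceeds.
    hello = b"\xfe\xfd" + b"\x11" * 32 + b"\xc0\x2f"
    action, cookie = handle_client_hello("198.51.100.7:5000", hello)
    print(action)
    print(handle_client_hello("198.51.100.7:5000", hello, cookie)[0])
```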
40. Fragmentation
• Any packet above 2**14 (16384) bytes must be fragmented
• But any fragment size can be chosen
• Few stacks support TLS re-assembly
• Can be used to bypass devices which parse TLS, but fail-open
• Server can be requested to fragment using the Maximum Fragment Length Negotiation extension
• DTLS allows to specify the fragment offset in the handshake
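A dissector for the record and handshake layouts described on slides 16 and 18 and the fragmentation described here, as an added example that is not from the talk or from scapy-ssl_tls: it splits a byte stream into stacked records, re-assembles handshake messages across record boundaries and splits stacked handshake messages, rejecting truncated input. The sample stream is constructed with dummy message bodies.

```python
import struct

HANDSHAKE = 22  # TLS record content type for the Handshake sub-protocol

def split_records(stream):
    """Split a TCP byte stream into (content_type, version, payload) records."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % off)
        records.append((ctype, version, body))
        off += 5 + length
    if off != len(stream):
        raise ValueError("%d trailing bytes after last record" % (len(stream) - off))
    return records

def handshake_messages(records):
    """Concatenate handshake record payloads (re-assembling fragments) and
    split the result into stacked (handshake_type, body) messages."""
    buf = b"".join(body for ctype, _, body in records if ctype == HANDSHAKE)
    msgs, off = [], 0
    while off + 4 <= len(buf):
        htype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("handshake message type %d is incomplete" % htype)
        msgs.append((htype, body))
        off += 4 + length
    if off != len(buf):
        raise ValueError("dangling handshake header bytes")
    return msgs

def record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

# Constructed sample (dummy bodies): record 1 stacks a ServerHello (2) with the first
# 20 bytes of a Certificate (11); record 2 carries the rest plus ServerHelloDone (14).
CERT = handshake(11, b"C" * 40)
SAMPLE_STREAM = (record(HANDSHAKE, handshake(2, b"S" * 8) + CERT[:20]) +
                 record(HANDSHAKE, CERT[20:] + handshake(14, b"")))

if __name__ == "__main__":
    for htype, body in handshake_messages(split_records(SAMPLE_STREAM)):
        print("handshake type %d, %d body bytes" % (htype, len(body)))
```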
42. tls_to_raw
• Scapy-ssl_tls exposes tls_to_raw()
• Calculates all crypto material for the packet
• Exposes some hooks:
– At compression time
– Pre and post encryption
• Allows acting on pre-calculated padding and MACs
to_raw(pkt, tls_ctx, include_record=True, compress_hook=None, pre_encrypt_hook=None, encrypt_hook=None)
43. Crypto container
• All crypto material stored in a CryptoContainer:
– IV, mac, padding, padding length
• Passed to and returned by crypto hooks:
# pre_encrypt_hook: receives the CryptoContainer (IV, MAC, padding) and must return it.
# `index` (assumed 0 here), `data` and `tls_socket` come from the calling code (see the notes).
index = 0
def modify_padding(crypto_container):
    padding = crypto_container.padding
    byte_flip = chr(ord(padding[index]) ^ 0xff)  # flip one padding byte; the MAC does not cover it
    crypto_container.padding = "%s%s%s" % (padding[:index], byte_flip, padding[index + 1:])
    return crypto_container
tls_to_raw(TLSPlaintext(data=data), tls_socket.tls_ctx, pre_encrypt_hook=modify_padding)
44. Usage
• Very useful to modify crypto state
• Without keeping track of PRF, ciphers, MACs,…
• Allows to easily reproduce attacks on crypto material
49. Strengths
• Scapy-ssl_tls can speed up PoC development
• PoC can be re-used as part of testing QA and regression
• Valuable to reproduce findings & develop mitigations
• Help in learning & experimenting with TLS
50. Thanks
• Thanks to tintinweb who started the project
• Bugs: https://github.com/tintinweb/scapy-ssl_tls/
• Contact:
– Github: alexmgr
53. Fuzzing
• Provides basic fuzzing through scapy
• Tries to be smart by preserving semantically necessary fields
• Use fuzz() function on any element
fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2()
###[ TLS Record ]###
  content_type= handshake    <= preserved
  version= 0x7391            <= fuzzed
  length= 0x6                <= preserved
###[ TLS Handshake ]###
  type= supplemental_data    <= overridden
  length= 0x2                <= preserved
###[ Raw ]###
  load= '(r'                 <= fuzzed
54. Fuzzing
• Only good for basic fuzzing
• Simple to plug in your own fuzzer
• Just generate data, scapy-ssl_tls takes care of the rest
• Good targets: TLS extensions, certificates, …
55. Examples
• The example section contains some useful base tools:
– RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark)
– Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …)
– Downgrade test
– …
• Just baselines to write your own tools
Editor's Notes
I’m quite slow, so to fully understand something, I need to repro and play with it
Customers don’t always understand the practical impact. No kidding, sometimes as a security engineer it takes you a few hours/days
But your response team has to provide a statement quickly
Both approaches require you to understand the issue in depth. But it’s harder to make a mistake with a PoC. It’s also easier to perform code review with a PoC
PoC provides reproducibility, which provides Q&A and regression for free
CCS encrypts one byte under the current cipher state. Next packet will be encrypted with the new cipher
All attacks target 1 (Handshake) or 4 (Application data)
No attacks on record layer
Compression is not a good idea. See CRIME
Crypto parameters:
- Kex (what is used to exchange the PMS)? ECDH, DH, RSA, …
- Sig (what is used to sign the Kex)?
- Cipher used (stream, CBC)
- HMAC hash algo to generate the MAC
Notice that the signature method for the Kex is not specified. Hardcoded as MD5+SHA in the spec. Configured through a TLS extension in TLS 1.2
TLS finish message is the first encrypted message and carries the hash of previous messages. Assures that both client and server agree about messages exchanged.
ALPN tells the server which upper layer protocol is negotiated (HTTP/2, SPDY, …)
SNI tells which hostname the TLS connection is destined to. Allows the server to return the right cert when TLS sites are co-hosted
PRF is a mixing function which uses MD5+SHA1 until TLS 1.2
TLS 1.2 uses SHA256
Fragment size is 2**14, so a handshake payload can be fragmented across several records
This is an interesting edge case, especially for DTLS where one can specify both the fragment sequence and offset. Exposes interesting attacks, very similar to IP fragmentation
Arbitrary trailing data: SLOTH used MD5 pre-images in TLS 1.2 to MITM TLS connections (+ known weak DH params)
Stacked handshakes can be used to fingerprint TLS stacks to some extent
Source of problems that we know of: POODLE, POODLE 2…
Explicit IVs are the cause of the delay in migration to TLS 1.1 I think
Force to reset the state of the cipher
Writing an offensive stack is very different.
All recommendations you normally provide to devs should be ignored. Do not validate length, format, signatures, … All validation is up to you, scapy-ssl_tls only reports data
cd /Users/amoneger/projects/contrib/scapy-ssl_tls
tests/integration/openssl_tls_server.sh tls1_2
Enter TLS and press tab to autocomplete
Craft a TLSRecord with a TLSHandshake. Do a show(), do a ls()
Modify length field of the record
Talk about tls_context and the various crypto parameters
# Demo script from the notes. Outside an interactive scapy session the scapy-ssl_tls
# layer must be imported first (module path as given in the project README).
from scapy_ssl_tls.ssl_tls import *
import socket

version = TLSVersion.TLS_1_2
ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
host = ("localhost", 8443)  # the openssl_tls_server.sh test server started above
app_payload = "GET / HTTP/1.1\r\nHOST: example.com\r\n\r\n"
socket_ = socket.socket()
socket_.connect(host)
tls_socket = TLSSocket(socket_, client=True)
# Handshake: negotiates version and cipher, fills tls_socket.tls_ctx with the session keys
tls_do_handshake(tls_socket, version, ciphers)
# Application data: to_raw() MACs and encrypts the plaintext using the context
tls_socket.sendall(to_raw(TLSPlaintext(data=app_payload), tls_socket.tls_ctx))
response = tls_socket.recvall()
response.show()
print(tls_socket.tls_ctx)
For ciphers, check SCSV for downgrade prevention
Custom stacks seem to generally be forks of OSS projects at one stage.
It is interesting to try and fingerprint where it comes from, to then try and look for known implementation vulnerabilities on the stack
You can probably pinpoint to the version with some research
FlexTLS is based on miTLS, which is a verified reference implementation of TLS
It implements a number of known attacks against the TLS state machine.
Source code was only very recently released. A great reference tool to go after TLS state machine
server-gated cryptography: client renegotiation based on server cert
Mention that the PMS should start with the client version from the ClientHello. Prevents rollback attacks
Padding in TLS can be any length up to 255 bytes.
Check that implementation respects that.
DTLS is like IP from the old days ;)
Possible values start at 2**9 = 512. Only active after Server Hello is received.