AM
Uploaded byAlexandre Moneger
PPTX, PDF3,193 views

Scapy TLS: A scriptable TLS 1.3 stack

The document presents an overview of Scapy-SSL_TLS, a scriptable TLS 1.3 stack designed to simplify the discovery and exploitation of TLS vulnerabilities. It discusses the increasing complexity and frequency of TLS attacks, the difficulty of reproducing them, and outlines goals for the Scapy-SSL_TLS project. Additionally, it provides insights into fuzzing capabilities, custom TLS stacks, and serves as a guide for developers and security researchers.

Embed presentation

Downloaded 30 times
Scapy TLS: a scriptable TLS 1.3 stack Alex Moneger
Agenda 1. TLS attacks timeline 2. Difficulty in reproducing attacks 3. Scapy-ssl_tls goals 4. Quick demo of scapy-ssl_tls capabilities 5. Custom TLS stacks, what to look for? 6. Fuzzing capabilities 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 1
Introduction • TLS is a critical protocol to the internet • Very few alternatives • Session layer protocol for other protocols • Very complex 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 2
TLS PROTOCOL LEVEL ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 3
Introduction • Protocol under scrutiny • Growth of the number of protocol level attacks • Numerous implementation bugs 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 4
Timeline 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 5 Renegotiation 2009 20162013 BEAST CRIME 2014 2015201220112010 BREACH Lucky13 POODLE POODLE2 FREAK LOGJAM SLOTH THS
Observations • TLS protocol attacks increase: – Frequency – Complexity • 2 classes: – Protocol level – Crypto level 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 6
REPRODUCING ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 7
Problems • Understand the attack properly • Practical impact (as opposed to theoretical problem) • Reproducibility • Fix (dev + Q&A) • Fix for good (regression) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 8
Response • Customers do not always understand the practical impact • Your response team has to provide a definite answer • 2 solutions for custom implementations: – Crypto code review: • Lack of comparison point • Hard to get the full picture when deep into a crypto routine – PoC: • Lack of tooling • Big difference between regular lib and security focused lib 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 9
SCAPY-SSL_TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 10
Introduction • TLS & DTLS scriptable stack built above scapy • Stateless (as much as possible) • Packet crafting and dissecting • Crypto session handling • Sniffing (wire, pcap, …) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 11
Why bother? • TLS stacks are built to be robust • Enforce input parameters to be valid • Tear down connection on error • Not very flexible 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 12
Goals • Easy to install and use • Simplify discovery and exploitation of TLS vulnerabilities • Allow full control of any TLS field • Tries very hard to maintain absolutely no state • Good documentation and examples • No checks or enforcements (up to user if desired) • Sane defaults • Transparent encryption 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 13
Concepts • Start scapy • All classes start with TLS: – Allows easy autocomplete • What fields are available in a given TLS record? – ls(TLSClientHello) • TLSSocket() is used to wrap the TCP socket – This is your base element to send/recv traffic • Build packets scapy style: – p = TLSRecord()/TLSHandshake()/TLSClientHello() 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 14
DEMO Packet crafting/parsing 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 15
A simple TLS 1.3 client with TLSSocket(client=True) as tls_socket: try: tls_socket.connect(ip) print("Connected to server: %s" % (ip,)) except socket.timeout: print("Failed to open connection to server: %s" % (ip,), file=sys.stderr) else: try: server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions) server_hello.show() except TLSProtocolError as tpe: print("Got TLS error: %s" % tpe, file=sys.stderr) tpe.response.show() else: resp = tls_socket.do_round_trip(TLSPlaintext(data="GET / HTTP/1.1rnHOST: localhostrnrn")) print("Got response from server") resp.show() finally: print(tls_socket.tls_ctx) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 16
Viewing a packet ###[ TLS Record ]### content_type= handshake version= TLS_1_0 length= 0x36 ###[ TLS Handshakes ]### handshakes |###[ TLS Handshake ]### | type= client_hello | length= 0x32 |###[ TLS Client Hello ]### | version= TLS_1_2 | gmt_unix_time= 1494985553 | random_bytes= 'xa6;x10{x0fx7fUx88xeaHxc6xafxf8xe4xedxd56x07xcfxd6x85xc1^xbdx1fxa3x02x85' | session_id_length= 0x0 | session_id= '' | cipher_suites_length= 0x2 | cipher_suites= ['ECDHE_RSA_WITH_AES_256_GCM_SHA384'] | compression_methods_length= 0x1 | compression_methods= ['NULL'] | extensions_length= 0x7 | extensions | |###[ TLS Extension ]### | | type= supported_versions | | length= 0x3 | |###[ TLS Extension Supported Versions ]### | | length= 0x2 | | versions= ['TLS_1_3_DRAFT_18'] 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 17
A TLS 1.3 server server_hello = TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSServerHello(version=version, cipher_suite=TLSCipherSuite.TLS_AES_256_GCM_SHA384, extensions=[key_share])]) client_socket.sendall(server_hello) client_socket.sendall(TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSEncryptedExtensions(extensions=[named_groups]), TLSHandshake() / TLSCertificateList() / TLS13Certificate( certificates=certificates)])) client_socket.sendall(TLSHandshakes(handshakes=[ TLSHandshake() / TLSCertificateVerify(alg=TLSSignatureScheme.RSA_PKCS1_SHA256, sig=client_socket.tls_ctx.compute_server_cert_verify())])) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 18
WHAT TO LOOK FOR 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 19
Recon • Fingerprint possible fork • OpenSSL empty plaintext fragment • JSSE, NSS stacked handshake • Difference in Alert type when tampering with Finish message • Alert is loosely defined, so stack specific 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 20
State machine • Tricky testing: mostly manual work and knowledge of RFC • Automated testing: FlexTLS: – Example: mono FlexApps.exe -s efin --connect localhost:8443 • Gives a good starting point for manual testing • Lot of legacy stuff: server-gated cryptography anyone? 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 21
Diffie Hellman • Check the validity of server (EC)DH params – Group size – Primality – Subgroup confinement attack (e.g: Off curve test (EC)) – Signature algo used – … • Send interesting values (small, non-prime, …) • Scapy-ssl_tls uses TinyEC for EC calculation • Allows to perform EC arithmetic 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 22
Side channels (RSA) • Pre Master Secret is decrypted • TLS mandates PKCS1 v1.5 for padding • This needs to be constant time, see classic Bleichenbacher • Time and Check for response difference on invalid padding (alert vs tcp reset) • Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 23
Side channels (ciphers) • Padding and MAC checks must be constant time • Alert type must be identical • Time and check response when flipping bytes in padding and MAC • Check for nonce reuse 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 24
Proper byte checking • Some implementation only verify a few bytes of padding, MAC and verify_data (finish hash) • All bytes must be checked for obvious reasons • Send application data packets with flipped padding, MAC and verify_data • Make sure you always get an alert 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 25
Fragmentation • Any packet above 2**14 (16384) bytes must be fragmented • But any fragment size can be chosen • Some stacks don’t cope well with TLS re-assembly • Can be used to bypass devices which parse TLS, but fail- open • Server can be requested to fragment using the Maximum Fragment Length Negotiation extension • DTLS allows to specify the fragment offset in the handshake 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 26
TLS 1.3 specific • Spec doesn’t leave a lot of room for implementation errors • Handling of 0-RTT, early data, PFS • Resumption checks (SNI) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 27
CONCLUSION 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 28
Strengths • Scapy-ssl_tls can speed up PoC development • PoC can be re-used as part of testing QA and regression • Valuable to reproduce findings & develop mitigations • Help in learning & experimenting with TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 29
Thanks • Thanks to tintinweb who started the project • Bugs: https://github.com/tintinweb/scapy- ssl_tls/ • Contact: – Github: alexmgr 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 30
THANKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 31
IF TIME ALLOWS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 32
Fuzzing • Provides basic fuzzing through scapy • Tries to be smart by preserving semantically necessary fields • Use fuzz() function on any element 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 33 fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2() ###[ TLS Record ]### content_type= handshake <= preserved version= 0x7391 <= fuzzed length= 0x6 <= preserved ###[ TLS Handshake ]### type= supplemental_data <= overriden length= 0x2 <= preserved ###[ Raw ]### load= '(r’ <= fuzzed
Fuzzing • Only good for basic fuzzing • Simple to plug in your own fuzzer • Just generate data, scapy-ssl_tls takes care of the rest • Good targets: TLS extensions, certificates, … 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 34
Examples • The example section contains some useful base tools: – RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark) – Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …) – Downgrade test – … • Just baselines to write your own tools 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 35

More Related Content

PDF
Intel dpdk Tutorial
bySaifuddin Kaijar
 
PDF
How VXLAN works on Linux
byEtsuji Nakai
 
PDF
DPDK In Depth
byKernel TLV
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
TC Flower Offload
byNetronome
 
PPTX
File transfer protocol (ftp)
byCort1026
 
PDF
Ixgbe internals
bySUSE Labs Taipei
 
PDF
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 
Intel dpdk Tutorial
bySaifuddin Kaijar
 
How VXLAN works on Linux
byEtsuji Nakai
 
DPDK In Depth
byKernel TLV
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
TC Flower Offload
byNetronome
 
File transfer protocol (ftp)
byCort1026
 
Ixgbe internals
bySUSE Labs Taipei
 
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 

What's hot

PDF
PLNOG 7: Pierre Francois - BGP Add-Paths
byPROIDEA
 
PPTX
Understanding DPDK
byDenys Haryachyy
 
PDF
ProxySQL at Scale on AWS.pdf
byAleksandr Kuzminsky
 
PDF
Linux Performance Profiling and Monitoring
byGeorg Schönberger
 
PDF
Plny12 galera-cluster-best-practices
byDimas Prasetyo
 
PDF
DPDK: Multi Architecture High Performance Packet Processing
byMichelle Holley
 
PPTX
Testing an onion architecture - done right
byMichel Schudel
 
PDF
Learned from KIND
byHungWei Chiu
 
PPTX
OVS v OVS-DPDK
byMd Safiyat Reza
 
PDF
Velocity 2015 linux perf tools
byBrendan Gregg
 
PDF
VLANs in the Linux Kernel
byKernel TLV
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
DOCX
3PAR: HOW TO CHANGE THE IP ADDRESS OF HP 3PAR SAN
bySaroj Sahu
 
PPTX
Dpdk applications
byVipin Varghese
 
PPTX
HyperText Transfer Protocol (HTTP)
byGurjot Singh
 
PDF
Demystfying container-networking
byBalasundaram Natarajan
 
PDF
Traceroute- A Networking Tool
byAmit Kumar
 
PPT
System Administration: Introduction to system administration
byKhang-Ling Loh
 
PDF
TFTP - Trivial File Transfer Protocol
byPeter R. Egli
 
PDF
Linux Systems Performance 2016
byBrendan Gregg
 
PLNOG 7: Pierre Francois - BGP Add-Paths
byPROIDEA
 
Understanding DPDK
byDenys Haryachyy
 
ProxySQL at Scale on AWS.pdf
byAleksandr Kuzminsky
 
Linux Performance Profiling and Monitoring
byGeorg Schönberger
 
Plny12 galera-cluster-best-practices
byDimas Prasetyo
 
DPDK: Multi Architecture High Performance Packet Processing
byMichelle Holley
 
Testing an onion architecture - done right
byMichel Schudel
 
Learned from KIND
byHungWei Chiu
 
OVS v OVS-DPDK
byMd Safiyat Reza
 
Velocity 2015 linux perf tools
byBrendan Gregg
 
VLANs in the Linux Kernel
byKernel TLV
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
3PAR: HOW TO CHANGE THE IP ADDRESS OF HP 3PAR SAN
bySaroj Sahu
 
Dpdk applications
byVipin Varghese
 
HyperText Transfer Protocol (HTTP)
byGurjot Singh
 
Demystfying container-networking
byBalasundaram Natarajan
 
Traceroute- A Networking Tool
byAmit Kumar
 
System Administration: Introduction to system administration
byKhang-Ling Loh
 
TFTP - Trivial File Transfer Protocol
byPeter R. Egli
 
Linux Systems Performance 2016
byBrendan Gregg
 

Similar to Scapy TLS: A scriptable TLS 1.3 stack

PPTX
Pentesting custom TLS stacks
byAlexandre Moneger
 
PDF
CNIT 141: 13. TLS
bySam Bowne
 
PDF
CNIT 141 13. TLS
bySam Bowne
 
PPTX
Cours4.pptx
byBellaj Badr
 
ODP
Tls 13final13
byVitezslav Cizek
 
PDF
wolfSSL and TLS 1.3
bywolfSSL
 
PDF
Transport Layer Security
byIbrahiem Mohammed
 
PDF
CNIT 141: 13. TLS
bySam Bowne
 
PPT
Transport layer security.ppt
byImXaib
 
PPTX
Transport Layer Security
byHuda Seyam
 
PPTX
SIP over TLS
byHossein Yavari
 
DOCX
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
bytroutmanboris
 
PPTX
Module2 PPrwgerbetytbteynyunyunythyhtyT.pptx
byThanushB1
 
PDF
Study and analysis of some known attacks on transport layer security
byNazmul Hossain Rakib
 
DOCX
Transport Layer Security
bySanjeev Kumar Jaiswal
 
PPTX
Sequere socket Layer
byRaghavendra Rao
 
PDF
Overview of SSL & TLS Client-Server Interactions
byKatie Knowles
 
PPTX
Transport layer security
byHrudya Balachandran
 
PPTX
Transport layer security
byHrudya Balachandran
 
PPTX
ncsmodule module department of electronics
byPrateekJoshi63
 
Pentesting custom TLS stacks
byAlexandre Moneger
 
CNIT 141: 13. TLS
bySam Bowne
 
CNIT 141 13. TLS
bySam Bowne
 
Cours4.pptx
byBellaj Badr
 
Tls 13final13
byVitezslav Cizek
 
wolfSSL and TLS 1.3
bywolfSSL
 
Transport Layer Security
byIbrahiem Mohammed
 
CNIT 141: 13. TLS
bySam Bowne
 
Transport layer security.ppt
byImXaib
 
Transport Layer Security
byHuda Seyam
 
SIP over TLS
byHossein Yavari
 
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
bytroutmanboris
 
Module2 PPrwgerbetytbteynyunyunythyhtyT.pptx
byThanushB1
 
Study and analysis of some known attacks on transport layer security
byNazmul Hossain Rakib
 
Transport Layer Security
bySanjeev Kumar Jaiswal
 
Sequere socket Layer
byRaghavendra Rao
 
Overview of SSL & TLS Client-Server Interactions
byKatie Knowles
 
Transport layer security
byHrudya Balachandran
 
Transport layer security
byHrudya Balachandran
 
ncsmodule module department of electronics
byPrateekJoshi63
 

More from Alexandre Moneger

PPTX
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
byAlexandre Moneger
 
PPTX
NBTC#2 - Why instrumentation is cooler then ice
byAlexandre Moneger
 
PPTX
Practical rsa padding oracle attacks
byAlexandre Moneger
 
PPTX
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
byAlexandre Moneger
 
PPTX
03 - Refresher on buffer overflow in the old days
byAlexandre Moneger
 
PPTX
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
PPTX
02 - Introduction to the cdecl ABI and the x86 stack
byAlexandre Moneger
 
PPTX
06 - ELF format, knowing your friend
byAlexandre Moneger
 
PPTX
05 - Bypassing DEP, or why ASLR matters
byAlexandre Moneger
 
PPTX
04 - I love my OS, he protects me (sometimes, in specific circumstances)
byAlexandre Moneger
 
PPTX
09 - ROP countermeasures, can we fix this?
byAlexandre Moneger
 
PPTX
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
PPTX
ROP ‘n’ ROLL, a peak into modern exploits
byAlexandre Moneger
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
byAlexandre Moneger
 
NBTC#2 - Why instrumentation is cooler then ice
byAlexandre Moneger
 
Practical rsa padding oracle attacks
byAlexandre Moneger
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
byAlexandre Moneger
 
03 - Refresher on buffer overflow in the old days
byAlexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
02 - Introduction to the cdecl ABI and the x86 stack
byAlexandre Moneger
 
06 - ELF format, knowing your friend
byAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
byAlexandre Moneger
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
byAlexandre Moneger
 
09 - ROP countermeasures, can we fix this?
byAlexandre Moneger
 
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
ROP ‘n’ ROLL, a peak into modern exploits
byAlexandre Moneger
 

Recently uploaded

PPTX
M1 - HPE Alletra Storage MP B10000 - presenter.pptx
byThanhBnhNguyn92
 
PDF
Basic Thumb rule For switchgear Selection
byVimal Kr
 
PDF
FPGA Fabric and Synthesis All Parts Combined
byAmr Adel
 
PDF
Reality Check Deploying Computer Vision and LLMs at the Edge
byICS
 
PPTX
What TPM Looks Like When You’re Short-Staffed and Still Make It Work | Lean T...
byMaintWiz Technologies Private Limited
 
PPTX
The Half-Life of Preventive Maintenance: Why PM Compliance Fails & How to Res...
byMaintWiz Technologies Private Limited
 
PPTX
Fake News Detection System | Plagiarism detection
bysurajkanojiya13
 
PPT
psoc_unit_one_for_all_thoery_potion_are_coverd_in_the_this_unit_for_everything
bysabinesh200517
 
PPTX
WOWVerse Workshop: Agentic AI & LLM Workshop
byram27belitkar
 
PDF
Brillouin zone analysis using Kronig-Penny model
byRCC Institute of Information Technology
 
PDF
5.5 Inch 4K TFT LCD Display 3840×2160 UHD Panel – LS055D1SX05(G)
bySyluxdisplay
 
PDF
JVM in the Age of AI: 2026 Edition - Deep Dive
byArtur Skowroński
 
PPTX
TRICKLING FILTER PROCESS FOR WASTEWATER TREATMENT.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
PDF
God series - Physics video office crossed
byjangidankit8781
 
PDF
Formality - Logic Equivalence Checking - Part 2
byAmr Adel
 
PDF
Process Scheduling Scheduling Queue, Types of Sheduler
bySanjay Gunjal
 
PDF
EDIH TRAINING AI FOR COMPANIES: MODULE 4
byHristian Daskalov
 
PDF
10 Tips for Successfully Purchasing Twitter Accounts.pdf
bymarketing
 
PPTX
Why Air Droppable Containers Are Critical for Modern Aerial Logistics
byNeometrix_Engineering_Pvt_Ltd
 
PPTX
Tips for Designing Flex Circuits for Medical Applications
byEpec Engineered Technologies
 
M1 - HPE Alletra Storage MP B10000 - presenter.pptx
byThanhBnhNguyn92
 
Basic Thumb rule For switchgear Selection
byVimal Kr
 
FPGA Fabric and Synthesis All Parts Combined
byAmr Adel
 
Reality Check Deploying Computer Vision and LLMs at the Edge
byICS
 
What TPM Looks Like When You’re Short-Staffed and Still Make It Work | Lean T...
byMaintWiz Technologies Private Limited
 
The Half-Life of Preventive Maintenance: Why PM Compliance Fails & How to Res...
byMaintWiz Technologies Private Limited
 
Fake News Detection System | Plagiarism detection
bysurajkanojiya13
 
psoc_unit_one_for_all_thoery_potion_are_coverd_in_the_this_unit_for_everything
bysabinesh200517
 
WOWVerse Workshop: Agentic AI & LLM Workshop
byram27belitkar
 
Brillouin zone analysis using Kronig-Penny model
byRCC Institute of Information Technology
 
5.5 Inch 4K TFT LCD Display 3840×2160 UHD Panel – LS055D1SX05(G)
bySyluxdisplay
 
JVM in the Age of AI: 2026 Edition - Deep Dive
byArtur Skowroński
 
TRICKLING FILTER PROCESS FOR WASTEWATER TREATMENT.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
God series - Physics video office crossed
byjangidankit8781
 
Formality - Logic Equivalence Checking - Part 2
byAmr Adel
 
Process Scheduling Scheduling Queue, Types of Sheduler
bySanjay Gunjal
 
EDIH TRAINING AI FOR COMPANIES: MODULE 4
byHristian Daskalov
 
10 Tips for Successfully Purchasing Twitter Accounts.pdf
bymarketing
 
Why Air Droppable Containers Are Critical for Modern Aerial Logistics
byNeometrix_Engineering_Pvt_Ltd
 
Tips for Designing Flex Circuits for Medical Applications
byEpec Engineered Technologies
 

Scapy TLS: A scriptable TLS 1.3 stack

  • 1.
    Scapy TLS: ascriptable TLS 1.3 stack Alex Moneger
  • 2.
    Agenda 1. TLS attackstimeline 2. Difficulty in reproducing attacks 3. Scapy-ssl_tls goals 4. Quick demo of scapy-ssl_tls capabilities 5. Custom TLS stacks, what to look for? 6. Fuzzing capabilities 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 1
  • 3.
    Introduction • TLS isa critical protocol to the internet • Very few alternatives • Session layer protocol for other protocols • Very complex 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 2
  • 4.
    TLS PROTOCOL LEVELATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 3
  • 5.
    Introduction • Protocol underscrutiny • Growth of the number of protocol level attacks • Numerous implementation bugs 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 4
  • 6.
    Timeline 18 May 2017 AlexMoneger - Scapy TLS: a scriptable TLS 1.3 stack 5 Renegotiation 2009 20162013 BEAST CRIME 2014 2015201220112010 BREACH Lucky13 POODLE POODLE2 FREAK LOGJAM SLOTH THS
  • 7.
    Observations • TLS protocolattacks increase: – Frequency – Complexity • 2 classes: – Protocol level – Crypto level 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 6
  • 8.
    REPRODUCING ATTACKS 18 May2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 7
  • 9.
    Problems • Understand theattack properly • Practical impact (as opposed to theoretical problem) • Reproducibility • Fix (dev + Q&A) • Fix for good (regression) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 8
  • 10.
    Response • Customers donot always understand the practical impact • Your response team has to provide a definite answer • 2 solutions for custom implementations: – Crypto code review: • Lack of comparison point • Hard to get the full picture when deep into a crypto routine – PoC: • Lack of tooling • Big difference between regular lib and security focused lib 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 9
  • 11.
    SCAPY-SSL_TLS 18 May 2017 AlexMoneger - Scapy TLS: a scriptable TLS 1.3 stack 10
  • 12.
    Introduction • TLS &DTLS scriptable stack built above scapy • Stateless (as much as possible) • Packet crafting and dissecting • Crypto session handling • Sniffing (wire, pcap, …) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 11
  • 13.
    Why bother? • TLSstacks are built to be robust • Enforce input parameters to be valid • Tear down connection on error • Not very flexible 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 12
  • 14.
    Goals • Easy toinstall and use • Simplify discovery and exploitation of TLS vulnerabilities • Allow full control of any TLS field • Tries very hard to maintain absolutely no state • Good documentation and examples • No checks or enforcements (up to user if desired) • Sane defaults • Transparent encryption 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 13
  • 15.
    Concepts • Start scapy •All classes start with TLS: – Allows easy autocomplete • What fields are available in a given TLS record? – ls(TLSClientHello) • TLSSocket() is used to wrap the TCP socket – This is your base element to send/recv traffic • Build packets scapy style: – p = TLSRecord()/TLSHandshake()/TLSClientHello() 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 14
  • 16.
    DEMO Packet crafting/parsing 18 May2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 15
  • 17.
    A simple TLS1.3 client with TLSSocket(client=True) as tls_socket: try: tls_socket.connect(ip) print("Connected to server: %s" % (ip,)) except socket.timeout: print("Failed to open connection to server: %s" % (ip,), file=sys.stderr) else: try: server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions) server_hello.show() except TLSProtocolError as tpe: print("Got TLS error: %s" % tpe, file=sys.stderr) tpe.response.show() else: resp = tls_socket.do_round_trip(TLSPlaintext(data="GET / HTTP/1.1rnHOST: localhostrnrn")) print("Got response from server") resp.show() finally: print(tls_socket.tls_ctx) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 16
  • 18.
    Viewing a packet ###[TLS Record ]### content_type= handshake version= TLS_1_0 length= 0x36 ###[ TLS Handshakes ]### handshakes |###[ TLS Handshake ]### | type= client_hello | length= 0x32 |###[ TLS Client Hello ]### | version= TLS_1_2 | gmt_unix_time= 1494985553 | random_bytes= 'xa6;x10{x0fx7fUx88xeaHxc6xafxf8xe4xedxd56x07xcfxd6x85xc1^xbdx1fxa3x02x85' | session_id_length= 0x0 | session_id= '' | cipher_suites_length= 0x2 | cipher_suites= ['ECDHE_RSA_WITH_AES_256_GCM_SHA384'] | compression_methods_length= 0x1 | compression_methods= ['NULL'] | extensions_length= 0x7 | extensions | |###[ TLS Extension ]### | | type= supported_versions | | length= 0x3 | |###[ TLS Extension Supported Versions ]### | | length= 0x2 | | versions= ['TLS_1_3_DRAFT_18'] 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 17
  • 19.
    A TLS 1.3server server_hello = TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSServerHello(version=version, cipher_suite=TLSCipherSuite.TLS_AES_256_GCM_SHA384, extensions=[key_share])]) client_socket.sendall(server_hello) client_socket.sendall(TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSEncryptedExtensions(extensions=[named_groups]), TLSHandshake() / TLSCertificateList() / TLS13Certificate( certificates=certificates)])) client_socket.sendall(TLSHandshakes(handshakes=[ TLSHandshake() / TLSCertificateVerify(alg=TLSSignatureScheme.RSA_PKCS1_SHA256, sig=client_socket.tls_ctx.compute_server_cert_verify())])) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 18
  • 20.
    WHAT TO LOOKFOR 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 19
  • 21.
    Recon • Fingerprint possiblefork • OpenSSL empty plaintext fragment • JSSE, NSS stacked handshake • Difference in Alert type when tampering with Finish message • Alert is loosely defined, so stack specific 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 20
  • 22.
    State machine • Trickytesting: mostly manual work and knowledge of RFC • Automated testing: FlexTLS: – Example: mono FlexApps.exe -s efin --connect localhost:8443 • Gives a good starting point for manual testing • Lot of legacy stuff: server-gated cryptography anyone? 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 21
  • 23.
    Diffie Hellman • Checkthe validity of server (EC)DH params – Group size – Primality – Subgroup confinement attack (e.g: Off curve test (EC)) – Signature algo used – … • Send interesting values (small, non-prime, …) • Scapy-ssl_tls uses TinyEC for EC calculation • Allows to perform EC arithmetic 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 22
  • 24.
    Side channels (RSA) •Pre Master Secret is decrypted • TLS mandates PKCS1 v1.5 for padding • This needs to be constant time, see classic Bleichenbacher • Time and Check for response difference on invalid padding (alert vs tcp reset) • Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 23
  • 25.
    Side channels (ciphers) •Padding and MAC checks must be constant time • Alert type must be identical • Time and check response when flipping bytes in padding and MAC • Check for nonce reuse 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 24
  • 26.
    Proper byte checking •Some implementation only verify a few bytes of padding, MAC and verify_data (finish hash) • All bytes must be checked for obvious reasons • Send application data packets with flipped padding, MAC and verify_data • Make sure you always get an alert 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 25
  • 27.
    Fragmentation • Any packetabove 2**14 (16384) bytes must be fragmented • But any fragment size can be chosen • Some stacks don’t cope well with TLS re-assembly • Can be used to bypass devices which parse TLS, but fail- open • Server can be requested to fragment using the Maximum Fragment Length Negotiation extension • DTLS allows to specify the fragment offset in the handshake 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 26
  • 28.
    TLS 1.3 specific •Spec doesn’t leave a lot of room for implementation errors • Handling of 0-RTT, early data, PFS • Resumption checks (SNI) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 27
  • 29.
    CONCLUSION 18 May 2017 AlexMoneger - Scapy TLS: a scriptable TLS 1.3 stack 28
  • 30.
    Strengths • Scapy-ssl_tls canspeed up PoC development • PoC can be re-used as part of testing QA and regression • Valuable to reproduce findings & develop mitigations • Help in learning & experimenting with TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 29
  • 31.
    Thanks • Thanks totintinweb who started the project • Bugs: https://github.com/tintinweb/scapy- ssl_tls/ • Contact: – Github: alexmgr 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 30
  • 32.
    THANKS 18 May 2017 AlexMoneger - Scapy TLS: a scriptable TLS 1.3 stack 31
  • 33.
    IF TIME ALLOWS 18May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 32
  • 34.
    Fuzzing • Provides basicfuzzing through scapy • Tries to be smart by preserving semantically necessary fields • Use fuzz() function on any element 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 33 fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2() ###[ TLS Record ]### content_type= handshake <= preserved version= 0x7391 <= fuzzed length= 0x6 <= preserved ###[ TLS Handshake ]### type= supplemental_data <= overriden length= 0x2 <= preserved ###[ Raw ]### load= '(r’ <= fuzzed
  • 35.
    Fuzzing • Only goodfor basic fuzzing • Simple to plug in your own fuzzer • Just generate data, scapy-ssl_tls takes care of the rest • Good targets: TLS extensions, certificates, … 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 34
  • 36.
    Examples • The examplesection contains some useful base tools: – RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark) – Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …) – Downgrade test – … • Just baselines to write your own tools 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 35

Editor's Notes

  • #10 I’m quite slow, so to fully understand something, I need to repro and play with it
  • #11 Customer don’t always understand the practical impact. No kidding, sometimes as a security engineer it takes you a few hours/days But your response team has to provide a statement quickly Both approaches require you to understand the issue in depth. But it’s harder to make a mistake with a PoC. It’s also easier to perform code review with a PoC PoC provides reproducibility, which provides Q&A and regression for free
  • #14 Writing an offensive stack is very different. All recommendations you normally provide to devs should be ignored. Do not validate length, format, signatures, … All validation is up to you, scapy-ssl_tls only reports data
  • #17 cd /Users/amoneger/projects/contrib/scapy-ssl_tls tests/integration/openssl_tls_server.sh tls1_2 Enter TLS and press tab to autocomplete Craft a TLSRecord with a TLSHandshake. Do a show(), do a ls() Modify length field of the record
  • #18 With transparent decryption p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(extensions=[TLSExtension() / TLSExtSupportedVersions(versions=[tls_draft_version(18)])])])
  • #19 p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(cipher_suites=[TLSCipherSuite.ECDHE_RSA_WITH_AES_256_GCM_SHA384], extensions=[TLSExtension() / TLSExtSupportedVersions(versions=[tls_draft_version(18)])])])
  • #22 Custom stacks seem to generally be forks of OSS projects at one stage. It is interesting to try and fingerprint where it comes from, to then try and look for known implementation vulnerabilities on the stack You can probably pinpoint to the version with some research
  • #23 FlexTLS is based on miTLS which is A Verified Reference Implementation of TLS It implements a number of know attacks against the TLS state machine. Source code was only very recently released. A great reference tool to go after TLS state machine server-gated cryptography: client renegotiation based on server cert
  • #24 TLS 1.3 killed this
  • #25 Mention that PMS should start by handshake client version. Prevents rollback attacks TLS 1.3 killed this
  • #26 TLS 1.3 killed this
  • #27 Padding in TLS can be any length upto 255 bytes. Check that implementation respects that.
  • #28 DTLS is like IP from the old days ;) Possible values start at 2**9 = 512. Only active after Server Hello is received.