![Viewing a packet
###[ TLS Record ]###
content_type= handshake
version= TLS_1_0
length= 0x36
###[ TLS Handshakes ]###
handshakes
|###[ TLS Handshake ]###
| type= client_hello
| length= 0x32
|###[ TLS Client Hello ]###
| version= TLS_1_2
| gmt_unix_time= 1494985553
| random_bytes= 'xa6;x10{x0fx7fUx88xeaHxc6xafxf8xe4xedxd56x07xcfxd6x85xc1^xbdx1fxa3x02x85'
| session_id_length= 0x0
| session_id= ''
| cipher_suites_length= 0x2
| cipher_suites= ['ECDHE_RSA_WITH_AES_256_GCM_SHA384']
| compression_methods_length= 0x1
| compression_methods= ['NULL']
| extensions_length= 0x7
| extensions
| |###[ TLS Extension ]###
| | type= supported_versions
| | length= 0x3
| |###[ TLS Extension Supported Versions ]###
| | length= 0x2
| | versions= ['TLS_1_3_DRAFT_18']
18 May 2017
Alex Moneger - Scapy TLS: a scriptable TLS
1.3 stack
17](https://image.slidesharecdn.com/scapytls-ascriptabletls1-170522192735/85/Scapy-TLS-A-scriptable-TLS-1-3-stack-18-320.jpg)
![A TLS 1.3 server
server_hello = TLSRecord() / TLSHandshakes(handshakes=[
TLSHandshake() / TLSServerHello(version=version,
cipher_suite=TLSCipherSuite.TLS_AES_256_GCM_SHA384,
extensions=[key_share])])
client_socket.sendall(server_hello)
client_socket.sendall(TLSRecord() / TLSHandshakes(handshakes=[
TLSHandshake() / TLSEncryptedExtensions(extensions=[named_groups]),
TLSHandshake() / TLSCertificateList() / TLS13Certificate(
certificates=certificates)]))
client_socket.sendall(TLSHandshakes(handshakes=[
TLSHandshake() / TLSCertificateVerify(alg=TLSSignatureScheme.RSA_PKCS1_SHA256,
sig=client_socket.tls_ctx.compute_server_cert_verify())]))
18 May 2017
Alex Moneger - Scapy TLS: a scriptable TLS
1.3 stack
18](https://image.slidesharecdn.com/scapytls-ascriptabletls1-170522192735/85/Scapy-TLS-A-scriptable-TLS-1-3-stack-19-320.jpg)
![Fuzzing
• Provides basic fuzzing through scapy
• Tries to be smart by preserving semantically necessary
fields
• Use fuzz() function on any element
18 May 2017
Alex Moneger - Scapy TLS: a scriptable TLS
1.3 stack
33
fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2()
###[ TLS Record ]###
content_type= handshake <= preserved
version= 0x7391 <= fuzzed
length= 0x6 <= preserved
###[ TLS Handshake ]###
type= supplemental_data <= overriden
length= 0x2 <= preserved
###[ Raw ]###
load= '(r’ <= fuzzed](https://image.slidesharecdn.com/scapytls-ascriptabletls1-170522192735/85/Scapy-TLS-A-scriptable-TLS-1-3-stack-34-320.jpg)
Scapy TLS: A scriptable TLS 1.3 stack
- 1. Scapy TLS: a scriptable TLS 1.3 stack Alex Moneger
- 2. Agenda 1. TLS attacks timeline 2. Difficulty in reproducing attacks 3. Scapy-ssl_tls goals 4. Quick demo of scapy-ssl_tls capabilities 5. Custom TLS stacks, what to look for? 6. Fuzzing capabilities 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 1
- 3. Introduction • TLS is a critical protocol to the internet • Very few alternatives • Session layer protocol for other protocols • Very complex 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 2
- 4. TLS PROTOCOL LEVEL ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 3
- 5. Introduction • Protocol under scrutiny • Growth of the number of protocol level attacks • Numerous implementation bugs 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 4
- 6. Timeline 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 5 Renegotiation 2009 20162013 BEAST CRIME 2014 2015201220112010 BREACH Lucky13 POODLE POODLE2 FREAK LOGJAM SLOTH THS
- 7. Observations • TLS protocol attacks increase: – Frequency – Complexity • 2 classes: – Protocol level – Crypto level 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 6
- 8. REPRODUCING ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 7
- 9. Problems • Understand the attack properly • Practical impact (as opposed to theoretical problem) • Reproducibility • Fix (dev + Q&A) • Fix for good (regression) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 8
- 10. Response • Customers do not always understand the practical impact • Your response team has to provide a definite answer • 2 solutions for custom implementations: – Crypto code review: • Lack of comparison point • Hard to get the full picture when deep into a crypto routine – PoC: • Lack of tooling • Big difference between regular lib and security focused lib 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 9
- 11. SCAPY-SSL_TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 10
- 12. Introduction • TLS & DTLS scriptable stack built above scapy • Stateless (as much as possible) • Packet crafting and dissecting • Crypto session handling • Sniffing (wire, pcap, …) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 11
- 13. Why bother? • TLS stacks are built to be robust • Enforce input parameters to be valid • Tear down connection on error • Not very flexible 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 12
- 14. Goals • Easy to install and use • Simplify discovery and exploitation of TLS vulnerabilities • Allow full control of any TLS field • Tries very hard to maintain absolutely no state • Good documentation and examples • No checks or enforcements (up to user if desired) • Sane defaults • Transparent encryption 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 13
- 15. Concepts • Start scapy • All classes start with TLS: – Allows easy autocomplete • What fields are available in a given TLS record? – ls(TLSClientHello) • TLSSocket() is used to wrap the TCP socket – This is your base element to send/recv traffic • Build packets scapy style: – p = TLSRecord()/TLSHandshake()/TLSClientHello() 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 14
- 16. DEMO Packet crafting/parsing 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 15
- 17. A simple TLS 1.3 client with TLSSocket(client=True) as tls_socket: try: tls_socket.connect(ip) print("Connected to server: %s" % (ip,)) except socket.timeout: print("Failed to open connection to server: %s" % (ip,), file=sys.stderr) else: try: server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions) server_hello.show() except TLSProtocolError as tpe: print("Got TLS error: %s" % tpe, file=sys.stderr) tpe.response.show() else: resp = tls_socket.do_round_trip(TLSPlaintext(data="GET / HTTP/1.1rnHOST: localhostrnrn")) print("Got response from server") resp.show() finally: print(tls_socket.tls_ctx) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 16
- 18. Viewing a packet ###[ TLS Record ]### content_type= handshake version= TLS_1_0 length= 0x36 ###[ TLS Handshakes ]### handshakes |###[ TLS Handshake ]### | type= client_hello | length= 0x32 |###[ TLS Client Hello ]### | version= TLS_1_2 | gmt_unix_time= 1494985553 | random_bytes= 'xa6;x10{x0fx7fUx88xeaHxc6xafxf8xe4xedxd56x07xcfxd6x85xc1^xbdx1fxa3x02x85' | session_id_length= 0x0 | session_id= '' | cipher_suites_length= 0x2 | cipher_suites= ['ECDHE_RSA_WITH_AES_256_GCM_SHA384'] | compression_methods_length= 0x1 | compression_methods= ['NULL'] | extensions_length= 0x7 | extensions | |###[ TLS Extension ]### | | type= supported_versions | | length= 0x3 | |###[ TLS Extension Supported Versions ]### | | length= 0x2 | | versions= ['TLS_1_3_DRAFT_18'] 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 17
- 19. A TLS 1.3 server server_hello = TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSServerHello(version=version, cipher_suite=TLSCipherSuite.TLS_AES_256_GCM_SHA384, extensions=[key_share])]) client_socket.sendall(server_hello) client_socket.sendall(TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSEncryptedExtensions(extensions=[named_groups]), TLSHandshake() / TLSCertificateList() / TLS13Certificate( certificates=certificates)])) client_socket.sendall(TLSHandshakes(handshakes=[ TLSHandshake() / TLSCertificateVerify(alg=TLSSignatureScheme.RSA_PKCS1_SHA256, sig=client_socket.tls_ctx.compute_server_cert_verify())])) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 18
- 20. WHAT TO LOOK FOR 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 19
- 21. Recon • Fingerprint possible fork • OpenSSL empty plaintext fragment • JSSE, NSS stacked handshake • Difference in Alert type when tampering with Finish message • Alert is loosely defined, so stack specific 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 20
- 22. State machine • Tricky testing: mostly manual work and knowledge of RFC • Automated testing: FlexTLS: – Example: mono FlexApps.exe -s efin --connect localhost:8443 • Gives a good starting point for manual testing • Lot of legacy stuff: server-gated cryptography anyone? 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 21
- 23. Diffie Hellman • Check the validity of server (EC)DH params – Group size – Primality – Subgroup confinement attack (e.g: Off curve test (EC)) – Signature algo used – … • Send interesting values (small, non-prime, …) • Scapy-ssl_tls uses TinyEC for EC calculation • Allows to perform EC arithmetic 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 22
- 24. Side channels (RSA) • Pre Master Secret is decrypted • TLS mandates PKCS1 v1.5 for padding • This needs to be constant time, see classic Bleichenbacher • Time and Check for response difference on invalid padding (alert vs tcp reset) • Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 23
- 25. Side channels (ciphers) • Padding and MAC checks must be constant time • Alert type must be identical • Time and check response when flipping bytes in padding and MAC • Check for nonce reuse 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 24
- 26. Proper byte checking • Some implementation only verify a few bytes of padding, MAC and verify_data (finish hash) • All bytes must be checked for obvious reasons • Send application data packets with flipped padding, MAC and verify_data • Make sure you always get an alert 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 25
- 27. Fragmentation • Any packet above 2**14 (16384) bytes must be fragmented • But any fragment size can be chosen • Some stacks don’t cope well with TLS re-assembly • Can be used to bypass devices which parse TLS, but fail- open • Server can be requested to fragment using the Maximum Fragment Length Negotiation extension • DTLS allows to specify the fragment offset in the handshake 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 26
- 28. TLS 1.3 specific • Spec doesn’t leave a lot of room for implementation errors • Handling of 0-RTT, early data, PFS • Resumption checks (SNI) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 27
- 29. CONCLUSION 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 28
- 30. Strengths • Scapy-ssl_tls can speed up PoC development • PoC can be re-used as part of testing QA and regression • Valuable to reproduce findings & develop mitigations • Help in learning & experimenting with TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 29
- 31. Thanks • Thanks to tintinweb who started the project • Bugs: https://github.com/tintinweb/scapy- ssl_tls/ • Contact: – Github: alexmgr 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 30
- 32. THANKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 31
- 33. IF TIME ALLOWS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 32
- 34. Fuzzing • Provides basic fuzzing through scapy • Tries to be smart by preserving semantically necessary fields • Use fuzz() function on any element 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 33 fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2() ###[ TLS Record ]### content_type= handshake <= preserved version= 0x7391 <= fuzzed length= 0x6 <= preserved ###[ TLS Handshake ]### type= supplemental_data <= overriden length= 0x2 <= preserved ###[ Raw ]### load= '(r’ <= fuzzed
- 35. Fuzzing • Only good for basic fuzzing • Simple to plug in your own fuzzer • Just generate data, scapy-ssl_tls takes care of the rest • Good targets: TLS extensions, certificates, … 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 34
- 36. Examples • The example section contains some useful base tools: – RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark) – Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …) – Downgrade test – … • Just baselines to write your own tools 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 35
Editor's Notes
- #10: I’m quite slow, so to fully understand something, I need to repro and play with it
- #11: Customer don’t always understand the practical impact. No kidding, sometimes as a security engineer it takes you a few hours/days But your response team has to provide a statement quickly Both approaches require you to understand the issue in depth. But it’s harder to make a mistake with a PoC. It’s also easier to perform code review with a PoC PoC provides reproducibility, which provides Q&A and regression for free
- #14: Writing an offensive stack is very different. All recommendations you normally provide to devs should be ignored. Do not validate length, format, signatures, … All validation is up to you, scapy-ssl_tls only reports data
- #17: cd /Users/amoneger/projects/contrib/scapy-ssl_tls tests/integration/openssl_tls_server.sh tls1_2 Enter TLS and press tab to autocomplete Craft a TLSRecord with a TLSHandshake. Do a show(), do a ls() Modify length field of the record
- #18: With transparent decryption p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(extensions=[TLSExtension() / TLSExtSupportedVersions(versions=[tls_draft_version(18)])])])
- #19: p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(cipher_suites=[TLSCipherSuite.ECDHE_RSA_WITH_AES_256_GCM_SHA384], extensions=[TLSExtension() / TLSExtSupportedVersions(versions=[tls_draft_version(18)])])])
- #22: Custom stacks seem to generally be forks of OSS projects at one stage. It is interesting to try and fingerprint where it comes from, to then try and look for known implementation vulnerabilities on the stack You can probably pinpoint to the version with some research
- #23: FlexTLS is based on miTLS which is A Verified Reference Implementation of TLS It implements a number of know attacks against the TLS state machine. Source code was only very recently released. A great reference tool to go after TLS state machine server-gated cryptography: client renegotiation based on server cert
- #24: TLS 1.3 killed this
- #25: Mention that PMS should start by handshake client version. Prevents rollback attacks TLS 1.3 killed this
- #26: TLS 1.3 killed this
- #27: Padding in TLS can be any length upto 255 bytes. Check that implementation respects that.
- #28: DTLS is like IP from the old days ;) Possible values start at 2**9 = 512. Only active after Server Hello is received.