Pentesting custom TLS stacks
Alex Moneger
Who am I?
• Security engineer at Citrix
• Interest in low level topics (crypto, fuzzing, exploit dev)
• "the views expressed herein are personal and stated in my individual capacity and in no way a statement or position of my employer"
1/16/16
Alex Moneger - Pentesting custom TLS
stacks
1
Agenda
1. TLS attacks timeline
2. Difficulty in reproducing attacks
3. Quick refresher on TLS
4. Scapy-ssl_tls goals
5. Quick demo of scapy-ssl_tls capabilities
6. Custom TLS stacks, what to look for?
7. Scapy-ssl_tls crypto
8. Demo: detecting Poodle
9. Fuzzing capabilities
Introduction
• TLS is a critical protocol to the internet
• Very few alternatives
• Session layer protocol for other protocols
• Very complex
Introduction
• Protocol under scrutiny
• Growth of the number of attacks
• General lack of tooling
• Attacks are developed ad-hoc:
– Extensions of OpenSSL
– …
TLS PROTOCOL LEVEL ATTACKS
Introduction
• Protocol under scrutiny
• Growth of the number of protocol level attacks
• Numerous implementation bugs
Timeline
[Timeline figure, 2009 to 2016: Renegotiation, BEAST, CRIME, BREACH, Lucky13, POODLE, POODLE2, FREAK, LOGJAM, SLOTH, THS]
Observations
• TLS protocol attacks increase:
– Frequency
– Complexity
• 2 classes:
– Protocol level
– Crypto level
REPRODUCING ATTACKS
Problems
• Understand the attack properly
• Practical impact (as opposed to theoretical problem)
• Reproducibility
• Fix (dev + Q&A)
• Fix for good (regression)
Response
• Customers do not always understand the practical impact
• Your response team has to provide a definite answer
• 2 solutions for custom implementations:
– Crypto code review:
• Lack of comparison point
• Hard to get the full picture when deep into a crypto routine
– PoC:
• Lack of tooling
• Big difference between regular lib and security focused lib
TLS REFRESHER
Basics
• TLS is session layer (layer 5)
• Performs a handshake then provides crypto
• Transparent to protocol
• High RTT (at least 4 packets, 2 RTT for handshake)
• Offers session resumption
• Can authenticate both client and server
• Provides integrity and confidentiality
• Relies on TCP for packet delivery and ordering
Message format
• Has sub-protocols within the protocol:
1. Handshake (negotiate parameters)
2. Change Cipher Spec (signal a cipher change)
3. Alert (error handling)
4. Application data (move data)
• Each of these sub-protocols is encapsulated in a Record header which holds:
– Proto version
– Payload length
– Payload type
TLS Record
• In charge of transporting the sub-protocols
• Record is always cleartext
• Payload length is not completely protected in TLS
• Records can be “stacked” inside a packet:
[Figure: record header fields Version, Size, Length followed by the payload (Handshake, Data, …); one packet may carry Record | Handshake, Data, … | Record | Handshake, Data, …]
Handshake
• In charge of negotiating:
– Compression
– Crypto parameters
– Initiating crypto material
• In charge of ensuring handshake is free of in transit tampering (finish message)
• Extensible (through TLS extensions)
Handshake quirks
• Max size: 2**16, can be TLS fragmented
• Some messages can have arbitrary trailing data (support for unknown extensions)
• Doesn’t need a certificate (anonymous RSA, DH and ECDH)
• Can have “stacked” handshakes in a record (Java)
[Figure: Record | Handshake | Handshake | Handshake]
Application Data
• Encrypted + authenticated packets
• Cleartext is HMACd then padded => MAC then encrypt… Padding is not protected by the MAC
[Figure, block cipher layout: Record | Cleartext | HMAC | padding | padding length; everything after the record header is encrypted]
• Stream ciphers:
[Figure, stream cipher layout: Record | Cleartext | HMAC; everything after the record header is encrypted]
SCAPY-SSL_TLS
Introduction
• TLS & DTLS attack stack built above scapy
• Stateless (as much as possible)
• Packet crafting and dissecting
• Crypto session handling
• Sniffing (wire, pcap, …)
Why bother?
• TLS stacks are built to be robust
• Enforce input parameters to be valid
• Tear down connection on error
• Not very flexible
Goals
• Easy to install and use
• Simplify discovery and exploitation of TLS vulnerabilities
• Allow full control of any TLS field
• Tries very hard to maintain absolutely no state
• Good documentation and examples
• No checks or enforcements (up to user if desired)
• Sane defaults
• Transparent encryption
Features
• Full support:
– SSLv3, TLS 1.0, TLS 1.1, TLS1.2 and DTLS
– RSA, DHE, ECDHE key exchanges with all available ciphers
– RSA and DSA signature
– All TLS records and extensions
– Transparent decryption of TLS traffic
– Client certs
• Missing:
– AES-GCM and CCM
Installation
• Stable branch (v1.2.2 today):
– pip install scapy-ssl_tls
• Dev branch (latest features + examples):
– git clone https://github.com/tintinweb/scapy-ssl_tls
– Or pip install git+https://github.com/tintinweb/scapy-ssl_tls@master
• Feature branches:
– Replace @master by @branch
Concepts
• Start scapy
• All classes start with TLS:
– Allows easy autocomplete
• What fields are available in a given TLS record?
– ls(TLSClientHello)
• TLSSocket() is used to wrap the TCP socket
– This is your base element to send/recv traffic
• Build packets scapy style:
– p = TLSRecord()/TLSHandshake()/TLSClientHello()
DEMO
Packet crafting/parsing
Packet crafting/parsing
import socket
from scapy_ssl_tls.ssl_tls import *  # loads the TLS layer when not running inside scapy

version = TLSVersion.TLS_1_2
ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
host = ("localhost", 8443)
socket_ = socket.socket()
socket_.connect(host)
# TLSSocket wraps the TCP socket and tracks the crypto context (tls_ctx)
tls_socket = TLSSocket(socket_, client=True)
# scapy-style layer stacking; the parentheses let the expression span two lines
packet = (TLSRecord() / TLSHandshake() /
          TLSClientHello(version=version, cipher_suites=ciphers))
tls_socket.sendall(packet)
response = tls_socket.recvall()
response.show()
# the dissected ServerKeyExchange parameters, reachable by layer name
response[TLSServerECDHParams].show()
print(tls_socket.tls_ctx)
Extensions
import socket
from scapy_ssl_tls.ssl_tls import *  # loads the TLS layer when not running inside scapy

version = TLSVersion.TLS_1_2
ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
host = ("localhost", 8443)
# each extension is a generic TLSExtension header carrying a typed body
sni = (TLSExtension() /
       TLSExtServerNameIndication(server_names=[TLSServerName(data="localhost", length=9)]))
alpn = (TLSExtension() /
        TLSExtALPN(protocol_name_list=[TLSALPNProtocol(data="h2")]))
frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=233)
extensions = [sni, alpn, frag]
socket_ = socket.socket()
socket_.connect(host)
tls_socket = TLSSocket(socket_, client=True)
packet = (TLSRecord() / TLSHandshake() /
          TLSClientHello(version=version, cipher_suites=ciphers, extensions=extensions))
tls_socket.sendall(packet)
response = tls_socket.recvall()
response.show()
Transparent traffic decryption
import socket
from scapy_ssl_tls.ssl_tls import *  # loads the TLS layer when not running inside scapy

version = TLSVersion.TLS_1_2
ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
host = ("localhost", 8443)
app_payload = "GET / HTTP/1.1\r\nHOST: example.com\r\n\r\n"
socket_ = socket.socket()
socket_.connect(host)
tls_socket = TLSSocket(socket_, client=True)
# Handshake: negotiates the cipher suite and derives the session keys into tls_ctx
tls_do_handshake(tls_socket, version, ciphers)
# Application data: to_raw() applies MAC, padding and encryption from tls_ctx
tls_socket.sendall(to_raw(TLSPlaintext(data=app_payload), tls_socket.tls_ctx))
# the response is decrypted transparently with the same context
response = tls_socket.recvall()
response.show()
print(tls_socket.tls_ctx)
WHAT TO LOOK FOR
Basic recon
• Supported TLS versions
• Supported ciphers
• Supported compression methods
• Cipher preference ordering
• Certificates
• Trust chain
Recon
• Fingerprint possible fork
• OpenSSL empty plaintext fragment
• JSSE stacked handshake
• Difference in Alert type when tampering with Finish message
State machine
• Tricky testing: mostly manual work and knowledge of RFC
• Automated testing: FlexTLS:
– Example: mono FlexApps.exe -s efin --connect localhost:8443
• Gives a good starting point for manual testing
• Lot of legacy stuff: server-gated cryptography anyone?
Diffie Hellman
• Check the validity of server (EC)DH params
– Group size
– Primality
– Subgroup confinement attack (e.g: Off curve test (EC))
– Signature algo used
– …
• Send random values (small, non-prime, …)
• Scapy-ssl_tls uses TinyEC for EC calculation
• Allows to perform EC arithmetic
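An added example (not scapy-ssl_tls code) of the (EC)DH parameter checks listed above, for finite-field DH: group size, primality of p, range of g and Ys, and subgroup membership when the subgroup order q is known or p is a safe prime. The groups used for the demo are small constructed values, so min_bits is lowered for them.

```python
import random


def is_probable_prime(n, rounds=40):
    """Miller-Rabin: adequate for a parameter sanity check, not a proof."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dh_params(p, g, ys, q=None, min_bits=2048):
    """Return the list of problems found with a ServerDHParams tuple (p, g, Ys).

    q is the order of the subgroup generated by g when the server or a named
    group states it. Without q, p must be a safe prime so that the only small
    subgroup is {1, p-1}, which the range check on Ys already excludes."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p has %d bits, below the %d-bit minimum" % (p.bit_length(), min_bits))
    if not is_probable_prime(p):
        problems.append("p is not prime")
        return problems  # nothing below is meaningful for a composite modulus
    if not 2 <= g <= p - 2:
        problems.append("generator out of range")
    if not 2 <= ys <= p - 2:
        # 0, 1 and p-1 are degenerate public values (shared secret becomes trivial)
        problems.append("server public value out of range")
    if q is None:
        if not is_probable_prime((p - 1) // 2):
            problems.append("p is not a safe prime and no subgroup order q was given")
    else:
        if not is_probable_prime(q) or (p - 1) % q != 0:
            problems.append("q is not prime or does not divide p-1")
        else:
            # subgroup confinement check: x^q == 1 (mod p) for every honest value
            if pow(g, q, p) != 1:
                problems.append("generator not in the order-q subgroup")
            if 2 <= ys <= p - 2 and pow(ys, q, p) != 1:
                problems.append("server public value not in the order-q subgroup")
    return problems
```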
Side channels (RSA)
• Pre Master Secret is decrypted
• TLS mandates PKCS1 v1.5 for padding
• This needs to be constant time, see classic Bleichenbacher
• Time and check for response difference on invalid padding (alert vs tcp reset)
• Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS
Side channels (ciphers)
• Padding and MAC checks must be constant time
• Alert type must be identical
• Time and check response when flipping bytes in padding and MAC
Proper byte checking
• Some implementations only verify a few bytes of padding, MAC and verify_data (finish hash)
• All bytes must be checked for obvious reasons
• Send application data packets with flipped padding, MAC and verify_data
• Make sure you always get an alert
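An added example of the checks the Application Data, Side channels (ciphers) and Proper byte checking slides call for, in plain Python rather than scapy-ssl_tls: it builds the MAC-then-pad record body, verifies it strictly (every padding byte) and laxly (padding_length only), and returns one bad_record_mac alert whichever part fails. The cipher layer is left out: the body is what CBC would encrypt, and the MAC key is a constructed value.

```python
import hashlib
import hmac

BLOCK = 16                  # AES block size: the CBC input must be a multiple of it
DIGEST = hashlib.sha1       # HMAC-SHA1, as used by the *_CBC_SHA suites on this page
DIGEST_LEN = 20
BAD_RECORD_MAC = 20         # TLS AlertDescription bad_record_mac, returned for every failure


def _mac(mac_key, seq, content_type, version, data):
    # TLS 1.x MAC input: seq_num(8) | type(1) | version(2) | length(2) | fragment
    hdr = (seq.to_bytes(8, "big") + bytes([content_type]) +
           version.to_bytes(2, "big") + len(data).to_bytes(2, "big"))
    return hmac.new(mac_key, hdr + data, DIGEST).digest()


def mac_then_pad(mac_key, seq, content_type, version, data):
    """Build what CBC encrypts: data | HMAC | padding | padding_length.
    The padding is appended after the MAC, so the MAC does not cover it."""
    tag = _mac(mac_key, seq, content_type, version, data)
    padlen = BLOCK - (len(data) + DIGEST_LEN + 1) % BLOCK   # 1..16 padding bytes
    return data + tag + bytes([padlen]) * (padlen + 1)      # each byte == padlen


def _split(body):
    """Return (data, tag, padding) according to the trailing padding_length byte."""
    padlen = body[-1]
    if padlen + 1 + DIGEST_LEN > len(body):
        return None                                          # length byte is lying
    data_end = len(body) - padlen - 1 - DIGEST_LEN
    return (body[:data_end], body[data_end:data_end + DIGEST_LEN],
            body[data_end + DIGEST_LEN:-1])


def check_strict(mac_key, seq, content_type, version, body):
    """Verify every padding byte and the MAC; a single alert for any failure."""
    parts = _split(body)
    if parts is None:
        return BAD_RECORD_MAC
    data, tag, padding = parts
    # count mismatches instead of short-circuiting, so both checks always run
    # (a real implementation needs more than this to be constant time)
    pad_ok = sum(b != body[-1] for b in padding) == 0
    mac_ok = hmac.compare_digest(tag, _mac(mac_key, seq, content_type, version, data))
    return data if (pad_ok and mac_ok) else BAD_RECORD_MAC


def check_lax(mac_key, seq, content_type, version, body):
    """Flawed variant: trusts padding_length and never looks at the padding bytes."""
    parts = _split(body)
    if parts is None:
        return BAD_RECORD_MAC
    data, tag, _ = parts
    mac_ok = hmac.compare_digest(tag, _mac(mac_key, seq, content_type, version, data))
    return data if mac_ok else BAD_RECORD_MAC


def flip_byte(body, index):
    """Flip one byte, as the pre_encrypt_hook on the Crypto container slide does."""
    return body[:index] + bytes([body[index] ^ 0xFF]) + body[index + 1:]
```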
DDoS
• DTLS is UDP
• Returns a certificate chain on first packet
• DTLS hello => 64 bytes
• DTLS response => can be several kB
• Protection is built into the protocol, but is a MAY => HelloVerifyRequest
• Make sure to check cookie is returned upon multiple spoofed requests
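The HelloVerifyRequest cookie exchange described above, as an added example of the server-side logic (not code from scapy-ssl_tls or any DTLS stack): the cookie is an HMAC over the client's source address and its ClientHello random, so a spoofed source never receives the certificate flight. Secret rotation is omitted, and the addresses, randoms and secret are constructed values.

```python
import hashlib
import hmac
import os

DTLS_1_2 = b"\xfe\xfd"          # DTLS 1.2 version bytes on the wire
HELLO_VERIFY_REQUEST = 3        # HandshakeType.hello_verify_request
COOKIE_LEN = 32


class DtlsCookieGate:
    """Stateless cookie check a DTLS server runs before its expensive flight.

    The server keeps no per-client state: the cookie is recomputed from the
    secret and the ClientHello on every arrival and compared with the echo."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(32)

    def cookie_for(self, client_addr, client_random):
        # bind the cookie to (ip, port) and to the client random the client must reuse
        msg = ("%s:%d" % client_addr).encode() + client_random
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def hello_verify_request(self, cookie, message_seq=0):
        """DTLS handshake message: type | length(3) | message_seq(2) |
        fragment_offset(3) | fragment_length(3) | server_version | cookie."""
        body = DTLS_1_2 + bytes([len(cookie)]) + cookie
        hdr = (bytes([HELLO_VERIFY_REQUEST]) + len(body).to_bytes(3, "big") +
               message_seq.to_bytes(2, "big") + (0).to_bytes(3, "big") +
               len(body).to_bytes(3, "big"))
        return hdr + body

    def on_client_hello(self, client_addr, client_random, cookie=b""):
        """("proceed", None) when the echoed cookie is valid for this source,
        otherwise ("verify", HelloVerifyRequest bytes) and nothing else is sent."""
        expected = self.cookie_for(client_addr, client_random)
        if len(cookie) == COOKIE_LEN and hmac.compare_digest(cookie, expected):
            return "proceed", None
        # the reply is smaller than the ClientHello, so no amplification is possible
        return "verify", self.hello_verify_request(expected)
```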
Fragmentation
• Any packet above 2**14 (16384) bytes must be fragmented
• But any fragment size can be chosen
• Few stacks support TLS re-assembly
• Can be used to bypass devices which parse TLS, but fail-open
• Server can be requested to fragment using the Maximum Fragment Length Negotiation extension
• DTLS allows to specify the fragment offset in the handshake
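The record framing the TLS Record, Handshake quirks and Fragmentation slides describe, as an added pure-Python example (not scapy-ssl_tls code): split stacked records out of a byte stream, split stacked handshake messages out of one record, fragment a handshake across records of any chosen size and reassemble it. The ClientHello body is constructed for the demo.

```python
import struct

HANDSHAKE = 22                 # ContentType.handshake
MAX_FRAGMENT = 2 ** 14         # 16384: largest record payload RFC 5246 allows
CLIENT_HELLO = 1               # HandshakeType.client_hello


def make_record(content_type, version, payload):
    """Record header (type | version | length) followed by the payload."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def split_records(stream):
    """Parse every record stacked in a byte stream into (type, version, payload)."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if length > MAX_FRAGMENT:
            raise ValueError("record payload %d exceeds 2**14" % length)
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((ctype, version, payload))
        off += 5 + length
    return records


def split_handshakes(payload):
    """Parse the handshake messages stacked in one handshake record payload."""
    msgs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated handshake header")
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            # the message continues in the next record: a stack without
            # reassembly support fails right here
            raise ValueError("handshake message crosses a record boundary")
        msgs.append((msg_type, body))
        off += 4 + length
    return msgs


def fragment_handshake(msg_type, body, version, frag_size):
    """Split one handshake message across records of at most frag_size payload bytes."""
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"".join(make_record(HANDSHAKE, version, msg[i:i + frag_size])
                    for i in range(0, len(msg), frag_size))


def reassemble_handshakes(stream):
    """Concatenate consecutive handshake record payloads, then split the messages."""
    buf = b"".join(p for t, _, p in split_records(stream) if t == HANDSHAKE)
    return split_handshakes(buf)


def crosses_boundary(payload):
    """True when a single record payload holds only part of a handshake message."""
    try:
        split_handshakes(payload)
        return False
    except ValueError:
        return True


def demo():
    # constructed ClientHello body: version, 32-byte random, empty session id,
    # one cipher suite (0xc013), null compression, no extensions
    body = b"\x03\x03" + bytes(range(32)) + b"\x00" + b"\x00\x02\xc0\x13" + b"\x01\x00"
    tiny = fragment_handshake(CLIENT_HELLO, body, 0x0303, 16)
    records = split_records(tiny)
    return len(records), reassemble_handshakes(tiny) == [(CLIENT_HELLO, body)]
```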
CRYPTO HOOKS
tls_to_raw
• Scapy-ssl_tls exposes tls_to_raw()
• Calculates all crypto material for the packet
• Exposes some hooks:
– At compression time
– Pre and post encryption
• Allows to act on pre-calculated padding and MACs
to_raw(pkt, tls_ctx, include_record=True, compress_hook=None, pre_encrypt_hook=None, encrypt_hook=None)
Crypto container
• All crypto material stored in a
CryptoContainer:
– IV, mac, padding, padding length
• Passed to and returned by crypto hooks:
# index of the padding byte to flip (the slide assumed it was defined; 0 is the first byte)
index = 0

def modify_padding(crypto_container):
    # pre_encrypt hook: receives the CryptoContainer after padding and MAC are
    # computed, may alter it, and must return it for encryption
    padding = crypto_container.padding
    byte_flip = chr(ord(padding[index]) ^ 0xff)
    crypto_container.padding = "%s%s%s" % (padding[:index], byte_flip, padding[index + 1:])
    return crypto_container

tls_to_raw(TLSPlaintext(data=data), tls_socket.tls_ctx, pre_encrypt_hook=modify_padding)
Usage
• Very useful to modify crypto state
• Without keeping track of PRF, ciphers, MACs,…
• Allows to easily reproduce attacks on crypto
material
DEMO
POODLE2 CHECK
DEMO
Fragmentation
Fragmentation code
import socket
from scapy_ssl_tls.ssl_tls import *  # loads the TLS layer when not running inside scapy

version = TLSVersion.TLS_1_2
ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
host = ("localhost", 8443)
# ask the server to fragment as well (max_fragment_length code 1 = 2**9 bytes)
frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=1)
extensions = [frag]
s = socket.socket()
s.connect(host)
ts = TLSSocket(s, client=True)
payload = TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers,
                                          extensions=extensions)
# split the ClientHello into 16-byte handshake records, each with its own record header
frags = tls_fragment_payload(payload, TLSRecord(version=version,
                                                content_type=TLSContentType.HANDSHAKE), 16)
ts.sendall(frags)
r = ts.recvall()
CONCLUSION
Strengths
• Scapy-ssl_tls can speed up PoC development
• PoC can be re-used as part of testing QA and
regression
• Valuable to reproduce findings & develop
mitigations
• Help in learning & experimenting with TLS
Thanks
• Thanks to tintinweb who started the project
• Bugs: https://github.com/tintinweb/scapy-ssl_tls/
• Contact:
– Github: alexmgr
THANKS
IF TIME ALLOWS
Fuzzing
• Provides basic fuzzing through scapy
• Tries to be smart by preserving semantically necessary
fields
• Use fuzz() function on any element
fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2()
###[ TLS Record ]###
content_type= handshake <= preserved
version= 0x7391 <= fuzzed
length= 0x6 <= preserved
###[ TLS Handshake ]###
type= supplemental_data <= overriden
length= 0x2 <= preserved
###[ Raw ]###
load= '(r' <= fuzzed
Fuzzing
• Only good for basic fuzzing
• Simple to plug in your own fuzzer
• Just generate data, scapy-ssl_tls takes care of
the rest
• Good targets: TLS extensions, certificates, …
Examples
• The example section contains some useful base tools:
– RSA session sniffer: given a cert, can decrypt wire traffic
(like Wireshark)
– Security scanner: a rudimentary TLS scanner (versions,
ciphers, SCSV, …)
– Downgrade test
– …
• Just baselines to write your own tools

 
Graphics Primitives and CG Display Devices
Graphics Primitives and CG Display DevicesGraphics Primitives and CG Display Devices
Graphics Primitives and CG Display DevicesDIPIKA83
 
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...amrabdallah9
 
Design of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptxDesign of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptxYogeshKumarKJMIT
 
Nodal seismic construction requirements.pptx
Nodal seismic construction requirements.pptxNodal seismic construction requirements.pptx
Nodal seismic construction requirements.pptxwendy cai
 
Multicomponent Spiral Wound Membrane Separation Model.pdf
Multicomponent Spiral Wound Membrane Separation Model.pdfMulticomponent Spiral Wound Membrane Separation Model.pdf
Multicomponent Spiral Wound Membrane Separation Model.pdfGiovanaGhasary1
 
Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Bahzad5
 
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...Amil baba
 
Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...sahb78428
 
ChatGPT-and-Generative-AI-Landscape Working of generative ai search
ChatGPT-and-Generative-AI-Landscape Working of generative ai searchChatGPT-and-Generative-AI-Landscape Working of generative ai search
ChatGPT-and-Generative-AI-Landscape Working of generative ai searchrohitcse52
 
The relationship between iot and communication technology
The relationship between iot and communication technologyThe relationship between iot and communication technology
The relationship between iot and communication technologyabdulkadirmukarram03
 
Basic Principle of Electrochemical Sensor
Basic Principle of  Electrochemical SensorBasic Principle of  Electrochemical Sensor
Basic Principle of Electrochemical SensorTanvir Moin
 
UNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptxUNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptxrealme6igamerr
 
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfsdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfJulia Kaye
 

Último (20)

A Seminar on Electric Vehicle Software Simulation
A Seminar on Electric Vehicle Software SimulationA Seminar on Electric Vehicle Software Simulation
A Seminar on Electric Vehicle Software Simulation
 
Quasi-Stochastic Approximation: Algorithm Design Principles with Applications...
Quasi-Stochastic Approximation: Algorithm Design Principles with Applications...Quasi-Stochastic Approximation: Algorithm Design Principles with Applications...
Quasi-Stochastic Approximation: Algorithm Design Principles with Applications...
 
IT3401-WEB ESSENTIALS PRESENTATIONS.pptx
IT3401-WEB ESSENTIALS PRESENTATIONS.pptxIT3401-WEB ESSENTIALS PRESENTATIONS.pptx
IT3401-WEB ESSENTIALS PRESENTATIONS.pptx
 
SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....
SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....
SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....
 
EPE3163_Hydro power stations_Unit2_Lect2.pptx
EPE3163_Hydro power stations_Unit2_Lect2.pptxEPE3163_Hydro power stations_Unit2_Lect2.pptx
EPE3163_Hydro power stations_Unit2_Lect2.pptx
 
Graphics Primitives and CG Display Devices
Graphics Primitives and CG Display DevicesGraphics Primitives and CG Display Devices
Graphics Primitives and CG Display Devices
 
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
 
Design of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptxDesign of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptx
 
Nodal seismic construction requirements.pptx
Nodal seismic construction requirements.pptxNodal seismic construction requirements.pptx
Nodal seismic construction requirements.pptx
 
Multicomponent Spiral Wound Membrane Separation Model.pdf
Multicomponent Spiral Wound Membrane Separation Model.pdfMulticomponent Spiral Wound Membrane Separation Model.pdf
Multicomponent Spiral Wound Membrane Separation Model.pdf
 
Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)
 
計劃趕得上變化
計劃趕得上變化計劃趕得上變化
計劃趕得上變化
 
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
 
Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...
 
Présentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdfPrésentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdf
 
ChatGPT-and-Generative-AI-Landscape Working of generative ai search
ChatGPT-and-Generative-AI-Landscape Working of generative ai searchChatGPT-and-Generative-AI-Landscape Working of generative ai search
ChatGPT-and-Generative-AI-Landscape Working of generative ai search
 
The relationship between iot and communication technology
The relationship between iot and communication technologyThe relationship between iot and communication technology
The relationship between iot and communication technology
 
Basic Principle of Electrochemical Sensor
Basic Principle of  Electrochemical SensorBasic Principle of  Electrochemical Sensor
Basic Principle of Electrochemical Sensor
 
UNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptxUNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptx
 
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfsdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
 

Pentesting custom TLS stacks

1. Pentesting custom TLS stacks
Alex Moneger

2. Who am I?
• Security engineer at Citrix
• Interest in low level topics (crypto, fuzzing, exploit dev)
• "the views expressed herein are personal and stated in my individual capacity and in no way a statement or position of my employer"
1/16/16 Alex Moneger - Pentesting custom TLS stacks 1

3. Agenda
1. TLS attacks timeline
2. Difficulty in reproducing attacks
3. Quick refresher on TLS
4. Scapy-ssl_tls goals
5. Quick demo of scapy-ssl_tls capabilities
6. Custom TLS stacks, what to look for?
7. Scapy-ssl_tls crypto
8. Demo: detecting Poodle
9. Fuzzing capabilities

4. Introduction
• TLS is a critical protocol to the internet
• Very few alternatives
• Session layer protocol for other protocols
• Very complex

5. Introduction
• Protocol under scrutiny
• Growth of the number of attacks
• General lack of tooling
• Attacks are developed ad-hoc:
  – Extensions of OpenSSL
  – …

6. TLS PROTOCOL LEVEL ATTACKS

7. Introduction
• Protocol under scrutiny
• Growth of the number of protocol level attacks
• Numerous implementation bugs

8. Timeline
[Timeline figure, 2009 to 2016: Renegotiation, BEAST, CRIME, BREACH, Lucky13, POODLE, POODLE2, FREAK, LOGJAM, SLOTH, THS]

9. Observations
• TLS protocol attacks increase:
  – Frequency
  – Complexity
• 2 classes:
  – Protocol level
  – Crypto level

10. REPRODUCING ATTACKS

11. Problems
• Understand the attack properly
• Practical impact (as opposed to theoretical problem)
• Reproducibility
• Fix (dev + Q&A)
• Fix for good (regression)
12. Response
• Customers do not always understand the practical impact
• Your response team has to provide a definite answer
• 2 solutions for custom implementations:
  – Crypto code review:
    • Lack of comparison point
    • Hard to get the full picture when deep into a crypto routine
  – PoC:
    • Lack of tooling
    • Big difference between regular lib and security focused lib

13. TLS REFRESHER

14. Basics
• TLS is session layer (layer 5)
• Performs a handshake then provides crypto
• Transparent to protocol
• High RTT (at least 4 packets, 2 RTT for handshake)
• Offers session resumption
• Can authenticate both client and server
• Provides integrity and confidentiality
• Relies on TCP for packet delivery and ordering

15. Message format
• Has sub-protocols within the protocol:
  1. Handshake (negotiate parameters)
  2. Change Cipher Spec (signal a cipher change)
  3. Alert (error handling)
  4. Application data (move data)
• Each of these sub-protocols is encapsulated in a Record header which holds:
  – Proto version
  – Payload length
  – Payload type

16. TLS Record
• In charge of transporting the sub-protocols
• Record is always cleartext
• Payload length is not completely protected in TLS
• Records can be “stacked” inside a packet:
[Diagram: Record (Version, Size, Length) | Handshake, Data, … | Record | Handshake, Data, … | Record | Handshake, Data, …]

17. Handshake
• In charge of negotiating:
  – Compression
  – Crypto parameters
  – Initiating crypto material
• In charge of ensuring handshake is free of in transit tampering (finish message)
• Extensible (through TLS extensions)

18. Handshake quirks
• Max size: 2**16, can be TLS fragmented
• Some messages can have arbitrary trailing data (support for unknown extensions)
• Doesn’t need a certificate (anonymous RSA, DH and ECDH)
• Can have “stacked” handshakes in a record (Java)
[Diagram: Record | Handshake | Handshake | Handshake]

19. Application Data
• Encrypted + authenticated packets
• Cleartext is HMACd then padded => MAC then encrypt… Padding is not protected by the MAC
• Stream ciphers:
[Diagram: padded record: Record | Cleartext | HMAC | padding | Padding length, everything after the record header encrypted; stream cipher record: Record | Cleartext | HMAC, encrypted]

20. SCAPY-SSL_TLS

21. Introduction
• TLS & DTLS attack stack built above scapy
• Stateless (as much as possible)
• Packet crafting and dissecting
• Crypto session handling
• Sniffing (wire, pcap, …)

22. Why bother?
• TLS stacks are built to be robust
• Enforce input parameters to be valid
• Tear down connection on error
• Not very flexible

23. Goals
• Easy to install and use
• Simplify discovery and exploitation of TLS vulnerabilities
• Allow full control of any TLS field
• Tries very hard to maintain absolutely no state
• Good documentation and examples
• No checks or enforcements (up to user if desired)
• Sane defaults
• Transparent encryption

24. Features
• Full support:
  – SSLv3, TLS 1.0, TLS 1.1, TLS 1.2 and DTLS
  – RSA, DHE, ECDHE key exchanges with all available ciphers
  – RSA and DSA signature
  – All TLS records and extensions
  – Transparent decryption of TLS traffic
  – Client certs
• Missing:
  – AES-GCM and CCM

25. Installation
• Stable branch (v1.2.2 today):
  – pip install scapy-ssl_tls
• Dev branch (latest features + examples):
  – git clone https://github.com/tintinweb/scapy-ssl_tls
  – Or pip install git+https://github.com/tintinweb/scapy-ssl_tls@master
• Feature branches:
  – Replace @master by @branch

26. Concepts
• Start scapy
• All classes start with TLS:
  – Allows easy autocomplete
• What fields are available in a given TLS record?
  – ls(TLSClientHello)
• TLSSocket() is used to wrap the TCP socket
  – This is your base element to send/recv traffic
• Build packets scapy style:
  – p = TLSRecord()/TLSHandshake()/TLSClientHello()

27. DEMO
Packet crafting/parsing
28. Packet crafting/parsing
    # The slides run inside the scapy shell with scapy-ssl_tls loaded; the explicit
    # import is added here so the snippet also works as a standalone script.
    from scapy_ssl_tls.ssl_tls import *
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)

    socket_ = socket.socket()
    socket_.connect(host)
    # TLSSocket wraps the TCP socket: the base element to send/recv TLS traffic
    tls_socket = TLSSocket(socket_, client=True)

    # Build the ClientHello scapy style: Record / Handshake / ClientHello
    packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers)
    tls_socket.sendall(packet)
    response = tls_socket.recvall()
    response.show()
    # Dissected ECDH parameters from the ServerKeyExchange
    response[TLSServerECDHParams].show()
    # Crypto session state collected from the exchange so far
    print(tls_socket.tls_ctx)
29. Extensions
    from scapy_ssl_tls.ssl_tls import *  # added for standalone use; the slides run inside scapy
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)

    # SNI: which hostname the connection is destined to
    sni = TLSExtension() / TLSExtServerNameIndication(server_names=[TLSServerName(data="localhost", length=9)])
    # ALPN: which upper layer protocol is requested
    alpn = TLSExtension() / TLSExtALPN(protocol_name_list=[TLSALPNProtocol(data="h2")])
    # Ask the server to fragment records (Maximum Fragment Length Negotiation)
    frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=233)
    extensions = [sni, alpn, frag]

    socket_ = socket.socket()
    socket_.connect(host)
    tls_socket = TLSSocket(socket_, client=True)
    packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers, extensions=extensions)
    tls_socket.sendall(packet)
    response = tls_socket.recvall()
    response.show()
30. Transparent traffic decryption
    from scapy_ssl_tls.ssl_tls import *  # added for standalone use; the slides run inside scapy
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)
    app_payload = "GET / HTTP/1.1\r\nHOST: example.com\r\n\r\n"

    socket_ = socket.socket()
    socket_.connect(host)
    tls_socket = TLSSocket(socket_, client=True)
    # Handshake: negotiates the cipher and fills tls_socket.tls_ctx with the key material
    tls_do_handshake(tls_socket, version, ciphers)
    # Application data: to_raw() computes MAC, padding and encryption from the context
    tls_socket.sendall(to_raw(TLSPlaintext(data=app_payload), tls_socket.tls_ctx))
    # The response is decrypted transparently with the same context
    response = tls_socket.recvall()
    response.show()
    print(tls_socket.tls_ctx)
31. WHAT TO LOOK FOR

32. Basic recon
• Supported TLS versions
• Supported ciphers
• Supported compression methods
• Cipher preference ordering
• Certificates
• Trust chain

33. Recon
• Fingerprint possible fork
• OpenSSL empty plaintext fragment
• JSSE stacked handshake
• Difference in Alert type when tampering with Finish message

34. State machine
• Tricky testing: mostly manual work and knowledge of RFC
• Automated testing: FlexTLS:
  – Example: mono FlexApps.exe -s efin --connect localhost:8443
• Gives a good starting point for manual testing
• Lot of legacy stuff: server-gated cryptography anyone?

35. Diffie Hellman
• Check the validity of server (EC)DH params
  – Group size
  – Primality
  – Subgroup confinement attack (e.g: Off curve test (EC))
  – Signature algo used
  – …
• Send random values (small, non-prime, …)
• Scapy-ssl_tls uses TinyEC for EC calculation
• Allows to perform EC arithmetic
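The checks listed on this slide, for finite-field DH, as an added example in plain Python (not code from the slides or from scapy-ssl_tls): group size, primality of p, safe-prime structure, and whether the server public value lies in the prime-order subgroup. Assumptions: the 2048-bit threshold is the example's own, and the RFC 2409 group 2 prime is embedded only as sample input for the arithmetic.

```python
"""Offline validator for ServerDHParams (p, g, Ys) as received in a ServerKeyExchange.

Added example with the standard library only.  A client that skips these checks can be
confined to a small subgroup or handed a weak group; a server that fails them is a finding.
"""
import random

# Assumption of this example: groups below 2048 bits are reported as weak.
MIN_GROUP_BITS = 2048

# RFC 2409 group 2 (1024-bit MODP, a safe prime p = 2q + 1), sample input only.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
RFC2409_GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases: False for composites, True (w.h.p.) for primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    # Write n - 1 as d * 2**r with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def check_dh_params(p, g, ys):
    """Return a list of findings for ServerDHParams; an empty list means the params look sane."""
    findings = []
    if p.bit_length() < MIN_GROUP_BITS:
        findings.append("group size %d bits below %d" % (p.bit_length(), MIN_GROUP_BITS))
    if not is_probable_prime(p):
        findings.append("p is composite")
        return findings  # the remaining checks assume a prime modulus
    q = (p - 1) // 2
    safe_prime = is_probable_prime(q)
    if not safe_prime:
        findings.append("p is not a safe prime (q=(p-1)/2 composite): small subgroups possible")
    if not 2 <= g <= p - 2:
        findings.append("generator out of range [2, p-2]")
    # 0, 1 and p-1 (order 1 or 2) are the classic confinement values and never valid
    if not 2 <= ys <= p - 2:
        findings.append("server public value out of range [2, p-2]")
    elif safe_prime and pow(ys, q, p) != 1:
        # Ys is not in the order-q subgroup: confinement attempt or a broken server
        findings.append("server public value not in the prime-order subgroup")
    return findings
```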
36. Side channels (RSA)
• Pre Master Secret is decrypted
• TLS mandates PKCS1 v1.5 for padding
• This needs to be constant time, see classic Bleichenbacher
• Time and check for response difference on invalid padding (alert vs tcp reset)
• Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS

37. Side channels (ciphers)
• Padding and MAC checks must be constant time
• Alert type must be identical
• Time and check response when flipping bytes in padding and MAC

38. Proper byte checking
• Some implementations only verify a few bytes of padding, MAC and verify_data (finish hash)
• All bytes must be checked for obvious reasons
• Send application data packets with flipped padding, MAC and verify_data
• Make sure you always get an alert
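The record check that slides 19, 37 and 38 describe, modelled in plain Python as an added example (not code from the slides or scapy-ssl_tls): the MAC-then-pad layout after decryption, a strict verifier that compares every padding byte and the whole MAC, a lax one that trusts only the padding-length byte, and a byte flip showing why the lax one passes a test it should fail. Assumptions: the MAC key and the sample record are constructed here, and the encryption step is left out so the functions operate on the decrypted record body.

```python
"""TLS 1.0-1.2 CBC record body: data || MAC || padding || padding_length.

Added example.  Both checks return (ok, data); the strict one reports padding and MAC
failures identically, as a stack must, so the caller cannot tell them apart.
"""
import hashlib
import hmac
import struct

MAC_KEY = b"constructed-mac-key"          # sample key, constructed for this example
MAC_LEN = hashlib.sha1().digest_size      # 20 bytes for the *_SHA cipher suites
BLOCK = 16                                # AES block size


def record_mac(seq, content_type, version, data):
    """Record MAC: HMAC(key, seq_num || type || version || length || data)."""
    header = struct.pack("!QBHH", seq, content_type, version, len(data))
    return hmac.new(MAC_KEY, header + data, hashlib.sha1).digest()


def build_plaintext_block(seq, content_type, version, data, extra_blocks=0):
    """Build data || MAC || padding || padding_length, block aligned.

    TLS allows any padding length up to 255 bytes as long as the total is block
    aligned; extra_blocks adds whole blocks of padding to exercise that rule.
    """
    body = data + record_mac(seq, content_type, version, data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK + extra_blocks * BLOCK
    if pad_len > 255:
        raise ValueError("padding would exceed 255 bytes")
    # Every padding byte, including the final length byte, carries the value pad_len
    return body + bytes([pad_len]) * (pad_len + 1)


def strict_check(seq, content_type, version, decrypted):
    """What a correct stack does: verify every padding byte and the whole MAC."""
    pad_len = decrypted[-1]
    if pad_len + 1 + MAC_LEN > len(decrypted):
        return False, b""
    padding = decrypted[-(pad_len + 1):]
    padding_ok = hmac.compare_digest(padding, bytes([pad_len]) * (pad_len + 1))
    body = decrypted[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    # Compute the MAC check even when the padding already failed, so both paths cost the same
    mac_ok = hmac.compare_digest(mac, record_mac(seq, content_type, version, data))
    ok = padding_ok and mac_ok
    return ok, (data if ok else b"")


def lax_check(seq, content_type, version, decrypted):
    """The shortcut some implementations take: only the padding_length byte is looked at."""
    pad_len = decrypted[-1]
    body = decrypted[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, record_mac(seq, content_type, version, data)), data


def flip_byte(buf, index):
    """Flip one byte of the record body, as the deck's pre_encrypt_hook does before encryption."""
    return buf[:index] + bytes([buf[index] ^ 0xFF]) + buf[index + 1:]
```

On the sample record the padding starts at offset 36; flipping it is accepted by lax_check and rejected by strict_check, while flipping a MAC byte (offset 16) is rejected by both.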
39. DDoS
• DTLS is UDP
• Returns a certificate chain on first packet
• DTLS hello => 64 bytes
• DTLS response => can be several kB
• Protection is built into the protocol, but is a MAY => HelloVerifyRequest
• Make sure to check cookie is returned upon multiple spoofed requests

40. Fragmentation
• Any packet above 2**14 (16384) bytes must be fragmented
• But any fragment size can be chosen
• Few stacks support TLS re-assembly
• Can be used to bypass devices which parse TLS, but fail-open
• Server can be requested to fragment using the Maximum Fragment Length Negotiation extension
• DTLS allows to specify the fragment offset in the handshake
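Record fragmentation and reassembly as an added plain-Python example (not code from the slides or scapy-ssl_tls): the record headers are built by hand so the effect of the fragment size passed to the deck's tls_fragment_payload() is visible byte by byte, and the reassembler applies the length checks a parser that claims TLS support should make instead of failing open. The handshake body used as sample input is constructed.

```python
"""TLS record fragmentation: split one message into records, then reassemble a byte stream.

Added example with the standard library only.  Only the 2**14 upper bound on a fragment
is fixed by the RFC; the sender is free to pick any smaller size.
"""
import struct

MAX_FRAGMENT = 2 ** 14   # 16384 bytes of plaintext per record
HANDSHAKE = 22           # ContentType.handshake
TLS_1_2 = 0x0303


def fragment_payload(payload, content_type=HANDSHAKE, version=TLS_1_2, frag_size=MAX_FRAGMENT):
    """Split one protocol message into records carrying at most frag_size bytes each."""
    if not 1 <= frag_size <= MAX_FRAGMENT:
        raise ValueError("fragment size must be within 1..2**14")
    records = []
    for offset in range(0, len(payload), frag_size):
        chunk = payload[offset:offset + frag_size]
        # Record header: content type (1), version (2), length (2), then the fragment
        records.append(struct.pack("!BHH", content_type, version, len(chunk)) + chunk)
    return records


def reassemble(stream):
    """Parse back-to-back records and merge consecutive records of the same content type.

    Returns a list of (content_type, payload).  Oversized and truncated records are
    rejected rather than passed on, which is where fail-open parsers go wrong.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        if pos + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % pos)
        content_type, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if length > MAX_FRAGMENT:
            raise ValueError("record length %d exceeds 2**14" % length)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        pos += 5 + length
        if messages and messages[-1][0] == content_type:
            # Continuation of the previous message: append the fragment
            messages[-1] = (content_type, messages[-1][1] + body)
        else:
            messages.append((content_type, body))
    return messages


def handshake_complete(payload):
    """True when a reassembled handshake payload carries exactly its declared 3-byte length."""
    return len(payload) >= 4 and len(payload) == 4 + int.from_bytes(payload[1:4], "big")


def validate_stream(stream):
    """None when the stream parses cleanly, otherwise the parser's error message."""
    try:
        reassemble(stream)
    except ValueError as err:
        return str(err)
    return None


def sample_handshake():
    """Constructed handshake message: type 1 (ClientHello), 40-byte body."""
    body = bytes(range(40))
    return bytes([1]) + len(body).to_bytes(3, "big") + body
```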
41. CRYPTO HOOKS

42. tls_to_raw
• Scapy-ssl_tls exposes tls_to_raw()
• Calculates all crypto material for the packet
• Exposes some hooks:
  – At compression time
  – Pre and post encryption
• Allows to act on pre-calculated padding and MACs
    to_raw(pkt, tls_ctx, include_record=True, compress_hook=None, pre_encrypt_hook=None, encrypt_hook=None)

43. Crypto container
• All crypto material stored in a CryptoContainer:
  – IV, mac, padding, padding length
• Passed to and returned by crypto hooks:
    index = 0  # offset of the padding byte to flip; chosen by the caller (assumed here)

    def modify_padding(crypto_container):
        # Runs after MAC and padding are computed, before encryption: flip one padding byte
        padding = crypto_container.padding
        byte_flip = chr(ord(padding[index]) ^ 0xff)
        crypto_container.padding = "%s%s%s" % (padding[:index], byte_flip, padding[index + 1:])
        return crypto_container

    # tls_socket: a TLSSocket on which tls_do_handshake() has completed; data: the cleartext to send
    tls_to_raw(TLSPlaintext(data=data), tls_socket.tls_ctx, pre_encrypt_hook=modify_padding)

44. Usage
• Very useful to modify crypto state
• Without keeping track of PRF, ciphers, MACs, …
• Allows to easily reproduce attacks on crypto material

45. DEMO
POODLE2 CHECK

46. DEMO
Fragmentation
47. Fragmentation code
    from scapy_ssl_tls.ssl_tls import *  # added for standalone use; the slides run inside scapy
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)
    # Ask the server to fragment its own records too (Maximum Fragment Length Negotiation)
    frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=1)
    extensions = [frag]

    s = socket.socket()
    s.connect(host)
    ts = TLSSocket(s, client=True)
    # The handshake payload is built without its record; tls_fragment_payload() splits it
    # into 16-byte fragments, each wrapped in a copy of the given record header
    payload = TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers, extensions=extensions)
    frags = tls_fragment_payload(payload, TLSRecord(version=version, content_type=TLSContentType.HANDSHAKE), 16)
    ts.sendall(frags)
    r = ts.recvall()
48. CONCLUSION

49. Strengths
• Scapy-ssl_tls can speed up PoC development
• PoC can be re-used as part of testing QA and regression
• Valuable to reproduce findings & develop mitigations
• Help in learning & experimenting with TLS

50. Thanks
• Thanks to tintinweb who started the project
• Bugs: https://github.com/tintinweb/scapy-ssl_tls/
• Contact:
  – Github: alexmgr

51. THANKS

52. IF TIME ALLOWS
53. Fuzzing
• Provides basic fuzzing through scapy
• Tries to be smart by preserving semantically necessary fields
• Use fuzz() function on any element
    fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2()
    ###[ TLS Record ]###
      content_type= handshake      <= preserved
      version= 0x7391              <= fuzzed
      length= 0x6                  <= preserved
    ###[ TLS Handshake ]###
      type= supplemental_data      <= overridden
      length= 0x2                  <= preserved
    ###[ Raw ]###
      load= '(r'                   <= fuzzed
54. Fuzzing
• Only good for basic fuzzing
• Simple to plug in your own fuzzer
• Just generate data, scapy-ssl_tls takes care of the rest
• Good targets: TLS extensions, certificates, …

55. Examples
• The example section contains some useful base tools:
  – RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark)
  – Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …)
  – Downgrade test
  – …
• Just baselines to write your own tools

Editor's notes

1. I’m quite slow, so to fully understand something, I need to repro and play with it.

2. Customers don’t always understand the practical impact. No kidding, sometimes as a security engineer it takes you a few hours/days. But your response team has to provide a statement quickly. Both approaches require you to understand the issue in depth. But it’s harder to make a mistake with a PoC. It’s also easier to perform code review with a PoC. A PoC provides reproducibility, which provides Q&A and regression for free.

3. CCS encrypts one byte under the current cipher state. The next packet will be encrypted with the new cipher. All attacks are on 1 (handshake) or 4 (app data). No attacks on the record layer.

4. Compression is not a good idea. See CRIME. Crypto parameters:
  - Kex (what is used to exchange the PMS)? ECDH, DH, RSA, …
  - Sig (what is used to sign the Kex)?
  - Cipher used (stream, CBC)
  - HMAC hash algo to generate the MAC
Notice that the signature method for the Kex is not specified. Hardcoded as MD5+SHA in the spec. Configured through a TLS extension in TLS 1.2. The TLS finish message is the first encrypted message and carries the hash of previous messages. It assures that both client and server agree about the messages exchanged.

5. ALPN tells the server which upper layer protocol is negotiated (http2, SPDY, …). SNI tells which hostname the TLS connection is destined to. Allows the server to return the right cert when TLS sites are co-hosted.

6. PRF is a mixing function which uses MD5+SHA1 until TLS 1.2. TLS 1.2 uses SHA256.

7. Fragment size is 2**14, so a handshake payload can be fragmented across several records. This is an interesting edge case, especially for DTLS where one can specify both the fragment sequence and offset. Exposes interesting attacks, very similar to IP fragmentation. Arbitrary trailing data: Sloth used pre-images in MD5 TLS 1.2 to MITM TLS connections (+ known weak DH params). Stacked handshakes can be used to fingerprint TLS stacks to some extent.

8. Source of problems that we know of, poodle, poodle2…

9. Explicit IVs are the cause of the delay in migration to TLS 1.1 I think. Force to reset the state of the cipher.

10. Writing an offensive stack is very different. All recommendations you normally provide to devs should be ignored. Do not validate length, format, signatures, … All validation is up to you, scapy-ssl_tls only reports data.

11. Demo steps:
    cd /Users/amoneger/projects/contrib/scapy-ssl_tls
    tests/integration/openssl_tls_server.sh tls1_2
Enter TLS and press tab to autocomplete. Craft a TLSRecord with a TLSHandshake. Do a show(), do a ls(). Modify the length field of the record.

12. Code for the packet crafting/parsing demo:
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)

    socket_ = socket.socket()
    socket_.connect(host)
    tls_socket = TLSSocket(socket_, client=True)
    packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers)
    tls_socket.sendall(packet)
    response = tls_socket.recvall()
    response.show()
    response[TLSServerECDHParams].show()
    print(tls_socket.tls_ctx)

13. Code for the extensions demo:
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)
    sni = TLSExtension() / TLSExtServerNameIndication(server_names=[TLSServerName(data="localhost", length=9)])
    alpn = TLSExtension() / TLSExtALPN(protocol_name_list=[TLSALPNProtocol(data="h2")])
    frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=233)
    extensions = [sni, alpn, frag]

    socket_ = socket.socket()
    socket_.connect(host)
    tls_socket = TLSSocket(socket_, client=True)
    packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers, extensions=extensions)
    tls_socket.sendall(packet)
    response = tls_socket.recvall()
    response.show()

14. Talk about tls_context and the various crypto parameters.
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)
    app_payload = "GET / HTTP/1.1\r\nHOST: example.com\r\n\r\n"

    socket_ = socket.socket()
    socket_.connect(host)
    tls_socket = TLSSocket(socket_, client=True)
    # Handshake
    tls_do_handshake(tls_socket, version, ciphers)
    # Application data
    tls_socket.sendall(to_raw(TLSPlaintext(data=app_payload), tls_socket.tls_ctx))
    response = tls_socket.recvall()
    response.show()
    print(tls_socket.tls_ctx)

15. For ciphers, check SCSV for downgrade prevention.

16. Custom stacks seem to generally be forks of OSS projects at one stage. It is interesting to try and fingerprint where it comes from, to then try and look for known implementation vulnerabilities on the stack. You can probably pinpoint the version with some research.

17. FlexTLS is based on miTLS, which is a verified reference implementation of TLS. It implements a number of known attacks against the TLS state machine. Source code was only very recently released. A great reference tool to go after the TLS state machine. Server-gated cryptography: client renegotiation based on the server cert.

18. Mention that the PMS should start with the handshake client version. Prevents rollback attacks.

19. Padding in TLS can be any length up to 255 bytes. Check that the implementation respects that.

20. DTLS is like IP from the old days ;) Possible values start at 2**9 = 512. Only active after the Server Hello is received.

21. Demo steps:
    cd /Users/amoneger/projects/contrib/scapy-ssl_tls
    tests/integration/openssl_tls_server.sh ssl3
    python examples/padding_and_mac_checks.py localhost 8443 770
    tests/integration/openssl_tls_server.sh tls1
    python examples/padding_and_mac_checks.py

22. Demo steps, then the fragmentation code with a 4-byte maximum fragment length requested from the server:
    cd /Users/amoneger/projects/contrib/scapy-ssl_tls
    tests/integration/openssl_tls_server.sh tls1_2

    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)
    frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=4)
    extensions = [frag]

    s = socket.socket()
    s.connect(host)
    ts = TLSSocket(s, client=True)
    payload = TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers, extensions=extensions)
    frags = tls_fragment_payload(payload, TLSRecord(version=version, content_type=TLSContentType.HANDSHAKE), 16)
    ts.sendall(frags)
    r = ts.recvall()

23. Same fragmentation code without sending the extension in the ClientHello (frag is built but not attached):
    import socket

    version = TLSVersion.TLS_1_2
    ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]
    host = ("localhost", 8443)
    frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=1)
    extensions = [frag]

    s = socket.socket()
    s.connect(host)
    ts = TLSSocket(s, client=True)
    payload = TLSHandshake() / TLSClientHello(version=version, cipher_suites=ciphers)
    frags = tls_fragment_payload(payload, TLSRecord(version=version, content_type=TLSContentType.HANDSHAKE), 16)
    ts.sendall(frags)
    r = ts.recvall()