SlideShare une entreprise Scribd logo

Scapy TLS: Script TLS Stacks for Testing

Télécharger en tant que PPTX, PDF
A
Alexandre Moneger

Quick talk on how to leverage scapy-ssl_tls to perform TLS 1.3 testing. Covers which area of the stack are less vulnerable with TLS 1.3 as opposed to 1.2.

Ingénierie
1  sur  36
Scapy TLS: a scriptable TLS 1.3 stack Alex Moneger
Agenda 1. TLS attacks timeline 2. Difficulty in reproducing attacks 3. Scapy-ssl_tls goals 4. Quick demo of scapy-ssl_tls capabilities 5. Custom TLS stacks, what to look for? 6. Fuzzing capabilities 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 1
Introduction • TLS is a critical protocol to the internet • Very few alternatives • Session layer protocol for other protocols • Very complex 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 2
TLS PROTOCOL LEVEL ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 3
Introduction • Protocol under scrutiny • Growth of the number of protocol level attacks • Numerous implementation bugs 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 4
Timeline 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 5 Renegotiation 2009 20162013 BEAST CRIME 2014 2015201220112010 BREACH Lucky13 POODLE POODLE2 FREAK LOGJAM SLOTH THS
Observations • TLS protocol attacks increase: – Frequency – Complexity • 2 classes: – Protocol level – Crypto level 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 6
REPRODUCING ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 7
Problems • Understand the attack properly • Practical impact (as opposed to theoretical problem) • Reproducibility • Fix (dev + Q&A) • Fix for good (regression) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 8
Response • Customers do not always understand the practical impact • Your response team has to provide a definite answer • 2 solutions for custom implementations: – Crypto code review: • Lack of comparison point • Hard to get the full picture when deep into a crypto routine – PoC: • Lack of tooling • Big difference between regular lib and security focused lib 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 9
SCAPY-SSL_TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 10
Introduction • TLS & DTLS scriptable stack built above scapy • Stateless (as much as possible) • Packet crafting and dissecting • Crypto session handling • Sniffing (wire, pcap, …) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 11
Why bother? • TLS stacks are built to be robust • Enforce input parameters to be valid • Tear down connection on error • Not very flexible 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 12
Goals • Easy to install and use • Simplify discovery and exploitation of TLS vulnerabilities • Allow full control of any TLS field • Tries very hard to maintain absolutely no state • Good documentation and examples • No checks or enforcements (up to user if desired) • Sane defaults • Transparent encryption 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 13
Concepts • Start scapy • All classes start with TLS: – Allows easy autocomplete • What fields are available in a given TLS record? – ls(TLSClientHello) • TLSSocket() is used to wrap the TCP socket – This is your base element to send/recv traffic • Build packets scapy style: – p = TLSRecord()/TLSHandshake()/TLSClientHello() 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 14
DEMO Packet crafting/parsing 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 15
A simple TLS 1.3 client with TLSSocket(client=True) as tls_socket: try: tls_socket.connect(ip) print("Connected to server: %s" % (ip,)) except socket.timeout: print("Failed to open connection to server: %s" % (ip,), file=sys.stderr) else: try: server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions) server_hello.show() except TLSProtocolError as tpe: print("Got TLS error: %s" % tpe, file=sys.stderr) tpe.response.show() else: resp = tls_socket.do_round_trip(TLSPlaintext(data="GET / HTTP/1.1rnHOST: localhostrnrn")) print("Got response from server") resp.show() finally: print(tls_socket.tls_ctx) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 16
Viewing a packet ###[ TLS Record ]### content_type= handshake version= TLS_1_0 length= 0x36 ###[ TLS Handshakes ]### handshakes |###[ TLS Handshake ]### | type= client_hello | length= 0x32 |###[ TLS Client Hello ]### | version= TLS_1_2 | gmt_unix_time= 1494985553 | random_bytes= 'xa6;x10{x0fx7fUx88xeaHxc6xafxf8xe4xedxd56x07xcfxd6x85xc1^xbdx1fxa3x02x85' | session_id_length= 0x0 | session_id= '' | cipher_suites_length= 0x2 | cipher_suites= ['ECDHE_RSA_WITH_AES_256_GCM_SHA384'] | compression_methods_length= 0x1 | compression_methods= ['NULL'] | extensions_length= 0x7 | extensions | |###[ TLS Extension ]### | | type= supported_versions | | length= 0x3 | |###[ TLS Extension Supported Versions ]### | | length= 0x2 | | versions= ['TLS_1_3_DRAFT_18'] 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 17
A TLS 1.3 server server_hello = TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSServerHello(version=version, cipher_suite=TLSCipherSuite.TLS_AES_256_GCM_SHA384, extensions=[key_share])]) client_socket.sendall(server_hello) client_socket.sendall(TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSEncryptedExtensions(extensions=[named_groups]), TLSHandshake() / TLSCertificateList() / TLS13Certificate( certificates=certificates)])) client_socket.sendall(TLSHandshakes(handshakes=[ TLSHandshake() / TLSCertificateVerify(alg=TLSSignatureScheme.RSA_PKCS1_SHA256, sig=client_socket.tls_ctx.compute_server_cert_verify())])) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 18
WHAT TO LOOK FOR 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 19
Recon • Fingerprint possible fork • OpenSSL empty plaintext fragment • JSSE, NSS stacked handshake • Difference in Alert type when tampering with Finish message • Alert is loosely defined, so stack specific 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 20
State machine • Tricky testing: mostly manual work and knowledge of RFC • Automated testing: FlexTLS: – Example: mono FlexApps.exe -s efin --connect localhost:8443 • Gives a good starting point for manual testing • Lot of legacy stuff: server-gated cryptography anyone? 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 21
Diffie Hellman • Check the validity of server (EC)DH params – Group size – Primality – Subgroup confinement attack (e.g: Off curve test (EC)) – Signature algo used – … • Send interesting values (small, non-prime, …) • Scapy-ssl_tls uses TinyEC for EC calculation • Allows to perform EC arithmetic 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 22
Side channels (RSA) • Pre Master Secret is decrypted • TLS mandates PKCS1 v1.5 for padding • This needs to be constant time, see classic Bleichenbacher • Time and Check for response difference on invalid padding (alert vs tcp reset) • Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 23
Side channels (ciphers) • Padding and MAC checks must be constant time • Alert type must be identical • Time and check response when flipping bytes in padding and MAC • Check for nonce reuse 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 24
Proper byte checking • Some implementation only verify a few bytes of padding, MAC and verify_data (finish hash) • All bytes must be checked for obvious reasons • Send application data packets with flipped padding, MAC and verify_data • Make sure you always get an alert 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 25
Fragmentation • Any packet above 2**14 (16384) bytes must be fragmented • But any fragment size can be chosen • Some stacks don’t cope well with TLS re-assembly • Can be used to bypass devices which parse TLS, but fail- open • Server can be requested to fragment using the Maximum Fragment Length Negotiation extension • DTLS allows to specify the fragment offset in the handshake 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 26
TLS 1.3 specific • Spec doesn’t leave a lot of room for implementation errors • Handling of 0-RTT, early data, PFS • Resumption checks (SNI) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 27
CONCLUSION 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 28
Strengths • Scapy-ssl_tls can speed up PoC development • PoC can be re-used as part of testing QA and regression • Valuable to reproduce findings & develop mitigations • Help in learning & experimenting with TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 29
Thanks • Thanks to tintinweb who started the project • Bugs: https://github.com/tintinweb/scapy- ssl_tls/ • Contact: – Github: alexmgr 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 30
THANKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 31
IF TIME ALLOWS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 32
Fuzzing • Provides basic fuzzing through scapy • Tries to be smart by preserving semantically necessary fields • Use fuzz() function on any element 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 33 fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2() ###[ TLS Record ]### content_type= handshake <= preserved version= 0x7391 <= fuzzed length= 0x6 <= preserved ###[ TLS Handshake ]### type= supplemental_data <= overriden length= 0x2 <= preserved ###[ Raw ]### load= '(r’ <= fuzzed
Fuzzing • Only good for basic fuzzing • Simple to plug in your own fuzzer • Just generate data, scapy-ssl_tls takes care of the rest • Good targets: TLS extensions, certificates, … 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 34
Examples • The example section contains some useful base tools: – RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark) – Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …) – Downgrade test – … • Just baselines to write your own tools 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 35

Recommandé

NGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX, Inc.
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
DMVPN
DMVPNDMVPN
DMVPNNetProtocol Xpert
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch IntroductionHungWei Chiu
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowJoel W. King
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
TRex Realistic Traffic Generator - Stateless support
TRex Realistic Traffic Generator - Stateless support TRex Realistic Traffic Generator - Stateless support
TRex Realistic Traffic Generator - Stateless support Hanoch Haim
 

Recommandé

NGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX, Inc.
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
DMVPN
DMVPNDMVPN
DMVPNNetProtocol Xpert
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch IntroductionHungWei Chiu
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowJoel W. King
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
TRex Realistic Traffic Generator - Stateless support
TRex Realistic Traffic Generator - Stateless support TRex Realistic Traffic Generator - Stateless support
TRex Realistic Traffic Generator - Stateless support Hanoch Haim
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1whitehat 'People'
 
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...David kankam
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsPatrick Coble
 
Proxmox Clustering with CEPH
Proxmox Clustering with CEPHProxmox Clustering with CEPH
Proxmox Clustering with CEPHFahadIbrar5
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and TuningNGINX, Inc.
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could dosarahnovotny
 
Microservices Network Architecture 101
Microservices Network Architecture 101Microservices Network Architecture 101
Microservices Network Architecture 101Cumulus Networks
 
Microservices Meetup San Francisco - August 2017 Talk on NATS
Microservices Meetup San Francisco - August 2017 Talk on NATSMicroservices Meetup San Francisco - August 2017 Talk on NATS
Microservices Meetup San Francisco - August 2017 Talk on NATSNATS
 
Kali linux guia español
Kali linux guia españolKali linux guia español
Kali linux guia españolHomero de la Barra
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Prometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemPrometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemFabian Reinartz
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityJean-Paul Azar
 
Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questionsTeja Bheemanapally
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Seung-Hoon Baek
 
[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기NAVER D2
 
Improved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerImproved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerJulien Pivotto
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 
Why Many Websites are still Insecure (and How to Fix Them)
Why Many Websites are still Insecure (and How to Fix Them)Why Many Websites are still Insecure (and How to Fix Them)
Why Many Websites are still Insecure (and How to Fix Them)Cloudflare
 
Vulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityVulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityMiguel Pardal
 

Contenu connexe

Tendances

EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1whitehat 'People'
 
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...David kankam
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsPatrick Coble
 
Proxmox Clustering with CEPH
Proxmox Clustering with CEPHProxmox Clustering with CEPH
Proxmox Clustering with CEPHFahadIbrar5
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and TuningNGINX, Inc.
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could dosarahnovotny
 
Microservices Network Architecture 101
Microservices Network Architecture 101Microservices Network Architecture 101
Microservices Network Architecture 101Cumulus Networks
 
Microservices Meetup San Francisco - August 2017 Talk on NATS
Microservices Meetup San Francisco - August 2017 Talk on NATSMicroservices Meetup San Francisco - August 2017 Talk on NATS
Microservices Meetup San Francisco - August 2017 Talk on NATSNATS
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Prometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemPrometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemFabian Reinartz
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityJean-Paul Azar
 
Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questionsTeja Bheemanapally
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Seung-Hoon Baek
 
[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기NAVER D2
 
Improved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerImproved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerJulien Pivotto
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 

Tendances (20)

EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
 
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...
Palo Alto U turn NAT for inside user's to access Web Server in a different Zo...
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack MethodsDerbyCon 7 - Hacking VDI, Recon and Attack Methods
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
 
Proxmox Clustering with CEPH
Proxmox Clustering with CEPHProxmox Clustering with CEPH
Proxmox Clustering with CEPH
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and Tuning
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could do
 
Microservices Network Architecture 101
Microservices Network Architecture 101Microservices Network Architecture 101
Microservices Network Architecture 101
 
Microservices Meetup San Francisco - August 2017 Talk on NATS
Microservices Meetup San Francisco - August 2017 Talk on NATSMicroservices Meetup San Francisco - August 2017 Talk on NATS
Microservices Meetup San Francisco - August 2017 Talk on NATS
 
Kali linux guia español
Kali linux guia españolKali linux guia español
Kali linux guia español
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
 
Prometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemPrometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring System
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka Security
 
Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questions
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
 
[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기
 
Improved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerImproved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and Alertmanager
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic Control
 

Similaire à Scapy TLS: Script TLS Stacks for Testing

Why Many Websites are still Insecure (and How to Fix Them)
Why Many Websites are still Insecure (and How to Fix Them)Why Many Websites are still Insecure (and How to Fix Them)
Why Many Websites are still Insecure (and How to Fix Them)Cloudflare
 
Vulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityVulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityMiguel Pardal
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL
 
Java 9 Security Enhancements in Practice
Java 9 Security Enhancements in PracticeJava 9 Security Enhancements in Practice
Java 9 Security Enhancements in PracticeMartin Toshev
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!OWASP
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 
Random musings on SSL/TLS configuration
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configurationextremeunix
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 

Similaire à Scapy TLS: Script TLS Stacks for Testing (20)

Why Many Websites are still Insecure (and How to Fix Them)
Why Many Websites are still Insecure (and How to Fix Them)Why Many Websites are still Insecure (and How to Fix Them)
Why Many Websites are still Insecure (and How to Fix Them)
 
Vulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer SecurityVulnerability-tolerant Transport Layer Security
Vulnerability-tolerant Transport Layer Security
 
Rootconf2019
Rootconf2019Rootconf2019
Rootconf2019
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
 
Wireless LAN Security Fundamentals
Wireless LAN Security FundamentalsWireless LAN Security Fundamentals
Wireless LAN Security Fundamentals
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
 
Java 9 Security Enhancements in Practice
Java 9 Security Enhancements in PracticeJava 9 Security Enhancements in Practice
Java 9 Security Enhancements in Practice
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
Cours4.pptx
Cours4.pptxCours4.pptx
Cours4.pptx
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
暗認本読書会9
暗認本読書会9暗認本読書会9
暗認本読書会9
 
Go paranoid
Go paranoidGo paranoid
Go paranoid
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 
Random musings on SSL/TLS configuration
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configuration
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
 

Plus de Alexandre Moneger

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceAlexandre Moneger
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacksAlexandre Moneger
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old daysAlexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsAlexandre Moneger
 

Plus de Alexandre Moneger (13)

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friend
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
 

Dernier

Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 
Steel Structures - Building technology.pptx
Steel Structures - Building technology.pptxSteel Structures - Building technology.pptx
Steel Structures - Building technology.pptxNikhil Raut
 
Internet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxInternet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxVelmuruganTECE
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptJasonTagapanGulla
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptMadan Karki
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvLewisJB
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the weldingMuhammadUzairLiaqat
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxsiddharthjain2303
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsSachinPawar510423
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfAsst.prof M.Gokilavani
 

Dernier (20)

Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
Steel Structures - Building technology.pptx
Steel Structures - Building technology.pptxSteel Structures - Building technology.pptx
Steel Structures - Building technology.pptx
 
Internet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxInternet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptx
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.ppt
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.ppt
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the welding
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptx
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documents
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
 

Scapy TLS: Script TLS Stacks for Testing

  • 1. Scapy TLS: a scriptable TLS 1.3 stack Alex Moneger
  • 2. Agenda 1. TLS attacks timeline 2. Difficulty in reproducing attacks 3. Scapy-ssl_tls goals 4. Quick demo of scapy-ssl_tls capabilities 5. Custom TLS stacks, what to look for? 6. Fuzzing capabilities 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 1
  • 3. Introduction • TLS is a critical protocol to the internet • Very few alternatives • Session layer protocol for other protocols • Very complex 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 2
  • 4. TLS PROTOCOL LEVEL ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 3
  • 5. Introduction • Protocol under scrutiny • Growth of the number of protocol level attacks • Numerous implementation bugs 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 4
  • 6. Timeline 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 5 Renegotiation 2009 20162013 BEAST CRIME 2014 2015201220112010 BREACH Lucky13 POODLE POODLE2 FREAK LOGJAM SLOTH THS
  • 7. Observations • TLS protocol attacks increase: – Frequency – Complexity • 2 classes: – Protocol level – Crypto level 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 6
  • 8. REPRODUCING ATTACKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 7
  • 9. Problems • Understand the attack properly • Practical impact (as opposed to theoretical problem) • Reproducibility • Fix (dev + Q&A) • Fix for good (regression) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 8
  • 10. Response • Customers do not always understand the practical impact • Your response team has to provide a definite answer • 2 solutions for custom implementations: – Crypto code review: • Lack of comparison point • Hard to get the full picture when deep into a crypto routine – PoC: • Lack of tooling • Big difference between regular lib and security focused lib 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 9
  • 11. SCAPY-SSL_TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 10
  • 12. Introduction • TLS & DTLS scriptable stack built above scapy • Stateless (as much as possible) • Packet crafting and dissecting • Crypto session handling • Sniffing (wire, pcap, …) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 11
  • 13. Why bother? • TLS stacks are built to be robust • Enforce input parameters to be valid • Tear down connection on error • Not very flexible 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 12
  • 14. Goals • Easy to install and use • Simplify discovery and exploitation of TLS vulnerabilities • Allow full control of any TLS field • Tries very hard to maintain absolutely no state • Good documentation and examples • No checks or enforcements (up to user if desired) • Sane defaults • Transparent encryption 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 13
  • 15. Concepts • Start scapy • All classes start with TLS: – Allows easy autocomplete • What fields are available in a given TLS record? – ls(TLSClientHello) • TLSSocket() is used to wrap the TCP socket – This is your base element to send/recv traffic • Build packets scapy style: – p = TLSRecord()/TLSHandshake()/TLSClientHello() 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 14
  • 16. DEMO Packet crafting/parsing 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 15
  • 17. A simple TLS 1.3 client with TLSSocket(client=True) as tls_socket: try: tls_socket.connect(ip) print("Connected to server: %s" % (ip,)) except socket.timeout: print("Failed to open connection to server: %s" % (ip,), file=sys.stderr) else: try: server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions) server_hello.show() except TLSProtocolError as tpe: print("Got TLS error: %s" % tpe, file=sys.stderr) tpe.response.show() else: resp = tls_socket.do_round_trip(TLSPlaintext(data="GET / HTTP/1.1rnHOST: localhostrnrn")) print("Got response from server") resp.show() finally: print(tls_socket.tls_ctx) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 16
  • 18. Viewing a packet ###[ TLS Record ]### content_type= handshake version= TLS_1_0 length= 0x36 ###[ TLS Handshakes ]### handshakes |###[ TLS Handshake ]### | type= client_hello | length= 0x32 |###[ TLS Client Hello ]### | version= TLS_1_2 | gmt_unix_time= 1494985553 | random_bytes= 'xa6;x10{x0fx7fUx88xeaHxc6xafxf8xe4xedxd56x07xcfxd6x85xc1^xbdx1fxa3x02x85' | session_id_length= 0x0 | session_id= '' | cipher_suites_length= 0x2 | cipher_suites= ['ECDHE_RSA_WITH_AES_256_GCM_SHA384'] | compression_methods_length= 0x1 | compression_methods= ['NULL'] | extensions_length= 0x7 | extensions | |###[ TLS Extension ]### | | type= supported_versions | | length= 0x3 | |###[ TLS Extension Supported Versions ]### | | length= 0x2 | | versions= ['TLS_1_3_DRAFT_18'] 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 17
  • 19. A TLS 1.3 server server_hello = TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSServerHello(version=version, cipher_suite=TLSCipherSuite.TLS_AES_256_GCM_SHA384, extensions=[key_share])]) client_socket.sendall(server_hello) client_socket.sendall(TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSEncryptedExtensions(extensions=[named_groups]), TLSHandshake() / TLSCertificateList() / TLS13Certificate( certificates=certificates)])) client_socket.sendall(TLSHandshakes(handshakes=[ TLSHandshake() / TLSCertificateVerify(alg=TLSSignatureScheme.RSA_PKCS1_SHA256, sig=client_socket.tls_ctx.compute_server_cert_verify())])) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 18
  • 20. WHAT TO LOOK FOR 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 19
  • 21. Recon • Fingerprint possible fork • OpenSSL empty plaintext fragment • JSSE, NSS stacked handshake • Difference in Alert type when tampering with Finish message • Alert is loosely defined, so stack specific 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 20
  • 22. State machine • Tricky testing: mostly manual work and knowledge of RFC • Automated testing: FlexTLS: – Example: mono FlexApps.exe -s efin --connect localhost:8443 • Gives a good starting point for manual testing • Lot of legacy stuff: server-gated cryptography anyone? 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 21
  • 23. Diffie Hellman • Check the validity of server (EC)DH params – Group size – Primality – Subgroup confinement attack (e.g: Off curve test (EC)) – Signature algo used – … • Send interesting values (small, non-prime, …) • Scapy-ssl_tls uses TinyEC for EC calculation • Allows to perform EC arithmetic 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 22
  • 24. Side channels (RSA) • Pre Master Secret is decrypted • TLS mandates PKCS1 v1.5 for padding • This needs to be constant time, see classic Bleichenbacher • Time and Check for response difference on invalid padding (alert vs tcp reset) • Can use pybleach pkcs1_test_client.py to generate faulty padding for your PMS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 23
  • 25. Side channels (ciphers) • Padding and MAC checks must be constant time • Alert type must be identical • Time and check response when flipping bytes in padding and MAC • Check for nonce reuse 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 24
  • 26. Proper byte checking • Some implementation only verify a few bytes of padding, MAC and verify_data (finish hash) • All bytes must be checked for obvious reasons • Send application data packets with flipped padding, MAC and verify_data • Make sure you always get an alert 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 25
  • 27. Fragmentation • Any packet above 2**14 (16384) bytes must be fragmented • But any fragment size can be chosen • Some stacks don’t cope well with TLS re-assembly • Can be used to bypass devices which parse TLS, but fail- open • Server can be requested to fragment using the Maximum Fragment Length Negotiation extension • DTLS allows to specify the fragment offset in the handshake 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 26
  • 28. TLS 1.3 specific • Spec doesn’t leave a lot of room for implementation errors • Handling of 0-RTT, early data, PFS • Resumption checks (SNI) 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 27
  • 29. CONCLUSION 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 28
  • 30. Strengths • Scapy-ssl_tls can speed up PoC development • PoC can be re-used as part of testing QA and regression • Valuable to reproduce findings & develop mitigations • Help in learning & experimenting with TLS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 29
  • 31. Thanks • Thanks to tintinweb who started the project • Bugs: https://github.com/tintinweb/scapy- ssl_tls/ • Contact: – Github: alexmgr 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 30
  • 32. THANKS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 31
  • 33. IF TIME ALLOWS 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 32
  • 34. Fuzzing • Provides basic fuzzing through scapy • Tries to be smart by preserving semantically necessary fields • Use fuzz() function on any element 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 33 fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2() ###[ TLS Record ]### content_type= handshake <= preserved version= 0x7391 <= fuzzed length= 0x6 <= preserved ###[ TLS Handshake ]### type= supplemental_data <= overriden length= 0x2 <= preserved ###[ Raw ]### load= '(r’ <= fuzzed
  • 35. Fuzzing • Only good for basic fuzzing • Simple to plug in your own fuzzer • Just generate data, scapy-ssl_tls takes care of the rest • Good targets: TLS extensions, certificates, … 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 34
  • 36. Examples • The example section contains some useful base tools: – RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark) – Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …) – Downgrade test – … • Just baselines to write your own tools 18 May 2017 Alex Moneger - Scapy TLS: a scriptable TLS 1.3 stack 35

Notes de l'éditeur

  1. I’m quite slow, so to fully understand something, I need to repro and play with it
  2. Customer don’t always understand the practical impact. No kidding, sometimes as a security engineer it takes you a few hours/days But your response team has to provide a statement quickly Both approaches require you to understand the issue in depth. But it’s harder to make a mistake with a PoC. It’s also easier to perform code review with a PoC PoC provides reproducibility, which provides Q&A and regression for free
  3. Writing an offensive stack is very different. All recommendations you normally provide to devs should be ignored. Do not validate length, format, signatures, … All validation is up to you, scapy-ssl_tls only reports data
  4. cd /Users/amoneger/projects/contrib/scapy-ssl_tls tests/integration/openssl_tls_server.sh tls1_2 Enter TLS and press tab to autocomplete Craft a TLSRecord with a TLSHandshake. Do a show(), do a ls() Modify length field of the record
  5. With transparent decryption p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(extensions=[TLSExtension() / TLSExtSupportedVersions(versions=[tls_draft_version(18)])])])
  6. p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(cipher_suites=[TLSCipherSuite.ECDHE_RSA_WITH_AES_256_GCM_SHA384], extensions=[TLSExtension() / TLSExtSupportedVersions(versions=[tls_draft_version(18)])])])
  7. Custom stacks seem to generally be forks of OSS projects at one stage. It is interesting to try and fingerprint where it comes from, to then try and look for known implementation vulnerabilities on the stack You can probably pinpoint to the version with some research
  8. FlexTLS is based on miTLS which is A Verified Reference Implementation of TLS It implements a number of know attacks against the TLS state machine. Source code was only very recently released. A great reference tool to go after TLS state machine server-gated cryptography: client renegotiation based on server cert
  9. TLS 1.3 killed this
  10. Mention that PMS should start by handshake client version. Prevents rollback attacks TLS 1.3 killed this
  11. TLS 1.3 killed this
  12. Padding in TLS can be any length upto 255 bytes. Check that implementation respects that.
  13. DTLS is like IP from the old days ;) Possible values start at 2**9 = 512. Only active after Server Hello is received.