def get_version_support(self, version_list):
supported = []
self.print_verbose(
"Enumerating TLS/SSL version support for: {0} port {1}".format(
self.target.host, self.target.port))
for v in version_list:
# try:
with TCP(self.target.host, self.target.port).connect() as tcp:
if self.clear_text_layer:
stls = StartTLS(self.clear_text_layer)
stls.prepare_socket(tcp)
tls = TLSConnection(
tcp
) # Pass the socket object (connection) to start a TLSConnection instance
if Protocol.is_tls1_3(versions[v]):
# TLS1.3 should ignore ciphers not supported so we SHOULD be able to provide all TLS ciphers we know
client_hello = self.get_tls13_extended_client_hello(
ciphers_tls)
response = tls.send_record(client_hello)
elif Protocol.is_ssl3_tls(versions[v]):
client_hello = self.get_ecc_extended_client_hello(
versions[v], ciphers_tls)
client_hello.set_compression(
bytearray(b'\x01\x00')) # DEFLATE, null
response = tls.send_record(client_hello)
elif Protocol.is_ssl2(versions[v]):
response = tls.send_record(
ClientHello(versions[v], ciphers_ssl2))
if len(
response
) > 0: # ToDo: response may be referenced before assignment -> fix!
s_hello = None
# The ServerHello may not be the first Record received
for record in response:
if isinstance(record, ServerHello):
s_hello = record
break
if s_hello:
if s_hello.handshake_protocol == versions[v]:
supported.append(v)
self.print_verbose(" [+]: {0}".format(v))
if s_hello.compression_method is not None:
self.print_verbose(
" Compression: {0}".format(
s_hello.compression_method.name))
if Protocol.is_tls1_3(
versions[v]
): # Need to see if extension is present
for extension in s_hello.extensions():
if extension.extension_type == ExtensionType.supported_versions:
supported.append(v)
self.print_verbose(" [+]: {0}".format(v))
# except AttributeError:
# break
# except:
# raise
return supported
def get_version_support(self, version_list):
supported = []
if self.sni:
self.print_verbose(" [*] Using SNI: '{}'".format(self.sni_name))
else:
self.print_verbose(" [*] SNI extension disabled.")
self.print_verbose("Enumerating TLS/SSL protocol version support for: {0} port {1}"
.format(self.target.host, self.target.port))
for v in version_list:
response = self.send_client_hello(v)
if len(response) > 0:
s_hello = None
for record in response:
if isinstance(record, ServerHello):
s_hello = record
break
if s_hello:
if s_hello.handshake_protocol == versions[v]:
supported.append(v)
self.print_verbose(" [+] {0}".format(v))
if s_hello.compression_method is not None:
self.print_verbose(" Compression: {0}".format(s_hello.compression_method.name))
if Protocol.is_tls1_3(versions[v]) and \
s_hello.extensions_length > 0: # Check if relevant extension is present
for extension in s_hello.extensions():
if extension.extension_type == ExtensionType.supported_versions:
supported.append(v)
self.print_verbose(" [+] {0}".format(v))
return supported
def get_version_support(self, version_list):
supported = []
if self.sni:
self.print_verbose(" [*] Using SNI: '{}'".format(self.sni_name))
else:
self.print_verbose(" [*] SNI extension disabled.")
self.print_verbose(
"Enumerating TLS/SSL protocol version support for: {0} port {1}".
format(self.target.host, self.target.port))
for v in version_list:
response = self.send_client_hello(v)
if len(response) > 0:
s_hello = None
for record in response:
if isinstance(record, ServerHello):
s_hello = record
break
if s_hello:
if s_hello.handshake_protocol == versions[v]:
supported.append(v)
self.print_verbose(" [+] {0}".format(v))
if s_hello.compression_method is not None:
self.print_verbose(" Compression: {0}".format(
s_hello.compression_method.name))
if Protocol.is_tls1_3(versions[v]) and \
s_hello.extensions_length > 0: # Check if relevant extension is present
for extension in s_hello.extensions():
if extension.extension_type == ExtensionType.supported_versions:
supported.append(v)
self.print_verbose(" [+] {0}".format(v))
return supported
def send_client_hello(self, version, ciphers_tls=ciphers_tls):
response = None
with TCP(self.target.host, self.target.port).connect() as tcp:
if self.clear_text_layer:
stls = StartTLS(self.clear_text_layer)
stls.prepare_socket(tcp)
tls = TLSConnection(
tcp
) # Pass the socket object (connection) to start a TLSConnection instance
if Protocol.is_tls1_3(versions[version]):
# TLS1.3 should ignore ciphers not supported so we SHOULD be able to provide all TLS ciphers we know
client_hello = self.create_tls13_extended_client_hello(
ciphers_tls)
response = tls.send_record(client_hello)
elif Protocol.is_ssl3_tls(versions[version]):
client_hello = self.create_ecc_extended_client_hello(
versions[version], ciphers_tls)
client_hello.set_compression(
bytearray(b'\x01\x00')) # DEFLATE, null
response = tls.send_record(client_hello)
elif Protocol.is_ssl2(versions[version]):
response = tls.send_record(
ClientHello(versions[version], ciphers_ssl2))
return response
def __init__(self, version, ciphers_dict):
self.cipher_suites = ciphers_dict
self.extension_list = [
] # ToDo: make a dict to prevent duplicate extensions
try:
if Protocol.is_ssl3_tls(version):
if Protocol.is_tls1_3(version):
# TLS1.3 uses 'legacy version' TLS1.2 for the record layer
super(self.__class__,
self).__init__(versions['TLSv1_2'],
ContentType.handshake)
self.handshake_version = versions['TLSv1_2']
else:
# Record version set to TLSv1_0
super(self.__class__,
self).__init__(versions['TLSv1_0'],
ContentType.handshake)
self.handshake_version = version
self.compression = b'\x00'
self.length = len(self.cipher_spec) + len(
self.compression) + 42 # 32 random + 4 length + ..
self._set_tls_hello_body_bytes()
elif Protocol.is_ssl2(version):
super(self.__class__,
self).__init__(version, HandshakeTypeSsl2.client_hello)
self.challenge = os.urandom(16)
record_length = len(self.cipher_spec) + len(self.challenge) + 9
self.length = RecordHelper.get_ssl2_record_len(
record_length, True) # Set MSB (no padding)
self._set_ssl2_hello_body_bytes()
except:
raise Exception("Failed to craft ClientHello")
def send_client_hello(self, version, ciphers_tls=ciphers_tls):
response = None
with TCP(self.target.host, self.target.port).connect() as tcp:
if self.clear_text_layer:
stls = StartTLS(self.clear_text_layer)
stls.prepare_socket(tcp)
tls = TLSConnection(tcp) # Pass the socket object (connection) to start a TLSConnection instance
if Protocol.is_tls1_3(versions[version]):
# TLS1.3 should ignore ciphers not supported so we SHOULD be able to provide all TLS ciphers we know
client_hello = self.create_tls13_extended_client_hello(ciphers_tls)
response = tls.send_record(client_hello)
elif Protocol.is_ssl3_tls(versions[version]):
client_hello = self.create_ecc_extended_client_hello(versions[version], ciphers_tls)
client_hello.set_compression(bytearray(b'\x01\x00')) # DEFLATE, null
response = tls.send_record(client_hello)
elif Protocol.is_ssl2(versions[version]):
response = tls.send_record(ClientHello(versions[version], ciphers_ssl2))
return response