Exemple #1
0
 def should_add_ClientHello(self):
     if self.client_hello:
         p = self.client_hello
     else:
         p = TLSClientHello()
     # Add TLS_Ext_SignatureAlgorithms for TLS 1.2 ClientHello
     if self.cur_session.advertised_tls_version == 0x0303:
         p.ext = TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsa"])
     self.add_msg(p)
     raise self.ADDED_CLIENTHELLO()
Exemple #2
0
def build_client_hello(tls_version, cipher_suites, session_ticket=None):
    """
    Build a ClientHello with the given TLS version, cipher suite, and optional
    session ticket.
    """

    client_hello_record = None

    # Build TLS ClientHello
    if tls_version > 0x0002:
        extensions = None
        if session_ticket:
            extensions = [TLS_Ext_SessionTicket(ticket=session_ticket)]
        tls_client_hello = TLSClientHello(version=tls_version,
                                          gmt_unix_time=int(time.time()),
                                          random_bytes=randstring(28),
                                          sidlen=0,
                                          ciphers=cipher_suites,
                                          complen=1,
                                          ext=extensions)
        client_hello_record = TLS(msg=[tls_client_hello])
    else:
        # SSLv2 ClientHello
        sslv2_client_hello = SSLv2ClientHello(version=tls_version,
                                              sidlen=0,
                                              ciphers=cipher_suites)
        client_hello_record = SSLv2(msg=[sslv2_client_hello])

    return client_hello_record
Exemple #3
0
def run_tls_test_client(send_data=None, cipher_suite_code=None, version=None):
    if version == "0002":
        t = TLSClientAutomaton(data=[send_data, "stop_server", "quit"],
                               version="sslv2")
    else:
        ch = TLSClientHello(version=int(version, 16),
                            ciphers=int(cipher_suite_code, 16))
        t = TLSClientAutomaton(client_hello=ch,
                               data=[send_data, "stop_server", "quit"])
    t.run()
Exemple #4
0
def get_tls_session_secrets(docker_client, session, openssl_client_version,
                            openssl_server_version, tls_version, cipher):
    """Donne les secrets d'une session TLS.

    Args:
        docker_client: Client Docker.
        session: Exit code et sortie standard de l'exécution de la session TLS.
        openssl_client_version: Version OpenSSL du client sans les points.
        openssl_server_version: Version OpenSSL du serveur sans les points.
        tls_version: Version TLS de utilisée.
        cipher: Nom du cipher utilisé.

    Returns:
        Secrets d'une session TLS avec le bon format.
    """
    formatted_tls_secrets = "None"
    random = ""
    master_key = ""

    if tls_session_passed(session):
        if tls_version == "1_3":
            if "111" in openssl_client_version:
                container = docker_client.containers.get(
                    "client-" + openssl_client_version)
                res = container.exec_run(cmd="cat tls.secrets")
                formatted_tls_secrets = res.output.decode("utf-8")
                container.exec_run(cmd="rm tls.secrets")
        else:
            logs = session[1]
            capture = rdpcap("results/client_" + openssl_client_version +
                             "/server_" + openssl_server_version + "/tls" +
                             tls_version + "/" + cipher + ".pcap")
            client_hello = TLSClientHello()
            load_layer("tls")

            for packet in capture:
                if TLS in packet and isinstance(packet.msg[0], TLSClientHello):
                    client_hello = packet.msg[0]
                    break

            gmt_unix_time = format(client_hello.gmt_unix_time, 'x')
            random_bytes = client_hello.random_bytes.hex()
            random = gmt_unix_time + random_bytes

            for line in logs.split("\n"):
                if "Master-Key:" in line:
                    master_key = line.replace(" ", "").split(":")[1]
                    break

            formatted_tls_secrets = "CLIENT_RANDOM " + random + " " + master_key + "\n"

    return formatted_tls_secrets
Exemple #5
0
 def tls13_should_add_ClientHello(self):
     # we have to use the legacy, plaintext TLS record here
     self.add_record(is_tls13=False)
     if self.client_hello:
         p = self.client_hello
     else:
         # When trying to connect to a public TLS 1.3 server,
         # you will most likely need to provide an SNI extension.
         # sn = ServerName(servername="<put server name here>")
         ext = [
             TLS_Ext_SupportedGroups(groups=["secp256r1"]),
             # TLS_Ext_ServerName(servernames=[sn]),
             TLS_Ext_KeyShare_CH(client_shares=[KeyShareEntry(group=23)]
                                 ),  # noqa: E501
             TLS_Ext_SupportedVersions(versions=["TLS 1.3-d18"]),
             TLS_Ext_SignatureAlgorithms(
                 sig_algs=["sha256+rsapss", "sha256+rsa"])
         ]
         p = TLSClientHello(ciphers=0x1301, ext=ext)
     self.add_msg(p)
     raise self.TLS13_ADDED_CLIENTHELLO()
Exemple #6
0
async def get_sros_certificate(address, port, timeout=3):
    """
    Function to connect to a SROS Node, simulate the TLS handshake, and get it's server certificate on the process.
    :param address: Address of the node.
    :param port: Port of the node.
    :param timeout: Timeout for the connection.
    :return: A tuple containing the address, port and certificate if found, otherwise,
    a tuple containing address, port and None.
    """
    client_hello = TLS(
        version='TLS 1.0',
        msg=TLSClientHello(
            ciphers=[
                49200, 49196, 49202, 49198, 49199, 49195, 49201, 49197, 165,
                163, 161, 159, 164, 162, 160, 158, 49192, 49188, 49172, 49162,
                49194, 49190, 49167, 49157, 107, 106, 105, 104,
                57, 56, 55, 54, 49191, 49187, 49171, 49161, 49193, 49189,
                49166, 49156, 103, 64, 63, 62, 51, 50, 49, 48, 136, 135, 134,
                133, 69, 68, 67, 66, 49170, 49160, 49165, 49155,
                22, 19, 16, 13, 157, 156, 61, 53, 60, 47, 132, 65, 10, 255
            ],
            comp=[0],
            gmt_unix_time=12345566,
            ext=[
                TLS_Ext_SupportedGroups(
                    groups=[23, 25, 28, 27, 24, 26, 22, 14, 13, 11, 12, 9, 10
                            ]),
                TLS_Ext_SupportedPointFormat(ecpl=[0, 1, 2]),
                TLS_Ext_SignatureAlgorithms(sig_algs=[
                    1537, 1538, 1539, 1281, 1282, 1283, 1025, 1026, 1027, 769,
                    770, 771, 513, 514, 515
                ]),
                TLS_Ext_Heartbeat(heartbeat_mode=1),
                TLS_Ext_Padding(padding=212 * b'\x00')
            ]))

    tls_header = b'\x16\x03\x03'
    server_hello_done = b'\x0e\x00\x00\x00'
    received_data = b''
    is_sros = True
    writer = None
    try:
        conn = asyncio.open_connection(str(address),
                                       port,
                                       loop=asyncio.get_event_loop())
        reader, writer = await asyncio.wait_for(conn, timeout=timeout)
        writer.write(bytes(client_hello))
        await writer.drain()
        while received_data[-4:] != server_hello_done:
            received_data += await asyncio.wait_for(reader.read(1024),
                                                    timeout=3)
            if received_data[:3] != tls_header:
                is_sros = False
                break
    except Exception as e:
        logger.error('[-] Error connecting to host ' + str(address) + ': ' +
                     str(e) + '\n\tNot a SROS host')
        return address, port, None
    else:
        if is_sros:
            server_hello = TLS(received_data)
            cert = server_hello.payload.msg[0].certs[0][1]
            logger.warning('[+] SROS host found!!!')
            return address, port, cert
    finally:
        if writer:
            writer.close()
            await writer.wait_closed()
    return address, port, None
Exemple #7
0
args = parser.parse_args()

# By default, PFS is set
if args.no_pfs:
    psk_mode = "psk_ke"
else:
    psk_mode = "psk_dhe_ke"

v = _tls_version_options.get(args.version, None)
if not v:
    sys.exit("Unrecognized TLS version option.")

if args.ciphersuite:
    ciphers = int(args.ciphersuite, 16)
    if ciphers not in list(range(0x1301, 0x1306)):
        ch = TLSClientHello(ciphers=ciphers)
    else:
        ch = TLS13ClientHello(ciphers=ciphers)
else:
    ch = None

t = TLSClientAutomaton(
    client_hello=ch,
    version=args.version,
    mycert=basedir + "/test/tls/pki/cli_cert.pem",
    mykey=basedir + "/test/tls/pki/cli_key.pem",
    psk=args.psk,
    psk_mode=psk_mode,
)
t.run()
Exemple #8
0
## This file is part of Scapy
## This program is published under a GPLv2 license

"""
Basic TLS client. A ciphersuite may be commanded via a first argument.

For instance, "sudo ./client_simple.py c014" will try to connect to any TLS
server at 127.0.0.1:4433, with suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
"""

import os
import sys

basedir = os.path.abspath(os.path.join(os.path.dirname(__file__),"../../"))
sys.path=[basedir]+sys.path

from scapy.layers.tls.automaton import TLSClientAutomaton
from scapy.layers.tls.handshake import TLSClientHello


if len(sys.argv) == 2:
    ch = TLSClientHello(ciphers=int(sys.argv[1], 16))
else:
    ch = None

t = TLSClientAutomaton(client_hello=ch)
t.run()


Exemple #9
0
 def should_add_ClientHello(self):
     self.add_msg(self.client_hello or TLSClientHello())
     raise self.ADDED_CLIENTHELLO()
Exemple #10
0
def run_tls_test_client(send_data=None, cipher_suite_code=None, version=None):
    ch = TLSClientHello(version=int(version, 16),
                        ciphers=int(cipher_suite_code, 16))
    t = TLSClientAutomaton(client_hello=ch, data=send_data)
    t.run()