def should_add_ClientHello(self):
if self.client_hello:
p = self.client_hello
else:
p = TLSClientHello()
# Add TLS_Ext_SignatureAlgorithms for TLS 1.2 ClientHello
if self.cur_session.advertised_tls_version == 0x0303:
p.ext = TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsa"])
self.add_msg(p)
raise self.ADDED_CLIENTHELLO()
def build_client_hello(tls_version, cipher_suites, session_ticket=None):
"""
Build a ClientHello with the given TLS version, cipher suite, and optional
session ticket.
"""
client_hello_record = None
# Build TLS ClientHello
if tls_version > 0x0002:
extensions = None
if session_ticket:
extensions = [TLS_Ext_SessionTicket(ticket=session_ticket)]
tls_client_hello = TLSClientHello(version=tls_version,
gmt_unix_time=int(time.time()),
random_bytes=randstring(28),
sidlen=0,
ciphers=cipher_suites,
complen=1,
ext=extensions)
client_hello_record = TLS(msg=[tls_client_hello])
else:
# SSLv2 ClientHello
sslv2_client_hello = SSLv2ClientHello(version=tls_version,
sidlen=0,
ciphers=cipher_suites)
client_hello_record = SSLv2(msg=[sslv2_client_hello])
return client_hello_record
def run_tls_test_client(send_data=None, cipher_suite_code=None, version=None):
if version == "0002":
t = TLSClientAutomaton(data=[send_data, "stop_server", "quit"],
version="sslv2")
else:
ch = TLSClientHello(version=int(version, 16),
ciphers=int(cipher_suite_code, 16))
t = TLSClientAutomaton(client_hello=ch,
data=[send_data, "stop_server", "quit"])
t.run()
def get_tls_session_secrets(docker_client, session, openssl_client_version,
openssl_server_version, tls_version, cipher):
"""Donne les secrets d'une session TLS.
Args:
docker_client: Client Docker.
session: Exit code et sortie standard de l'exécution de la session TLS.
openssl_client_version: Version OpenSSL du client sans les points.
openssl_server_version: Version OpenSSL du serveur sans les points.
tls_version: Version TLS de utilisée.
cipher: Nom du cipher utilisé.
Returns:
Secrets d'une session TLS avec le bon format.
"""
formatted_tls_secrets = "None"
random = ""
master_key = ""
if tls_session_passed(session):
if tls_version == "1_3":
if "111" in openssl_client_version:
container = docker_client.containers.get(
"client-" + openssl_client_version)
res = container.exec_run(cmd="cat tls.secrets")
formatted_tls_secrets = res.output.decode("utf-8")
container.exec_run(cmd="rm tls.secrets")
else:
logs = session[1]
capture = rdpcap("results/client_" + openssl_client_version +
"/server_" + openssl_server_version + "/tls" +
tls_version + "/" + cipher + ".pcap")
client_hello = TLSClientHello()
load_layer("tls")
for packet in capture:
if TLS in packet and isinstance(packet.msg[0], TLSClientHello):
client_hello = packet.msg[0]
break
gmt_unix_time = format(client_hello.gmt_unix_time, 'x')
random_bytes = client_hello.random_bytes.hex()
random = gmt_unix_time + random_bytes
for line in logs.split("\n"):
if "Master-Key:" in line:
master_key = line.replace(" ", "").split(":")[1]
break
formatted_tls_secrets = "CLIENT_RANDOM " + random + " " + master_key + "\n"
return formatted_tls_secrets
def tls13_should_add_ClientHello(self):
# we have to use the legacy, plaintext TLS record here
self.add_record(is_tls13=False)
if self.client_hello:
p = self.client_hello
else:
# When trying to connect to a public TLS 1.3 server,
# you will most likely need to provide an SNI extension.
# sn = ServerName(servername="<put server name here>")
ext = [
TLS_Ext_SupportedGroups(groups=["secp256r1"]),
# TLS_Ext_ServerName(servernames=[sn]),
TLS_Ext_KeyShare_CH(client_shares=[KeyShareEntry(group=23)]
), # noqa: E501
TLS_Ext_SupportedVersions(versions=["TLS 1.3-d18"]),
TLS_Ext_SignatureAlgorithms(
sig_algs=["sha256+rsapss", "sha256+rsa"])
]
p = TLSClientHello(ciphers=0x1301, ext=ext)
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
async def get_sros_certificate(address, port, timeout=3):
"""
Function to connect to a SROS Node, simulate the TLS handshake, and get it's server certificate on the process.
:param address: Address of the node.
:param port: Port of the node.
:param timeout: Timeout for the connection.
:return: A tuple containing the address, port and certificate if found, otherwise,
a tuple containing address, port and None.
"""
client_hello = TLS(
version='TLS 1.0',
msg=TLSClientHello(
ciphers=[
49200, 49196, 49202, 49198, 49199, 49195, 49201, 49197, 165,
163, 161, 159, 164, 162, 160, 158, 49192, 49188, 49172, 49162,
49194, 49190, 49167, 49157, 107, 106, 105, 104,
57, 56, 55, 54, 49191, 49187, 49171, 49161, 49193, 49189,
49166, 49156, 103, 64, 63, 62, 51, 50, 49, 48, 136, 135, 134,
133, 69, 68, 67, 66, 49170, 49160, 49165, 49155,
22, 19, 16, 13, 157, 156, 61, 53, 60, 47, 132, 65, 10, 255
],
comp=[0],
gmt_unix_time=12345566,
ext=[
TLS_Ext_SupportedGroups(
groups=[23, 25, 28, 27, 24, 26, 22, 14, 13, 11, 12, 9, 10
]),
TLS_Ext_SupportedPointFormat(ecpl=[0, 1, 2]),
TLS_Ext_SignatureAlgorithms(sig_algs=[
1537, 1538, 1539, 1281, 1282, 1283, 1025, 1026, 1027, 769,
770, 771, 513, 514, 515
]),
TLS_Ext_Heartbeat(heartbeat_mode=1),
TLS_Ext_Padding(padding=212 * b'\x00')
]))
tls_header = b'\x16\x03\x03'
server_hello_done = b'\x0e\x00\x00\x00'
received_data = b''
is_sros = True
writer = None
try:
conn = asyncio.open_connection(str(address),
port,
loop=asyncio.get_event_loop())
reader, writer = await asyncio.wait_for(conn, timeout=timeout)
writer.write(bytes(client_hello))
await writer.drain()
while received_data[-4:] != server_hello_done:
received_data += await asyncio.wait_for(reader.read(1024),
timeout=3)
if received_data[:3] != tls_header:
is_sros = False
break
except Exception as e:
logger.error('[-] Error connecting to host ' + str(address) + ': ' +
str(e) + '\n\tNot a SROS host')
return address, port, None
else:
if is_sros:
server_hello = TLS(received_data)
cert = server_hello.payload.msg[0].certs[0][1]
logger.warning('[+] SROS host found!!!')
return address, port, cert
finally:
if writer:
writer.close()
await writer.wait_closed()
return address, port, None
args = parser.parse_args()
# By default, PFS is set
if args.no_pfs:
psk_mode = "psk_ke"
else:
psk_mode = "psk_dhe_ke"
v = _tls_version_options.get(args.version, None)
if not v:
sys.exit("Unrecognized TLS version option.")
if args.ciphersuite:
ciphers = int(args.ciphersuite, 16)
if ciphers not in list(range(0x1301, 0x1306)):
ch = TLSClientHello(ciphers=ciphers)
else:
ch = TLS13ClientHello(ciphers=ciphers)
else:
ch = None
t = TLSClientAutomaton(
client_hello=ch,
version=args.version,
mycert=basedir + "/test/tls/pki/cli_cert.pem",
mykey=basedir + "/test/tls/pki/cli_key.pem",
psk=args.psk,
psk_mode=psk_mode,
)
t.run()
## This file is part of Scapy
## This program is published under a GPLv2 license
"""
Basic TLS client. A ciphersuite may be commanded via a first argument.
For instance, "sudo ./client_simple.py c014" will try to connect to any TLS
server at 127.0.0.1:4433, with suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
"""
import os
import sys
basedir = os.path.abspath(os.path.join(os.path.dirname(__file__),"../../"))
sys.path=[basedir]+sys.path
from scapy.layers.tls.automaton import TLSClientAutomaton
from scapy.layers.tls.handshake import TLSClientHello
if len(sys.argv) == 2:
ch = TLSClientHello(ciphers=int(sys.argv[1], 16))
else:
ch = None
t = TLSClientAutomaton(client_hello=ch)
t.run()
def should_add_ClientHello(self):
self.add_msg(self.client_hello or TLSClientHello())
raise self.ADDED_CLIENTHELLO()
def run_tls_test_client(send_data=None, cipher_suite_code=None, version=None):
ch = TLSClientHello(version=int(version, 16),
ciphers=int(cipher_suite_code, 16))
t = TLSClientAutomaton(client_hello=ch, data=send_data)
t.run()