Pentesting custom TLS stacks

Pentesting custom TLS stacksAlex Moneger

Alex Moneger - Pentesting custom TLS stacks

2

Who am I?• Security engineer at Citrix• Interest in low level topics (crypto, fuzzing,

exploit dev)• "the views expressed herein are personal and

stated in my individual capacity and in no way a statement or position of my employer”

1/16/16


3

Agenda1. TLS attacks timeline2. Difficulty in reproducing attacks3. Quick refresher on TLS4. Scapy-ssl_tls goals5. Quick demo of scapy-ssl_tls capabilities6. Custom TLS stacks, what to look for?7. Scapy-ssl_tls crypto8. Demo: detecting Poodle9. Fuzzing capabilities

1/16/16


4

Introduction• TLS is a critical protocol to the internet• Very few alternatives• Session layer protocol for other protocols• Very complex

1/16/16


5

Introduction• Protocol under scrutiny• Growth of the number of attacks• General lack of tooling• Attacks are developed ad-hoc:– Extensions of OpenSSL– …

1/16/16


6

TLS PROTOCOL LEVEL ATTACKS

1/16/16


7

Introduction• Protocol under scrutiny• Growth of the number of protocol level

attacks• Numerous implementation bugs

1/16/16


8

Timeline

1/16/16

Renegotiation

2009 20162013

BEAST CRIME

2014 2015201220112010

BREACH

Lucky13

POODLE

POODLE2

FREAK

LOGJAM

SLOTH

THS


9

Observations• TLS protocol attacks increase:– Frequency– Complexity

• 2 classes:– Protocol level– Crypto level

1/16/16


10

REPRODUCING ATTACKS

1/16/16


11

Problems• Understand the attack properly• Practical impact (as opposed to theoretical

problem)• Reproducibility• Fix (dev + Q&A) • Fix for good (regression)1/16/16


12

Response• Customers do not always understand the practical impact• Your response team has to provide a definite answer• 2 solutions for custom implementations:

– Crypto code review:• Lack of comparison point• Hard to get the full picture when deep into a crypto routine

– PoC:• Lack of tooling• Big difference between regular lib and security focused lib

1/16/16


13

TLS REFRESHER

1/16/16


14

Basics• TLS is session layer (layer 5)• Performs a handshake then provides crypto• Transparent to protocol• High RTT (at least 4 packets, 2 RTT for handshake)• Offers session resumption• Can authenticate both client and server• Provides integrity and confidentiality• Relies on TCP for packet delivery and ordering

1/16/16


15

Message format• Has sub-protocols within the protocol:

1. Handshake (negotiate parameters)2. Change Cipher Spec (signal a cipher change)3. Alert (error handling)4. Application data (move data)

• Each of these sub-protocols are encapsulated in a Record header which holds:– Proto version– Payload length– Payload type

1/16/16


16

TLS Record• In charge of transporting the sub-protocols

• Record is always cleartext• Payload length is not completely protected in TLS• Records can be “stacked” inside a packet:

VersionSize

LengthHandshake, Data, …

Record Handshake, Data, … Record Handshake, Data, …1/16/16


17

Handshake• In charge of negotiating:– Compression– Crypto parameters– Initiating crypto material

• In charge of ensuring handshake is free of in transit tampering (finish message)

• Extensible (through TLS extensions)1/16/16


20

Handshake quirks• Max size: 2**16, can be TLS fragmented• Some messages can have arbitrary trailing data

(support for unknown extensions)• Doesn’t need a certificate (anonymous RSA, DH

and ECDH)• Can have “stacked” handshakes in a record (Java)

Record Handshake Handshake Handshake

1/16/16


22

Application Data• Encrypted + authenticated packets• Cleartext is HMACd then padded => MAC then

encrypt…

Padding is not protected by the MAC• Stream ciphers:

Record Cleartext HMAC padding Paddinglength

Encrypted

Record Cleartext HMAC

Encrypted1/16/16


24

SCAPY-SSL_TLS

1/16/16

https://github.com/tintinweb/scapy-ssl_tls/


25

Introduction• TLS & DTLS attack stack built above scapy• Stateless (as much as possible)• Packet crafting and dissecting• Crypto session handling• Sniffing (wire, pcap, …)

1/16/16


26

Why bother?• TLS stacks are built to be robust• Enforce input parameters to be valid• Tear down connection on error• Not very flexible

1/16/16


27

Goals• Easy to install and use• Simplify discovery and exploitation of TLS vulnerabilities• Allow full control of any TLS field• Tries very hard to maintain absolutely no state• Good documentation and examples• No checks or enforcements (up to user if desired)• Sane defaults• Transparent encryption

1/16/16


28

Features• Full support:

– SSLv3, TLS 1.0, TLS 1.1, TLS1.2 and DTLS– RSA, DHE, ECDHE key exchanges with all available ciphers– RSA and DSA signature– All TLS records and extensions– Transparent decryption of TLS traffic– Client certs

• Missing:– AES-GCM and CCM

1/16/16


29

Installation• Stable branch (v1.2.2 today):– pip install scapy-ssl_tls

• Dev branch (latest features + examples):– git clone https://github.com/tintinweb/scapy-ssl_tls– Or pip install git+https://github.com/tintinweb/scapy-

ssl_tls@master• Feature branches:– Replace @master by @branch

1/16/16


30

Concepts• Start scapy• All classes start with TLS:

– Allows easy autocomplete• What fields are available in a given TLS record?

– ls(TLSClientHello)• TLSSocket() is used to wrap the TCP socket

– This is your base element to send/recv traffic• Build packets scapy style:

– p = TLSRecord()/TLSHandshake()/TLSClientHello()

1/16/16


31

DEMOPacket crafting/parsing

1/16/16


32

Packet crafting/parsingimport socket

version = TLSVersion.TLS_1_2ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]host = ("localhost", 8443)

socket_ = socket.socket()socket_.connect(host)tls_socket = TLSSocket(socket_, client=True)packet = TLSRecord() / TLSHandshake() /\ TLSClientHello(version=version, cipher_suites=ciphers)tls_socket.sendall(packet)response = tls_socket.recvall()response.show()response[TLSServerECDHParams].show()print(tls_socket.tls_ctx)

1/16/16


33

Extensions import socket

version = TLSVersion.TLS_1_2ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]host = ("localhost", 8443)sni = TLSExtension() /\ TLSExtServerNameIndication(server_names= [TLSServerName(data=”localhost",length=9)])alpn = TLSExtension() /\ TLSExtALPN(protocol_name_list=[TLSALPNProtocol(data="h2")])frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=233)extensions = [sni, alpn, frag]

socket_ = socket.socket()socket_.connect(host)tls_socket = TLSSocket(socket_, client=True)packet = TLSRecord() / TLSHandshake() /\ TLSClientHello(version=version, cipher_suites=ciphers, extensions=extensions)tls_socket.sendall(packet)response = tls_socket.recvall()response.show()

1/16/16


34

Transparent traffic decryptionimport socket

version = TLSVersion.TLS_1_2ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]host = ("localhost", 8443)app_payload = "GET / HTTP/1.1\r\nHOST: example.com\r\n\r\n"

socket_ = socket.socket()socket_.connect(host)tls_socket = TLSSocket(socket_, client=True)# Handshaketls_do_handshake(tls_socket, version, ciphers)# Application datatls_socket.sendall(to_raw(TLSPlaintext(data=app_payload), tls_socket.tls_ctx))response = tls_socket.recvall()response.show()print(tls_socket.tls_ctx)

1/16/16


35

WHAT TO LOOK FOR

1/16/16


36

Basic recon• Supported TLS versions• Supported ciphers• Supported compression methods• Cipher preference ordering• Certificates• Trust chain1/16/16


37

Recon• Fingerprint possible fork• OpenSSL empty plaintext fragment• JSSE stacked handshake• Difference in Alert type when tampering with

Finish message

1/16/16


38

State machine• Tricky testing: mostly manual work and knowledge of

RFC• Automated testing: FlexTLS:– Example: mono FlexApps.exe -s efin --connect

localhost:8443• Gives a good starting point for manual testing• Lot of legacy stuff: server-gated cryptography anyone?

1/16/16

http://smacktest.com/files/miTLS-0.9.0-Usenix2015.tar

http://localhost:8443/


39

Diffie Hellman• Check the validity of server (EC)DH params

– Group size– Primality– Subgroup confinement attack (e.g: Off curve test (EC))– Signature algo used– …

• Send random values (small, non-prime, …)• Scapy-ssl_tls uses TinyEC for EC calculation• Allows to perform EC arithmetic

1/16/16

https://github.com/alexmgr/tinyec


40

Side channels (RSA)• Pre Master Secret is decrypted• TLS mandates PKCS1 v1.5 for padding• This needs to be constant time, see classic Bleichenbacher• Time and Check for response difference on invalid

padding (alert vs tcp reset)• Can use pybleach pkcs1_test_client.py to generate faulty

padding for your PMS

1/16/16

http://archiv.infsec.ethz.ch/education/fs08/secsem/Bleichenbacher98.pdf

https://github.com/alexmgr/pybleach


41

Side channels (ciphers)• Padding and MAC checks must be constant

time• Alert type must be identical• Time and check response when flipping bytes

in padding and MAC

1/16/16


42

Proper byte checking• Some implementation only verify a few bytes

of padding, MAC and verify_data (finish hash)• All bytes must be checked for obvious reasons• Send application data packets with flipped

padding, MAC and verify_data• Make sure you always get an alert1/16/16


43

DDoS• DTLS is UDP• Returns a certificate chain on first packet• DTLS hello => 64 bytes• DTLS response => can be several kB• Protection is built into the protocol, but is a MAY =>

HelloVerifyRequest• Make sure to check cookie is returned upon multiple spoofed

requests

1/16/16


44

Fragmentation• Any packet above 2**14 (16384) bytes must be fragmented• But any fragment size can be chosen• Few stacks support TLS re-assembly• Can be used to bypass devices which parse TLS, but fail-open• Server can be requested to fragment using the Maximum

Fragment Length Negotiation extension• DTLS allows to specify the fragment offset in the handshake

1/16/16


45

CRYPTO HOOKS

1/16/16


46

tls_to_raw• Scapy-ssl_tls exposes tls_to_raw()

• Calculates all crypto material for the packet• Exposes some hooks:

– At compression time– Pre and post encryption

• Allows to act on pre-calculated padding and MACs1/16/16

to_raw(pkt, tls_ctx, include_record=True, compress_hook=None, pre_encrypt_hook=None, encrypt_hook=None)


47

Crypto container• All crypto material stored in a CryptoContainer:– IV, mac, padding, padding length

• Passed to and returned by crypto hooks:

1/16/16

def modify_padding(crypto_container): padding = crypto_container.padding byte_flip = chr(ord(padding[index]) ^ 0xff) crypto_container.padding = "%s%s%s" % (padding[:index], byte_flip, padding[index + 1:]) return crypto_container

tls_to_raw(TLSPlaintext(data=data), tls_socket.tls_ctx, pre_encrypt_hook=modify_padding)


48

Usage• Very useful to modify crypto state• Without keeping track of PRF, ciphers, MACs,…• Allows to easily reproduce attacks on crypto

material

1/16/16


49

DEMO POODLE2 CHECK

1/16/16


50

DEMOFragmentation

1/16/16


51

Fragmentation code import socket

version = TLSVersion.TLS_1_2ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA]host = ("localhost", 8443)frag = TLSExtension() / TLSExtMaxFragmentLength(fragment_length=1)extensions = [frag]

s = socket.socket()s.connect(host)ts = TLSSocket(s, client=True)payload = TLSHandshake()/TLSClientHello(version=version, cipher_suites=ciphers, extensions=extensions)frags = tls_fragment_payload(payload, TLSRecord(version=version, content_type=TLSContentType.HANDSHAKE), 16)ts.sendall(frags)r = ts.recvall()

1/16/16


52

CONCLUSION

1/16/16


53

Strengths• Scapy-ssl_tls can speed up PoC development• PoC can be re-used as part of testing QA and

regression• Valuable to reproduce findings & develop

mitigations• Help in learning & experimenting with TLS1/16/16


54

Thanks• Thanks to tintinweb who started the project• Bugs:

https://github.com/tintinweb/scapy-ssl_tls/• Contact:– Github: alexmgr

1/16/16

https://github.com/tintinweb/



https://github.com/alexmgr/


55

THANKS

1/16/16


56

IF TIME ALLOWS

1/16/16


57

Fuzzing• Provides basic fuzzing through scapy• Tries to be smart by preserving semantically necessary fields• Use fuzz() function on any element

1/16/16

fuzz(TLSRecord()/TLSHandshake(type=TLSHandshakeType.SUPPLEMENTAL_DATA)/TLSAlert()).show2()###[ TLS Record ]### content_type= handshake <= preserved version= 0x7391 <= fuzzed length= 0x6 <= preserved###[ TLS Handshake ]### type= supplemental_data <= overriden length= 0x2 <= preserved###[ Raw ]### load= '(\r’ <= fuzzed


58

Fuzzing• Only good for basic fuzzing• Simple to plug in your own fuzzer• Just generate data, scapy-ssl_tls takes care of

the rest• Good targets: TLS extensions, certificates, …

1/16/16


59

Examples• The example section contains some useful base tools:

– RSA session sniffer: given a cert, can decrypt wire traffic (like Wireshark)

– Security scanner: a rudimentary TLS scanner (versions, ciphers, SCSV, …)

– Downgrade test– …

• Just baselines to write your own tools1/16/16

Pentesting custom TLS stacks

Engineering

Transcript of Pentesting custom TLS stacks