HTTPs/TLS Attacks

TLS 1.2 Handshake

The TLS handshake is the process in which the client and server negotiate all the parameters for the TLS session. It always follows a predefined scheme with the exception of minor deviations depending on the concrete parameters chosen for the connection.

Cipher Suites

In TLS, cipher suites define the cryptographic algorithms used for a connection. That includes the following information:

The key exchange algorithm
The method used for authentification
The encryption algorithm and mode, which provide confidentiality
The MAC algorithm, which provides integrity protection

As an example, let's have a look at the following TLS 1.2 cipher suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256

From the name, we can identify the algorithms used by this cipher suite:

The key exchange algorithm is Diffie-Hellman (DH)
Server authentification is performed via RSA
The encryption is AES-128 in CBC mode
The MAC algorithm is a SHA256 HMAC

All TLS 1.2 cipher suites follow this naming scheme. The encryption algorithm is always a symmetric algorithm. The symmetric key for this algorithm is exchanged using the key exchange algorithm, which is always an asymmetric algorithm. Thus, TLS encrypts data using a symmetric key due to significant performance advantages compared to asymmetric encryption. The cipher suite used by a specific connection is negotiated in the handshake.

Cipher Suites using the TLS_DHE and TLS_ECDHE key exchange algorithms provide Perfect Forward Secrecy (PFS), meaning an attacker is unable to decrypt past messages even after obtaining a future session key. In particular, this protects past communication from leaks potentially occurring in the future. Therefore, PFS cipher suites are preferable if they are supported by the client.

Handshake Overview

During the handshake, the client and server establish a connection and negotiate all the required parameters to establish a secure channel for application data. The handshake follows a well-defined schema and varies slightly depending on the cipher suite that is negotiated.

The handshake begins with the client sending the ClientHello message. This message informs the server that the client wants to establish a secure connection. It contains the latest TLS version supported by the client, as well as a list of cipher suites the client supports among other information.

The server responds with a ServerHello message. The server chooses a TLS version that is equal to or lower than the version provided by the client. Additionally, the server chooses one of the cipher suites provided in the ClientHello. This information is included in the ServerHello message.

After agreeing on the TLS version and cryptographic parameters, the server provides a certificate in the Certificate message, thereby proving the server's identity to the client.

If a PFS cipher suite was agreed upon, the server proceeds to share fresh key material in the ServerKeyExchange message. It contains a key share as well as a signature. This is followed by the ServerHelloDone message.

The client responds with the ClientKeyExchange message, containing the client's key share. After this, the key exchange is concluded and both parties share a secret that is used to derive a shared symmetric key. Both parties transmit a ChangeCipherSpec message to indicate that all following messages are encrypted using the computed symmetric key. From here on, all data is encrypted and MAC-protected.

Analyzing a TLS 1.2 Handshake in Wireshark

Let's have a look at a TLS 1.2 handshake in Wireshark, which is a network protocol analyzer. It can typically be installed from the package manager:

[!bash!]$ sudo apt install wireshark

We can then start Wireshark with a path to a packet capture (or pcap) file to analyze the packets:

[!bash!]$ Wireshark /path/to/file.pcap

After entering the protocol name tls in the filter bar, we can see the TLS handshake in Wireshark:

When expanding the ClientHello message, we can inspect the TLS version and supported cipher suites sent by the client:

Doing the same in the ServerHello message reveals the TLS version and cipher suite chosen by the server for this TLS connection:

Lastly, we can inspect the key information sent by the client in the ClientKeyExchange message. In this case, a TLS_RSA cipher suite was chosen, thus the key information sent by the client is the shared key encrypted with the server's public key.

Note: There is no Server Key Exchange message since the cipher suite does not provide PFS.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

+ 2 Download the attached file. Open the pcap file in Wireshark and analyze the TLS 1.2 handshake. Answer the following questions. How many cipher suites are supported by the client?

+10 Streak pts

tls12_handshake.zip

+ 2 What cipher suite was agreed upon for the TLS session?

+10 Streak pts

+ 2 Provide the first 10 characters of the encrypted premaster secret for the TLS session.

+10 Streak pts

Previous Next

Go to Questions

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

OpenSSL

Command	Description
`openssl genrsa -out key.pem 2048`	Generate 2048 Bit RSA key
`openssl s_client -connect hackthebox.com:443 \| openssl x509 > hackthebox.pem`	Download certificate of web server
`openssl x509 -outform der -in hackthebox.pem -out hackthebox.der`	Convert PEM certificate to DER format
`openssl crl2pkcs7 -nocrl -certfile hackthebox.pem -out hackthebox.p7`	Convert PEM certificate to PKCS#7 format
`openssl req -x509 -newkey rsa:4096 -keyout key.pem -out selfsigned.pem -sha256 -days 365`	Create self-signed certificate
`openssl rsa -in rsa.pem -pubout > rsa_pub.pem`	Extract public key from RSA key-pair
`openssl rsautl -encrypt -inkey rsa_pub.pem -pubin -in msg.txt -out msg.enc`	Encrypt file with RSA public key
`openssl rsautl -decrypt -inkey rsa.pem -in msg.enc > decrypted.txt`	Decrypt file with RSA private key

TLS 1.2 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom
Certificate	Contains server certificate
ServerKeyExchange	Contains server key share (only for PFS cipher suites)
ServerHelloDone	Tells client that the ServerHello is complete
ClientKeyExchange	Contains client key share
ChangeCipherSpec	Concludes handshake, all subsequent messages are protected

TLS 1.3 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client, client key share
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom, server key share
Finished	Concludes handshake

Padding Oracles

Command	Description
`padbuster http://127.0.0.1:4000/admin "AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0=" 16 -encoding 0 -cookies "user=AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0="`	Run padbuster with an encrypted sample with block size 16

Parameters:

specify block length
specify encoding with -encoding flag
specify location of ciphertext with -cookies or -post flags
specify plaintext to encrypt with -plaintext flag
specify -usebody flag to analyze response content

POODLE

SSL 3.0 padding:

arbitrary padding bytes
last byte is the length of padding excluding the length itself
Example for block size 8: DEADBEEF -> DEADBEEF00000003

Bleichenbacher

Command	Description
`java -jar bleichenbacher-1.0.0.jar -pcap ./bleichenbacher.pcap -executeAttack`	Run Bleichenbacher attack from pcap file
`java -jar bleichenbacher-1.0.0.jar -executeAttack -connect 127.0.0.1:443 -encrypted_premaster_secret <SNIP>`	Run Bleichenbacher attack against server with encrypted premaster secret
`echo -n 214[...]3a8 \| awk -F '0303' '{print "0303"$2}'`	Extract unpadded premaster secret from padded premaster secret
`PMS_CLIENT_RANDOM <client_random> <premaster_secret>`	Wireshark Key file syntax

Heartbleed

Command	Description
`java -jar heartbleed-1.0.0.jar -connect 127.0.0.1:443 -executeAttack -heartbeats 10`	Run Heartbleed attack

SSL Stripping

Command	Description
`sudo arpspoof -i docker0 172.17.0.5`	Run ARP spoofing attack on interface `docker0` targeting `172.17.0.5`
`Strict-Transport-Security: max-age=31536000`	HSTS header syntax

Testing TLS Configuration

Command	Description
`bash testssl.sh https://hackthebox.com`	Test TLS configuration of a website

TLS Best Practices:

do not offer SSL 2.0 or SSL 3.0
do not offer TLS 1.0 or TLS 1.1
no NULL cipher suites
no EXPORT cipher suites
prefer PFS cipher suites
prefer GCM mode over CBC mode

HTTPs/TLS Attacks

TLS 1.2 Handshake

Cipher Suites

Handshake Overview

Analyzing a TLS 1.2 Handshake in Wireshark

Questions

Table of Contents

Introduction to HTTPs/TLS

Padding Oracle Attacks

TLS Compression

Heartbleed

Further Attacks

TLS Best Practices

Skills Assessment

My Workstation