HTTPs/TLS Attacks

TLS 1.3

TLS 1.3 made several improvements over TLS 1.2. That includes dropping support for insecure cryptographic parameters and thereby reducing complexity. Furthermore, improvements to the handshake were made to allow for faster session establishment.

Cipher Suites and Cryptography

Several cryptographic improvements have been made with the new version TLS 1.3. These enhancements include the removal of older, less secure cryptographic techniques and the addition of newer, more secure techniques. TLS 1.3 also includes improved key exchange algorithms and support for post-quantum cryptography. In particular, TLS 1.3 only supports key exchange algorithms that support PFS.

For instance, a TLS 1.3 cipher suite looks like this:

TLS_AES_128_GCM_SHA256

It is significantly shorter than TLS 1.2 cipher suites since it only specifies the encryption algorithm and mode as well as the hash function used for the HMAC algorithm. TLS 1.3 cipher suites do not specify the method used for server authentication and the key exchange algorithm.

Handshake

Several changes were introduced in the TLS 1.3 handshake process. Some messages have been redesigned for efficiency, while other messages have been eliminated completely to reduce the latency and overhead of the handshake which enables a faster connection establishment.

Just like in TLS 1.2, the TLS 1.3 handshake begins with the ClientHello message. However, in TLS1.3 this message contains the client's key share in addition to the supported cipher suites. This eliminates the need for the ClientKeyExchange message later on in the handshake. This key share is contained in an extension that is sent with the ClientHello message.

The server responds with the ServerHello message that confirms the key agreement protocol and specifies the chosen cipher suite, just like in TLS 1.2. This message also contains the server's key share. A fresh key share is always transmitted here to guarantee PFS. This replaces the need for the ServerKeyExchange message in TLS1.2, which was required when PFS cipher suites were used. The server's certificate is also contained within the ServerHello message.

The handshake concludes with a ServerFinished and ClientFinished message.

Note: All messages after the ServerHello are already encrypted. Therefore, the TLS 1.3 handshake is significantly shorter than the TLS 1.2 handshake.

Analyzing a TLS 1.3 Handshake in Wireshark

When looking at a TLS 1.3 handshake in Wireshark, the differences to a TLS 1.2 handshake become apparent. In particular, we can see that there are no Certificate and ClientKeyExchange messages since they have been removed:

We can find the client's key share in the key_share extension in the ClientHello message. In this case, the client chooses two different shares for different groups. That is because the group is chosen by the server in the ServerHello message, which the client has not received yet. Therefore, the client transmits multiple shares to increase the chance of agreement on a group with the server:

The server's key share can be inspected in the key_share extension in the ServerHello message. The server chooses a group and only transmits its key share for that group:

From this point on, all transmitted data is encrypted, as indicated by the EncryptedApplicationData tag in Wireshark.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

+ 2 Download the attached file. Open the pcap file in Wireshark and analyze the TLS 1.3 handshake. Answer the following questions. How many cipher suites are supported by the client?

+10 Streak pts

tls13_handshake.zip

+ 2 What cipher suite was agreed upon for the TLS session?

+10 Streak pts

+ 2 What is the server's key share?

+10 Streak pts

Previous Next

Go to Questions

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

OpenSSL

Command	Description
`openssl genrsa -out key.pem 2048`	Generate 2048 Bit RSA key
`openssl s_client -connect hackthebox.com:443 \| openssl x509 > hackthebox.pem`	Download certificate of web server
`openssl x509 -outform der -in hackthebox.pem -out hackthebox.der`	Convert PEM certificate to DER format
`openssl crl2pkcs7 -nocrl -certfile hackthebox.pem -out hackthebox.p7`	Convert PEM certificate to PKCS#7 format
`openssl req -x509 -newkey rsa:4096 -keyout key.pem -out selfsigned.pem -sha256 -days 365`	Create self-signed certificate
`openssl rsa -in rsa.pem -pubout > rsa_pub.pem`	Extract public key from RSA key-pair
`openssl rsautl -encrypt -inkey rsa_pub.pem -pubin -in msg.txt -out msg.enc`	Encrypt file with RSA public key
`openssl rsautl -decrypt -inkey rsa.pem -in msg.enc > decrypted.txt`	Decrypt file with RSA private key

TLS 1.2 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom
Certificate	Contains server certificate
ServerKeyExchange	Contains server key share (only for PFS cipher suites)
ServerHelloDone	Tells client that the ServerHello is complete
ClientKeyExchange	Contains client key share
ChangeCipherSpec	Concludes handshake, all subsequent messages are protected

TLS 1.3 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client, client key share
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom, server key share
Finished	Concludes handshake

Padding Oracles

Command	Description
`padbuster http://127.0.0.1:4000/admin "AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0=" 16 -encoding 0 -cookies "user=AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0="`	Run padbuster with an encrypted sample with block size 16

Parameters:

specify block length
specify encoding with -encoding flag
specify location of ciphertext with -cookies or -post flags
specify plaintext to encrypt with -plaintext flag
specify -usebody flag to analyze response content

POODLE

SSL 3.0 padding:

arbitrary padding bytes
last byte is the length of padding excluding the length itself
Example for block size 8: DEADBEEF -> DEADBEEF00000003

Bleichenbacher

Command	Description
`java -jar bleichenbacher-1.0.0.jar -pcap ./bleichenbacher.pcap -executeAttack`	Run Bleichenbacher attack from pcap file
`java -jar bleichenbacher-1.0.0.jar -executeAttack -connect 127.0.0.1:443 -encrypted_premaster_secret <SNIP>`	Run Bleichenbacher attack against server with encrypted premaster secret
`echo -n 214[...]3a8 \| awk -F '0303' '{print "0303"$2}'`	Extract unpadded premaster secret from padded premaster secret
`PMS_CLIENT_RANDOM <client_random> <premaster_secret>`	Wireshark Key file syntax

Heartbleed

Command	Description
`java -jar heartbleed-1.0.0.jar -connect 127.0.0.1:443 -executeAttack -heartbeats 10`	Run Heartbleed attack

SSL Stripping

Command	Description
`sudo arpspoof -i docker0 172.17.0.5`	Run ARP spoofing attack on interface `docker0` targeting `172.17.0.5`
`Strict-Transport-Security: max-age=31536000`	HSTS header syntax

Testing TLS Configuration

Command	Description
`bash testssl.sh https://hackthebox.com`	Test TLS configuration of a website

TLS Best Practices:

do not offer SSL 2.0 or SSL 3.0
do not offer TLS 1.0 or TLS 1.1
no NULL cipher suites
no EXPORT cipher suites
prefer PFS cipher suites
prefer GCM mode over CBC mode

HTTPs/TLS Attacks

TLS 1.3

Cipher Suites and Cryptography

Handshake

Analyzing a TLS 1.3 Handshake in Wireshark

Questions

Table of Contents

Introduction to HTTPs/TLS

Padding Oracle Attacks

TLS Compression

Heartbleed

Further Attacks

TLS Best Practices

Skills Assessment

My Workstation