HTTPs/TLS Attacks

CRIME & BREACH

CRIME

Compression Ratio Info-leak Made Easy (CRIME) is a compression-based attack that targets TLS compression. As such, it can target sensitive information present in the HTTP body and HTTP headers such as session cookies. To successfully exploit CRIME, an attacker needs to be able to intercept traffic from the victim, as well as force the victim to adjust the request parameters slightly, for instance via malicious JavaScript code. The attacker also needs to know the name of the session cookie and the length of its value.

Let's look at an example to illustrate how the attack works. For our example we make the following assumptions:

Let's assume the session cookie is called sess and has a length of 6 characters. The victim's session cookie's value is abcdef
Our target website is called crime.local and we are attacking the path /crime.html
A sliding-window compression algorithm is used that works similarly to LZ77 as discussed in the previous section

The attacker then forces the victim to request the target website but appends an extra HTTP parameter to the URL with the same name as the session cookie and an arbitrary value with the correct length. An exemplary request could look like this:

GET /crime.html?sess=XXXXXX HTTP/1.1
Host: crime.local
Cookie: sess=abcdef

This request is now compressed using a sliding window compression algorithm, meaning that the sess= string present in the Cookie Header is replaced with a back-reference to the sess= string appended by the attacker to the query string. The compressed data is then encrypted. Since the attacker can intercept the ciphertext, he denotes the ciphertext size.

In the second step, the attacker changes the query parameter slightly to brute-force the value of the session cookie character by character from left to right. So, the next request might look like this:

GET /crime.html?sess=aXXXXX HTTP/1.1
Host: crime.local
Cookie: sess=abcdef

In this case, the compression algorithm can now replace the string sess=a with a back-reference, since an additional character is the same in the cookie's value and query string. This means the resulting compressed data is smaller, potentially resulting in a smaller ciphertext. The attacker notices the smaller ciphertext and knows that the current character is correct. He can therefore move on to the next character:

GET /crime.html?sess=aaXXXX HTTP/1.1
Host: crime.local
Cookie: sess=abcdef

The attacker can apply this technique recursively to brute-force all characters of the cookie, thereby leaking the session cookie. Depending on the length of the session cookie, a lot of requests are required to perform this attack.

BREACH

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) is a variant of CRIME that targets HTTP-level compression. Since HTTP-level compression can only compress the HTTP body, BREACH is unable to target session cookies that are transmitted in HTTP headers. Therefore, potential targets of BREACH are sensitive information contained in the HTTP body such as CSRF-tokens.

Conceptually, BREACH works identically to CRIME with the slight difference that the webserver's response needs to contain a reflected value in the body for the attack to work since the attacker cannot simply adjust the query string as it is not part of the HTTP body.

Tools & Prevention

The simplest countermeasure to prevent CRIME attacks is to disable TLS-level compression. Alternatively, compression algorithms that do not fulfill the requirements needed for the successful exploitation of CRIME can be used to mitigate this attack. As of today, up-to-date webservers and libraries are not vulnerable to CRIME as patches have been applied.

Similarly, the simplest countermeasure to prevent BREACH attacks is to disable HTTP-level compression.

Previous Next

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

OpenSSL

Command	Description
`openssl genrsa -out key.pem 2048`	Generate 2048 Bit RSA key
`openssl s_client -connect hackthebox.com:443 \| openssl x509 > hackthebox.pem`	Download certificate of web server
`openssl x509 -outform der -in hackthebox.pem -out hackthebox.der`	Convert PEM certificate to DER format
`openssl crl2pkcs7 -nocrl -certfile hackthebox.pem -out hackthebox.p7`	Convert PEM certificate to PKCS#7 format
`openssl req -x509 -newkey rsa:4096 -keyout key.pem -out selfsigned.pem -sha256 -days 365`	Create self-signed certificate
`openssl rsa -in rsa.pem -pubout > rsa_pub.pem`	Extract public key from RSA key-pair
`openssl rsautl -encrypt -inkey rsa_pub.pem -pubin -in msg.txt -out msg.enc`	Encrypt file with RSA public key
`openssl rsautl -decrypt -inkey rsa.pem -in msg.enc > decrypted.txt`	Decrypt file with RSA private key

TLS 1.2 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom
Certificate	Contains server certificate
ServerKeyExchange	Contains server key share (only for PFS cipher suites)
ServerHelloDone	Tells client that the ServerHello is complete
ClientKeyExchange	Contains client key share
ChangeCipherSpec	Concludes handshake, all subsequent messages are protected

TLS 1.3 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client, client key share
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom, server key share
Finished	Concludes handshake

Padding Oracles

Command	Description
`padbuster http://127.0.0.1:4000/admin "AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0=" 16 -encoding 0 -cookies "user=AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0="`	Run padbuster with an encrypted sample with block size 16

Parameters:

specify block length
specify encoding with -encoding flag
specify location of ciphertext with -cookies or -post flags
specify plaintext to encrypt with -plaintext flag
specify -usebody flag to analyze response content

POODLE

SSL 3.0 padding:

arbitrary padding bytes
last byte is the length of padding excluding the length itself
Example for block size 8: DEADBEEF -> DEADBEEF00000003

Bleichenbacher

Command	Description
`java -jar bleichenbacher-1.0.0.jar -pcap ./bleichenbacher.pcap -executeAttack`	Run Bleichenbacher attack from pcap file
`java -jar bleichenbacher-1.0.0.jar -executeAttack -connect 127.0.0.1:443 -encrypted_premaster_secret <SNIP>`	Run Bleichenbacher attack against server with encrypted premaster secret
`echo -n 214[...]3a8 \| awk -F '0303' '{print "0303"$2}'`	Extract unpadded premaster secret from padded premaster secret
`PMS_CLIENT_RANDOM <client_random> <premaster_secret>`	Wireshark Key file syntax

Heartbleed

Command	Description
`java -jar heartbleed-1.0.0.jar -connect 127.0.0.1:443 -executeAttack -heartbeats 10`	Run Heartbleed attack

SSL Stripping

Command	Description
`sudo arpspoof -i docker0 172.17.0.5`	Run ARP spoofing attack on interface `docker0` targeting `172.17.0.5`
`Strict-Transport-Security: max-age=31536000`	HSTS header syntax

Testing TLS Configuration

Command	Description
`bash testssl.sh https://hackthebox.com`	Test TLS configuration of a website

TLS Best Practices:

do not offer SSL 2.0 or SSL 3.0
do not offer TLS 1.0 or TLS 1.1
no NULL cipher suites
no EXPORT cipher suites
prefer PFS cipher suites
prefer GCM mode over CBC mode

HTTPs/TLS Attacks

CRIME & BREACH

CRIME

BREACH

Tools & Prevention

Table of Contents

Introduction to HTTPs/TLS

Padding Oracle Attacks

TLS Compression

Heartbleed

Further Attacks

TLS Best Practices

Skills Assessment

My Workstation