HTTPs/TLS Attacks

Downgrade Attacks

Instead of attacking the more secure later versions of TLS, the target of downgrade attacks is to force a victim to use insecure configurations of TLS. That can either be an older, potentially weaker version of TLS or a flawed cipher suite. After successfully conducting a downgrade attack, an attacker can then focus on breaking the weaker configuration forced upon the client in a second attack step.

More specifically, downgrade vulnerabilities arise when TLS servers support multiple TLS versions to enable older clients that do not support the latest TLS version to communicate with the server as well. This can potentially be exploited by an attacker to force even clients that do support the latest TLS version to downgrade to an older, more insecure TLS version.

Cipher Suite Rollback

Cipher suite rollback attacks target SSL 2.0. That is because the list of cipher suites transmitted by the client and server during the handshake is not integrity protected with a MAC. It is therefore possible for a MitM attacker to intercept the ClientHello message and alter the list of cipher suites in such a way that a weak cipher suite is chosen, for instance by providing only export cipher suites. He can then forward the handshake message along and the handshake will proceed as normal. The connection established between the client and server will then use a weak cipher suite that can be broken by the attacker. SSL 3.0 and all TLS versions protect against cipher suite rollback attacks by including the list of cipher suites in the MAC of the final message of the handshake, thereby providing integrity protection. That way, changes made by a MitM attacker are detected before the handshake is concluded, leading to an alert and a failed connection establishment.

TLS Downgrade Attacks

The target of TLS downgrade attacks is to force the client into using an older and potentially weak TLS version for the connection with a server. A MitM attacker can achieve downgrade attacks by continuously interfering in the TLS handshake and dropping packets, resulting in a handshake failure. After a few failed handshake attempts for TLS 1.2, browsers may fall back to TLS 1.1 for connection establishment. The attacker can repeat this process until the victim's browser attempts to establish a connection using the desired TLS version. Interestingly, this is undocumented behavior of web browsers, though it was found to work in the past.

Exploits for attacks like POODLE and FREAK utilize a downgrade attack as part of their attack chain to target servers running secure TLS versions that still support older, vulnerable TLS versions such as SSL 3.0. To prevent downgrade attacks entirely, support for old TLS versions should be removed completely.

Note: TLS downgrade attacks are different from HTTP downgrading.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

+ 2 Download the attached file and open the pcap file in Wireshark. Answer the following questions. What TLS version does the client try to negotiate for the session?

+10 Streak pts

downgrade.zip

+ 2 What version do the client and server end up using for the session?

+10 Streak pts

Previous Next

Go to Questions

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

OpenSSL

Command	Description
`openssl genrsa -out key.pem 2048`	Generate 2048 Bit RSA key
`openssl s_client -connect hackthebox.com:443 \| openssl x509 > hackthebox.pem`	Download certificate of web server
`openssl x509 -outform der -in hackthebox.pem -out hackthebox.der`	Convert PEM certificate to DER format
`openssl crl2pkcs7 -nocrl -certfile hackthebox.pem -out hackthebox.p7`	Convert PEM certificate to PKCS#7 format
`openssl req -x509 -newkey rsa:4096 -keyout key.pem -out selfsigned.pem -sha256 -days 365`	Create self-signed certificate
`openssl rsa -in rsa.pem -pubout > rsa_pub.pem`	Extract public key from RSA key-pair
`openssl rsautl -encrypt -inkey rsa_pub.pem -pubin -in msg.txt -out msg.enc`	Encrypt file with RSA public key
`openssl rsautl -decrypt -inkey rsa.pem -in msg.enc > decrypted.txt`	Decrypt file with RSA private key

TLS 1.2 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom
Certificate	Contains server certificate
ServerKeyExchange	Contains server key share (only for PFS cipher suites)
ServerHelloDone	Tells client that the ServerHello is complete
ClientKeyExchange	Contains client key share
ChangeCipherSpec	Concludes handshake, all subsequent messages are protected

TLS 1.3 Handshake

Message	Description
ClientHello	Contains ClientRandom, Cipher Suites supported by client, client key share
ServerHello	Contains TLS version, Cipher Suite for session, ServerRandom, server key share
Finished	Concludes handshake

Padding Oracles

Command	Description
`padbuster http://127.0.0.1:4000/admin "AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0=" 16 -encoding 0 -cookies "user=AAAAAAAAAAAAAAAAAAAAAJQB/nhNEuPuNC8ox7cN1z0="`	Run padbuster with an encrypted sample with block size 16

Parameters:

specify block length
specify encoding with -encoding flag
specify location of ciphertext with -cookies or -post flags
specify plaintext to encrypt with -plaintext flag
specify -usebody flag to analyze response content

POODLE

SSL 3.0 padding:

arbitrary padding bytes
last byte is the length of padding excluding the length itself
Example for block size 8: DEADBEEF -> DEADBEEF00000003

Bleichenbacher

Command	Description
`java -jar bleichenbacher-1.0.0.jar -pcap ./bleichenbacher.pcap -executeAttack`	Run Bleichenbacher attack from pcap file
`java -jar bleichenbacher-1.0.0.jar -executeAttack -connect 127.0.0.1:443 -encrypted_premaster_secret <SNIP>`	Run Bleichenbacher attack against server with encrypted premaster secret
`echo -n 214[...]3a8 \| awk -F '0303' '{print "0303"$2}'`	Extract unpadded premaster secret from padded premaster secret
`PMS_CLIENT_RANDOM <client_random> <premaster_secret>`	Wireshark Key file syntax

Heartbleed

Command	Description
`java -jar heartbleed-1.0.0.jar -connect 127.0.0.1:443 -executeAttack -heartbeats 10`	Run Heartbleed attack

SSL Stripping

Command	Description
`sudo arpspoof -i docker0 172.17.0.5`	Run ARP spoofing attack on interface `docker0` targeting `172.17.0.5`
`Strict-Transport-Security: max-age=31536000`	HSTS header syntax

Testing TLS Configuration

Command	Description
`bash testssl.sh https://hackthebox.com`	Test TLS configuration of a website

TLS Best Practices:

do not offer SSL 2.0 or SSL 3.0
do not offer TLS 1.0 or TLS 1.1
no NULL cipher suites
no EXPORT cipher suites
prefer PFS cipher suites
prefer GCM mode over CBC mode

HTTPs/TLS Attacks

Downgrade Attacks

Cipher Suite Rollback

TLS Downgrade Attacks

Questions

Table of Contents

Introduction to HTTPs/TLS

Padding Oracle Attacks

TLS Compression

Heartbleed

Further Attacks

TLS Best Practices

Skills Assessment

My Workstation