Comments (4)
Hi @AviDor,
While the tlsrecord.size
field (short) can be up to 65k, rfc2246 6.2.1 Fragmentation recommends a maximum records size of 16k. Our implementation of TLSRecord currently enforces this limit and if you exceed TLSRecord.MAX_LEN
a TLSFragmentationError
will be thrown. However, you're free to override TLSRecord.MAX_LEN
to fit your needs but be aware, this is a class attribute and your change will be shared with all other instances of TLSRecord
. Note that you cannot exceed 65k as this is the maximum value the records size field can hold (remember, its a short int).
Also note that TLSClientHello.gmt_unix_time is not a good candidate for adding random data as it is a fixed length 4 byte integer field and adding 10m 'a' will likely just result in creating an invalid hello message. Your best bet would be planting your payload as valid extensions to the hello message.
Here's a modification to client_hello_valid.py that will build a 'valid structured' 65k client hello by adding a lot of garbage padding extensions.
# note - this example is based off master
# create TLS Handhsake / Client Hello packet
TLSRecord.MAX_LEN = 2**16
p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() /
TLSClientHello(compression_methods=range(0xff)[::-1],
cipher_suites=range(0xff),
extensions=[TLSExtension() / TLSExtPadding("a"*100)]*622)])
print(len(str(p)))
# 65502
let me know if that answers your questions.
cheers,
tin
from scapy-ssl_tls.
Hi @tintinweb
Thanks for the reply.
It does answer my question but this is a limitation when it comes to fuzzing. If the TLSRecord size is 65k MAX it will not be able to provide sufficient fuzzing. Some SSL implementation will only fail on very large overflow values.
As for gmt_unix_time, the test was inspired by Codenomicon Defensics TLS fuzzing suite. It sends a long string (10 million bytes) instead of the proper unix time. On scapy_tls I edited gmt_unix_time to be a variable length string and attempted to send a 10 million bytes string and that obviously failed.
from scapy-ssl_tls.
Hi @AviDor,
scapy-ssl_tls
does not limit you in any way to produce invalid tls records.
The rfc specifies TLSRecord.length
to be an unsigned short (max=2^16). However, that does not mean you cannot override it or hint any record size you want.
The following (scapy-ssl_tls 1.2.3.2 compatible) example builds a 91k TLSClientHello
by adding garbage TLSServerNameExtensions and setting all the length fields to max to prevent scapy from autocalculating the length. You have to manually set the length fields as scapy will likely complain that the length exceeds the maximum possible value for the record length (remember, 2**16-1).
TLSRecord.MAX_LEN = 2**64-1 # satisfy the fragmentation size check.. any high int.
# create TLS Handhsake / Client Hello packet
# note that we set all length fields to ushort max as we're going to exceed that anyway.
p = TLSRecord(length=2**16-1)/TLSHandshake(length=2**16-1)/TLSClientHello(compression_methods=range(0xff)[::-1],
cipher_suites=range(0xff),
extensions_length=2**16-1,
extensions=[TLSExtension() / TLSExtServerNameIndication(server_names=[TLSServerName(data="www.dummysite.com")])]*3500)
p.show()
print(len(str(p)))
#91814
Codenomicon gmt_unix_time
overflow leaves some questions as they're overflowing a fixed size 4 byte field and therefore garbling the next fields with non tls compliant stuff. Thats kind of the crowbar way to do things and a decent stack is likely going to abort the connection once you provide something non-tls-ish :) Would probably be similar to something like TLSRecord()/TLSHandshake()/RandString()
in scapy-ssl_tls.
Hope that makes sense :)
cheers
tin
from scapy-ssl_tls.
thanks @tintinweb that's what I was looking for.
from scapy-ssl_tls.
Related Issues (20)
- Does the security_scanner.py still work? HOT 1
- I need a help for Encrypt the communication of the Modbus protocol using AES and SSL Socket programming in python. HOT 2
- how can i control the condition to count how much TLS protocol packages HOT 1
- Trying to Encrypt and Decrypt the communication between Client and Server using Modbus/TCP protocol.
- How to send raw data in tls? HOT 3
- Bad record mac when using ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher
- Missing os import
- How to create the Certificate Status message from the server? Any examples would be appreciated. HOT 1
- 2.0.0 server_rsa.py quit with error HOT 1
- TLSSessionCtx support for DTLS
- how to generate completely arbitrary messages HOT 1
- TLS 1.3 support HOT 2
- Pip Install Error HOT 4
- Feature: How to analyse statemachines using scapy-ssl_tls?
- UserWarning: Verification of GCM tag failed: MAC check failed HOT 1
- Documentation is sparse HOT 1
- Feature request: Implement please SSLKEYLOG decryption HOT 5
- Handling of curve25519 and curve448 ServerKeyExchange
- Pip Install Error HOT 2
- any guide for gmtls?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from scapy-ssl_tls.