TLS-Attacker

Is it possible to send SSL records in different TCP segments?

Open sajualways opened this issue 4 years ago • 10 comments

I am looking for something like this

CKE handshake message in one TCP packet
CCS handshake message in one TCP packet
FIN handshake message in one TCP packet

sajualways, Aug 17 '20 09:08

This is fairly easy: you can just send the messages in distinct actions, which will also send them in different TCP packets. If you want more complicated mixing, it gets harder...

ic0ns, Aug 17 '20 09:08

Got it... and what if I need to send small record bytes, i.e. splitting the bytes across TCP segments or records?

sajualways, Aug 17 '20 09:08

Splitting across records is also fairly easy, as you can also define the records in the workflow trace. This would look like this:

<Send>
        <messages>
            <ClientHello>
                <extensions>
                    <ECPointFormat/>
                    <EllipticCurves/>
                    <SignatureAndHashAlgorithmsExtension/>
                    <RenegotiationInfoExtension/>
                </extensions>
            </ClientHello>
        </messages>
        <records>
            <Record>
                <contentMessageType>HANDSHAKE</contentMessageType>
                <maxRecordLengthConfig>16</maxRecordLengthConfig>
                <computations/>
            </Record>
            <Record>
                <contentMessageType>HANDSHAKE</contentMessageType>
                <maxRecordLengthConfig>32</maxRecordLengthConfig>
                <computations/>
            </Record>
            <Record>
                <contentMessageType>HANDSHAKE</contentMessageType>
                <maxRecordLengthConfig>10000</maxRecordLengthConfig>
                <computations/>
            </Record>
        </records>
</Send>

This would send the client hello in 3 records, with 16, 32 and the rest of the handshake bytes each. There are also flags in the config which change the default behavior of how tls-attacker fragments. Fragmenting on the TCP layer is harder, as we do not have a good interface for that. If you really want to do more complex TCP fragmentation you will probably need to write some code for it.

ic0ns, Aug 17 '20 09:08

Thanks... but what I was looking for is something like this: the Client hello message record header, which is a 5-byte header. Out of this 5-byte header, 3 bytes should go in one TCP packet and the remaining 2 header bytes + the client hello() message in a second TCP packet.

sajualways, Aug 17 '20 10:08

Ah, I see. I don't think we have a flag or a good interface for that as of yet, but I think it can be easily added. You would need to adjust the SendMessageHelper for this. It is not trivial to do - but also not super hard. It appears useful to me, so if you want I can put it on the todo-pile.

ic0ns, Aug 17 '20 10:08
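
The two kinds of splitting discussed above, as an added example that is not part of the thread and is not TLS-Attacker code: `fragment` cuts a handshake message into records with per-record maximum lengths (16, 32, 10000 as in the workflow trace), and `RecordReassembler` shows what a receiving TLS stack has to do when the 5-byte record header arrives as 3 bytes in one TCP segment and 2 bytes in the next. All function and class names, the reuse of the last maximum length, and the 100-byte stand-in message are assumptions of this example.

```python
import struct

HANDSHAKE = 22          # TLS ContentType: handshake
VERSION = b"\x03\x03"   # record-layer version field (TLS 1.2)

def fragment(content_type, payload, max_lengths):
    """Split payload into TLS records, one per entry in max_lengths.
    Assumption of this example: the last length is reused if data remains."""
    records, offset, i = [], 0, 0
    while offset < len(payload):
        limit = max_lengths[min(i, len(max_lengths) - 1)]
        chunk = payload[offset:offset + limit]
        header = bytes([content_type]) + VERSION + struct.pack("!H", len(chunk))
        records.append(header + chunk)
        offset += len(chunk)
        i += 1
    return records

class RecordReassembler:
    """Receiver side: buffer TCP segments and return only complete records,
    wherever the segment boundaries fall (including inside the header)."""
    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        self.buf += segment
        out = []
        while len(self.buf) >= 5:                    # full 5-byte header present?
            ctype = self.buf[0]
            length = struct.unpack("!H", self.buf[3:5])[0]
            if len(self.buf) < 5 + length:           # body still incomplete
                break
            out.append((ctype, self.buf[5:5 + length]))
            self.buf = self.buf[5 + length:]
        return out

def demo():
    # Constructed stand-in for a serialized ClientHello handshake message (100 bytes).
    hello = b"\x01" + (96).to_bytes(3, "big") + bytes(96)
    records = fragment(HANDSHAKE, hello, [16, 32, 10000])
    sizes = [len(r) - 5 for r in records]
    # The case asked about in the thread: 3 header bytes first, everything else after.
    wire = b"".join(records)
    rx = RecordReassembler()
    first = rx.feed(wire[:3])      # nothing can be parsed yet
    rest = rx.feed(wire[3:])       # all three records complete now
    return sizes, first, b"".join(p for _, p in rest) == hello

if __name__ == "__main__":
    print(demo())
```

A receiver that parses each TCP segment on its own instead of buffering would fail on the first 3-byte segment, which is the behavior such a test is meant to surface.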

Yeah sure... it will be good if we have this feature enhancement.

sajualways, Aug 17 '20 10:08

What about this plainRecordBytes?

Can this be used here?

sajualways, Aug 17 '20 10:08

With plainRecordBytes you can manually hack this together, but it's not really usable. You could theoretically send the same message twice and use a byteArrayDeleteModification to first strip the end of the message and then strip the beginning of the message in the next record.

ic0ns, Aug 17 '20 10:08

OK, fine... will wait for the proper enhancement then.

Let me know once it is checked in.

sajualways, Aug 17 '20 11:08

We decided to put this into TLS-Attacker 4.0, which is a complete rework of the framework to properly implement this feature - will take some more time

ic0ns, Jun 08 '22 11:06