Merge pull request #411 from RUB-NDS/SSL2ClientMasterKey

Ssl2 client master key

Author: ic0ns

.gitignore

@@ -6,4 +6,38 @@ pom.xml.next
 release.properties
 /apps/
 nbproject/
-nbactions.xml
+nbactions.xml.project
+.settings/org.eclipse.core.resources.prefs
+Attacks/.classpath
+Attacks/.project
+Attacks/.settings/org.eclipse.core.resources.prefs
+Attacks/.settings/org.eclipse.jdt.core.prefs
+TLS-Client/.classpath
+TLS-Client/.project
+TLS-Client/.settings/org.eclipse.core.resources.prefs
+TLS-Client/.settings/org.eclipse.jdt.core.prefs
+TLS-Core/.classpath
+TLS-Core/.project
+TLS-Core/.settings/org.eclipse.core.resources.prefs
+TLS-Core/.settings/org.eclipse.jdt.core.prefs
+TLS-Mitm/.classpath
+TLS-Mitm/.project
+TLS-Mitm/.settings/org.eclipse.core.resources.prefs
+TLS-Mitm/.settings/org.eclipse.jdt.core.prefs
+TLS-Server/.classpath
+TLS-Server/.project
+TLS-Server/.settings/org.eclipse.core.resources.prefs
+TLS-Server/.settings/org.eclipse.jdt.core.prefs
+TraceTool/.classpath
+TraceTool/.project
+TraceTool/.settings/org.eclipse.core.resources.prefs
+TraceTool/.settings/org.eclipse.jdt.core.prefs
+Transport/.classpath
+Transport/.project
+Transport/.settings/org.eclipse.core.resources.prefs
+Transport/.settings/org.eclipse.jdt.core.prefs
+Utils/.classpath
+Utils/.project
+Utils/.settings/org.eclipse.core.resources.prefs
+Utils/.settings/org.eclipse.jdt.core.prefs
+.project

Attacks/early_finished.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<workflowTrace>
+    <Send>
+        <messages>
+            <ClientHello>
+                <extensions>
+                    <ECPointFormat/>
+                    <EllipticCurves/>
+                    <RenegotiationInfoExtension/>
+                </extensions>
+            </ClientHello>
+        </messages>
+    </Send>
+    <Receive>
+        <expectedMessages>
+            <ServerHello>
+                <extensions>
+                    <ECPointFormat/>
+                    <RenegotiationInfoExtension/>
+                </extensions>
+            </ServerHello>
+            <Certificate/>
+            <ServerHelloDone/>
+        </expectedMessages>
+    </Receive>
+    <Send>
+        <messages>
+            <RSAClientKeyExchange/>
+            <ChangeCipherSpec/>
+        </messages>
+    </Send>
+    <Receive>
+        <expectedMessages>
+            <ChangeCipherSpec/>
+            <Finished/>
+        </expectedMessages>
+    </Receive>
+</workflowTrace>

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/Main.java

@@ -13,6 +13,7 @@
 import de.rub.nds.tlsattacker.attacks.config.PskBruteForcerAttackServerCommandConfig;
 import de.rub.nds.tlsattacker.attacks.config.PskBruteForcerAttackClientCommandConfig;
 import de.rub.nds.tlsattacker.attacks.config.Cve20162107CommandConfig;
+import de.rub.nds.tlsattacker.attacks.config.DrownCommandConfig;
 import de.rub.nds.tlsattacker.attacks.config.EarlyCCSCommandConfig;
 import de.rub.nds.tlsattacker.attacks.config.HeartbleedCommandConfig;
 import de.rub.nds.tlsattacker.attacks.config.InvalidCurveAttackConfig;
@@ -28,6 +29,7 @@
 import de.rub.nds.tlsattacker.attacks.impl.PskBruteForcerAttackServer;
 import de.rub.nds.tlsattacker.attacks.impl.PskBruteForcerAttackClient;
 import de.rub.nds.tlsattacker.attacks.impl.Cve20162107Attacker;
+import de.rub.nds.tlsattacker.attacks.impl.DrownAttacker;
 import de.rub.nds.tlsattacker.attacks.impl.EarlyCCSAttacker;
 import de.rub.nds.tlsattacker.attacks.impl.HeartbleedAttacker;
 import de.rub.nds.tlsattacker.attacks.impl.InvalidCurveAttacker;
@@ -88,6 +90,8 @@ public static void main(String[] args) {
         jc.addCommand(SimpleMitmProxyCommandConfig.ATTACK_COMMAND, simpleMitmProxy);
         TooManyAlgorithmsAttackConfig tooManyAlgorithms = new TooManyAlgorithmsAttackConfig(generalDelegate);
         jc.addCommand(TooManyAlgorithmsAttackConfig.ATTACK_COMMAND, tooManyAlgorithms);
+        DrownCommandConfig drownConfig = new DrownCommandConfig(generalDelegate);
+        jc.addCommand(DrownCommandConfig.COMMAND, drownConfig);
         // TokenBindingMitmCommandConfig tokenBindingMitm = new
         // TokenBindingMitmCommandConfig(generalDelegate);
         // jc.addCommand(TokenBindingMitmCommandConfig.ATTACK_COMMAND,
@@ -149,7 +153,9 @@ public static void main(String[] args) {
             case PskBruteForcerAttackServerCommandConfig.ATTACK_COMMAND:
                 attacker = new PskBruteForcerAttackServer(pskBruteForcerAttackServerTest);
                 break;
-
+            case DrownCommandConfig.COMMAND:
+                attacker = new DrownAttacker(drownConfig);
+                break;
             // case TokenBindingMitmCommandConfig.ATTACK_COMMAND:
             // attacker = new TokenBindingMitm(tokenBindingMitm);
             // break;

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/DrownCommandConfig.java

@@ -0,0 +1,45 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.config;
+
+import com.beust.jcommander.ParametersDelegate;
+import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
+import de.rub.nds.tlsattacker.core.config.delegate.GeneralDelegate;
+import de.rub.nds.tlsattacker.core.constants.HeartbeatMode;
+import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
+import de.rub.nds.tlsattacker.core.record.layer.RecordLayerType;
+import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
+
+public class DrownCommandConfig extends AttackConfig {
+
+    public static final String COMMAND = "drown";
+
+    @ParametersDelegate
+    private ClientDelegate clientDelegate;
+
+    public DrownCommandConfig(GeneralDelegate delegate) {
+        super(delegate);
+        clientDelegate = new ClientDelegate();
+        addDelegate(clientDelegate);
+    }
+
+    @Override
+    public boolean isExecuteAttack() {
+        return false;
+    }
+
+    @Override
+    public Config createConfig() {
+        Config config = super.createConfig();
+        config.setRecordLayerType(RecordLayerType.BLOB);
+        config.setHighestProtocolVersion(ProtocolVersion.SSL2);
+        return config;
+    }
+}

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/constants/DrownVulnerabilityType.java

@@ -0,0 +1,20 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.constants;
+
+/**
+ *
+ * @author Robert Merget <robert.merget@rub.de>
+ */
+public enum DrownVulnerabilityType {
+    FULL,
+    SSL2,
+    NONE,
+    UNKNOWN
+}

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/Attacker.java

@@ -52,6 +52,8 @@ public Boolean checkVulnerability() {
             if (!canConnect()) {
                 LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Cannot reach Server. Is the server online?");
                 return null;
+            } else {
+                LOGGER.debug("Can connect to server. Running vulnerability scan");
             }
         }
         return isVulnerable();

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/DrownAttacker.java

@@ -0,0 +1,158 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.impl;
+
+import de.rub.nds.modifiablevariable.bytearray.ByteArrayModificationFactory;
+import de.rub.nds.modifiablevariable.bytearray.ModifiableByteArray;
+import de.rub.nds.modifiablevariable.integer.IntegerModificationFactory;
+import de.rub.nds.modifiablevariable.integer.ModifiableInteger;
+import de.rub.nds.modifiablevariable.singlebyte.ModifiableByte;
+import de.rub.nds.tlsattacker.attacks.config.DrownCommandConfig;
+import de.rub.nds.tlsattacker.attacks.config.HeartbleedCommandConfig;
+import de.rub.nds.tlsattacker.attacks.constants.DrownVulnerabilityType;
+import static de.rub.nds.tlsattacker.attacks.impl.Attacker.LOGGER;
+import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
+import de.rub.nds.tlsattacker.core.constants.ProtocolMessageType;
+import de.rub.nds.tlsattacker.core.constants.RunningModeType;
+import de.rub.nds.tlsattacker.core.constants.SSL2CipherSuite;
+import de.rub.nds.tlsattacker.core.exceptions.WorkflowExecutionException;
+import de.rub.nds.tlsattacker.core.protocol.message.HeartbeatMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.SSL2ClientMasterKeyMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.SSL2ServerHelloMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.SSL2ServerVerifyMessage;
+import de.rub.nds.tlsattacker.core.protocol.preparator.SSL2ClientMasterKeyPreparator;
+import de.rub.nds.tlsattacker.core.state.State;
+import de.rub.nds.tlsattacker.core.state.TlsContext;
+import de.rub.nds.tlsattacker.core.util.LogLevel;
+import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutor;
+import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutorFactory;
+import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
+import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
+import de.rub.nds.tlsattacker.core.workflow.action.GenericReceiveAction;
+import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
+import de.rub.nds.tlsattacker.core.workflow.action.SendAction;
+import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowConfigurationFactory;
+import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
+import java.util.Arrays;
+import java.util.List;
+
+import org.bouncycastle.crypto.digests.MD5Digest;
+import org.bouncycastle.crypto.engines.RC4Engine;
+import org.bouncycastle.crypto.params.KeyParameter;
+
+public class DrownAttacker extends Attacker<DrownCommandConfig> {
+
+    public DrownAttacker(DrownCommandConfig config) {
+        super(config);
+    }
+
+    @Override
+    public void executeAttack() {
+        throw new UnsupportedOperationException("Not implemented yet");
+    }
+
+    @Override
+    public Boolean isVulnerable() {
+        DrownVulnerabilityType type = getDrownVulnerabilityType();
+        switch (type) {
+            case FULL:
+                LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Server is vulnerable to the full DROWN attack");
+                return true;
+            case NONE:
+                return false;
+            case SSL2:
+                LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Server supports SSL2, but not any weak ciphersuites, "
+                        + "so is not vulnerable to DROWN");
+                return false;
+            case UNKNOWN:
+                LOGGER.warn("Could not execute Workflow - something went wrong. Check the Debug output to be certain");
+                return null;
+        }
+        return null;
+    }
+
+    public DrownVulnerabilityType getDrownVulnerabilityType() {
+        Config tlsConfig = config.createConfig();
+        WorkflowTrace trace = new WorkflowConfigurationFactory(tlsConfig).createWorkflowTrace(
+                WorkflowTraceType.SSL2_HELLO, RunningModeType.CLIENT);
+        trace.addTlsAction(new SendAction(new SSL2ClientMasterKeyMessage()));
+        trace.addTlsAction(new ReceiveAction(new SSL2ServerVerifyMessage()));
+        State state = new State(tlsConfig, trace);
+        try {
+            WorkflowExecutor workflowExecutor = WorkflowExecutorFactory.createWorkflowExecutor(
+                    tlsConfig.getWorkflowExecutorType(), state);
+            workflowExecutor.executeWorkflow();
+        } catch (WorkflowExecutionException ex) {
+            LOGGER.info("The TLS protocol flow was not executed completely, follow the debug messages for more information.");
+            LOGGER.debug(ex);
+            return DrownVulnerabilityType.UNKNOWN;
+        }
+
+        if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.SSL2_SERVER_HELLO, trace)) {
+            return DrownVulnerabilityType.NONE;
+        }
+
+        SSL2ServerHelloMessage serverHello = (SSL2ServerHelloMessage) WorkflowTraceUtil.getFirstReceivedMessage(
+                HandshakeMessageType.SSL2_SERVER_HELLO, trace);
+        List<SSL2CipherSuite> serverCipherSuites = SSL2CipherSuite.getCiphersuites(serverHello.getCipherSuites()
+                .getValue());
+        for (SSL2CipherSuite cipherSuite : serverCipherSuites) {
+            if (cipherSuite.isWeak()) {
+                LOGGER.debug("Declaring host as vulnerable based on weak ciphersuite in ServerHello.");
+                return DrownVulnerabilityType.FULL;
+            }
+        }
+        SSL2ServerVerifyMessage message = (SSL2ServerVerifyMessage) WorkflowTraceUtil.getFirstReceivedMessage(
+                HandshakeMessageType.SSL2_SERVER_VERIFY, trace);
+        if (message != null && checkServerVerifyMessage(message, state.getTlsContext())) {
+            LOGGER.debug("Declaring host as vulnerable based on ServerVerify.");
+            return DrownVulnerabilityType.FULL;
+        }
+        return DrownVulnerabilityType.SSL2;
+    }
+
+    private boolean checkServerVerifyMessage(SSL2ServerVerifyMessage message, TlsContext context) {
+        byte[] md5Output = getMD5Output(context);
+
+        RC4Engine rc4 = new RC4Engine();
+        rc4.init(false, new KeyParameter(md5Output));
+        byte[] encrypted = message.getEncryptedPart().getValue();
+        int len = encrypted.length;
+        if (len < 16) {
+            return false;
+        }
+
+        byte[] decrypted = new byte[len];
+        rc4.processBytes(encrypted, 0, len, decrypted, 0);
+
+        if (Arrays.equals(Arrays.copyOfRange(decrypted, len - 16, len), context.getClientRandom())) {
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    private byte[] getMD5Output(TlsContext tlsContext) {
+        MD5Digest md5 = new MD5Digest();
+        byte[] clearKey = new byte[SSL2ClientMasterKeyPreparator.EXPORT_RC4_NUM_OF_CLEAR_KEY_BYTES];
+        md5Update(md5, clearKey);
+        md5Update(md5, tlsContext.getPreMasterSecret());
+        md5.update((byte) '0');
+        md5Update(md5, tlsContext.getClientRandom());
+        md5Update(md5, tlsContext.getServerRandom());
+        byte[] md5Output = new byte[md5.getDigestSize()];
+        md5.doFinal(md5Output, 0);
+        return md5Output;
+    }
+
+    private static void md5Update(MD5Digest md5, byte[] bytes) {
+        md5.update(bytes, 0, bytes.length);
+    }
+}

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/HandshakeMessageType.java

@@ -19,10 +19,14 @@ public enum HandshakeMessageType {
     UNKNOWN((byte) 255),
     HELLO_REQUEST((byte) 0),
     CLIENT_HELLO((byte) 1),
+    SSL2_CLIENT_HELLO((byte) 1),
     SERVER_HELLO((byte) 2),
+    SSL2_CLIENT_MASTER_KEY((byte) 2),
     HELLO_VERIFY_REQUEST((byte) 3),
     NEW_SESSION_TICKET((byte) 4),
+    SSL2_SERVER_HELLO((byte) 4),
     END_OF_EARLY_DATA((byte) 5),
+    SSL2_SERVER_VERIFY((byte) 5),
     HELLO_RETRY_REQUEST((byte) 6),
     ENCRYPTED_EXTENSIONS((byte) 8),
     CERTIFICATE((byte) 11),