I need a pcap that we can use to test scripts which discover insecure protocols. I tried using pcapr.net, but the site seems to be functionally offline at this point. I tried a few different strategies for generating the packets. Others may want to build on this.
First, I tried to create a Python client & server, but I found that it is difficult to select which protocol version you’re using for your SSL connections. You might find this page interesting, but I found it to be a dead end. The Python team is working so hard to make it easy to do security right, I can’t figure out how to force a client to downgrade to, for example, SSLv2. Looks like it might be covered here though:
https://docs.python.org/3/library/ssl.html
Next, I tried to create the packets directly in scapy. It got me a little closer, but not as far as I’d like:
First, create an SSL key:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Now we have two important files: a key.pem and a certificate.pem file.
Next, open a TLS server via Python by opening a terminal & typing “python3”:
import socket
import ssl

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain('certificate.pem', 'key.pem')

with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
    sock.bind(('0.0.0.0', 8443))  # this allows connections from outside localhost
    sock.listen(5)
    with context.wrap_socket(sock, server_side=True) as ssock:
        conn, addr = ssock.accept()
Now, from your machine with scapy, you’ll want to launch it without sudo.
scapy
And your next step is to go ahead and set up your connections:
from scapy_ssl_tls.ssl_tls import *
target = ('192.168.0.5', 8443)  # this was the IP of the machine running the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
This gets you a connection to the server. Now we need to set up our SSL connection:
# SSLv2
p = SSLv2Record() / SSLv2ClientHello(cipher_suites=SSLv2_CIPHER_SUITES.keys(),challenge='a' * 16,session_id='a' * 16)
# SSLv3
p = TLSRecord(version="SSL_3_0") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))])
# TLS 1.0
p = TLSRecord(version="TLS_1_0") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))])
# TLS 1.1
p = TLSRecord(version="TLS_1_1") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))])
# TLS 1.2
p = TLSRecord(version="TLS_1_2") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))])
# Better TLS 1.2
p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))])
You can use https://github.com/tintinweb/scapy-ssl_tls/blob/master/scapy_ssl_tls/ssl_tls.py#L247 to find appropriate version values. Now you’re ready to fire your packet for each of the different packet objects. I did this manually. If you try to use all the code above, it’ll only give you a packet for the “Better TLS 1.2” implementation, because each assignment to p overwrites the previous one.
s.sendall(str(p))  # Python 2 scapy; under Python 3 use bytes(p)
Now, you can go cruise on over to Wireshark and put some appropriate filters on & capture traffic. I needed this pcap to build some tests for confirming I catch traffic with insecure connection properties. Here’s a bespoke pcap with crummy SSL/TLS client Hellos for SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2: https://www.amazon.com/clouddrive/share/jYAtRHbGN6pLqy8xRuTmZP3WJOq0oyVEazpTc9E2nVb
Mission complete. You can tinker with the pcap directly, but perhaps you want to also generate some bad traffic. Knock yourself out.
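A sketch of the kind of check a pcap like this is meant to exercise, added here as an example and not part of the original post: it parses the first bytes of a TCP payload and reports both the record-layer version (the field TLSRecord(version=...) sets) and the ClientHello's own version field, which are separate on the wire. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Wire version numbers; SSLv2 uses 0x0002 inside its own record format.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(payload):
    """Return (framing, record_version, hello_version) or None."""
    if len(payload) >= 5 and payload[0] & 0x80 and payload[2] == 0x01:
        # SSLv2 framing: 2-byte length with high bit set, type 1, version.
        (ver,) = struct.unpack("!H", payload[3:5])
        if ver in VERSIONS:
            return ("SSLv2", None, ver)
    if len(payload) >= 11 and payload[0] == 0x16 and payload[5] == 0x01:
        # TLS framing: type 22, record version, length, then handshake
        # type 1, 3-byte length, client_version.
        (rec,) = struct.unpack("!H", payload[1:3])
        (hello,) = struct.unpack("!H", payload[9:11])
        return ("TLS", rec, hello)
    return None

def findings(payload):
    """Reasons to flag a ClientHello; an empty list means nothing found."""
    parsed = parse_client_hello(payload)
    if parsed is None:
        return []
    framing, rec, hello = parsed
    out = []
    if framing == "SSLv2":
        out.append("SSLv2 record format")
    if hello < 0x0303:  # highest version the client offers (pre-TLS 1.3)
        out.append("offers at most " + VERSIONS.get(hello, hex(hello)))
    # A record version of 0x0301 is not flagged: TLS 1.2 clients commonly
    # send it in the first record for compatibility.
    if rec == 0x0300:
        out.append("SSLv3 record version")
    return out

def sample_tls_hello(rec, hello):
    """Constructed minimal ClientHello: one suite, null compression."""
    body = (struct.pack("!H", hello) + b"\x00" * 33
            + b"\x00\x02\x00\x2f\x01\x00")
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!HH", rec, len(hs)) + hs

def sample_sslv2_hello(ver=0x0002):
    """Constructed SSLv2 CLIENT-HELLO: one cipher spec, 16-byte challenge."""
    body = (b"\x01" + struct.pack("!HHHH", ver, 3, 0, 16)
            + b"\x01\x00\x80" + b"a" * 16)
    return struct.pack("!H", 0x8000 | len(body)) + body
```

To run it against a capture, feed findings() the TCP payload of the first client-to-server segment of each connection.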
Protip:
This page looked like a great learning site for folks doing their first bits of tinkering with SSL & Wireshark: https://realpython.com/python-https/