Creating a PCAP with old TLS/SSL

I need a pcap that we can use to test scripts which discover insecure protocols.  I tried using pcapr.net, but the site seems to be functionally offline at this point.  I tried a few different strategies for generating the packets.  Others may want to build on this.

First, I tried to create a Python client & server, but I found that it is difficult to select which protocol version you’re using for your SSL connections. You might find this page interesting, but I found it to be a dead end. The Python team is working so hard to make it easy to do security right that I can’t figure out how to force a client to downgrade to, for example, SSLv2. Looks like it might be covered here though:

https://docs.python.org/3/library/ssl.html

Next, I tried to create the packets directly in scapy. It got me a little closer, but not as far as I’d like.
First, create an SSL key:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Now we have two important files: key.pem and certificate.pem.
Next, start a TLS server in Python by opening a terminal & typing “python3”:

import socket
import ssl

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain('certificate.pem', 'key.pem')

with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
    sock.bind(('0.0.0.0', 8443))  # this allows connections from outside localhost
    sock.listen(5)
    with context.wrap_socket(sock, server_side=True) as ssock:
        conn, addr = ssock.accept()

Now, from your machine with scapy, you’ll want to launch it without sudo.

scapy

Your next step is to set up your connection:

from scapy_ssl_tls.ssl_tls import *
target = ('192.168.0.5',8443) #this was the IP of the machine running the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)

This gets you a connection to the server.  Now we need to set up our SSL connection:

p = SSLv2Record() / SSLv2ClientHello(cipher_suites=SSLv2_CIPHER_SUITES.keys(),challenge='a' * 16,session_id='a' * 16) #sslv2 

p = TLSRecord(version="SSL_3_0") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #SSLV3 

p = TLSRecord(version="TLS_1_0") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #TLS1.0

p = TLSRecord(version="TLS_1_1") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #TLS1.1 

p = TLSRecord(version="TLS_1_2") / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #TLS1.2

p = TLSRecord() / TLSHandshakes(handshakes=[TLSHandshake() / TLSClientHello(compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff)))]) #Better TLS 1.2

You can use https://github.com/tintinweb/scapy-ssl_tls/blob/master/scapy_ssl_tls/ssl_tls.py#L247 to find appropriate version values. Now you’re ready to fire your packet for each of the different packet objects. I did this manually: each assignment above overwrites p, so if you run all the code above as-is, it’ll only give you a packet for the “Better TLS 1.2” implementation.

s.sendall(bytes(p))  # serialise the packet; on Python 2 bytes(p) is the same as str(p)

Now, you can go cruise on over to Wireshark, put some appropriate filters on & capture traffic. I needed this pcap to build some tests for confirming I catch traffic with insecure connection properties. Here’s a bespoke pcap with crummy SSL/TLS ClientHellos for SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2: https://www.amazon.com/clouddrive/share/jYAtRHbGN6pLqy8xRuTmZP3WJOq0oyVEazpTc9E2nVb
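A sketch of the kind of check such a pcap is meant to exercise, added here as an example and not part of the original post: a Python 3 classifier that reads the version fields of a ClientHello from raw TCP payload bytes. The function names and the sample payloads are constructed for illustration. It reports the record-layer version and the hello's own version separately, because the packets above vary the record version via TLSRecord(version=...).

```python
import struct

# Wire versions (major, minor). "TLS 1.2" is the 0x0303 field value, which
# TLS 1.3 clients also send as their legacy version.
NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
         (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
INSECURE = {"SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1"}

def classify_client_hello(payload):
    """Return (record_version, hello_version) names for a ClientHello at the
    start of a TCP payload, or None if the bytes are not a ClientHello."""
    # SSLv2: 2-byte length with the high bit set, message type 1, version.
    if len(payload) >= 5 and payload[0] & 0x80 and payload[2] == 1:
        hello = NAMES.get((payload[3], payload[4]))
        return ("SSLv2", hello) if hello else None
    # SSLv3/TLS: content type 22, record version, 2-byte length,
    # handshake type 1, 3-byte length, then client_version.
    if len(payload) >= 11 and payload[0] == 22 and payload[5] == 1:
        rec = NAMES.get((payload[1], payload[2]))
        hello = NAMES.get((payload[9], payload[10]))
        return (rec, hello) if rec and hello else None
    return None

def is_insecure(payload, check_record=False):
    """Flag hellos offering at most TLS 1.1. check_record=True also flags an
    old record-layer version, which modern clients may send for compatibility."""
    found = classify_client_hello(payload)
    if found is None:
        return False
    return found[1] in INSECURE or (check_record and found[0] in INSECURE)

# Constructed sample payloads (not taken from the pcap linked above).
def sslv2_hello():
    body = (b"\x01\x00\x02" + struct.pack("!HHH", 3, 0, 16)
            + b"\x01\x00\x80" + b"a" * 16)
    return struct.pack("!H", 0x8000 | len(body)) + body

def tls_hello(record_ver, hello_ver):
    body = (bytes(hello_ver) + b"\x00" * 32 + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(record_ver) + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for p in (sslv2_hello(), tls_hello((3, 0), (3, 0)), tls_hello((3, 1), (3, 3))):
        print(classify_client_hello(p), is_insecure(p))
```

Feed it the TCP payload of the first client-to-server segment of each stream in the capture.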

Mission complete- you can tinker with the pcap directly- but perhaps you want to also generate some bad traffic. Knock yourself out.

Protip:

This page looked like a great learning site for folks doing their first bits of tinkering with SSL & Wireshark: https://realpython.com/python-https/