hatching / httpreplay

Replay HTTP and HTTPS requests from a PCAP based on TLS Master Secrets.

Error decoding RC4 sessions #9

Closed dfirbuddy closed 7 years ago

dfirbuddy commented 7 years ago

Hi Jurriaan, I found a strange error decoding some sessions. I added the pcap. The error "AttributeError: 'str' object has no attribute 'name'" that you see if running without debugging is not correct. Inside the debugger you get an assert because it is not a block cipher (see attachment). I just connected to https://www.heise.de. The error occurs inside tlslite-ng. There seems to be the same error with version 0.7-alpha2.
Attachments: screenshot from 2017-01-04 19-01-46, screenshot from 2017-01-04 19-01-18, tlsmaster.txt

dump.zip

dfirbuddy commented 7 years ago

Hi Jurriaan, I found a workaround to decode the pcap file. Perhaps it would be an option to use tshark for decoding SSL with Cuckoo as an alternative as long as the bug in httpreplay/tlslite-ng isn't resolved. I posted 3 scripts as an example. Use ssl_decode_http.sh as a PoC. Format is variable.

Regards Willy

ssl_tshark.tar.zip

jbremer commented 7 years ago

@dfirbuddy I've just fixed the issue and pushed out a new version (0.1.18), naturally I'll be updating the version numbers in the Cuckoo branches as well. Although your idea is nice, the tshark stuff, I'm not sure if it'd be suitable here ;-) Because then we'd have to run tshark and parse its text output etc. Closing this issue as fixed. Thanks for your feedback!

dfirbuddy commented 7 years ago

Hi Jurriaan, tshark offers to create a CSV file (incl. field headers if you wish). You only need to define the fields you are interested in. The other (more interesting) way would be to use the new XML output format. Now you can use bs4 and lxml and XPath to parse the info. If you let me know the fields you are interested in I will create a prototype for you. The only disadvantage I see is that tshark is not available on all platforms. Regards Willy
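To make the XML route concrete, here is an added example (not part of httpreplay and not one of the scripts attached to this issue) that parses tshark's PDML output and turns the decrypted HTTP fields into per-stream records and a CSV table. It assumes the PDML layout written by `tshark -r dump.pcap -o tls.keylog_file:tlsmaster.txt -T pdml` (older Wireshark releases spell the preference `ssl.keylog_file`); the sample document below is constructed by hand with attributes trimmed to those the parser reads, and uses the www.heise.de host from the issue with made-up documentation-range addresses. Only the standard library is used, so no lxml install is needed.

```python
"""Extract HTTP fields from tshark PDML output (added example, assumptions noted)."""
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample PDML: a TLS handshake frame without HTTP, then one
# decrypted request and one decrypted response on tcp.stream 0.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/2.2.3">
  <packet>
    <proto name="geninfo"><field name="num" show="2"/></proto>
    <proto name="ip"><field name="ip.src" show="192.0.2.10"/><field name="ip.dst" show="198.51.100.7"/></proto>
    <proto name="tcp"><field name="tcp.stream" show="0"/></proto>
    <proto name="ssl"><field name="ssl.handshake.type" show="1"/></proto>
  </packet>
  <packet>
    <proto name="geninfo"><field name="num" show="4"/></proto>
    <proto name="ip"><field name="ip.src" show="192.0.2.10"/><field name="ip.dst" show="198.51.100.7"/></proto>
    <proto name="tcp"><field name="tcp.stream" show="0"/></proto>
    <proto name="ssl"/>
    <proto name="http">
      <field name="" show="GET / HTTP/1.1\\r\\n">
        <field name="http.request.method" show="GET"/>
        <field name="http.request.uri" show="/"/>
        <field name="http.request.version" show="HTTP/1.1"/>
      </field>
      <field name="http.host" show="www.heise.de"/>
      <field name="http.request" show="1"/>
    </proto>
  </packet>
  <packet>
    <proto name="geninfo"><field name="num" show="6"/></proto>
    <proto name="ip"><field name="ip.src" show="198.51.100.7"/><field name="ip.dst" show="192.0.2.10"/></proto>
    <proto name="tcp"><field name="tcp.stream" show="0"/></proto>
    <proto name="ssl"/>
    <proto name="http">
      <field name="" show="HTTP/1.1 200 OK\\r\\n">
        <field name="http.response.version" show="HTTP/1.1"/>
        <field name="http.response.code" show="200"/>
        <field name="http.response.phrase" show="OK"/>
      </field>
      <field name="http.content_type" show="text/html; charset=UTF-8"/>
      <field name="http.response" show="1"/>
    </proto>
  </packet>
</pdml>"""


@dataclass
class HttpRecord:
    packet_num: str
    stream: str
    src: str
    dst: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def is_request(self) -> bool:
        return "http.request.method" in self.fields


def _first_show(packet: ET.Element, name: str, default: str = "") -> str:
    # PDML fields nest (the request line wraps method/uri/version), so walk
    # the whole packet subtree and return the first matching 'show' value.
    for f in packet.iter("field"):
        if f.get("name") == name:
            return f.get("show", default)
    return default


def parse_pdml(text: str) -> List[HttpRecord]:
    """Return one HttpRecord per frame that tshark dissected as HTTP."""
    records: List[HttpRecord] = []
    for packet in ET.fromstring(text).iter("packet"):
        http = packet.find("proto[@name='http']")
        if http is None:
            continue  # handshake or undecryptable frame: no HTTP layer
        rec = HttpRecord(
            packet_num=_first_show(packet, "num"),
            stream=_first_show(packet, "tcp.stream"),
            src=_first_show(packet, "ip.src"),
            dst=_first_show(packet, "ip.dst"),
        )
        for f in http.iter("field"):
            name = f.get("name", "")
            if name.startswith("http."):
                rec.fields.setdefault(name, f.get("show", ""))  # keep first occurrence
        records.append(rec)
    return records


def group_by_stream(records: List[HttpRecord]) -> Dict[str, List[HttpRecord]]:
    """Group request/response frames by tcp.stream, preserving frame order."""
    streams: Dict[str, List[HttpRecord]] = {}
    for rec in records:
        streams.setdefault(rec.stream, []).append(rec)
    return streams


def to_csv(records: List[HttpRecord], wanted: List[str]) -> str:
    """Render the chosen http.* fields as CSV, like 'tshark -T fields -E header=y'."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["frame", "stream", "src", "dst", *wanted])
    for rec in records:
        writer.writerow([rec.packet_num, rec.stream, rec.src, rec.dst,
                         *(rec.fields.get(n, "") for n in wanted)])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_pdml(SAMPLE_PDML)
    print(to_csv(recs, ["http.request.method", "http.host", "http.response.code"]))
```

Feeding real output is a matter of replacing `SAMPLE_PDML` with the text tshark writes to stdout; the stream grouping is what lets a consumer pair each request with the response that follows it on the same connection.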

jbremer commented 7 years ago

Well, I mean, from a httpreplay point of view we want all the fields. That is, on a tcp, http, or https level based on the type of stream. You're more than welcome to play around with tshark to see how far you can push it, but keep in mind that the current approach of httpreplay is working just fine and as such me merging it is not that likely. Especially since currently httpreplay works on "all" operating systems (Linux, Mac OS X, Windows). Well, Mac OS X isn't unit tested right now, but Linux and Windows are.