openbullet / OpenBullet2

OpenBullet reinvented
https://docs.openbullet.dev/
MIT License
1.65k stars 455 forks

[Bug]: Custom Cipher Suites doesn't seem to work #744

Open ghost opened 2 years ago

ghost commented 2 years ago

Version of the software

0.2.4

Operating system

Windows Server 2019

Browser / Native

Chrome

What happened?

According to https://github.com/salesforce/ja3

JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.

JA3 gathers the decimal values of the bytes for the following fields in the Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. It then concatenates those values together in order, using a "," to delimit each field and a "-" to delimit each value in each field.

You can view your tls fingerprint here: https://ja3er.com/ or here in JSON format: https://ja3er.com/json

I made a small project to get JA3 fingerprint of Openbullet2(code provided below).

After sending multiple requests, the JA3 fingerprint hash was identical for all of them. Next, I changed Http Library to SystemNet and switched on Use Custom Cipher Suites. According to how JA3 fingerprinting works, the hash should change, as one of the five values is Accepted Ciphers; leaving only one of the default listed ciphers in OpenBullet2, the hash stayed identical to what I got previously. Proof: https://prnt.sc/D4LP4AEw4bsO and https://prnt.sc/gekBrmu8Mz13 So, my conclusion is: Custom Cipher Suites does not work as it should; giving various custom ciphers should change the TLS fingerprint to bypass the WAF of such companies as Akamai, etc.

Article to better understand how spoofing JA3 works: https://medium.com/cu-cyber/impersonating-ja3-fingerprints-b9f555880e42

Relevant LoliCode if needed

BLOCK:HttpRequest
LABEL:ja3
  url = "https://ja3er.com/json"
  httpLibrary = SystemNet
  useCustomCipherSuites = True
  TYPE:STANDARD
  ""
  "application/x-www-form-urlencoded"
ENDBLOCK

BLOCK:Parse
LABEL:hash
  input = @data.SOURCE
  jToken = "ja3_hash"
  MODE:Json
  => VAR @hash
ENDBLOCK
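An added example, not code from this issue or from the OpenBullet2 project, showing the JA3 derivation quoted above from the detection side: it parses a raw TLS ClientHello record into the five JA3 fields, drops GREASE values as the salesforce/ja3 reference does, and returns the fingerprint string and its MD5. The `build_client_hello` helper only fabricates a sample record so the block runs offline; its field values are constructed, not captured traffic.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3, as in the reference implementation.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}

def _u16s(buf: bytes) -> list:
    """Split a byte string into big-endian 16-bit integers."""
    return list(struct.unpack(f">{len(buf) // 2}H", buf))

def ja3_from_client_hello(record: bytes) -> tuple:
    """Parse one TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = int.from_bytes(body[:2], "big")      # legacy_version, e.g. 771 for TLS 1.2
    pos = 34                                       # skip version + 32-byte random
    pos += 1 + body[pos]                           # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = _u16s(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    exts, curves, formats = [], [], []
    while pos + 4 <= end:                          # walk the extension list in wire order
        etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        exts.append(etype)
        if etype == 10:                            # supported_groups (elliptic curves)
            curves = _u16s(data[2:2 + int.from_bytes(data[:2], "big")])
        elif etype == 11:                          # ec_point_formats
            formats = list(data[1:1 + data[0]])
    # Five fields joined by ",", values within a field joined by "-", GREASE removed.
    fields = [[version]] + [[v for v in xs if v not in GREASE] for xs in (ciphers, exts, curves)] + [formats]
    ja3 = ",".join("-".join(str(v) for v in f) for f in fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(version, ciphers, exts, curves, formats) -> bytes:
    """Constructed sample (not captured traffic): wrap the given fields into a TLS record."""
    ext_bytes = b""
    for e in exts:
        d = b""
        if e == 10:
            d = struct.pack(">H", 2 * len(curves)) + struct.pack(f">{len(curves)}H", *curves)
        elif e == 11:
            d = bytes([len(formats)]) + bytes(formats)
        ext_bytes += struct.pack(">HH", e, len(d)) + d
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"           # zero random, empty session id
            + struct.pack(">H", 2 * len(ciphers)) + struct.pack(f">{len(ciphers)}H", *ciphers)
            + b"\x01\x00" + struct.pack(">H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
```

Feeding real ClientHello records (e.g. from a pcap) to `ja3_from_client_hello` yields the same hash that https://ja3er.com reports for that client, which is what makes the hash usable as a threat-intelligence key.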
openbullet commented 2 years ago

Hello, currently you cannot use this feature on Windows since by default it uses the SChannel TLS provider, which does not allow configuring cipher suites on a per-request basis unless you manually change them from your Windows policies. You can only use this feature on macOS/Linux if you installed the latest OpenSSL library.

There is already an issue where I mention this https://github.com/openbullet/OpenBullet2/issues/691

Also on macOS/Linux you need to use RuriLibHttp (which does not support HTTP 2.0) in order to use this feature, or you can use SystemNet (which supports HTTP 2.0) but I'm pretty sure it only works with socks4/4a/5 proxies (not with HTTP proxies, not without proxies).

To sum it up...

RuriLibHttp with latest openssl (does not support HTTP/2.0)

| OS      | SOCKS 4/4a/5 | Http | No proxy |
|---------|--------------|------|----------|
| Windows |              |      |          |
| Linux   | ✔️           | ✔️   | ✔️       |
| macOS   | ✔️           | ✔️   | ✔️       |

SystemNet with latest openssl (supports HTTP/2.0)

| OS      | SOCKS 4/4a/5 | Http | No proxy |
|---------|--------------|------|----------|
| Windows |              |      |          |
| Linux   | ✔️           |      |          |
| macOS   | ✔️           |      |          |

Explanation on why this is like it is https://stackoverflow.com/questions/72064030/how-to-use-openssl-with-tls-in-net-core-on-windows

Please try and let me know. I will leave this open as it's a bit more informative.

ghost commented 2 years ago

Thanks a lot for the reply. Didn't know it doesn't work on Windows. I'll try to use it on Linux. For anyone wondering how to randomize the JA3 fingerprint on Windows, I used the CycleTLS library for NodeJS (https://github.com/Danny-Dasilva/CycleTLS)

const initCycleTLS = require('cycletls');
// Typescript: import initCycleTLS from 'cycletls';

(async () => {
  // Initiate CycleTLS
  const cycleTLS = await initCycleTLS();

  // Send request
  const response = await cycleTLS('https://ja3er.com/json', {
    body: '',
    ja3: '771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256-257,0',
    userAgent: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0',
    proxy: 'http://username:password@hostname.com:443'
  }, 'get');

  console.log(response);

  // Cleanly exit CycleTLS
  cycleTLS.exit();

})();

You can also use this code with the OpenBullet2 NodeJS interop block. You can create an array with JA3 fingerprints downloaded from here: https://ja3er.com/downloads.html and then just take a random item from the array. It worked perfectly for me on Windows 11 + OpenBullet2.

I also wish something like this could be implemented in OpenBullet, since randomizing only ciphers is kinda weak randomization. Thanks!

openbullet commented 2 years ago

> I also wish something like this could be implemented in OpenBullet, since randomizing only ciphers is kinda weak randomization.

Yes this is something I intend to do, I just don't have much time to work on OB2 since I have another job that is taking up most of my time.

Also, thank you so much for the very helpful insight on ja3 and the nodejs library, I will definitely take a look at it as soon as I find some time!

openbullet commented 2 years ago

I also wanted to add that it's not necessary to install Linux in a VM or buy a VPS or anything like that to try this; you can just install Docker and spin up an OpenBullet2 container. It will already have OpenSSL included and you will be able to try the custom cipher suites in a matter of minutes! You can find a tutorial for this here

miraserver commented 1 year ago

> Thanks a lot for the reply. Didn't know it doesn't work on Windows. I'll try to use it on Linux. For anyone wondering how to randomize the JA3 fingerprint on Windows, I used the CycleTLS library for NodeJS

Hey, can you explain the installation details for CycleTLS on Windows + OpenBullet 2 in more depth? Thank you.

orithecapper commented 11 months ago

bump

cr998 commented 3 months ago

As of today there is a project made in C#: https://github.com/mnickw/CycleTLS-dotnet

You could add this project into OpenBullet2, or look for a way to compile the Go module inside the main project into a DLL: https://github.com/Danny-Dasilva/CycleTLS