tintinweb / scapy-ssl_tls

SSL/TLS layers for scapy the interactive packet manipulation tool
GNU General Public License v2.0

Length fields in packet not being set ? #96

Closed ahsan-tariq closed 7 years ago

ahsan-tariq commented 7 years ago

Hi, While scanning a site for sslv2 support I am seeing the following issue:

import socket
from scapy_ssl_tls.ssl_tls import *  # import added; the issue omits it

target = ("clani.taborniki.si", 443)
# placeholder: the poster's actual cipherlist is not shown in the issue
cipherlist = list(SSLv2_CIPHER_SUITES.keys())

pkt = SSLv2Record()/SSLv2ClientHello(cipher_suites=cipherlist,
                                     challenge='A'*16)
t = socket.socket()
t.connect(target)
ts = TLSSocket(t, client=True)
ts.sendall(pkt)
resp = ts.recv(8192*4)
resp = SSL(''.join(resp))
resp.show()

The TLS/SSL records in response are empty:

###[ SSL/TLS ]###
  \records   \

However, when I manually set the lengths of pkt like this:

pkt = SSLv2Record(length=(25+3*len(cipherlist)))/SSLv2ClientHello(cipher_suites=cipherlist,
                                                                   challenge='A'*16,
                                                                   challenge_length=16,
                                                                   cipher_suites_length=3*len(cipherlist)
                                                                   )

The sslv2 connection is successful. The response (pasted partial) I get is:

###[ SSL/TLS ]###
  \records   \
   |###[ SSLv2 Record ]###
   |  length    = 0x580
   |  content_type= server_hello
   |###[ SSLv2 Server Hello ]###
   |     session_id_hit= false
   |     certificate_type= x509
   |     version   = SSL_2_0
   |     certificates_length= 0x55f
   |     cipher_suites_length= 0x6
   |     connection_id_length= 0x10
.........

Are the length fields in packet being set correctly? Because when I do pkt.show(), the length fields in all layers are None. I thought this would be set by scapy before packet is transmitted but this does not appear to be the case? Also, this may be happening with other protocols as well. This does not result in dropped connections always, but only in some site cases and not others. Is there a way to set the lengths in different layers dynamically?

Thanks

alexmgr commented 7 years ago

Hi @ahsan-tariq,

The lengths are set automatically. If you need to view them before sending the packet, you need to use show2() (which exactly reflects what is sent on the wire). show() shows the packet pre-serialization, before all dynamic fields are updated. It's a scapy thing, we just follow along ;):

>>> (SSLv2Record()/SSLv2ClientHello(challenge='A'*16)).show2()
###[ SSLv2 Record ]###
  length= 0x18
  content_type= client_hello
###[ SSLv2 Client Hello ]###
     version= SSL_2_0
     cipher_suites_length= 0x0
     session_id_length= 0x0
     challenge_length= 0x10
     cipher_suites= []
     session_id= ''
     challenge= 'AAAAAAAAAAAAAAAA'
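The thread turns on how the SSLv2 record length is derived from the payload at serialization time. The following is an added example (not code from the issue or from scapy-ssl_tls) that builds and parses SSLv2 CLIENT-HELLO / SERVER-HELLO framing by hand with the Python 3 standard library, so the arithmetic can be checked without the library or a live server. Two numbers on this page are worth comparing: the poster's manually set record length, 25 + 3*len(cipherlist), counts the message-type byte plus version, three 2-byte length fields and the 16-byte challenge; the show2() output above reports length 0x18 (24) for a ClientHello with no cipher suites, which is exactly the sum of the SSLv2ClientHello fields listed under it, without the content_type byte. The SERVER-HELLO in the poster's successful run reports 0x580, which equals 11 + 0x55f + 6 + 0x10, i.e. the server's record length does include its message-type byte. The cipher-spec list and the server hello body below are constructed sample input; the poster's real cipherlist is not on the page.

```python
"""Hand-built SSLv2 CLIENT-HELLO / SERVER-HELLO framing with every length
field computed from the payload (added example, standard library only)."""
import struct

SSL2_MT_CLIENT_HELLO = 0x01   # SSLv2 message types (SSL 2.0 draft spec)
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# Constructed sample input: three 3-byte SSLv2 cipher specs and the 16-byte
# challenge the poster used. This is not the poster's cipherlist.
SAMPLE_CIPHER_SPECS = [0x010080, 0x030080, 0x060040]
SAMPLE_CHALLENGE = b"A" * 16


def client_hello_record_length(n_cipher_specs, session_id_len=0, challenge_len=16):
    """Bytes after the 2-byte record header: msg-type (1) + version (2) +
    three 2-byte length fields + cipher specs + session id + challenge.
    With a 16-byte challenge this is the poster's 25 + 3*len(cipherlist)."""
    return 1 + 2 + 2 + 2 + 2 + 3 * n_cipher_specs + session_id_len + challenge_len


def build_client_hello(cipher_specs, challenge, session_id=b""):
    """Serialize an SSLv2 CLIENT-HELLO record; returns the wire bytes."""
    body = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                       3 * len(cipher_specs), len(session_id), len(challenge))
    body += b"".join(cs.to_bytes(3, "big") for cs in cipher_specs)
    body += session_id + challenge
    if len(body) >= 0x8000:
        raise ValueError("body too long for a 2-byte SSLv2 header")
    # High bit set: 2-byte header, no padding, 15-bit length of everything after it.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_record_header(data):
    """Return (record_length, header_size, padding_len) for an SSLv2 record."""
    if len(data) < 2:
        raise ValueError("short header")
    if data[0] & 0x80:                                   # 2-byte header form
        return ((data[0] & 0x7F) << 8) | data[1], 2, 0
    if len(data) < 3:
        raise ValueError("short header")
    return ((data[0] & 0x3F) << 8) | data[1], 3, data[2]  # 3-byte form with padding byte


def parse_client_hello(record):
    """Parse a CLIENT-HELLO record and check that its length fields agree."""
    length, hdr, _pad = parse_record_header(record)
    body = record[hdr:hdr + length]
    if len(body) != length:
        raise ValueError("record truncated: header says %d, have %d" % (length, len(body)))
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack("!BHHHH", body[:9])
    if msg_type != SSL2_MT_CLIENT_HELLO:
        raise ValueError("not a CLIENT-HELLO")
    if cs_len % 3:
        raise ValueError("cipher-specs length is not a multiple of 3")
    if 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("inner length fields do not add up to the record length")
    pos = 9
    specs = [int.from_bytes(body[i:i + 3], "big") for i in range(pos, pos + cs_len, 3)]
    pos += cs_len
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    challenge = body[pos:pos + ch_len]
    return {"version": version, "cipher_specs": specs,
            "session_id": session_id, "challenge": challenge}


def parse_server_hello_header(record):
    """Parse the fixed part of a SERVER-HELLO (the fields resp.show() lists in
    the issue) and check the record length covers them plus the variable part."""
    length, hdr, _pad = parse_record_header(record)
    fields = struct.unpack("!BBBHHHH", record[hdr:hdr + 11])
    msg_type, sid_hit, cert_type, version, cert_len, cs_len, conn_id_len = fields
    if msg_type != SSL2_MT_SERVER_HELLO:
        raise ValueError("not a SERVER-HELLO")
    if 11 + cert_len + cs_len + conn_id_len != length:
        raise ValueError("SERVER-HELLO length fields do not add up")
    return {"length": length, "session_id_hit": sid_hit, "certificate_type": cert_type,
            "version": version, "certificates_length": cert_len,
            "cipher_suites_length": cs_len, "connection_id_length": conn_id_len}


# Constructed SERVER-HELLO using the numbers from the issue's resp.show():
# length 0x580, certificates_length 0x55f, cipher_suites_length 6,
# connection_id_length 0x10; the variable part is zero-filled here.
SAMPLE_SERVER_HELLO = (struct.pack("!H", 0x8000 | 0x580)
                       + struct.pack("!BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1,
                                     SSL2_VERSION, 0x55F, 6, 0x10)
                       + bytes(0x55F + 6 + 0x10))

if __name__ == "__main__":
    rec = build_client_hello(SAMPLE_CIPHER_SPECS, SAMPLE_CHALLENGE)
    print(parse_record_header(rec), parse_client_hello(rec))
    print(parse_server_hello_header(SAMPLE_SERVER_HELLO))
```

A practical check when a scan gets empty records back, as in the first run above: capture the bytes actually sent (show2() or a pcap), feed them to parse_client_hello, and confirm the record length equals client_hello_record_length(len(cipherlist)); a one-byte disagreement is enough for some SSLv2 servers to drop the handshake while others tolerate it.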