tls-attacker / TLS-Attacker

TLS-Attacker is a Java-based framework for analyzing TLS libraries. It can be used to manually test TLS clients and servers or as a software library for more advanced tools.
Apache License 2.0
789 stars 136 forks

how to fuzz #58

Closed kkkkkkkk97 closed 5 years ago

kkkkkkkk97 commented 5 years ago

TLS-Attacker is a very powerful software, I want to use it for fuzzing, but I encountered a lot of problems when I tried to modify the WorkflowTrace. Could you please tell me how to modify the supported cipher suite, record length and some other values in the WorkflowTrace or a better strategy? Also, I have tried the old version, but I also encountered some problems. I'm a beginner.

ic0ns commented 5 years ago

Hey, we removed fuzzing capabilities from the TLS-Attacker project and outsourced them to a more powerful tool which we are currently working on behind the curtains. The Fuzzer was deprecated after Version 1.2. If you want to modify the parameters of the messages an easy way to go is to load an xml Config file with the values contained. I recently wrote a tutorial on how to do this on our blog: https://web-in-security.blogspot.com/2019/03/playing-with-tls-attacker.html

kkkkkkkk97 commented 5 years ago

Thanks a lot, I got it. And what should I do if I want to modify the Record header or the ClientHello header of the message?

ic0ns commented 5 years ago

Hey, this has to be done with a custom WorkflowTrace. You can do it like this:

<workflowTrace>
    <Send>
        <messages>
            <ClientHello/>
        </messages>
        <records>
            <Record>
                <contentType>
                    <byteExplicitValueModification>
                        <explicitValue>0</explicitValue>
                    </byteExplicitValueModification>
                </contentType>
                <length>
                    <integerExplicitValueModification>
                        <explicitValue>255</explicitValue>
                    </integerExplicitValueModification>
                </length>
                <protocolVersion>
                    <byteArrayExplicitValueModification>
                        <explicitValue>12 34</explicitValue>
                    </byteArrayExplicitValueModification>
                </protocolVersion>
            </Record>
        </records>
    </Send>
</workflowTrace>
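
As an added illustration (not part of the original thread or the TLS-Attacker code base), this Python example serializes the 5-byte record header that the explicit values in the trace above describe and lists the reasons an RFC 5246-conformant receiver has to reject it. It assumes the byte and integer values are decimal and the byte array is hex; the function names and the 120-byte payload length are hypothetical.

```python
import struct
import xml.etree.ElementTree as ET

# Constructed sample: the <Record> element from the trace above.
# Assumption: byte/integer explicit values are decimal, byte arrays are hex.
RECORD_XML = """
<Record>
  <contentType><byteExplicitValueModification><explicitValue>0</explicitValue></byteExplicitValueModification></contentType>
  <length><integerExplicitValueModification><explicitValue>255</explicitValue></integerExplicitValueModification></length>
  <protocolVersion><byteArrayExplicitValueModification><explicitValue>12 34</explicitValue></byteArrayExplicitValueModification></protocolVersion>
</Record>
"""

VALID_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
KNOWN_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}
MAX_CIPHERTEXT = 2**14 + 2048   # RFC 5246 limit on TLSCiphertext.length


def explicit(record, field):
    """Return the text of the explicitValue nested under <field>."""
    return record.find(f"./{field}/*/explicitValue").text.strip()


def build_header(record_xml):
    """Serialize the record header: type (1 byte), version (2), length (2)."""
    rec = ET.fromstring(record_xml)
    ctype = int(explicit(rec, "contentType")) & 0xFF   # Java bytes are signed
    version = bytes.fromhex(explicit(rec, "protocolVersion"))
    length = int(explicit(rec, "length")) & 0xFFFF
    return struct.pack("!B2sH", ctype, version, length)


def check_header(header, payload_len):
    """List the reasons a strict receiver has to reject this header."""
    ctype, version, length = struct.unpack("!B2sH", header)
    problems = []
    if ctype not in VALID_TYPES:
        problems.append(f"unknown content type {ctype}")
    if version not in KNOWN_VERSIONS:
        problems.append(f"unknown protocol version {version.hex()}")
    if length > MAX_CIPHERTEXT:
        problems.append(f"length {length} exceeds {MAX_CIPHERTEXT}")
    if length != payload_len:
        problems.append(f"length {length} != {payload_len} payload bytes")
    return problems


if __name__ == "__main__":
    hdr = build_header(RECORD_XML)
    print(hdr.hex(), check_header(hdr, payload_len=120))
```

A server under test that accepts a record failing any of these checks, or that stalls waiting for the 255 announced bytes, is showing the kind of parsing behaviour such a trace is meant to surface.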

kkkkkkkk97 commented 5 years ago

Thanks a lot, how about client authentication?

ic0ns commented 5 years ago

It should be enough to send the correct messages in the workflowtrace.

kkkkkkkk97 commented 5 years ago

Can I use the attacker to generate a client certificate to achieve a mutual authentication of SSL/TLS?

ic0ns commented 5 years ago

TLS-Attacker itself cannot generate certificates. However, it is shipped with a script which can do so in the resources folder and has a lot of different certificates already preconfigured which can do client authentication.