Sunday, January 28, 2024

TERMINOLOGIES OF ETHICAL HACKING

What is the terminologies in ethical hacking?

Here are a few key terms that you will hear in discussion about hackers and what they do:


1-Backdoor-A secret pathway a hacker uses to gain entry to a computer system.


2-Adware-It is the softw-are designed to force pre-chosen ads to display on your system.


3-Attack-That action performs by a attacker on a system to gain unauthorized access.


4-Buffer Overflow-It is the process of attack where the hacker delivers malicious commands to a system by overrunning an application buffer.


5-Denial-of-Service attack (DOS)-A attack designed to cripple the victim's system by preventing it from handling its normal traffic,usally by flooding it with false traffic.


6-Email Warm-A virus-laden script or mini-program sent to an unsuspecting victim through a normal-looking email message.


7-Bruteforce Attack-It is an automated and simplest kind of method to gain access to a system or website. It tries different combination of usernames and passwords,again & again until it gets in from bruteforce dictionary.


8-Root Access-The highest level of access to a computer system,which can give them complete control over the system.


9-Root Kit-A set of tools used by an intruder to expand and disguise his control of the system.It is the stealthy type of software used for gain access to a computer system.


10-Session Hijacking- When a hacker is able to insert malicious data packets right into an actual data transmission over the internet connection.


11-Phreaker-Phreakers are considered the original computer hackers who break into the telephone network illegally, typically to make free longdistance phone calls or to tap lines.


12-Trojan Horse-It is a malicious program that tricks the computer user into opening it.There designed with an intention to destroy files,alter information,steal password or other information.


13-Virus-It is piece of code or malicious program which is capable of copying itself has a detrimental effect such as corrupting the system od destroying data. Antivirus is used to protect the system from viruses.


14-Worms-It is a self reflicating virus that does not alter  files but resides in the active memory and duplicate itself.


15-Vulnerability-It is a weakness which allows a hacker to compromise the security of a computer or network system to gain unauthorized access.


16-Threat-A threat is a possible danger that can exploit an existing bug or vulnerability to comprise the security of a computer or network system. Threat is of two types-physical & non physical.


17-Cross-site Scripting-(XSS) It is a type of computer security vulnerability found in web application.It enables attacker to inject client side script into web pages viwed by other users.


18-Botnet-It is also known as Zombie Army is a group of computers controlled without their owner's knowledge.It is used to send spam or make denial of service attacks.


19-Bot- A bot is a program that automates an action so that it can be done repeatedly at a much higher rate for a period than a human operator could do it.Example-Sending HTTP, FTP oe Telnet at a higer rate or calling script to creat objects at a higher rate.


20-Firewall-It is a designed to keep unwanted intruder outside a computer system or network for safe communication b/w system and users on the inside of the firewall.


21-Spam-A spam is unsolicited email or junk email sent to a large numbers of receipients without their consent.


22-Zombie Drone-It is defined as a hi-jacked computer that is being used anonymously as a soldier or drone for malicious activity.ExDistributing Unwanted Spam Emails.


23-Logic Bomb-It is a type of virus upload in to a system that triggers a malicious action when certain conditions are met.The most common version is Time Bomb.


24-Shrink Wrap code-The process of attack for exploiting the holes in unpatched or poorly configured software.


25-Malware-It is an umbrella term used to refer a variety of intrusive software, including computer viruses,worms,Trojan Horses,Ransomeware,spyware,adware, scareware and other malicious program.


Follow me on instagram-anoymous_adi

Related links

Memoryze


"MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis." read more...

Download: http://fred.mandiant.com/MemoryzeSetup.msi

Related posts
  1. Hack Tools Github
  2. Hack Tools For Ubuntu
  3. Kik Hack Tools
  4. Hacker Tools Software
  5. Growth Hacker Tools
  6. Pentest Tools Apk
  7. Pentest Tools Linux
  8. Hacking Tools Hardware
  9. Hacking Tools Usb
  10. Hacker Tools List
  11. Github Hacking Tools
  12. Hacking Tools For Pc
  13. Pentest Recon Tools
  14. Hack Tools Pc
  15. Hacking Tools Github
  16. Pentest Tools Download
  17. Easy Hack Tools
  18. Easy Hack Tools
  19. Hack Tools
  20. Kik Hack Tools
  21. Hacker Techniques Tools And Incident Handling
  22. Hack Tools Github
  23. Hacker
  24. Pentest Recon Tools
  25. How To Install Pentest Tools In Ubuntu
  26. Hack Tool Apk No Root
  27. Pentest Tools Free
  28. Hacker Tools Free Download
  29. Hack Tools For Pc
  30. Hacker Search Tools
  31. Hacker Hardware Tools
  32. Hack Tools Online
  33. Hacking Tools Name
  34. Hacking Tools Mac
  35. Hacking Tools Download
  36. Pentest Tools Windows
  37. Hacker Tools Online
  38. Hacking Apps
  39. Hacks And Tools
  40. Pentest Reporting Tools
  41. Hack App
  42. Hack And Tools
  43. Nsa Hacker Tools
  44. Pentest Tools Website Vulnerability
  45. Github Hacking Tools
  46. Hacker Tools 2020
  47. Game Hacking
  48. Hacking Tools Download
  49. Hak5 Tools
  50. Hacking Tools Software
  51. Hacking Tools
  52. Pentest Tools List
  53. Hacker Tools List
  54. Hacker Tools Mac
  55. Pentest Tools Download
  56. What Are Hacking Tools
  57. Hacking App
  58. Pentest Tools Kali Linux
  59. Pentest Tools Download
  60. Tools Used For Hacking
  61. Hack Tool Apk No Root
  62. Hacker Tools For Ios
  63. Pentest Tools Bluekeep
  64. Pentest Recon Tools
  65. Hacker Tools For Windows
  66. Pentest Tools Kali Linux
  67. Hacker Tools 2019
  68. Pentest Automation Tools
  69. Github Hacking Tools
  70. What Is Hacking Tools
  71. Hack Tools Pc
  72. Hacking Tools For Windows
  73. Hacking Tools
  74. Growth Hacker Tools
  75. Hacker Tools
  76. Blackhat Hacker Tools
  77. Hacker Hardware Tools
  78. Hack Tools For Games
  79. Hacker Tools Apk Download
  80. Hack Tools For Ubuntu
  81. How To Make Hacking Tools
  82. Pentest Tools Online
  83. Hacking Tools Kit
  84. World No 1 Hacker Software
  85. Pentest Tools Android
  86. Pentest Tools Website
  87. Pentest Tools Github
  88. Ethical Hacker Tools
  89. Hacker Tools For Ios
  90. Hacking Tools For Mac
  91. Hacker Tools Online
  92. Game Hacking
  93. Pentest Box Tools Download
  94. Install Pentest Tools Ubuntu
  95. Hacking Tools Windows 10
  96. Black Hat Hacker Tools
  97. Easy Hack Tools
  98. Hacking Tools Download
  99. Pentest Reporting Tools
  100. What Are Hacking Tools
  101. New Hack Tools
  102. Hacking Tools Pc
  103. Pentest Tools Website
  104. Pentest Tools List
  105. Pentest Tools Port Scanner
  106. Pentest Tools Website Vulnerability
  107. Termux Hacking Tools 2019
  108. Pentest Tools Kali Linux
  109. Hacking Tools Online
  110. Hacker Tools Free
  111. Hacking Tools Windows
  112. Wifi Hacker Tools For Windows
  113. Hacker Tools For Ios
  114. Hack App
  115. Hacker Tools For Windows
  116. Hacking Tools Download
  117. Pentest Tools Free
  118. Hacker Tools Linux
  119. Pentest Tools Online
  120. Hacking Tools Windows 10
  121. Pentest Tools Review
  122. Hacking Tools For Games
  123. Hacking Tools Kit
  124. Pentest Tools Nmap
  125. Hacker Tools Windows
  126. Github Hacking Tools
  127. Hacker Tools For Pc
  128. Hacker Tools Online

Saturday, January 27, 2024

Hackerhubb.blogspot.com

Hackerhubb.blogspot.com

More information


  1. Black Hat Hacker Tools
  2. Pentest Tools Subdomain
  3. Hacking Tools Windows
  4. Android Hack Tools Github
  5. Hacker Tools For Ios
  6. Hacker Tools Github
  7. Pentest Tools Github
  8. Hack Tools Github
  9. Hacking Tools Pc
  10. Game Hacking
  11. Pentest Tools Url Fuzzer
  12. Tools Used For Hacking
  13. How To Install Pentest Tools In Ubuntu
  14. Beginner Hacker Tools
  15. Hacker Security Tools
  16. Pentest Recon Tools
  17. Hacking Tools Online
  18. Pentest Tools For Android
  19. Android Hack Tools Github
  20. Pentest Tools Github
  21. Pentest Tools Kali Linux
  22. Hacking Tools For Windows
  23. Hackers Toolbox
  24. Hacking Tools Name
  25. Pentest Tools For Ubuntu
  26. Hacking Tools Free Download
  27. Hacking Tools Free Download
  28. Hacks And Tools
  29. Hack Tools
  30. Hak5 Tools
  31. Hacker Tools Hardware
  32. Pentest Tools Port Scanner
  33. Hacking Tools Mac
  34. Hacking Tools Mac
  35. Pentest Recon Tools
  36. Black Hat Hacker Tools
  37. Hacker Tools 2020
  38. Pentest Tools Open Source
  39. Hacking Apps
  40. Hacker Tools Github
  41. Hack Tools For Ubuntu
  42. Pentest Tools Github
  43. Hacking Tools Windows
  44. Computer Hacker
  45. Hacker Tools 2019
  46. Hak5 Tools
  47. Hacking Tools For Windows Free Download
  48. Hacker Search Tools
  49. Hacking Tools For Games
  50. Hackers Toolbox
  51. Nsa Hacker Tools
  52. Hack Tools For Games
  53. Hacking Tools Kit
  54. Pentest Recon Tools
  55. Pentest Tools Android
  56. Pentest Tools List
  57. Hack Tools Pc
  58. Termux Hacking Tools 2019
  59. Hacking Tools Name
  60. Hacking Tools Windows
  61. Tools Used For Hacking
  62. Hack App
  63. Pentest Tools Windows
  64. Hacker Tools Software
  65. Pentest Tools Nmap
  66. Pentest Tools For Ubuntu
  67. Hacker Tools Software
  68. Github Hacking Tools
  69. Pentest Tools Find Subdomains
  70. Pentest Tools Nmap
  71. Pentest Tools For Windows
  72. Pentest Tools Tcp Port Scanner
  73. Hacker Tools Mac
  74. Tools 4 Hack
  75. Pentest Tools Framework
  76. Hacker Search Tools
  77. Hack Tools Download
  78. Hack Website Online Tool
  79. Hacker Tools List
  80. Kik Hack Tools
  81. Hacking Tools 2019
  82. Hacking Tools Usb
  83. Pentest Tools Alternative
  84. Hacking Tools For Windows Free Download
  85. Hacking Tools Windows
  86. Hack Rom Tools
  87. Hack Tools
  88. Hacking Tools For Windows 7
  89. Hacking Tools For Windows
  90. Hacking Tools For Games
  91. Pentest Tools For Mac
  92. Hacking Tools Download
  93. Hacker Tools For Ios
  94. Hackers Toolbox
  95. Best Hacking Tools 2019
  96. Pentest Tools For Mac
  97. Hacker Tools Windows
  98. Hacking Tools Download
  99. Hacking Tools Mac
  100. Blackhat Hacker Tools
  101. Growth Hacker Tools
  102. Nsa Hack Tools
  103. Pentest Tools Website
  104. Hacker Tools For Mac
  105. Usb Pentest Tools
  106. Pentest Tools Subdomain
  107. Hacking Tools Name
  108. Hack Tools 2019
  109. Pentest Tools Linux
  110. Pentest Reporting Tools
  111. Hacker Tool Kit
  112. Hacker Tools
  113. Hacker Security Tools
  114. Hack Tools
  115. Hacker Tools 2019
  116. Hacking Tools For Beginners
  117. Best Hacking Tools 2019
  118. Hack Tools Download
  119. Pentest Tools Android
  120. Hacker Tools Windows
  121. Hacking Tools Windows 10
  122. Hacker Tools 2020
  123. Usb Pentest Tools
  124. Hacker Search Tools
  125. Hacking Tools And Software
  126. Hacking Tools 2019
  127. Hack Tools Pc
  128. Pentest Tools For Windows
  129. Hacker Search Tools
  130. Tools For Hacker
  131. Hack Tools Pc
  132. Pentest Tools Windows
  133. Free Pentest Tools For Windows
  134. Hacking Tools Kit
  135. Pentest Tools For Windows
  136. Physical Pentest Tools
  137. What Are Hacking Tools
  138. Hacking Tools For Kali Linux
  139. Hack Tools For Mac
  140. Hacking Tools Hardware
  141. Hacker Tools Mac
  142. Blackhat Hacker Tools
  143. Computer Hacker
  144. Tools Used For Hacking
  145. Hack Tools For Pc
  146. Hacking Tools For Windows Free Download
  147. Pentest Tools Review
  148. Hacking Tools For Windows Free Download
  149. Hacker
  150. Install Pentest Tools Ubuntu
  151. Hack Rom Tools
  152. Pentest Tools Kali Linux
  153. Kik Hack Tools
  154. Hacking Tools Free Download
  155. Hack Tool Apk
  156. Pentest Tools
  157. Hacker Tool Kit
  158. Physical Pentest Tools
  159. Ethical Hacker Tools
  160. Github Hacking Tools
  161. Pentest Tools For Ubuntu
  162. Hack Tools
  163. How To Hack
  164. Pentest Tools Tcp Port Scanner
  165. Termux Hacking Tools 2019
  166. Best Hacking Tools 2019
  167. How To Hack
  168. Tools 4 Hack
  169. Pentest Tools Github
  170. Pentest Automation Tools

Playing With TLS-Attacker

In the last two years, we changed the TLS-Attacker Project quite a lot but kept silent about most changes we implemented. Since we do not have so much time to keep up with the documentation (we are researchers and not developers in the end), we thought about creating a small series on some of our recent changes to the project on this blog.


We hope this gives you an idea on how to use the most recent version (TLS-Attacker 2.8). If you feel like you found a bug, don't hesitate to contact me via GitHub/Mail/Twitter. This post assumes that you have some idea what this is all about. If you have no idea, checkout the original paper from Juraj or our project on GitHub.

TLDR: TLS-Attacker is a framework which allows you to send arbitrary protocol flows.


Quickstart:
# Install & Use Java JDK 8
$ sudo apt-get install maven
$ git clone https://github.com/RUB-NDS/TLS-Attacker
$ cd TLS-Attacker
$ mvn clean package

So, what changed since the release of the original paper in 2016? Quite a lot! We discovered that we could make the framework much more powerful by adding some new concepts to the code which I want to show you now.

Action System

In the first Version of TLS-Attacker (1.x), WorkflowTraces looked like this:
Although this design looks straight forward, it lacks flexibility. In this design, a WorkflowTrace is basically a list of messages. Each message is annotated with a <messageIssuer>, to tell TLS-Attacker that it should either try to receive this message or send it itself. If you now want to support more advanced workflows, for example for renegotiation or session resumption, TLS-Attacker will soon reach its limits. There is also a missing angle for fuzzing purposes. TLS-Attacker will by default try to use the correct parameters for the message creation, and then apply the modifications afterward. But what if we want to manipulate parameters of the connection which influence the creation of messages? This was not possible in the old version, therefore, we created our action system. With this action system, a WorkflowTrace does not only consist of a list of messages but a list of actions. The most basic actions are the Send- and ReceiveAction. These actions allow you to basically recreate the previous behavior of TLS-Attacker 1.x . Here is an example to show how the same workflow would look like in the newest TLS-Attacker version:


As you can see, the <messageIssuer> tags are gone. Instead, you now indicate with the type of action how you want to deal with the message. Another important thing: TLS-Attacker uses WorkflowTraces as an input as well as an output format. In the old version, once a WorkflowTrace was executed it was hard to see what actually happened. Especially, if you specify what messages you expect to receive. In the old version, your WorkflowTrace could change during execution. This was very confusing and we, therefore, changed the way the receiving of messages works. The ReceiveAction has a list of <expectedMessages>. You can specify what you expect the other party to do. This is mostly interesting for performance tricks (more on that in another post), but can also be used to validate that your workflow executedAsPlanned. Once you execute your ReceiveAction an additional <messages> tag will pop up in the ReceiveAction to show you what has actually been observed. Your original WorkflowTrace stays intact.


During the execution, TLS-Attacker will execute the actions one after the other. There are specific configuration options with which you can control what TLS-Attacker should do in the case of an error. By default, TLS-Attacker will never stop, and just execute whatever is next.

Configs

As you might have seen the <messageIssuer> tags are not the only thing which is missing. Additionally, the cipher suites, compression algorithms, point formats, and supported curves are missing. This is no coincidence. A big change in TLS-Attacker 2.x is the separation of the WorkflowTrace from the parameter configuration and the context. To explain how this works I have to talk about how the new TLS-Attacker version creates messages. Per default, the WorkflowTrace does not contain the actual contents of the messages. But let us step into TLS-Attackers point of view. For example, what should TLS-Attacker do with the following WorkflowTrace:

Usually, the RSAClientKeyExchange message is constructed with the public key from the received certificate message. But in this WorkflowTrace, we did not receive a certificate message yet. So what public key are we supposed to use? The previous version had "some" key hardcoded. The new version does not have these default values hardcoded but allows you as the user to define the default values for missing values, or how our own messages should be created. For this purpose, we introduced the new concept of Configs. A Config is a file/class which you can provide to TLS-Attacker in addition to a WorkflowTrace, to define how TLS-Attacker should behave, and how TLS-Attacker should create its messages (even in the absence of needed parameters). For this purpose, TLS-Attacker has a default Config, with all the known hardcoded values. It is basically a long list of possible parameters and configuration options. We chose sane values for most things, but you might have other ideas on how to do things. You can execute a WorkflowTrace with a specific config. The provided Config will then overwrite all existing default values with your specified values. If you do not specify a certain value, the default value will be used. I will get back to how Configs work, once we played a little bit with TLS-Attacker.

TLS-Attacker ships with a few example applications (found in the "apps/" folder after you built the project). While TLS-Attacker 1.x was mostly a standalone tool, we currently see TLS-Attacker more as a library which we can use by our more sophisticated projects. The current example applications are:
  • TLS-Client (A TLS-Client to execute WorkflowTraces with)
  • TLS-Server (A TLS-Server to execute WorkflowTraces with)
  • Attacks (We'll talk about this in another blog post)
  • TLS-Forensics (We'll talk about this in another blog post)
  • TLS-Mitm (We'll talk about this in another blog post)
  • TraceTool (We'll talk about this in another blog post) 

TLS-Client

The TLS-Client is a simple TLS-Client. Per default, it executes a handshake for the default selected cipher suite (RSA). The only mandatory parameter is the server you want to connect to (-connect).

The most trivial command you can start it with is:

Note: The example tool does not like "https://" or other protocol information. Just provide a hostname and port

Depending on the host you chose your output might look like this:

or like this:

So what is going on here? Let's start with the first execution. As I already mentioned. TLS-Attacker constructs the default WorkflowTrace based on the default selected cipher suite. When you run the client, the WorkflowExecutor (part of TLS-Attacker which is responsible for the execution of a WorkflowTrace) will try to execute the handshake. For this purpose, it will first start the TCP connection.
This is what you see here:

After that, it will execute the actions specified in the default WorkflowTrace. The default WorkflowTrace looks something like this:
This is basically what you see in the console output. The first action which gets executed is the SendAction with the ClientHello.

Then, we expect to receive messages. Since we want to be an RSA handshake, we do not expect a ServerKeyExchange message, but only want a ServerHello, Certificate and a ServerHelloDone message.

We then execute the second SendAction:

and finally, we want to receive a ChangeCipherSpec and Finished Message:

In the first execution, these steps all seem to have worked. But why did they fail in the second execution? The reason is that our default Config does not only allow specify RSA cipher suites but creates ClientHello messages which also contain elliptic curve cipher suites. Depending on the server you are testing with, the server will either select and RSA cipher suite, or an elliptic curve one. This means, that the WorkflowTrace will not executeAsPlanned. The server will send an additional ECDHEServerKeyExchange. If we would look at the details of the ServerHello message we would also see that an (ephemeral) elliptic curve cipher suite is selected:

Since our WorkflowTrace is configured to send an RSAClientKeyExchange message next, it will just do that:

Note: ClientKeyExchangeMessage all have the same type field, but are implemented inside of TLS-Attacker as different messages

Since this RSAClientKeyExchange does not make a lot of sense for the server, it rejects this message with a DECODE_ERROR alert:

If we would change the Config of TLS-Attacker, we could change the way our ClientHello is constructed. If we specify only RSA cipher suites, the server has no choice but to select an RSA one (or immediately terminate the connection). We added command line flags for the most common Config changes. Let's try to change the default cipher suite to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:

As you can see, we now executed a complete ephemeral elliptic curve handshake. This is, because the -cipher flag changed the <defaultSelectedCiphersuite> parameter (among others) in the Config. Based on this parameter the default WorkflowTrace is constructed. If you want, you can specify multiple cipher suites at once, by seperating them with a comma.

We can do the same change by supplying TLS-Attacker with a custom Config via XML. To this we need to create a new file (I will name it config.xml) like this:

You can then load the Config with the -config flag:

For a complete reference of the supported Config options, you can check out the default_config.xml. Most Config options should be self-explanatory, for others, you might want to check where and how they are used in the code (sorry).

Now let's try to execute an arbitrary WorkflowTrace. To do this, we need to store our WorkflowTrace in a file and load it with the -workflow_input parameter. I just created the following WorkflowTrace:


As you can see I just send a ServerHello message instead of a ClientHello message at the beginning of the handshake. This should obviously never happen but let's see how the tested server reacts to this.
We can execute the workflow with the following command:

The server (correctly) responded with an UNEXPECTED_MESSAGE alert. Great!

Output parameters & Modifications

You are now familiar with the most basic concepts of TLS-Attacker, so let's dive into other things TLS-Attacker can do for you. As a TLS-Attacker user, you are sometimes interested in the actual values which are used during a WorkflowTrace execution. For this purpose, we introduced the -workflow_output flag. With this parameter, you can ask TLS-Attacker to store the executed WorkflowTrace with all its values in a file.
Let's try to execute our last created WorkflowTrace, and store the output WorkflowTrace in the file out.xml:


The resulting WorkflowTrace looks like this:

As you can see, although the input WorkflowTrace was very short, the output trace is quite noisy. TLS-Attacker will display all its intermediate values and modification points (this is where the modifiable variable concept becomes interesting). You can also execute the output workflow again.


Note that at this point there is a common misunderstanding: TLS-Attacker will reset the WorkflowTrace before it executes it again. This means, it will delete all intermediate values you see in the WorkflowTrace and recompute them dynamically. This means that if you change a value within <originalValue> tags, your changes will just be ignored. If you want to influence the values TLS-Attacker uses, you either have to manipulate the Config (as already shown) or apply modifications to TLS-Attackers ModifiableVariables. The concept of ModifiableVariables is mostly unchanged to the previous version, but we will show you how to do this real quick anyway.

So let us imagine we want to manipulate a value in the WorkflowTrace using a ModifiableVariable via XML. First, we have to select a field which we want to manipulate. I will choose the protocol version field in the ServerHello message we sent. In the WorkflowTrace this looked like this:

For historical reasons, 0x0303 means TLS 1.2. 0x0300 was SSL 3. When they introduced TLS 1.0 they chose 0x0301 and since then they just upgraded the minor version.

In order to manipulate this ModifiableVariable, we first need to know its type. In some cases it is currently non-trivial to determine the exact type, this is mostly undocumented (sorry). If you don't know the exact type of a field you currently have to look at the code. The following types and modifications are defined:
  • ModifiableBigInteger: add, explicitValue, shiftLeft, shiftRight, subtract, xor
  • ModifiableBoolean: explicitValue, toggle
  • ModifiableByteArray: delete, duplicate, explicitValue, insert, shuffle, xor
  • ModifiableInteger: add, explicitValue, shiftLeft, shiftRight, subtract, xor
  • ModifiableLong: add, explicitValue, subtract, xor
  • ModifiableByte: add, explicitValue, subtract, xor
  • ModifiableString: explicitValue
As a rule of thumb: If the value is only up to 1 byte of length we use a ModifiableByte. If the value is up to 4 bytes of length, but the values are used as a normal number (for example in length fields) it is a ModifiableInteger. Fields which are used as a number which are bigger than 4 bytes (for example a modulus) is usually a ModifiableBigInteger. Most other types are encoded as ModifiableByteArrays. The other types are very rare (we are currently working on making this whole process more transparent).
Once you have found your type you have to select a modification to apply to it. For manual analysis, the most common modifications are the XOR modification and the explicit value modification. However, during fuzzing other modifications might be useful as well. Often times you just want to flip a bit and see how the server responds, or you want to directly overwrite a value. In this example, we want to overwrite a value.
Let us force TLS-Attacker to send the version 0x3A3A. To do this I consult the ModifiableVariable README.md for the exact syntax. Since <protocolVersion> is a ModifiableByteArray I search in the ByteArray section.

I find the following snippet:

If I now want to change the value to 0x3A3A I modify my WorkflowTrace like this:

You can then execute the WorkflowTrace with:

With Wireshark you can now observe  that the protocol version got actually changed. You would also see the change if you would specify a -workflow_output or if you start the TLS-Client with the -debug flag.

More Actions

As I already hinted, TLS-Attacker has more actions to offer than just a basic Send- and ReceiveAction (50+ in total). The most useful, and easiest to understand actions are now introduced:

ActivateEncryptionAction

This action does basically what the CCS message does. It activates the currently "negotiated" parameters. If necessary values are missing in the context of the connection, they are drawn from the Config.


DeactivateEncryptionAction

This action does the opposite. If the encryption was active, we now send unencrypted again.


PrintLastHandledApplicationDataAction

Prints the last application data message either sent or received.


PrintProposedExtensionsAction

Prints the proposed extensions (from the client)


PrintSecretsAction

Prints the secrets (RSA) from the current connection. This includes the nonces, cipher suite, public key, modulus, premaster secret, master secret and verify data.


RenegotiationAction

Resets the message digest. This is usually done if you want to perform a renegotiation.


ResetConnectionAction

Closes and reopens the connection. This can be useful if you want to analyze session resumption or similar things which involve more than one handshake.


SendDynamicClientKeyExchangeAction

Send a ClientKeyExchange message, and always chooses the correct one (depending on the current connection state). This is useful if you just don't care about the actual cipher suite and just want the handshake done.


SendDynamicServerKeyExchangeAction

(Maybe) sends a ServerKeyExchange message. This depends on the currently selected cipher suite. If the cipher suite requires the transmission of a ServerKeyExchange message, then a ServerKeyExchange message will be sent, otherwise, nothing is done. This is useful if you just don't care about the actual cipher suite and just want the handshake done.


WaitAction

This lets TLS-Attacker sleep for a specified amount of time (in ms).





As you might have already seen there is so much more to talk about in TLS-Attacker. But this should give you a rough idea of what is going on.

If you have any research ideas or need support feel free to contact us on Twitter (@ic0nz1, @jurajsomorovsky ) or at https://www.hackmanit.de/.

If TLS-Attacker helps you to find a bug in a TLS implementation, please acknowledge our tool(s). If you want to learn more about TLS, Juraj and I are also giving a Training about TLS at Ruhrsec (27.05.2019).
Related posts