Visitante gnoo Postado Julho 10, 2019 em 21:43 Compartilhar Postado Julho 10, 2019 em 21:43 Saudações, O intuito de fazer este script foi para ter uma ideia muito superficial de como funciona um TLS handshake, é de fazer notar que este script apenas analisa: TLS Record Handshake Client Hello Server Hello Application data Tudo o que envolve mensagens com certificados, necessita que seja dedicado um bom tempo de estudo, alguma dedicação ao assunto e eu não tenho esse tempo para dedicar a este tipo de assunto, e a vontade também não é muita. Dito isto digamos que o interesse aqui é ter um primeiro contato com TLS para tentar perceber como é feita a conversação entre o cliente e o servidor... As fontes de informação para iniciantes numa primeira abordagem não são muitas, no entanto encontrei uma página em que o jovem que escreveu o artigo tentou fazer uma explicação que numa fase inicial é interessante, talvez haja outras fontes eu é que não encontrei. Outra ferramenta que deve ser usada para complementar é o wireshark. Traffic Analysis of an SSL/TLS Session Pode ser encontrado aqui: http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session A informação que segue foi a que eu usei para criar o script, no link do site tem informação sobre outro tipo de mensagens. NOTA Outros Links que podem ajudar: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md https://www.ntu.edu.sg/home/ehchua/programming/webprogramming/http_ssl.html https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-socket-layer-ssl/116181-technote-product-00.html OUTRA NOTA: As cipher suites que estão no script que são usadas na negociação do Cliente Hello e Server Hello, algumas não são usadas mas qualquer das formas eu deixei lá, antes a mais do que a menos. SCRIPT PYTHON #coding:utf-8 #!/usr/bin/env python3 from socket import * import struct import binascii TIPO_RECORD = {22: "Handshake (22, 0x16)", 20: "Change Cipher Spec (20, 0x14)", 21: "Alert (21, 0x15)", 23: "Application Data (23, 0x17)"} TLS_VERSAO = {768: "SSL 3.0 (0x0300)", 769: "TLS 1.0 (0x0301)", 770: "TLS 1.1 (0x0302)", 771: "TLS 1.2 (0x0303)"} TIPO_HANDSHAKE = {0: "HELLO_REQUEST (0) 0x00", 1: "CLIENT_HELLO (1) 0x01", 2: "SERVER_HELLO (2) 0x02", 11: "CERTIFICATE (11) 0x0b", 12: "SERVER_KEY_EXCHANGE (12) 0x0c", 13: "CERTIFICATE_REQUEST (13) 0x0d", 14: "SERVER_DONE (14) 0x0e", 15: "CERTIFICATE_VERIFY (15) 0x0f", 16: "CLIENT_KEY_EXCHANGE (16) 0x10", 20: "FINISHED (20) 0x14"} # https://tools.ietf.org/html/rfc5246#page-75 # The following CipherSuite definitions require that the server provide # an RSA certificate that can be used for key exchange. The server may # request any signature-capable certificate in the certificate request # message. TIPO_CIPHER_SUITE = {1: 'CipherSuite: TLS_RSA_WITH_NULL_MD5 (0x0001)', 2: 'CipherSuite: TLS_RSA_WITH_NULL_SHA (0x0002)', 59: 'CipherSuite: TLS_RSA_WITH_NULL_SHA256 (0x003B)', 4: 'CipherSuite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)', 5: 'CipherSuite: TLS_RSA_WITH_RC4_128_SHA (0x0005)', 10: 'CipherSuite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)', 47: 'CipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)', 53: 'CipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)', 60: 'CipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)', 61: 'CipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)', # https://tools.ietf.org/html/rfc5246#page-75 # The following cipher suite definitions are used for server- # authenticated (and optionally client-authenticated) Diffie-Hellman. # DH denotes cipher suites in which the server's certificate contains # the Diffie-Hellman parameters signed by the certificate authority # (CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman # parameters are signed by a signature-capable certificate, which has # been signed by the CA. The signing algorithm used by the server is # specified after the DHE component of the CipherSuite name. The # server can request any signature-capable certificate from the client # for client authentication, or it may request a Diffie-Hellman # certificate. Any Diffie-Hellman certificate provided by the client # must use the parameters (group and generator) described by the # server. 13: 'CipherSuite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000D)', 16: 'CipherSuite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)', 19: 'CipherSuite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)', 22: 'CipherSuite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)', 48: 'CipherSuite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)', 50: 'CipherSuite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)', 51: 'CipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)', 54: 'CipherSuite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)', 55: 'CipherSuite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)', 56: 'CipherSuite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)', 57: 'CipherSuite:TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)', 62: 'CipherSuite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003E)', 63: 'CipherSuite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003F)', 64: 'CipherSuite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)', 103: 'CipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)', 104: 'CipherSuite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)', 105: 'CipherSuite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)', 106: 'CipherSuite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006A)', 107: 'CipherSuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)', # https://tools.ietf.org/html/rfc5246#page-75 # The following cipher suites are used for completely anonymous # Diffie-Hellman communications in which neither party is # authenticated. Note that this mode is vulnerable to man-in-the- # middle attacks. Using this mode therefore is of limited use: These # cipher suites MUST NOT be used by TLS 1.2 implementations unless the # application layer has specifically requested to allow anonymous key # exchange. (Anonymous key exchange may sometimes be acceptable, for # example, to support opportunistic encryption when no set-up for # authentication is in place, or when TLS is used as part of more # complex security protocols that have other means to ensure # authentication.) 24: 'CipherSuite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)', 27: 'CipherSuite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001B)', 52: 'CipherSuite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)', 58: 'CipherSuite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003A)', 108: 'CipherSuite: TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x006C)', 109: 'CipherSuite: TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x006D)', # https://tools.ietf.org/html/rfc8446#page-133 # This specification defines the following cipher suites for use with TLS 1.3 4865: 'CipherSuite: TLS_AES_128_GCM_SHA256 (0x1301)', 4866: 'CipherSuite: TLS_AES_256_GCM_SHA384 (0x1302)', 4867: 'CipherSuite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)', 4868: 'CipherSuite: TLS_AES_128_CCM_SHA256 (0x1304)', 4869: 'CipherSuite: TLS_AES_128_CCM_8_SHA256 (0x1305)', # https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table # Cipher preference: server chooses # 0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD # 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD # 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD # 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD # 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD # 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD # 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD # 0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD # 0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD # 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD # 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD # 0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD # 0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 # 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 # 0xC0,0x09 - ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 # 0xC0,0x13 - ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 # 0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 # 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 # 0xC0,0x0A - ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1 # 0xC0,0x14 - ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 # 0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 # 0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 # 0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD # 0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD # 0x00,0x3C - AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 # 0x00,0x3D - AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) #Cipher preference: client chooses # 0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD # 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD # 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD # 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD # 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD # 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD # 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD # 0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD # 0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD # 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD # 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD 49195: 'CipherSuite: ECDHE-ECDSA-AES128-GCM-SHA256 (0xc02B)', 49199: 'CipherSuite: ECDHE-RSA-AES128-GCM-SHA256 (0xc02f)', 49196: 'CipherSuite: ECDHE-ECDSA-AES256-GCM-SHA384 (0xc02c)', 49200: 'CipherSuite: ECDHE-RSA-AES256-GCM-SHA384 (0xc030)', 52393: 'CipherSuite: ECDHE-ECDSA-CHACHA20-POLY1305 (0xccA9)', 52392: 'CipherSuite: ECDHE-RSA-CHACHA20-POLY1305 (0xcca8)', 158: 'CipherSuite: DHE-RSA-AES128-GCM-SHA256 (0x009e)', 159: 'CipherSuite: DHE-RSA-AES256-GCM-SHA384 (0x009f)', 52394: 'CipherSuite: DHE-RSA-CHACHA20-POLY1305 (0xccaa)', 49187: 'CipherSuite: ECDHE-ECDSA-AES128-SHA256 (0xc023)', 49191: 'CipherSuite: ECDHE-RSA-AES128-SHA256 (0xc027)', 49161: 'CipherSuite: ECDHE-ECDSA-AES128-SHA (0xc009)', 49188: 'CipherSuite: ECDHE-ECDSA-AES256-SHA384 (0xc024)', 49171: 'CipherSuite: ECDHE-RSA-AES128-SHA (0xc013)', 49192: 'CipherSuite: ECDHE-RSA-AES256-SHA384 (0xc028)', 49162: 'CipherSuite: ECDHE-ECDSA-AES256-SHA (0xc00a)', 49172: 'CipherSuite: ECDHE-RSA-AES256-SHA (0xc014)', 156: 'CipherSuite: AES128-GCM-SHA256 (0x009c)', 157: 'CipherSuite: AES256-GCM-SHA384 (0x009d)', # https://tools.ietf.org/html/draft-davidben-tls-grease-00 #GREASE Values # This document reserves a number of TLS protocol values, referred to # as GREASE values. These values were allocated sparsely to discourage # server implementations from conditioning on them. For convenience, # they were also chosen so all types share a number scheme with a # consistent pattern while avoiding collisions with any existing # applicable registries in TLS. #The following values are reserved as both GREASE extension values and #GREASE named group values: # 2570 (0x0A0A) # 6682 (0x1A1A) # 10794 (0x2A2A) # 14906 (0x3A3A) # 19018 (0x4A4A) # 23130 (0x5A5A) # 27242 (0x6A6A) # 31354 (0x7A7A) # 35466 (0x8A8A) # 39578 (0x9A9A) # 43690 (0xAAAA) # 47802 (0xBABA) # 51914 (0xCACA) # 56026 (0xDADA) # 60138 (0xEAEA) # 64250 (0xFAFA) 23130: 'CipherSuite: Reserved (GREASE) (0x5a5a)', 2570: 'CipherSuite: Reserved (GREASE) (0x0a0a)', 6682: 'CipherSuite: Reserved (GREASE) (0x1a1a)', 10794: 'CipherSuite: Reserved (GREASE) (0x2a2a)', 14906: 'CipherSuite: Reserved (GREASE) (0x3a3a)', 19018: 'CipherSuite: Reserved (GREASE) (0x4a4a)', 23130: 'CipherSuite: Reserved (GREASE) (0x5a5a)', 27242: 'CipherSuite: Reserved (GREASE) (0x6a6a)', 31354: 'CipherSuite: Reserved (GREASE) (0x7a7a)', 35466: 'CipherSuite: Reserved (GREASE) (0x8a8a)', 39578: 'CipherSuite: Reserved (GREASE) (0x9a9a)', 43690: 'CipherSuite: Reserved (GREASE) (0xaaaa)', 47802: 'CipherSuite: Reserved (GREASE) (0xbaba)', 51914: 'CipherSuite: Reserved (GREASE) (0xcaca)', 56026: 'CipherSuite: Reserved (GREASE) (0xdada)', 60138: 'CipherSuite: Reserved (GREASE) (0xeaea)', 64250: 'CipherSuite: Reserved (GREASE) (0xfafa)'} def ethernet_frame(raw_dados): mac_destino, mac_fonte, protocolo = struct.unpack('! 6s 6s H', raw_dados[:14]) return byte_to_hex_mac(mac_destino), byte_to_hex_mac(mac_fonte), htons(protocolo), raw_dados[14:] def byte_to_hex_mac(mac_em_bytes): endereco = binascii.hexlify(mac_em_bytes).decode("ascii") return ":".join([endereco[i:i+2] for i in range(0,12,2)]) def dados_pacote_ipv4(payload_frame): tupla_dados_ipv4 = struct.unpack("!BBHHHBBH4s4s", payload_frame[:20]) versao_e_HLEN = tupla_dados_ipv4[0] tamanho_header = (versao_e_HLEN & 15) * 4 versao = versao_e_HLEN >> 4 tipo_servico = tupla_dados_ipv4[1] tamanho_total = tupla_dados_ipv4[2] identificacao = tupla_dados_ipv4[3] offset_fragmento = tupla_dados_ipv4[4] tempo_vida_ttl = tupla_dados_ipv4[5] protocolos = tupla_dados_ipv4[6] checksum_cabecalho = tupla_dados_ipv4[7] ip_origem = inet_ntoa(tupla_dados_ipv4[8]) ip_destino = inet_ntoa(tupla_dados_ipv4[9]) dados_ipv4_header = {'IPv4 Orivgem':ip_origem, 'IPv4 Destino':ip_destino, 'Protocolo': protocolos, 'Payload_ipv4': payload_frame[20:]} return dados_ipv4_header def dados_pacote_tcp(payload_ipv4): tupla_dados_tcp = struct.unpack('! HHLLBBHHH', payload_ipv4[:20]) porta_fonte = tupla_dados_tcp[0] porta_destino = tupla_dados_tcp[1] numero_sequencia = tupla_dados_tcp[2] numero_confirmacao = tupla_dados_tcp[3] # recebe dois campos do cabeçalho ( HLEN & RESERVADO ) hlen_e_reservado = tupla_dados_tcp[4] # recebe campo HLEN header_len = (hlen_e_reservado >> 4) * 4 flags = tupla_dados_tcp[5] flag_FIN = flags & 1 flag_SYN = (flags >> 1) & 1 flag_RST = (flags >> 2) & 1 flag_PSH = (flags >> 3) & 1 flag_ACK = (flags >> 4) & 1 flag_URG = (flags >> 5) & 1 flag_ECE = (flags >> 6) & 1 flag_CWR = (flags >> 7) & 1 window_size = tupla_dados_tcp[6] checksum = tupla_dados_tcp[7] urgent_pointer = tupla_dados_tcp[8] dados_tcp_header = {'Porta_Fonte':porta_fonte, 'Porta_Destino':porta_destino, 'checksum':checksum,'Payload_TCP': payload_ipv4[20:]} return dados_tcp_header def formato_tls_record(dados_tcp_payload): """ http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session """ TLS_RECORD_TYPE, TLS_VERSION, TLS_LENGTH, TESTE_HANDSHAKE_TYPE = struct.unpack('!BHHB', dados_tcp_payload[:6]) return TLS_RECORD_TYPE, TLS_VERSION, TLS_LENGTH, TESTE_HANDSHAKE_TYPE def formato_tls_hello_client(dados_tcp_payload): """ int.from_bytes(LENGTH_OBJ_BYTES, byteorder='big'), faz type casting ( conversão do tipo de dados), byte object para decimal, é necessário usar este método uma vez que o tamanho do campo Length são 3 bytes e o unpack não consegue desempacotar esse tamanho. Ver documentação: https://docs.python.org/3/library/stdtypes.htmler """ lista_cipher_suites = [] HandshakeType = dados_tcp_payload[5:] HANDSHAKE_TYPE, = struct.unpack("!B", HandshakeType[:1]) LENGTH_OBJ_BYTES = HandshakeType[1:4] LENGHT_DECIMAL = int.from_bytes(LENGTH_OBJ_BYTES, byteorder='big') VERSION, = struct.unpack('!H', HandshakeType[4:6]) RANDOM_32BITS = HandshakeType[6:38] HEX_RANDOM_32BITS = binascii.hexlify(RANDOM_32BITS).decode() SESSION_ID_LENGTH, = struct.unpack("!B",HandshakeType[38:39]) SESSION_ID = HandshakeType[39: 39 + SESSION_ID_LENGTH] HEX_SESSION_ID = binascii.hexlify(SESSION_ID).decode() CIPHER_SUITES_LENGTH, = struct.unpack("!H", HandshakeType[39 + SESSION_ID_LENGTH : 39 + SESSION_ID_LENGTH + 2]) ARRAY_OBJETO_BYTES_CIPHER_SUITES = HandshakeType[39 + SESSION_ID_LENGTH + 2 : 39 + SESSION_ID_LENGTH + 2 + CIPHER_SUITES_LENGTH] index = 2 while len(ARRAY_OBJETO_BYTES_CIPHER_SUITES) != 0: cipher_suite, = struct.unpack('!H', ARRAY_OBJETO_BYTES_CIPHER_SUITES[:index]) lista_cipher_suites.append(cipher_suite) ARRAY_OBJETO_BYTES_CIPHER_SUITES = ARRAY_OBJETO_BYTES_CIPHER_SUITES[index:] return HANDSHAKE_TYPE, LENGHT_DECIMAL, VERSION, HEX_RANDOM_32BITS, SESSION_ID_LENGTH, HEX_SESSION_ID, + \ CIPHER_SUITES_LENGTH, ARRAY_OBJETO_BYTES_CIPHER_SUITES, lista_cipher_suites def formato_tls_hello_server(dados_tcp_payload): """ int.from_bytes(LENGTH_OBJ_BYTES, byteorder='big'), faz type casting ( conversão do tipo de dados), byte object para decimal, é necessário usar este método uma vez que o tamanho do campo Length são 3 bytes e o unpack não consegue desempacotar esse tamanho. Ver documentação: https://docs.python.org/3/library/stdtypes.htmler """ HandshakeType = dados_tcp_payload[5:] HANDSHAKE_TYPE, = struct.unpack("!B", HandshakeType[:1]) LENGTH_OBJ_BYTES = HandshakeType[1:4] LENGHT_DECIMAL = int.from_bytes(LENGTH_OBJ_BYTES, byteorder='big') VERSION, = struct.unpack('!H', HandshakeType[4:6]) RANDOM_32BITS = HandshakeType[6:38] HEX_RANDOM_32BITS = binascii.hexlify(RANDOM_32BITS).decode() SESSION_ID_LENGTH, = struct.unpack("!B",HandshakeType[38:39]) if SESSION_ID_LENGTH > 0: SESSION_ID = HandshakeType[39: 39 + SESSION_ID_LENGTH] HEX_SESSION_ID = binascii.hexlify(SESSION_ID).decode() # Cipher suites só contém apenas uma ( analisar 2 bytes) #OBJETO_BYTES_CIPHER_SUITES = HandshakeType[39 + SESSION_ID_LENGTH : 39 + SESSION_ID_LENGTH + 2] CIPHER_SUITE, = struct.unpack('!H', HandshakeType[39 + SESSION_ID_LENGTH : 39 + SESSION_ID_LENGTH + 2]) return HANDSHAKE_TYPE, LENGHT_DECIMAL, VERSION, HEX_RANDOM_32BITS, SESSION_ID_LENGTH, HEX_SESSION_ID, CIPHER_SUITE else: pass def formato_application_data(dados_tcp_payload): TYPE, VERSION, LENGTH = struct.unpack('!BHH', dados_tcp_payload[:5]) BYTES_OBJ_ENCRYPTED_APPLICATION_DATA = dados_tcp_payload [5: 5 + LENGTH] HEX_ENCRYPTED_APPLICATION_DATA = binascii.hexlify(BYTES_OBJ_ENCRYPTED_APPLICATION_DATA) return TYPE, VERSION, LENGTH, HEX_ENCRYPTED_APPLICATION_DATA sock = socket(AF_PACKET, SOCK_RAW, ntohs(0x0003)) while True: raw_dados, addr = sock.recvfrom(65536) mac_destino, mac_fonte, ethernet_type, payload = ethernet_frame(raw_dados) # Se for 8 vem ai pacote IP \0/ if ethernet_type == 8: dados_ipv4_header = dados_pacote_ipv4(payload) if dados_ipv4_header['Protocolo'] == 6: dados_tcp_header = dados_pacote_tcp(dados_ipv4_header['Payload_ipv4']) if dados_tcp_header['Porta_Fonte'] == 443 or dados_tcp_header['Porta_Destino'] == 443: if dados_tcp_header['Payload_TCP']: tls_record_type, tls_version, tls_length, teste_handshake_type = formato_tls_record(dados_tcp_header['Payload_TCP']) if tls_record_type in TIPO_RECORD.keys() and tls_version in TLS_VERSAO.keys(): if tls_record_type == 22: print("##### TCP PAYLOAD (TLS) #####\n") print("TCP Checksum: {}".format(dados_tcp_header['checksum'])) print("TIPO: {}".format(TIPO_RECORD[tls_record_type])) print("VERSÃO: {}".format(TLS_VERSAO[tls_version])) print("LENGTH: {}".format(tls_length)) if teste_handshake_type == 1: (HShake_type, HShake_length, HShake_version, HShake_random_32bit, HShake_session_id_length, HShake_session_id, HShake_cipher_suites_length, HShake_array_ob_bytes_cipher_suites, HShake_lista_cipher_suites) = formato_tls_hello_client(dados_tcp_header['Payload_TCP']) print("#####(TLS) HANDSHAKE PROTOCOL #####") print("TIPO: {}".format(TIPO_HANDSHAKE[HShake_type])) print("LENGTH: {}".format(HShake_length)) print("VERSÃO: {}".format(TLS_VERSAO[HShake_version])) print("32-bit Random: {}".format((HShake_random_32bit))) print("Session id length: {}".format(HShake_session_id_length)) print("session id: {}".format(HShake_session_id)) print("Cipher suites length: {}".format(HShake_cipher_suites_length)) print("Cipher Suites({})".format(len(HShake_lista_cipher_suites))) for C_Suite in HShake_lista_cipher_suites: if C_Suite in TIPO_CIPHER_SUITE.keys(): print(TIPO_CIPHER_SUITE[C_Suite]) else: print(C_Suite) elif teste_handshake_type == 2: (HShake_type, HShake_length, HShake_version, HShake_random_32bit, HShake_session_id_length, HShake_session_id, HShake_cipher_suite) = formato_tls_hello_server(dados_tcp_header['Payload_TCP']) print("#####(TLS) HANDSHAKE PROTOCOL #####") print("TIPO: {}".format(TIPO_HANDSHAKE[HShake_type])) print("LENGTH: {}".format(HShake_length)) print("VERSÃO: {}".format(TLS_VERSAO[HShake_version])) print("32-bit Random: {}".format((HShake_random_32bit))) print("Session id length: {}".format(HShake_session_id_length)) print("session id: {}".format(HShake_session_id)) print("{}".format(TIPO_CIPHER_SUITE[HShake_cipher_suite])) elif tls_record_type == 23: print("#### APPLICATION DATA ####") (application_data_type, application_data_version, application_data_length, hex_application_data_encripted)=formato_application_data(dados_tcp_header['Payload_TCP']) print("Type: {}".format(application_data_type)) print("Version: {}".format(TLS_VERSAO[application_data_version])) print("Length: {}".format(application_data_length)) print("Encrypted Application Data: {}".format(hex_application_data_encripted)) Link para o comentário Compartilhar em outros sites More sharing options...
Posts Recomendados
Arquivado
Este tópico foi arquivado e está fechado para novas respostas.