Trouble running a Python script

Time: 2011-06-22 06:59:02

Tags: python

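I am trying to run a proof-of-concept script that demonstrates a man-in-the-middle TLS negotiation vulnerability. The trouble is that the script is written in Python, and I have no experience with Python.

The script is here: http://www.redteam-pentesting.de/files/tls-renegotiation-poc.py

The first error I received was about importing tlslite. I downloaded this module: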

http://trevp.net/tlslite/tlslite-0.3.8.tar.gz

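Tlslite comes with an installer that requires Python 2.4, so I installed that version. After that I was able to execute the script and even debug it. However, I am now stuck. I run this: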

python.exe tls-renegotiation-poc.py -l 80 -b 127.0.0.1 -t encrypted.google.com:443 -i test

Then I go to 127.0.0.1 in Firefox, and I think this is the error I get in Python:

Traceback (most recent call last):
  File "E:\Python24\lib\threading.py", line 442, in __bootstrap
    self.run()
  File "E:\Python24\lib\threading.py", line 422, in run
    self.__target(*self.__args, **self.__kwargs)
  File "C:\tls-renegotiation-poc.py", line 210, in handle_victim
    sslsock.handshakeClientCert(settings = handshake_settings)
  File "E:\Python24\Lib\site-packages\tlslite\TLSConnection.py", line 207, in handshakeClientCert
    for result in handshaker:
  File "E:\Python24\Lib\site-packages\tlslite\TLSConnection.py", line 369, in _handshakeClientAsync
    for result in self._handshakeWrapperAsync(handshaker, checker):
  File "E:\Python24\Lib\site-packages\tlslite\TLSConnection.py", line 1537, in _handshakeWrapperAsync
    for result in handshaker:
  File "E:\Python24\Lib\site-packages\tlslite\TLSConnection.py", line 399, in _handshakeClientAsyncHelper
    settings = settings._filter()
  File "E:\Python24\lib\site-packages\tlslite\HandshakeSettings.py", line 143, in _filter
    raise ValueError("minVersion set incorrectly")
ValueError: minVersion set incorrectly

Here is my HandshakeSettings.py file (in case it helps):

"""Class for setting handshake parameters."""

from constants import CertificateType
from utils import cryptomath
from utils import cipherfactory

class HandshakeSettings:
    """This class encapsulates various parameters that can be used with
    a TLS handshake.
    @sort: minKeySize, maxKeySize, cipherNames, certificateTypes,
    minVersion, maxVersion

    @type minKeySize: int
    @ivar minKeySize: The minimum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters smaller than this length, an alert will be
    signalled.  The default is 1023.

    @type maxKeySize: int
    @ivar maxKeySize: The maximum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters larger than this length, an alert will be signalled.
    The default is 8193.

    @type cipherNames: list
    @ivar cipherNames: The allowed ciphers, in order of preference.

    The allowed values in this list are 'aes256', 'aes128', '3des', and
    'rc4'.  If these settings are used with a client handshake, they
    determine the order of the ciphersuites offered in the ClientHello
    message.

    If these settings are used with a server handshake, the server will
    choose whichever ciphersuite matches the earliest entry in this
    list.

    NOTE:  If '3des' is used in this list, but TLS Lite can't find an
    add-on library that supports 3DES, then '3des' will be silently
    removed.

    The default value is ['aes256', 'aes128', '3des', 'rc4'].

    @type certificateTypes: list
    @ivar certificateTypes: The allowed certificate types, in order of
    preference.

    The allowed values in this list are 'x509' and 'cryptoID'.  This
    list is only used with a client handshake.  The client will
    advertise to the server which certificate types are supported, and
    will check that the server uses one of the appropriate types.

    NOTE:  If 'cryptoID' is used in this list, but cryptoIDlib is not
    installed, then 'cryptoID' will be silently removed.

    @type minVersion: tuple
    @ivar minVersion: The minimum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a lower version, a protocol_version alert will be signalled.
    The default is (3,0).

    @type maxVersion: tuple
    @ivar maxVersion: The maximum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a higher version, a protocol_version alert will be signalled.
    The default is (3,2).  (WARNING: Some servers may (improperly)
    reject clients which offer support for TLS 1.1.  In this case,
    try lowering maxVersion to (3,1)).
    """
    def __init__(self):
        self.minKeySize = 1023
        self.maxKeySize = 8193
        self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
        self.cipherImplementations = ["cryptlib", "openssl", "pycrypto",
                                      "python"]
        self.certificateTypes = ["x509", "cryptoID"]
        self.minVersion = (3,0)
        self.maxVersion = (3,2)

    #Filters out options that are not supported
    def _filter(self):
        other = HandshakeSettings()
        other.minKeySize = self.minKeySize
        other.maxKeySize = self.maxKeySize
        other.cipherNames = self.cipherNames
        other.cipherImplementations = self.cipherImplementations
        other.certificateTypes = self.certificateTypes
        other.minVersion = self.minVersion
        other.maxVersion = self.maxVersion

        if not cipherfactory.tripleDESPresent:
            other.cipherNames = [e for e in self.cipherNames if e != "3des"]
        if len(other.cipherNames)==0:
            raise ValueError("No supported ciphers")

        try:
            import cryptoIDlib
        except ImportError:
            other.certificateTypes = [e for e in self.certificateTypes \
                                      if e != "cryptoID"]
        if len(other.certificateTypes)==0:
            raise ValueError("No supported certificate types")

        if not cryptomath.cryptlibpyLoaded:
            other.cipherImplementations = [e for e in \
                self.cipherImplementations if e != "cryptlib"]
        if not cryptomath.m2cryptoLoaded:
            other.cipherImplementations = [e for e in \
                other.cipherImplementations if e != "openssl"]
        if not cryptomath.pycryptoLoaded:
            other.cipherImplementations = [e for e in \
                other.cipherImplementations if e != "pycrypto"]
        if len(other.cipherImplementations)==0:
            raise ValueError("No supported cipher implementations")

        if other.minKeySize<512:
            raise ValueError("minKeySize too small")
        if other.minKeySize>16384:
            raise ValueError("minKeySize too large")
        if other.maxKeySize<512:
            raise ValueError("maxKeySize too small")
        if other.maxKeySize>16384:
            raise ValueError("maxKeySize too large")
        for s in other.cipherNames:
            if s not in ("aes256", "aes128", "rc4", "3des"):
                raise ValueError("Unknown cipher name: '%s'" % s)
        for s in other.cipherImplementations:
            if s not in ("cryptlib", "openssl", "python", "pycrypto"):
                raise ValueError("Unknown cipher implementation: '%s'" % s)
        for s in other.certificateTypes:
            if s not in ("x509", "cryptoID"):
                raise ValueError("Unknown certificate type: '%s'" % s)

        if other.minVersion > other.maxVersion:
            raise ValueError("Versions set incorrectly")

        if not other.minVersion in ((3,0), (3,1), (3,2)):
            raise ValueError("minVersion set incorrectly")

        if not other.maxVersion in ((3,0), (3,1), (3,2)):
            raise ValueError("maxVersion set incorrectly")

        return other

    def _getCertificateTypes(self):
        l = []
        for ct in self.certificateTypes:
            if ct == "x509":
                l.append(CertificateType.x509)
            elif ct == "cryptoID":
                l.append(CertificateType.cryptoID)
            else:
                raise AssertionError()
        return l

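Any ideas what might be going wrong? I feel like this is probably a simple answer, but my unfamiliarity with Python is making it hard for me. Thanks.

UPDATE: After changing the exception to: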

raise ValueError("minversion set incorrectly (%s)" % repr(other.minVersion))

I now get:

ValueError: minversion set incorrectly ((69, 84))

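1 answer:

Answer 0: (score: 1)

Try a print of other.minVersion in `_filter`: it looks like the input is not what you expect (i.e. you expect one of the three tuples `[(3,0), (3,1), (3,2)]`, but that is not what you are receiving).

I often find that when you throw an error like this for a value that is outside some range, it is best to include the offending value in the message. That adds much more information to the error you get!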
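An added example, not part of the original question or answer and not code from tlslite or the PoC script: the values 69 and 84 in the updated error are the ASCII codes for "E" and "T", which is what the two version bytes of a TLS record header contain when the peer's first bytes are a plaintext HTTP request line starting with "GET". The sketch assumes the version tuple was taken from bytes 1-2 of the first data received (the page does not show that part of the script); all function names and sample bytes are constructed for illustration, and the error message includes the offending value as the answer recommends.

```python
import struct

# Record content types defined by SSL 3.0 / TLS 1.0 / TLS 1.1.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# The three version tuples the HandshakeSettings.py shown above accepts.
KNOWN_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def parse_record_header(data):
    """Split the 5-byte record header: type(1) | major(1) | minor(1) | length(2)."""
    if len(data) < 5:
        raise ValueError("need 5 header bytes, got %d" % len(data))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify_first_bytes(data):
    """Return (kind, version_tuple) for the first bytes read from a peer."""
    ctype, version, _length = parse_record_header(data)
    if data.startswith(HTTP_METHODS):
        return "plaintext-http", version
    if ctype in TLS_CONTENT_TYPES and version in KNOWN_VERSIONS:
        return "tls", version
    return "unknown", version


def check_version(version):
    """Validate a version tuple; on failure, report the offending value."""
    if version not in KNOWN_VERSIONS:
        as_text = "".join(chr(b) if 32 <= b < 127 else "." for b in version)
        raise ValueError("version set incorrectly: %r (as ASCII: %r)"
                         % (version, as_text))
    return KNOWN_VERSIONS[version]


# Constructed samples: a plaintext HTTP request and a TLS 1.0 handshake header.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
TLS_SAMPLE = bytes([22, 3, 1, 0, 47]) + b"\x01\x00\x00\x2b"

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE):
        kind, version = classify_first_bytes(sample)
        print(kind, version)
```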