如何使用 scapy 和 python 提取 SSL/TLS 消息? [英] How to extract an SSL/TLS message using scapy and python?
问题描述
我正在尝试读取 TLS 消息.具体来说,具有证书详细信息的那个 (handshake_type = 11).我正在做的是首先检查消息是否包含 Raw.如果是这样,我将像这样提取有效负载:b = bytes(pkt[Raw].load).接下来,我检查第一个字节是0x16,接下来的两个字节需要是正确的TLS版本.
问题是这条消息没有通过这些条件.WireShark 向我展示了 \x16\x03\x03 是位置 0000 处的字节(附上图片),但我想这是为了方便起见.
那么我认为有效载荷必须以 0x16 开头的假设是错误的吗?
附注
我不想使用 scapy-ssl_tls 库.
编辑
这是代码:
def handle_tls_packet(pkt):如果 pkt.haslayer(Raw):b = 字节(pkt[Raw].load)如果 b[0] == 0x16:version = int.from_bytes(b[1:3], 'big')message_len = int.from_bytes(b[3:5], 'big')握手类型 = b[5]握手长度 = int.from_bytes(b[6:9], 'big')打印(v =",版本,len =",message_len,htype =",handshake_type, "hlen =",handshake_length)如果握手类型 == 11:# 永远不会发生 - 为什么?certs_len = int.from_bytes(b[7:11], 'big')
正如 Cukic0d 所建议的,我使用了 load_layer("ssl").
显然,pkt[TLS].msg 是一个列表(在一个数据包中保存多个 TLS 消息?).无论如何,我像这样打印了每个此类消息的类型:
def handle_tls_packet(pkt):对于 pkt[TLS].msg 中的 tls_msg:打印(类型(tls_msg))我希望看到一个 TLSCertificate 对象,但从未见过这样的对象.为什么?
如果可以让生活更轻松,我愿意使用 scapy-ssl_tls.
如果你想玩 TLS 握手,在 scapy 上使用 load_layer("tls") 启用 TLS.
启用支持握手的 TLS 模块(需要 scapy >= 2.4.0).然后 Scapy 将正确剖析 TLS 握手/密钥...数据包
你应该先试试
load_layer("tls")数据包 = 嗅探(prn=lambda x:x.summary(), lfilter=lambda x: x 中的 TLS)如果您使用的是 Scapy 2.4.4+,为了更好的一致性,您甚至可以使用
嗅探([...], session=TLSSession)看看数据包是如何构建的:
示例:
这里还有一个很花哨的指南:
使用load_layer("tls")时,您会找到每个数据包.
注意有很多包,TLSCertificate只会出现一次.msg 是一个列表,因为单个 TLS 数据包中可以包含许多信息
I'm trying to read a TLS message. Specifically, the one with the certificate details (handshake_type = 11). What I'm doing is first checking that the message contains Raw. If so, I'm extracting the payload like so: b = bytes(pkt[Raw].load). Next, I'm checking that the first byte is 0x16 and the following two bytes need to be a proper TLS version.
The problem is that this message doesn't pass these conditions. WireShark is showing me that \x16\x03\x03 are the bytes at position 0000 (picture is attached), but I guess it is done for convenience.
So is my assumption that the payload MUST start with 0x16 wrong?
P.S
I don't want to use scapy-ssl_tls library.
EDIT
This is the code:
def handle_tls_packet(pkt):
if pkt.haslayer(Raw):
b = bytes(pkt[Raw].load)
if b[0] == 0x16:
version = int.from_bytes(b[1:3], 'big')
message_len = int.from_bytes(b[3:5], 'big')
handshake_type = b[5]
handshake_length = int.from_bytes(b[6:9], 'big')
print("v = ", version, " len = ", message_len, " htype =", handshake_type
, "hlen =", handshake_length)
if handshake_type == 11:
# never happens - Why?
certs_len = int.from_bytes(b[7:11], 'big')
EDIT2:
As suggested by Cukic0d, I used load_layer("ssl").
Apparently, pkt[TLS].msg is a list (to hold multiple TLS messages in one packet?). Anyways, I printed the type of every such message like so:
def handle_tls_packet(pkt):
for tls_msg in pkt[TLS].msg:
print(type(tls_msg))
I expected to see a TLSCertificate object, yet such object is never seen.
Why?
EDIT3:
I'm willing to use scapy-ssl_tls if that would make life easier.
If you want to play with TLS handshake, enable TLS on scapy using load_layer("tls").
That enables the TLS module, which supports handshake (requires scapy >= 2.4.0). Scapy will then correctly dissect TLS handshake/key... packets
You should first try
load_layer("tls")
packets = sniff(prn=lambda x:x.summary(), lfilter=lambda x: TLS in x)
And if you're using Scapy 2.4.4+, for better consistency you can even use
sniff([...], session=TLSSession)
Have a look on how the packets are built:
Example:
There is also a quite fancy guide here: https://github.com/secdev/scapy/blob/master/doc/notebooks/tls/notebook2_tls_protected.ipynb
So summarize:
You will find each packet when using load_layer("tls").
Note that there are a lot of packets and that TLSCertificate will only appear once. msg is a list because many informations can be contained in a single TLS packet
这篇关于如何使用 scapy 和 python 提取 SSL/TLS 消息?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
