From: seantywork Date: Tue, 17 Jun 2025 06:32:19 +0000 (+0900) Subject: bgp material X-Git-Url: https://git.feebdaed.xyz/?a=commitdiff_plain;h=a48350e0915ab403ee4af3a4a9c1ea895e0e779b;p=linuxyz.git bgp material --- diff --git a/bgp/2506-02.xyz.md b/bgp/2506-02.xyz.md new file mode 100644 index 0000000..6fc9d4c --- /dev/null +++ b/bgp/2506-02.xyz.md 
@@ -0,0 +1,345 @@ + +# 00 + +```shell + ---------------------------------------- + | bridge | + | (NAT) | + | 192.168.122.1/24 | + --------------|---------------|--------- + | | +--------------------------|----- -----|------------------------- +| router0 | | router1 | +| (ubuntu24-server VM) | | (ubuntu-24-2 VM) | +| 192.168.122.204/24 | | 192.168.122.200/24 | +| | | | | +| ------------------|------- | | -------------------------- | +| | network0 | | | | network1 | | +| | (net1 namespace) | | | | (net1 namespace) | | +| | 10.0.10.2/24 | | | | 10.0.11.2/24 | | +-------------------------------- ------------------------------ + +``` + + +# 01 + +```shell +thy@ubuntu24-server:~/box$ sudo ip a +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host noprefixroute + valid_lft forever preferred_lft forever +2: enp1s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether 52:54:00:e2:07:25 brd ff:ff:ff:ff:ff:ff + inet 192.168.122.204/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0 + valid_lft 2074sec preferred_lft 2074sec + inet6 fe80::5054:ff:fee2:725/64 scope link + valid_lft forever preferred_lft forever + + +``` + +# 02 + +```shell + +thy@ubuntu-24-2:~/box$ sudo ip a +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host noprefixroute + valid_lft forever preferred_lft forever +2: enp1s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether 52:54:00:e2:07:21 brd ff:ff:ff:ff:ff:ff + inet 192.168.122.200/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0 + valid_lft 2102sec preferred_lft 2102sec + inet6 fe80::5054:ff:fee2:721/64 scope link + valid_lft forever preferred_lft 
forever + +``` +# 03 + +```shell + +thy@ubuntu-24-2:~/box$ nc -l 192.168.122.200 9999 + +``` + +```shell +thy@ubuntu24-server:~/box$ nc 192.168.122.200 9999 +qwer + + +``` + +# 04 + +```shell + +sudo apt update +sudo apt install bird tshark + +sudo systemctl stop bird +``` + +# 05 + +```shell + +./on0.sh + +``` + +```shell + +./on1.sh + +``` + +# 06 + +```shell + +thy@ubuntu24-server:~/box$ ip a +... +4: veth1@if2: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/ether 86:59:90:1a:4a:60 brd ff:ff:ff:ff:ff:ff link-netns net1 + inet 10.0.10.1/24 scope global veth1 + valid_lft forever preferred_lft forever + inet6 fe80::8459:90ff:fe1a:4a60/64 scope link + valid_lft forever preferred_lft forever + +``` + +# 07 + +```shell + +thy@ubuntu24-server:~/box$ sudo ip netns exec net1 ip a +1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 +2: veth2@if4: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/ether 9a:45:f6:36:e8:cb brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet 10.0.10.2/24 scope global veth2 + valid_lft forever preferred_lft forever + inet6 fe80::9845:f6ff:fe36:e8cb/64 scope link + valid_lft forever preferred_lft forever + + + +``` + + +# 08 + +```shell +thy@ubuntu-24-2:~$ sudo tshark -i veth1 +Running as user "root" and group "root". This could be dangerous. 
+Capturing on 'veth1' + + +``` + +# 09 + +```shell +thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999 + + +``` +```shell + +thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999 + + +``` + +# 10 + +```shell +thy@ubuntu24-server:~/box$ sudo ip route add 192.168.122.200 dev enp1s0 +thy@ubuntu24-server:~/box$ sudo ip route add 10.0.11.0/24 via 192.168.122.200 dev enp1s0 +``` + +```shell +thy@ubuntu-24-2:~/box$ sudo ip route add 192.168.122.204 dev enp1s0 +thy@ubuntu-24-2:~/box$ sudo ip route add 10.0.10.0/24 via 192.168.122.204 dev enp1s0 +``` + +# 11 + +```shell +thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999 + +``` + +```shell +thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999 +asdf +``` +# 12 + +```shell + + 7 209.216657001 10.0.10.2 → 10.0.11.2 TCP 74 54346 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2153550491 TSecr=0 WS=128 + 8 209.216718956 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 54346 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1584711764 TSecr=2153550491 WS=128 + 9 209.217147388 10.0.10.2 → 10.0.11.2 TCP 66 54346 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2153550492 TSecr=1584711764 + 10 211.003022696 10.0.10.2 → 10.0.11.2 TCP 71 54346 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=5 TSval=2153552277 TSecr=1584711764 + 11 211.003087706 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 54346 [ACK] Seq=1 Ack=6 Win=65280 Len=0 TSval=1584713551 TSecr=2153552277 + +``` + +# 13 + +```shell +thy@ubuntu24-server:~/box$ sudo ip route del 192.168.122.200 dev enp1s0 +thy@ubuntu24-server:~/box$ sudo ip route del 10.0.11.0/24 via 192.168.122.200 dev enp1s0 + +``` +```shell +thy@ubuntu-24-2:~/box$ sudo ip route del 192.168.122.204 dev enp1s0 +thy@ubuntu-24-2:~/box$ sudo ip route del 10.0.10.0/24 via 192.168.122.204 dev enp1s0 + +``` + +# 14 + +```shell +vim /etc/bird/bird.conf + +``` + + +# 15 + +```shell +sudo systemctl restart bird +``` + +# 16 + +```shell 
+thy@ubuntu24-server:~/box$ sudo birdc show protocols +BIRD 1.6.8 ready. +name proto table state since info +kernel1 Kernel master up 23:45:55 +device1 Device master up 23:45:55 +direct1 Direct master up 23:45:55 +b0 BGP master up 23:45:59 Established + +thy@ubuntu24-server:~/box$ sudo birdc show route +BIRD 1.6.8 ready. +10.0.10.0/24 dev veth1 [direct1 23:45:55] * (240) +10.0.11.0/24 via 192.168.122.200 on enp1s0 [b0 23:45:59] * (100) [AS64521i] +192.168.122.0/24 dev enp1s0 [direct1 23:45:55] * (240) + via 192.168.122.200 on enp1s0 [b0 23:45:59] (100) [AS64521i] + + +``` +```shell +thy@ubuntu-24-2:~/box$ sudo birdc show protocols +BIRD 1.6.8 ready. +name proto table state since info +kernel1 Kernel master up 23:45:59 +device1 Device master up 23:45:59 +direct1 Direct master up 23:45:59 +b1 BGP master up 23:45:59 Established + +thy@ubuntu-24-2:~/box$ sudo birdc show route +BIRD 1.6.8 ready. +10.0.10.0/24 via 192.168.122.204 on enp1s0 [b1 23:45:59] * (100) [AS64520i] +10.0.11.0/24 dev veth1 [direct1 23:45:59] * (240) +192.168.122.0/24 dev enp1s0 [direct1 23:45:59] * (240) + via 192.168.122.204 on enp1s0 [b1 23:45:59] (100) [AS64520i] + + +``` + +# 17 + +```shell +thy@ubuntu24-server:~/box$ sudo ip route +default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.204 metric 100 +10.0.10.0/24 dev veth1 proto kernel scope link src 10.0.10.1 +10.0.11.0/24 via 192.168.122.200 dev enp1s0 proto bird +192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.204 metric 100 +192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.204 metric 100 +``` +```shell +thy@ubuntu-24-2:~/box$ sudo ip route +default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.200 metric 100 +10.0.10.0/24 via 192.168.122.204 dev enp1s0 proto bird +10.0.11.0/24 dev veth1 proto kernel scope link src 10.0.11.1 +192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.200 metric 100 +192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.200 metric 100 + 
+``` + +# 18 + +```shell +thy@ubuntu24-server:~$ sudo tshark -i veth1 +Running as user "root" and group "root". This could be dangerous. +Capturing on 'veth1' + +``` +```shell +thy@ubuntu-24-2:~$ sudo tshark -i veth1 +Running as user "root" and group "root". This could be dangerous. +Capturing on 'veth1' + +``` + +# 19 + +```shell + +thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999 +``` + +```shell + +thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999 +bgp helloo!!!! + +``` + +# 20 + +```shell +thy@ubuntu24-server:~$ sudo tshark -i veth1 +Running as user "root" and group "root". This could be dangerous. +Capturing on 'veth1' + 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128 + 2 0.000337346 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128 + 3 0.000354149 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134 + 4 5.292822389 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 Who has 10.0.10.2? Tell 10.0.10.1 + 5 5.292843243 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 Who has 10.0.10.1? Tell 10.0.10.2 + 6 5.293009682 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 10.0.10.1 is at 86:59:90:1a:4a:60 + 7 5.292981525 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 10.0.10.2 is at 9a:45:f6:36:e8:cb + 8 8.448817263 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134 + 9 8.449367387 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310 + + +``` + +```shell +thy@ubuntu-24-2:~$ sudo tshark -i veth1 +Running as user "root" and group "root". This could be dangerous. 
+Capturing on 'veth1' + 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128 + 2 0.000056658 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128 + 3 0.000197636 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134 + 4 5.093841101 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 Who has 10.0.11.2? Tell 10.0.11.1 + 5 5.093832531 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 Who has 10.0.11.1? Tell 10.0.11.2 + 6 5.093891327 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 10.0.11.1 is at 06:63:34:0b:98:ef + 7 5.093898882 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 10.0.11.2 is at 7e:9f:2d:eb:7c:33 + 8 8.448882261 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134 + 9 8.448965966 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310 + +``` + diff --git a/bgp/2506-03.xyz.md b/bgp/2506-03.xyz.md deleted file mode 100644 index 35344d6..0000000 --- a/bgp/2506-03.xyz.md +++ /dev/null 
@@ -1,322 +0,0 @@ - -# - -```shell -thy@ubuntu24-server:~/box$ sudo ip a -1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host noprefixroute - valid_lft forever preferred_lft forever -2: enp1s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 - link/ether 52:54:00:e2:07:25 brd ff:ff:ff:ff:ff:ff - inet 192.168.122.204/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0 - valid_lft 2074sec preferred_lft 2074sec - inet6 fe80::5054:ff:fee2:725/64 scope link - valid_lft forever preferred_lft forever - - -``` - -# - -```shell - -thy@ubuntu-24-2:~/box$ sudo ip a -1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - inet 127.0.0.1/8 scope host lo - valid_lft forever preferred_lft forever - inet6 ::1/128 scope host noprefixroute - valid_lft forever preferred_lft forever -2: enp1s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 - link/ether 52:54:00:e2:07:21 brd ff:ff:ff:ff:ff:ff - inet 192.168.122.200/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0 - valid_lft 2102sec preferred_lft 2102sec - inet6 fe80::5054:ff:fee2:721/64 scope link - valid_lft forever preferred_lft forever - -``` -# - -```shell - -thy@ubuntu-24-2:~/box$ nc -l 192.168.122.200 9999 - -``` - -```shell -thy@ubuntu24-server:~/box$ nc 192.168.122.200 9999 -qwer - - -``` - -# - -```shell - -sudo apt update -sudo apt install bird tshark - -sudo systemctl stop bird -``` - -# - -```shell - -./on0.sh - -``` - -```shell - -./on1.sh - -``` - -# - -```shell - -thy@ubuntu24-server:~/box$ ip a -... 
-4: veth1@if2: mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether 86:59:90:1a:4a:60 brd ff:ff:ff:ff:ff:ff link-netns net1 - inet 10.0.10.1/24 scope global veth1 - valid_lft forever preferred_lft forever - inet6 fe80::8459:90ff:fe1a:4a60/64 scope link - valid_lft forever preferred_lft forever - -``` - -# - -```shell - -thy@ubuntu24-server:~/box$ sudo ip netns exec net1 ip a -1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000 - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 -2: veth2@if4: mtu 1500 qdisc noqueue state UP group default qlen 1000 - link/ether 9a:45:f6:36:e8:cb brd ff:ff:ff:ff:ff:ff link-netnsid 0 - inet 10.0.10.2/24 scope global veth2 - valid_lft forever preferred_lft forever - inet6 fe80::9845:f6ff:fe36:e8cb/64 scope link - valid_lft forever preferred_lft forever - - - -``` - - -# - -```shell -thy@ubuntu-24-2:~$ sudo tshark -i veth1 -Running as user "root" and group "root". This could be dangerous. -Capturing on 'veth1' - - -``` - -# - -```shell -thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999 - - -``` -```shell - -thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999 - - -``` - -# - -```shell -thy@ubuntu24-server:~/box$ sudo ip route add 192.168.122.200 dev enp1s0 -thy@ubuntu24-server:~/box$ sudo ip route add 10.0.11.0/24 via 192.168.122.200 dev enp1s0 -``` - -```shell -thy@ubuntu-24-2:~/box$ sudo ip route add 192.168.122.204 dev enp1s0 -thy@ubuntu-24-2:~/box$ sudo ip route add 10.0.10.0/24 via 192.168.122.204 dev enp1s0 -``` - -# - -```shell -thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999 - -``` - -```shell -thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999 -asdf -``` -# - -```shell - - 7 209.216657001 10.0.10.2 → 10.0.11.2 TCP 74 54346 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2153550491 TSecr=0 WS=128 - 8 209.216718956 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 54346 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM 
TSval=1584711764 TSecr=2153550491 WS=128 - 9 209.217147388 10.0.10.2 → 10.0.11.2 TCP 66 54346 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2153550492 TSecr=1584711764 - 10 211.003022696 10.0.10.2 → 10.0.11.2 TCP 71 54346 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=5 TSval=2153552277 TSecr=1584711764 - 11 211.003087706 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 54346 [ACK] Seq=1 Ack=6 Win=65280 Len=0 TSval=1584713551 TSecr=2153552277 - -``` - -# - -```shell -thy@ubuntu24-server:~/box$ sudo ip route del 192.168.122.200 dev enp1s0 -thy@ubuntu24-server:~/box$ sudo ip route del 10.0.11.0/24 via 192.168.122.200 dev enp1s0 - -``` -```shell -thy@ubuntu-24-2:~/box$ sudo ip route del 192.168.122.204 dev enp1s0 -thy@ubuntu-24-2:~/box$ sudo ip route del 10.0.10.0/24 via 192.168.122.204 dev enp1s0 - -``` - -# - -```shell -vim /etc/bird/bird.conf - -``` - - -# - -```shell -sudo systemctl restart bird -``` - -# - -```shell -thy@ubuntu24-server:~/box$ sudo birdc show protocols -BIRD 1.6.8 ready. -name proto table state since info -kernel1 Kernel master up 23:45:55 -device1 Device master up 23:45:55 -direct1 Direct master up 23:45:55 -b0 BGP master up 23:45:59 Established - -thy@ubuntu24-server:~/box$ sudo birdc show route -BIRD 1.6.8 ready. -10.0.10.0/24 dev veth1 [direct1 23:45:55] * (240) -10.0.11.0/24 via 192.168.122.200 on enp1s0 [b0 23:45:59] * (100) [AS64521i] -192.168.122.0/24 dev enp1s0 [direct1 23:45:55] * (240) - via 192.168.122.200 on enp1s0 [b0 23:45:59] (100) [AS64521i] - - -``` -```shell -thy@ubuntu-24-2:~/box$ sudo birdc show protocols -BIRD 1.6.8 ready. -name proto table state since info -kernel1 Kernel master up 23:45:59 -device1 Device master up 23:45:59 -direct1 Direct master up 23:45:59 -b1 BGP master up 23:45:59 Established - -thy@ubuntu-24-2:~/box$ sudo birdc show route -BIRD 1.6.8 ready. 
-10.0.10.0/24 via 192.168.122.204 on enp1s0 [b1 23:45:59] * (100) [AS64520i] -10.0.11.0/24 dev veth1 [direct1 23:45:59] * (240) -192.168.122.0/24 dev enp1s0 [direct1 23:45:59] * (240) - via 192.168.122.204 on enp1s0 [b1 23:45:59] (100) [AS64520i] - - -``` - -# - -```shell -thy@ubuntu24-server:~/box$ sudo ip route -default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.204 metric 100 -10.0.10.0/24 dev veth1 proto kernel scope link src 10.0.10.1 -10.0.11.0/24 via 192.168.122.200 dev enp1s0 proto bird -192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.204 metric 100 -192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.204 metric 100 -``` -```shell -thy@ubuntu-24-2:~/box$ sudo ip route -default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.200 metric 100 -10.0.10.0/24 via 192.168.122.204 dev enp1s0 proto bird -10.0.11.0/24 dev veth1 proto kernel scope link src 10.0.11.1 -192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.200 metric 100 -192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.200 metric 100 - -``` - -# - -```shell -thy@ubuntu24-server:~$ sudo tshark -i veth1 -Running as user "root" and group "root". This could be dangerous. -Capturing on 'veth1' - -``` -```shell -thy@ubuntu-24-2:~$ sudo tshark -i veth1 -Running as user "root" and group "root". This could be dangerous. -Capturing on 'veth1' - -``` - -# - -```shell - -thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999 -``` - -```shell - -thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999 -bgp helloo!!!! - -``` - -# - -```shell -thy@ubuntu24-server:~$ sudo tshark -i veth1 -Running as user "root" and group "root". This could be dangerous. 
-Capturing on 'veth1' - 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128 - 2 0.000337346 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128 - 3 0.000354149 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134 - 4 5.292822389 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 Who has 10.0.10.2? Tell 10.0.10.1 - 5 5.292843243 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 Who has 10.0.10.1? Tell 10.0.10.2 - 6 5.293009682 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 10.0.10.1 is at 86:59:90:1a:4a:60 - 7 5.292981525 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 10.0.10.2 is at 9a:45:f6:36:e8:cb - 8 8.448817263 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134 - 9 8.449367387 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310 - - -``` - -```shell -thy@ubuntu-24-2:~$ sudo tshark -i veth1 -Running as user "root" and group "root". This could be dangerous. -Capturing on 'veth1' - 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128 - 2 0.000056658 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128 - 3 0.000197636 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134 - 4 5.093841101 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 Who has 10.0.11.2? Tell 10.0.11.1 - 5 5.093832531 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 Who has 10.0.11.1? 
Tell 10.0.11.2 - 6 5.093891327 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 10.0.11.1 is at 06:63:34:0b:98:ef - 7 5.093898882 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 10.0.11.2 is at 7e:9f:2d:eb:7c:33 - 8 8.448882261 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134 - 9 8.448965966 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310 - -``` - diff --git a/mitm-tls/2506-01.xyz.md b/mitm-tls/2506-01.xyz.md new file mode 100644 index 0000000..120abcb --- /dev/null +++ b/mitm-tls/2506-01.xyz.md 
@@ -0,0 +1,411 @@ +# 01 + +```shell + +./setup.sh + +``` + +# 02 + + +```shell + +---------------------------------------------------- +| | +| hacker's router | +| | +| ----------------- ---------------- | +| | vet11 | | veth21 | | +| | 192.168.62.5 | | 192.168.64.5 | | +| | mitm'd 😈 | | | | +---------------------------------------------------- + | | + | | + | | + ----------------- ---------------- + | veth12 | | veth22 | + | 192.168.62.6 | | 192.168.64.6 | + | client | | server | + ----------------- ---------------- + + + +``` + +# 03 + +```shell + +./certs.sh + +``` + +# 04 + +```shell +sudo ip netns exec net2 openssl s_server -port 9999 -cert ./certs/server.pem -key ./certs/server_priv.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2 + +``` + + +```shell + +sudo ip netns exec net1 openssl s_client -connect 192.168.64.6:9999 -CAfile ./certs/ca.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2 +``` + +# 05 + +```shell +... +SSL-Session: + Protocol : TLSv1.2 + Cipher : AES256-SHA256 +... +``` + +# 06 + +```c + +int hijack_key(); + + +``` + +# 07 + +```c + int dec_len = RSA_private_decrypt( + data_len, + (unsigned char*)premaster_raw, + dec_msg, + rsa_priv_key, + RSA_PKCS1_PADDING + ); + + +``` + + +# 08 + +```shell +# https://datatracker.ietf.org/doc/html/rfc5246 + +... + To generate the key material, compute + + key_block = PRF(SecurityParameters.master_secret, + "key expansion", + SecurityParameters.server_random + + SecurityParameters.client_random); + + until enough output has been generated. Then, the key_block is + partitioned as follows: + + client_write_MAC_key[SecurityParameters.mac_key_length] + server_write_MAC_key[SecurityParameters.mac_key_length] + client_write_key[SecurityParameters.enc_key_length] + server_write_key[SecurityParameters.enc_key_length] + client_write_IV[SecurityParameters.fixed_iv_length] + server_write_IV[SecurityParameters.fixed_iv_length] + +... 
+ + +``` + +# 09 + +```c +/* + * steal start + * https://github.com/openssl/openssl/blob/master/providers/implementations/kdfs/tls1_prf.c + * +*/ +static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, + const unsigned char *sec, size_t sec_len, + const unsigned char *seed, size_t seed_len, + unsigned char *out, size_t olen) +{ + size_t chunk; + EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL; + unsigned char Ai[EVP_MAX_MD_SIZE]; + size_t Ai_len; + int ret = 0; + + if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL)) + goto err; + chunk = EVP_MAC_CTX_get_mac_size(ctx_init); + if (chunk == 0) + goto err; + /* A(0) = seed */ + ctx_Ai = EVP_MAC_CTX_dup(ctx_init); + if (ctx_Ai == NULL) + goto err; + if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) + goto err; + + for (;;) { + /* calc: A(i) = HMAC_(secret, A(i-1)) */ + if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) + goto err; + EVP_MAC_CTX_free(ctx_Ai); + ctx_Ai = NULL; + + /* calc next chunk: HMAC_(secret, A(i) + seed) */ + ctx = EVP_MAC_CTX_dup(ctx_init); + if (ctx == NULL) + goto err; + if (!EVP_MAC_update(ctx, Ai, Ai_len)) + goto err; + /* save state for calculating next A(i) value */ + if (olen > chunk) { + ctx_Ai = EVP_MAC_CTX_dup(ctx); + if (ctx_Ai == NULL) + goto err; + } + if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) + goto err; + if (olen <= chunk) { + /* last chunk - use Ai as temp bounce buffer */ + if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) + goto err; + memcpy(out, Ai, olen); + break; + } + if (!EVP_MAC_final(ctx, out, NULL, olen)) + goto err; + EVP_MAC_CTX_free(ctx); + ctx = NULL; + out += chunk; + olen -= chunk; + } + ret = 1; + + err: + EVP_MAC_CTX_free(ctx); + EVP_MAC_CTX_free(ctx_Ai); + OPENSSL_cleanse(Ai, sizeof(Ai)); + return ret; +} +/* + * steal end +*/ +``` + +# 10 + +```shell + +seclen: 48, seedlen: 54, olen: 48 +sec: +0303C50E21125FEC8635A168DA82BD7269D18B1AD4D5BEA6818527F55F4C2872AD6E4EBACA83BAC3B36E69E4ED15916F +seedstr: extended master secretW�SPeK^"�勘�0�U�n^��/��@&r� 
+seed: +657874656E646564206D61737465722073656372657457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7 +out: +4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A +seclen: 48, seedlen: 77, olen: 160 +sec: +4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A +seedstr: key expansion���n_ 'B��C񚌠e&Oqb� +}Oɉ�_H� +seed: +6B657920657870616E73696F6EB519C2E76E5F09274282CC43F19A8CA065264F716216D20A7D4FC98907FD5F48840800745893FFE3F025D356EBA71346456907FAB463E830A91CFF28EACF6268 +out: +ABAD28DAB7B616EB03B55B58E516B9B6A30FBF6283BE3372179C036F5A662D6CA86CAB7F0C17F5AA6C3FFAB275CA475834F024E6143E1B5AED0A58C720A35E9C7E8EC02569BFCCEECF6E7C5E6DA04008BD98803D346317D9D283C2B7BAB56CED237D9845D9C2B963A9D03FC8A39042A5398E9F15D280B8536485DB2093F5296FF5134EAE36A5B49C096A7C6D210A30EDBA2E61D143B965E6B4664C1E3F821EBD +seclen: 48, seedlen: 47, olen: 12 +sec: +4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A +seedstr: client finishedW�SPeK^"�勘�0�U�n^��/��@&r� +seed: +636C69656E742066696E697368656457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7 +out: +B16679F75903CDDED98F1410 +seclen: 48, seedlen: 47, olen: 12 +sec: +4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A +seedstr: server finished}g��+[��˶� +seed: +7365727665722066696E69736865647D67F8AA2B5B1799B3CBB6E3A700F587A8920B80D7E1848346DF829D5ADD4FE1 +out: +9EFC18B4D2A28F38DC3818B6 + +``` + +# 11 +```shell +# https://datatracker.ietf.org/doc/html/rfc7627 +... +The "session_hash" is intended to encompass all relevant session + information, including ciphersuite negotiation, key exchange + messages, and client and server identities. The hash is needed to + compute the extended master secret and hence must be available before + the Finished messages. 
+ + This document sets the "session_hash" to cover all handshake messages + up to and including the ClientKeyExchange. +... +``` + + +# 12 + +```shell +# https://datatracker.ietf.org/doc/html/rfc7366 +... +3. Applying Encrypt-then-MAC + + Once the use of encrypt-then-MAC has been negotiated, processing of + TLS/DTLS packets switches from the standard: + + encrypt( data || MAC || pad ) + + to the new: + + encrypt( data || pad ) || MAC + + with the MAC covering the entire packet up to the start of the MAC + value. In TLS [2] notation, the MAC calculation for TLS 1.0 without + the explicit Initialization Vector (IV) is: + + MAC(MAC_write_key, seq_num + + TLSCipherText.type + + TLSCipherText.version + + TLSCipherText.length + + ENC(content + padding + padding_length)); +... + and for TLS 1.1 and greater with an explicit IV is: + + MAC(MAC_write_key, seq_num + + TLSCipherText.type + + TLSCipherText.version + + TLSCipherText.length + + IV + + ENC(content + padding + padding_length)); +... + +``` + +# 13-1 + +```c + // do serve listens from PF_PACKET socket +void do_serve(); + | + | // process rx actually captures the packet + | +void* process_rx(const int fd, char* rx_ring, int* len); + | + | // sniff packet lets sniff action handles the packet, + | // if it's TCP + | +void sniff_packet(void* packet); + | + | // by examining TLS flag, it gathers data from Client Hello, Server Hello, + | // etc untils it hits Client Key Exchange + | +void sniff_action(uint8_t* dataraw); + | + | // if it's Client Key Exchange, it runs the process of + | // hijacking master secret + ------> int hijack_key(); + | + | // if it successfully hijacked master secret + | // it's time to decrypt the client message! 
+ ------> int cbc256_decrypt(uint8_t* enc_msg, int enclen, uint8_t* cbc_key, uint8_t* cbc_iv, uint8_t* plain_msg); + +``` + + +# 13 + +```shell + +./mitm.out + + +``` + +# 14 + +```shell + +packet RX: 7 +dst mac: 1a:fe:a2:8e:77:09 +dst address: 192.168.64.6 +handshake: client hello +slen: 116 + +packet RX: 8 +dst mac: 8e:ee:03:c8:56:22 +dst address: 192.168.62.6 + +packet RX: 9 +dst mac: 8e:ee:03:c8:56:22 +dst address: 192.168.62.6 +handshake: server hello + +packet RX: 10 +dst mac: 1a:fe:a2:8e:77:09 +dst address: 192.168.64.6 + +packet RX: 11 +dst mac: 1a:fe:a2:8e:77:09 +dst address: 192.168.64.6 +handshake: client key exchange +declen: 48 +session info len: 1998 +session_hash: 32 +1D85F4612C17261000958F5AB963D9D6FFE3E361800955246FB31D4B23A6ADB0 +extended master secret: label + seedlen: 54 +master: + 454A17BE7F52ACBBFF414EC635D541F0CA9F7054065EEB02D38012CF5703EEDB3B5D0CAD4726C823DFF72D00C50A269C +key expansion: label + seedlen: 77 +master keymat: + 6960D327538039F7E56D2B32D29BBC3E7C4752802E73867511D3AEBD092C1E8A9CA0860FC19CC0AD821C7C917A8695983EE7B42874B65894B8C2835AD03A60EE91D39235A4827881CA7CE057CC11244C78A2DA9DF111EFC53D45FFB3EFEC92182BD69CFAA449183E6BB01B622DF473F25D6F35707BA1923A57333FCEF37BB4FE8056C5E26F57BD043791713C844BCD7D003452E63B3FF51FCB0FA3EDF6A2861D + +packet RX: 12 +dst mac: 8e:ee:03:c8:56:22 +dst address: 192.168.62.6 +handshake: new session ticket + +``` + + +# 15 + +```shell + 0070 - 05 5f 50 8c ee 01 9b ac-31 58 dc c3 d6 a7 05 66 ._P.....1X.....f + 0080 - fc 58 3f 9f ac 0f b7 0f-0c 3e 1f e1 9b 8c 80 a6 .X?......>...... + 0090 - 49 7d 20 57 93 b7 8e 6a-9e 99 47 a6 61 41 f5 7e I} W...j..G.aA.~ + 00a0 - fb 1d 46 41 06 08 3f 2a-09 8a 70 7a 5d 37 5e 92 ..FA..?*..pz]7^. 
+ + Start Time: 1748389568 + Timeout : 7200 (sec) + Verify return code: 0 (ok) + Extended master secret: yes +--- +i see dead people + + +``` + +# 16 +```shell +packet RX: 17 +dst mac: 1a:fe:a2:8e:77:09 +dst address: 192.168.64.6 +message: payloadlen: 80 + 😈 TLSv1.2 hijacked message 😈 + i see dead people + + +packet RX: 18 +dst mac: 8e:ee:03:c8:56:22 +dst address: 192.168.62.6 + + +``` \ No newline at end of file diff --git a/mitm-tls/2506-02.xyz.md b/mitm-tls/2506-02.xyz.md deleted file mode 100644 index 120abcb..0000000 --- a/mitm-tls/2506-02.xyz.md +++ /dev/null 
@@ -1,411 +0,0 @@ -# 01 - -```shell - -./setup.sh - -``` - -# 02 - - -```shell - ----------------------------------------------------- -| | -| hacker's router | -| | -| ----------------- ---------------- | -| | vet11 | | veth21 | | -| | 192.168.62.5 | | 192.168.64.5 | | -| | mitm'd 😈 | | | | ----------------------------------------------------- - | | - | | - | | - ----------------- ---------------- - | veth12 | | veth22 | - | 192.168.62.6 | | 192.168.64.6 | - | client | | server | - ----------------- ---------------- - - - -``` - -# 03 - -```shell - -./certs.sh - -``` - -# 04 - -```shell -sudo ip netns exec net2 openssl s_server -port 9999 -cert ./certs/server.pem -key ./certs/server_priv.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2 - -``` - - -```shell - -sudo ip netns exec net1 openssl s_client -connect 192.168.64.6:9999 -CAfile ./certs/ca.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2 -``` - -# 05 - -```shell -... -SSL-Session: - Protocol : TLSv1.2 - Cipher : AES256-SHA256 -... -``` - -# 06 - -```c - -int hijack_key(); - - -``` - -# 07 - -```c - int dec_len = RSA_private_decrypt( - data_len, - (unsigned char*)premaster_raw, - dec_msg, - rsa_priv_key, - RSA_PKCS1_PADDING - ); - - -``` - - -# 08 - -```shell -# https://datatracker.ietf.org/doc/html/rfc5246 - -... - To generate the key material, compute - - key_block = PRF(SecurityParameters.master_secret, - "key expansion", - SecurityParameters.server_random + - SecurityParameters.client_random); - - until enough output has been generated. Then, the key_block is - partitioned as follows: - - client_write_MAC_key[SecurityParameters.mac_key_length] - server_write_MAC_key[SecurityParameters.mac_key_length] - client_write_key[SecurityParameters.enc_key_length] - server_write_key[SecurityParameters.enc_key_length] - client_write_IV[SecurityParameters.fixed_iv_length] - server_write_IV[SecurityParameters.fixed_iv_length] - -... 
- - -``` - -# 09 - -```c -/* - * steal start - * https://github.com/openssl/openssl/blob/master/providers/implementations/kdfs/tls1_prf.c - * -*/ -static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init, - const unsigned char *sec, size_t sec_len, - const unsigned char *seed, size_t seed_len, - unsigned char *out, size_t olen) -{ - size_t chunk; - EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL; - unsigned char Ai[EVP_MAX_MD_SIZE]; - size_t Ai_len; - int ret = 0; - - if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL)) - goto err; - chunk = EVP_MAC_CTX_get_mac_size(ctx_init); - if (chunk == 0) - goto err; - /* A(0) = seed */ - ctx_Ai = EVP_MAC_CTX_dup(ctx_init); - if (ctx_Ai == NULL) - goto err; - if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len)) - goto err; - - for (;;) { - /* calc: A(i) = HMAC_(secret, A(i-1)) */ - if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai))) - goto err; - EVP_MAC_CTX_free(ctx_Ai); - ctx_Ai = NULL; - - /* calc next chunk: HMAC_(secret, A(i) + seed) */ - ctx = EVP_MAC_CTX_dup(ctx_init); - if (ctx == NULL) - goto err; - if (!EVP_MAC_update(ctx, Ai, Ai_len)) - goto err; - /* save state for calculating next A(i) value */ - if (olen > chunk) { - ctx_Ai = EVP_MAC_CTX_dup(ctx); - if (ctx_Ai == NULL) - goto err; - } - if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len)) - goto err; - if (olen <= chunk) { - /* last chunk - use Ai as temp bounce buffer */ - if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai))) - goto err; - memcpy(out, Ai, olen); - break; - } - if (!EVP_MAC_final(ctx, out, NULL, olen)) - goto err; - EVP_MAC_CTX_free(ctx); - ctx = NULL; - out += chunk; - olen -= chunk; - } - ret = 1; - - err: - EVP_MAC_CTX_free(ctx); - EVP_MAC_CTX_free(ctx_Ai); - OPENSSL_cleanse(Ai, sizeof(Ai)); - return ret; -} -/* - * steal end -*/ -``` - -# 10 - -```shell - -seclen: 48, seedlen: 54, olen: 48 -sec: -0303C50E21125FEC8635A168DA82BD7269D18B1AD4D5BEA6818527F55F4C2872AD6E4EBACA83BAC3B36E69E4ED15916F -seedstr: extended master secretW�SPeK^"�勘�0�U�n^��/��@&r� 
-seed: -657874656E646564206D61737465722073656372657457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7 -out: -4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A -seclen: 48, seedlen: 77, olen: 160 -sec: -4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A -seedstr: key expansion���n_ 'B��C񚌠e&Oqb� -}Oɉ�_H� -seed: -6B657920657870616E73696F6EB519C2E76E5F09274282CC43F19A8CA065264F716216D20A7D4FC98907FD5F48840800745893FFE3F025D356EBA71346456907FAB463E830A91CFF28EACF6268 -out: -ABAD28DAB7B616EB03B55B58E516B9B6A30FBF6283BE3372179C036F5A662D6CA86CAB7F0C17F5AA6C3FFAB275CA475834F024E6143E1B5AED0A58C720A35E9C7E8EC02569BFCCEECF6E7C5E6DA04008BD98803D346317D9D283C2B7BAB56CED237D9845D9C2B963A9D03FC8A39042A5398E9F15D280B8536485DB2093F5296FF5134EAE36A5B49C096A7C6D210A30EDBA2E61D143B965E6B4664C1E3F821EBD -seclen: 48, seedlen: 47, olen: 12 -sec: -4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A -seedstr: client finishedW�SPeK^"�勘�0�U�n^��/��@&r� -seed: -636C69656E742066696E697368656457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7 -out: -B16679F75903CDDED98F1410 -seclen: 48, seedlen: 47, olen: 12 -sec: -4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A -seedstr: server finished}g��+[��˶� -seed: -7365727665722066696E69736865647D67F8AA2B5B1799B3CBB6E3A700F587A8920B80D7E1848346DF829D5ADD4FE1 -out: -9EFC18B4D2A28F38DC3818B6 - -``` - -# 11 -```shell -# https://datatracker.ietf.org/doc/html/rfc7627 -... -The "session_hash" is intended to encompass all relevant session - information, including ciphersuite negotiation, key exchange - messages, and client and server identities. The hash is needed to - compute the extended master secret and hence must be available before - the Finished messages. 
- - This document sets the "session_hash" to cover all handshake messages - up to and including the ClientKeyExchange. -... -``` - - -# 12 - -```shell -# https://datatracker.ietf.org/doc/html/rfc7366 -... -3. Applying Encrypt-then-MAC - - Once the use of encrypt-then-MAC has been negotiated, processing of - TLS/DTLS packets switches from the standard: - - encrypt( data || MAC || pad ) - - to the new: - - encrypt( data || pad ) || MAC - - with the MAC covering the entire packet up to the start of the MAC - value. In TLS [2] notation, the MAC calculation for TLS 1.0 without - the explicit Initialization Vector (IV) is: - - MAC(MAC_write_key, seq_num + - TLSCipherText.type + - TLSCipherText.version + - TLSCipherText.length + - ENC(content + padding + padding_length)); -... - and for TLS 1.1 and greater with an explicit IV is: - - MAC(MAC_write_key, seq_num + - TLSCipherText.type + - TLSCipherText.version + - TLSCipherText.length + - IV + - ENC(content + padding + padding_length)); -... - -``` - -# 13-1 - -```c - // do serve listens from PF_PACKET socket -void do_serve(); - | - | // process rx actually captures the packet - | -void* process_rx(const int fd, char* rx_ring, int* len); - | - | // sniff packet lets sniff action handles the packet, - | // if it's TCP - | -void sniff_packet(void* packet); - | - | // by examining TLS flag, it gathers data from Client Hello, Server Hello, - | // etc untils it hits Client Key Exchange - | -void sniff_action(uint8_t* dataraw); - | - | // if it's Client Key Exchange, it runs the process of - | // hijacking master secret - ------> int hijack_key(); - | - | // if it successfully hijacked master secret - | // it's time to decrypt the client message! 
- ------> int cbc256_decrypt(uint8_t* enc_msg, int enclen, uint8_t* cbc_key, uint8_t* cbc_iv, uint8_t* plain_msg); - -``` - - -# 13 - -```shell - -./mitm.out - - -``` - -# 14 - -```shell - -packet RX: 7 -dst mac: 1a:fe:a2:8e:77:09 -dst address: 192.168.64.6 -handshake: client hello -slen: 116 - -packet RX: 8 -dst mac: 8e:ee:03:c8:56:22 -dst address: 192.168.62.6 - -packet RX: 9 -dst mac: 8e:ee:03:c8:56:22 -dst address: 192.168.62.6 -handshake: server hello - -packet RX: 10 -dst mac: 1a:fe:a2:8e:77:09 -dst address: 192.168.64.6 - -packet RX: 11 -dst mac: 1a:fe:a2:8e:77:09 -dst address: 192.168.64.6 -handshake: client key exchange -declen: 48 -session info len: 1998 -session_hash: 32 -1D85F4612C17261000958F5AB963D9D6FFE3E361800955246FB31D4B23A6ADB0 -extended master secret: label + seedlen: 54 -master: - 454A17BE7F52ACBBFF414EC635D541F0CA9F7054065EEB02D38012CF5703EEDB3B5D0CAD4726C823DFF72D00C50A269C -key expansion: label + seedlen: 77 -master keymat: - 6960D327538039F7E56D2B32D29BBC3E7C4752802E73867511D3AEBD092C1E8A9CA0860FC19CC0AD821C7C917A8695983EE7B42874B65894B8C2835AD03A60EE91D39235A4827881CA7CE057CC11244C78A2DA9DF111EFC53D45FFB3EFEC92182BD69CFAA449183E6BB01B622DF473F25D6F35707BA1923A57333FCEF37BB4FE8056C5E26F57BD043791713C844BCD7D003452E63B3FF51FCB0FA3EDF6A2861D - -packet RX: 12 -dst mac: 8e:ee:03:c8:56:22 -dst address: 192.168.62.6 -handshake: new session ticket - -``` - - -# 15 - -```shell - 0070 - 05 5f 50 8c ee 01 9b ac-31 58 dc c3 d6 a7 05 66 ._P.....1X.....f - 0080 - fc 58 3f 9f ac 0f b7 0f-0c 3e 1f e1 9b 8c 80 a6 .X?......>...... - 0090 - 49 7d 20 57 93 b7 8e 6a-9e 99 47 a6 61 41 f5 7e I} W...j..G.aA.~ - 00a0 - fb 1d 46 41 06 08 3f 2a-09 8a 70 7a 5d 37 5e 92 ..FA..?*..pz]7^. 
- - Start Time: 1748389568 - Timeout : 7200 (sec) - Verify return code: 0 (ok) - Extended master secret: yes ---- -i see dead people - - -``` - -# 16 -```shell -packet RX: 17 -dst mac: 1a:fe:a2:8e:77:09 -dst address: 192.168.64.6 -message: payloadlen: 80 - 😈 TLSv1.2 hijacked message 😈 - i see dead people - - -packet RX: 18 -dst mac: 8e:ee:03:c8:56:22 -dst address: 192.168.62.6 - - -``` \ No newline at end of file
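Review bot: the `+` tail of bgp/2506-02.xyz.md (the `# 15`/`# 16` blocks ending with `Extended master secret: yes`, `😈 TLSv1.2 hijacked message 😈` and `i see dead people`) is TLS MITM capture output, byte-for-byte the same as the last two sections of the mitm-tls/2506-02.xyz.md file that this same commit deletes (same `Start Time: 1748389568`, same `packet RX: 17` / `dst mac: 1a:fe:a2:8e:77:09` lines), so it reads like the new BGP page was started from a copy of the old one and the leftover was never trimmed. Drop those two sections from the bgp page, since nothing in a commit titled "bgp material" explains a TLSv1.2 decrypt log, or, if they are meant to stay, give them a heading that says they are the TLS lab's output rather than part of the BGP setup.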
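Review bot: the commit subject "bgp material" says nothing about the `@@ -1,411 +0,0 @@` hunk that deletes the whole mitm-tls/2506-02.xyz.md write-up: the veth/netns topology, the `openssl s_server` / `s_client` invocations pinned to `-cipher AES256-SHA256:@SECLEVEL=0 -tls1_2`, the `hijack_key()` call chain built on `RSA_private_decrypt(..., rsa_priv_key, RSA_PKCS1_PADDING)`, the `tls1_prf_P_hash` copy from OpenSSL, the RFC 5246 / 7627 / 7366 excerpts and the captured master secret and key_block hex. Split the removal into its own commit whose message says why the page goes away, or, if the material is being relocated, do it as a rename so its history stays attached; as it stands the only trace of the TLS work left in the tree is the unchanged `# 15`/`# 16` tail that reappears at the end of the new bgp file, which is the opposite of what a reader would expect. If the page is kept anywhere, the one sentence worth preserving with it is the precondition the code makes explicit: the decrypt works only because the suite forced here uses RSA key exchange and the sniffer holds the server's private key (`rsa_priv_key`), which is what lets it recover the premaster from the ClientKeyExchange and rerun the PRF over `session_hash`, "key expansion", and the Finished labels shown in `# 10`.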