PoC: 协议探测风险 #30
Comments
|
If you don't know what you are doing, please close this issue. |
MTProto FakeTLS在TLS ClientHello中使用secret进行hmac,将hash值填充在tls.random字段中,服务器可以在clienthello中进行判断,验证客户端有效性,但是依旧被识别,这种方式已经过时了 |
感谢反馈! 没太仔细看 mtproto 的实现,是在 client hello 里携带签名信息吗? 我的一些想法可以参考这里: https://www.ihcblog.com/a-better-tls-obfs-proxy/ |
是的,签名中可以夹带时间戳,可以避免重放,MTProto也这样子做了 |
|
MTProto不仅在Server Side做数据包校验,Client Side也有数据包校验,避免中间盒探测客户端,MTProto FakeTLS的协议设计具有抗探测和抗重放的性质,对整包进行保护,如果中间盒进行重放,探测等操作,他会回落到真服务器,从而中间盒无法判断是否为代理服务器。 |
|
整包保护的好处就是,只要修改了一处,就会被发现。这点使中间盒无法破译TLS内流量,重放无法得到TLS内明文数据,探测会被回落。TLS 1.3对Server Hello后面全部加密保护,所以中间盒没有办法判断证书有效性,唯一的方法就是探测。 |
|
MTProto FakeTLS已经完全实现了伪装源服务器,且中间盒探测得到的证书为可信证书,从而可以绕过证书检测。 |
|
我很好奇开发者有没有研究过TLS的RFC?只有ClientHello去探测并不能得到什么有效数据吧,都没法发TLS 1.3的Encrypted Client Hello Done |
|
而且不说别的,MTG的FakeTLS实现,认证字段做了一次性处理的,只能用一次,然后会被记录,第二次相同的就会被回落 |
|
如果您有telegram的话,最好留一下,拿telegram交流更方便 |
|
大佬们,Shadow-TLS不用docker部署可以吗,求分享示例配置文件 |
时间戳并不能完全防御重放,多大的差异会被认为合理呢?如果是做类似以前ss的一次性认证的做法,在server侧记录状态保证每个包的唯一性,中间人完全可以做在线的攻击,即先行发送一次截获的client hello包。 Anyway,我认为你说的FakeTLS只是解决了流量认证和TLS包装的问题,它可以应付普通的流量分析,骗过wireshark,但缺乏对主动检测的应对方式。同时,模拟的TLS握手在实现细节上可能总会有点特征,直接转发可以低成本地避免这些潜在问题。 |
可以 |
MTProto确实有一个握手问题,不过足够防御主动探测了,中间盒拿到clienthello并没有办法验证证书有效性,这点已经足够。 |
|
已经有内鬼指出ShadowTLS已经被识别 |
There are no words that explicitly indicates that these connections are using ShadowTLS, but people inferred from the subsequent behavior that this is ShadowTLS. |
|
btw, this so-called "内鬼" is suspicious. |
If you don't believe it, fine, my advice is if it's true, then it's terrible. |
I believe it can find ShadowTLS v1, but there are too many mistakes in that picture, even typo problems. |
This picture was released at the end of August, and its authenticity is unknown, but we can confirm that shadow TLS only has a TLS handshake, and it also belongs to FakeTLS, which is different from the real TLS. |
|
Suggested Reference Paper “Parrot Is Dead” |
This picture is for ShadowTLS v1. Currently he hasn't published any picture about v2 so we can't know if v2 is also weak like v1. But we have confidence that v2 should work better than before. |
|
|
But in the other hand, ShadowTLS is designed to bypass SNI whitelist at the beginning. There are different problems encountered at this time, and there will always be trade-offs here. |
No problem, MTProto FakeTLS has also done this, I don't think it's necessary to continue to study this. |
|
The difference between shadow TLS and mtproto is that shadow TLS handshakes with the real server and supports tls 1.2 |
这个图在 v2 版本出来之前就有了。v1 版本确实很容易识别,只是一个可以私下小规模用用的简单 tls 封装。 |
ghost
reopened this
|
新鲜的报告和PoC 防火墙完全可以重定向TCP连接来精准识别客户端 从而对其封杀 |
|
甚至可以在家用路由器进行这个攻击,通过iptables 最简单的复现方法就是 直接使用ShadowTLS客户端对真服务器进行连接,直接抓包即可 |
嗯,不确定是不是可以 hack 一下 client 侧的 tls 实现。不过感觉可能性不大,因为 server 侧的行为还要能兼容正常 tls client。
实施这个攻击就是在主路上搞事情了,常规的分析都是旁路的;并且实施这个操作需要定制性地针对本协议做,套不上其他分析框架,所以我觉得可能成本会比较大。当然我也不知道中间人会不会这个干,以及它做这个事的代价。 |
防火墙已经具备在主路上进行攻击的能力,白名单IP的方法也已经失效了。防火墙是流量的必经之地,防火墙可以伪造ip,甚至可以调换数据包 |
现实的情况是 如果修改TLS的trafficSecret密钥计算方式,那么该PoC依然有效,如果要修改TLS数据包,则握手失败,而且主动探测也会TLS握手失败。 |
|
TLS的trafficSecret密钥计算方法是客户端和服务器收到的所有包进行hmac算法,如果修改必定客户端握手失败 |
|
我说的成本主要体现在:
|
是这样的,但是对比流量大数据就可以知道,当一个sni对着一个新ip发送tls流量,就有风险可以去探测 |
|
防火墙一旦结合历史流量数据和客户端探测,基本上可以实现精准封杀 |
那样子使用者成本会暴涨,我不确定中间盒是否会结合历史数据,如果结合了历史数据的话 我用Google DNS举例 而且我不能确定中间盒是否有网站IP对照表 比如说 deb.debian.org 就是 Fastly提供的 CDN |
发表一点个人的浅薄见解,如果上述方案一旦被启用,是不是可以用来攻击正常ip。比如我用shadowtls直接指向一个正常ip,然后服务器关闭此链接,然后就这个IP被墙盯上了,就失去了一个正常的网站? |
笑死,这波在大气层! |
不会啊,攻击的原理就是让服务器关闭,而真的shadow tls服务器是不会关闭的,会执行转发,这就是差异所在 |
|
浏览器到shadow tls服务器 正常握手 浏览器到真服务器 正常握手 |
|
@CoiaPrant233 |
|
This could be a general issue and might introduce higher collateral damage than we have expected. Please refer to our accepted work at FOCI'23: Chasing Shadows: A security analysis of the ShadowTLS proxy In appendix section, we have discussed the certain vulnerability and included some superficial evaluations. |
|
Initially, there seems to be no problem. |
Please add the source description to A.1, thank you. |
I have found some problems that I will consider disclosing publicly when gaukas completes the relevant sources in the paper. It is unrealistic to add or modify in the TLS handshake, and it should be abandoned. |
If you are inferring to that our discussion in the appendix could be based on your issue, unfortunately that's not the case. It is actually our independent work which is accidentally concurrent to yours. We have actually discussed this vulnerability and conducted experiments with the author of this project @ihciah way ahead of this issue in a private group. FYI, the deadline of FOCI'23 was Oct 15. And our paper has been finalized when you open this issue. We are also happy to publish our working repository after the FOCI event this year. |
Please do. The camera-ready has been finalized on Jan 15 and there will be no more change made. You may come to FOCI event on Feb 15 to discuss further if you would love to! |
How to participate? |
I'll post on restls issue. |
|
@CoiaPrant233 Please check out https://foci.community/ and there's a button for |
|
Ok
Gaukas Wang ***@***.***> 于 2023年2月12日周日 02:10写道:
… @CoiaPrant233 <https://github.com/CoiaPrant233> Please check out
https://foci.community/ and there's a button for Registration.
—
Reply to this email directly, view it on GitHub
<#30 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/A22WZNPZSBBNT2LMAUWQ7C3WW7I3BANCNFSM6AAAAAARF6EOKI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
The form has already been submitted. Do you need anything else? |
|
restls current problems Bug has add in issue |
|
以我的经验来说,mtproto的faketls非常稳定,跑了两三年一点事都没有,所以这必须是一条非常promising的路线 |
|
shadow-tls的设计已经过时,Telegram MTProto FakeTLS已经采用过这种设计,而且更为完善
服务端参考代码
但是依然被GFW封锁,此方法已经过时了,开发者早日弃坑吧
The text was updated successfully, but these errors were encountered: