FCo

Reputation: 505

Scapy Send/Sniff Packet with SSLv2Record not Parsed Correctly

I have a packet in scapy like this:

###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ TCP ]###
 sport= 50034
 dport= https
 seq= 0
 ack= 0
 dataofs= None
 reserved= 0
 flags= S
 window= 8192
 chksum= None
 urgptr= 0
 options= {}
###[ SSL/TLS ]###
    \records\
     |###[ SSLv2 Record ]###
     |  length= 0x591
     |  content_type= 5
     |###[ Raw ]###
     |  load= '\xbf'

I do send(packet) and then in another terminal (on the same machine), I'm running

a = sniff(filter = "port https", prn = lambda x:x.summary())

When I print out the received packet, it looks like this:

###[ Ethernet ]###
  dst= ff:ff:ff:ff:ff:ff
  src= 00:00:00:00:00:00
  type= 0x800
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 44
  id= 1
  flags=
  frag= 0L
  ttl= 64
  proto= tcp
  chksum= 0x7cc9
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ TCP ]###
    sport= 50034
    dport= https
    seq= 0
    ack= 0
    dataofs= 5L
    reserved= 0L
    flags= S
    window= 8192
    chksum= 0xc15e
    urgptr= 0
    options= []
###[ SSL/TLS ]###
       \records\
###[ Raw ]###
          load= '\x05\x91\x05\xbf'

The main issue is that the SSLv2Record is not showing up after the packet has been sniffed. The content of the records list in the SSL/TLS field is completely off. Has anyone seen this before? Please let me know if I need to add more detail.

I am 100% certain that the packet I am printing out after sniffing is the correct packet.

I believe I am using the right send (just send, not sendp, etc.) for this type of packet. I have been able to send and sniff other packets without the SSLv2Record field without issue.

Does it appear I am sending or receiving this packet incorrectly?

Upvotes: 0

Views: 636

Answers (1)

tintin

Reputation: 3356

This is actually a bug in scapy-ssl_tls, resolved with PR#76, where the SSLv2Record layer failed to properly serialize the object. Your packet got serialized as \x05\x91\x05\xbf whereas it should be \x85\x91\x05\xbf. The difference is that for a valid SSLv2 Record the MSB of the length must be set.

>>> SSL('\x05\x91\x05\xbf')
<SSL  records=[] |<Raw  load='\x05\x91\x05\xbf' |>>
>>> SSL('\x85\x91\x05\xbf')
<SSL  records=[<SSLv2Record  length=0x591 content_type=5 |<Raw  load='\xbf' |>>] |>

Here's a quick test to check re-deserialization:

wrong:

>>> SSL(str(SSL(records=[SSLv2Record(length=0x591, content_type=5)/"\xbf"])))
<SSL  records=[] |<Raw  load='\x05\x91\x05\xbf' |>>

correct:

>>> SSL(str(SSL(records=[SSLv2Record(length=0x591, content_type=5)/"\xbf"])))
<SSL  records=[<SSLv2Record  length=0x591 content_type=5 |<Raw  load='\xbf' |>>] |>

Upvotes: 1
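To make the framing point concrete without depending on scapy-ssl_tls, here is an added example (not code from the question, the answer, or the scapy-ssl_tls project) in Python 3. It decodes both SSL 2.0 record header forms as the SSL 2.0 draft defines them, which goes slightly beyond the answer: the two-byte header has bit 7 of the first byte set and carries a 15-bit length, while the three-byte header has bit 7 clear, uses bit 6 as the "is escape" flag, carries a 14-bit length, and adds a padding-count byte. It then imitates the dissector behaviour shown in the answer's output, where only the two-byte form becomes an SSLv2Record and everything else stays Raw, and reproduces both the buggy (`set_msb=False`) and the fixed serialization of the record from the question. The names `SSLv2Header`, `SSLDissection`, `parse_sslv2_header`, `build_sslv2_record` and `dissect` are this example's own, not library API.

```python
"""Minimal SSLv2 record framing parser/builder (added example, Python 3).

SSL 2.0 record header (draft-hickman-netscape-ssl-00):
  two-byte header:   bit 7 of byte 0 set, length = low 15 bits, no padding
  three-byte header: bit 7 clear, bit 6 = is_escape, length = low 14 bits,
                     byte 2 = number of padding bytes
A handshake record body starts with a one-byte message type, which the
scapy-ssl_tls layer in the answer calls content_type.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SSLv2Header:
    length: int       # declared length of the record body
    header_size: int  # 2 or 3
    is_escape: bool   # three-byte form only
    padding: int      # three-byte form only


@dataclass
class SSLv2Record:
    length: int
    content_type: int
    load: bytes


@dataclass
class SSLDissection:
    records: List[SSLv2Record] = field(default_factory=list)
    raw: bytes = b""   # undissected bytes, analogous to scapy's Raw layer


def parse_sslv2_header(data: bytes) -> SSLv2Header:
    """Decode the two- or three-byte SSLv2 record header at the start of data."""
    if len(data) < 2:
        raise ValueError("need at least two bytes for an SSLv2 record header")
    b0, b1 = data[0], data[1]
    if b0 & 0x80:
        # Two-byte form: high bit set, remaining 15 bits are the length.
        return SSLv2Header(((b0 & 0x7F) << 8) | b1, 2, False, 0)
    if len(data) < 3:
        raise ValueError("three-byte header is truncated")
    # Three-byte form: bit 6 is the escape flag, low 14 bits are the length,
    # the third byte counts padding bytes at the end of the body.
    return SSLv2Header(((b0 & 0x3F) << 8) | b1, 3, bool(b0 & 0x40), data[2])


def build_sslv2_record(length: int, content_type: int, load: bytes,
                       set_msb: bool = True) -> bytes:
    """Serialize a record with a two-byte header, in the spirit of
    SSLv2Record(length=..., content_type=...)/load from the answer.
    set_msb=False reproduces the pre-fix output that drops the high bit."""
    if not 0 <= length <= 0x7FFF:
        raise ValueError("two-byte header length must fit in 15 bits")
    b0 = (length >> 8) | (0x80 if set_msb else 0x00)
    return bytes([b0, length & 0xFF, content_type]) + load


def dissect(data: bytes) -> SSLDissection:
    """Imitate the SSL() dissector output shown in the answer: only a record
    whose first byte has the high bit set becomes an SSLv2Record; anything
    else is left as Raw with an empty records list."""
    hdr = parse_sslv2_header(data)
    if hdr.header_size != 2 or len(data) < 3:
        return SSLDissection(records=[], raw=data)
    body = data[2:]
    return SSLDissection(records=[SSLv2Record(hdr.length, body[0], body[1:])])


if __name__ == "__main__":
    # The exact bytes from the question (buggy) and the answer (fixed).
    for wire in (b"\x05\x91\x05\xbf", b"\x85\x91\x05\xbf"):
        print(wire, "->", parse_sslv2_header(wire), dissect(wire))
    fixed = build_sslv2_record(0x591, 5, b"\xbf")
    buggy = build_sslv2_record(0x591, 5, b"\xbf", set_msb=False)
    print("fixed :", fixed, dissect(fixed).records)
    print("buggy :", buggy, dissect(buggy).records)
```

Running it shows why the sniffed packet collapsed into Raw: `\x05\x91\x05\xbf` has bit 7 clear, so a spec-following parser reads it as a three-byte header (length 0x591, padding 5) rather than the two-byte header the sender meant, and a dissector that only recognizes the two-byte form gets nothing. Setting the high bit, as the fix does, makes the record round-trip.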
