FLUSH
March 28th, 2010, 16:06
Hi,
I'm currently trying to reverse the SSL protocol to create a server emulator. As cracking the Server's private key is nearly impossible, I thought about the following:
1. On handshake ClientHello the Client generates a random value which is transferred to the Server.
2. The Server sends the certificate and a random value.
3. The Client calculates the pre-master key and encrypts his public key -> sends to server.
4. The server decrypts the message via his private key.
...
When emulating an SSL server the only challenge seems to be the random value calculated in ClientHello. If the value is always the same, you can use pre-calculated (or dumped) server data for authentication.
I've hooked secur32.dll -> InitializeSecurityContext to read pOutput on ClientHello:
Code:
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>

/* Type of the original export and the slot that receives it. */
typedef SECURITY_STATUS (WINAPI *InitializeSecurityContext_t)(PCredHandle, PCtxtHandle, SEC_CHAR*, ULONG, ULONG, ULONG, PSecBufferDesc, ULONG, PCtxtHandle, PSecBufferDesc, PULONG, PTimeStamp);
static InitializeSecurityContext_t OrigInitializeSecurityContext;
static HANDLE mutex; /* created once with CreateMutex(NULL, FALSE, NULL) when the hook is installed */

/* Hex-dump one SSPI buffer; SECBUFFER_TOKEN buffers hold the raw TLS records. */
static void DumpSecBuffer(const SecBuffer *sb)
{
    const unsigned char *p = (const unsigned char *)sb->pvBuffer;
    unsigned long i;
    printf("BufferType=%lu cbBuffer=%lu\n", sb->BufferType, sb->cbBuffer);
    if (!p) return;
    for (i = 0; i < sb->cbBuffer; i++)
        printf("%02x%c", p[i], (i % 16 == 15) ? '\n' : ' ');
    printf("\n");
}

SECURITY_STATUS WINAPI _InitializeSecurityContextA(PCredHandle phCredential, PCtxtHandle phContext, SEC_CHAR* pszTargetName, ULONG fContextReq, ULONG Reserved1, ULONG TargetDataRep, PSecBufferDesc pInput, ULONG Reserved2, PCtxtHandle phNewContext, PSecBufferDesc pOutput, PULONG pfContextAttr, PTimeStamp ptsExpiry)
{
    HMODULE mod = GetModuleHandle(TEXT("secur32.dll"));
    SECURITY_STATUS stat;
    unsigned i;
    OrigInitializeSecurityContext = (InitializeSecurityContext_t)GetProcAddress(mod, "InitializeSecurityContextA");
    WaitForSingleObject(mutex, INFINITE);
    if (pInput) {   /* tokens received from the server (absent on the first call) */
        for (i = 0; i < pInput->cBuffers; i++)
            DumpSecBuffer(&pInput->pBuffers[i]);
    }
    stat = OrigInitializeSecurityContext(phCredential, phContext, pszTargetName, fContextReq, Reserved1, TargetDataRep, pInput, Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry);
    if (pOutput) {  /* tokens the client will send next, e.g. the ClientHello */
        for (i = 0; i < pOutput->cBuffers; i++)
            DumpSecBuffer(&pOutput->pBuffers[i]);
    }
    ReleaseMutex(mutex);
    return stat;
}
Now to my question: how is the random value for ClientHello in secur32.dll computed? Is it possible to overwrite the value? Maybe via hooking the function secur32 calls to compute the value?
And please excuse the above source code... my coding experience with C is now 2 weeks...
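Added example, not part of the post above: a small C parser that pulls the 32-byte client random out of a dumped ClientHello record, so two successive dumps from the hook can be compared to confirm that the random is fresh per handshake (which is exactly what makes a replayed server transcript fail). The record builder and the randoms it wraps are constructed sample data, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_RANDOM_LEN 32

/* Copy the 32-byte client random out of a raw TLS record that carries a ClientHello.
 * Returns 1 on success, 0 if the bytes are not a well-formed handshake/ClientHello record. */
int extract_client_random(const uint8_t *buf, size_t len, uint8_t out[TLS_RANDOM_LEN])
{
    /* Record header: content type (1) | version (2) | length (2); 0x16 = handshake */
    if (len < 5 || buf[0] != 0x16) return 0;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len + 5 > len || rec_len < 4) return 0;
    const uint8_t *hs = buf + 5;
    /* Handshake header: msg type (1) | length (3); 0x01 = ClientHello */
    if (hs[0] != 0x01) return 0;
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (hs_len + 4 > rec_len || hs_len < 2 + TLS_RANDOM_LEN + 1) return 0;
    /* Body: client_version (2) | random (32) | session_id_len (1) | ... */
    memcpy(out, hs + 4 + 2, TLS_RANDOM_LEN);
    return 1;
}

/* 1 if both records carry the same client random, 0 if they differ, -1 if either fails to parse. */
int client_random_repeats(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    uint8_t ra[TLS_RANDOM_LEN], rb[TLS_RANDOM_LEN];
    if (!extract_client_random(a, alen, ra) || !extract_client_random(b, blen, rb)) return -1;
    return memcmp(ra, rb, TLS_RANDOM_LEN) == 0;
}

/* Constructed sample: a minimal TLS 1.0 ClientHello (one cipher suite, no extensions)
 * wrapped around a caller-supplied random. Returns the record length (50 bytes). */
size_t build_sample_client_hello(const uint8_t rnd[TLS_RANDOM_LEN], uint8_t rec[64])
{
    static const uint8_t head[] = { 0x16, 0x03, 0x01, 0x00, 0x2d,   /* handshake record, len 45 */
                                    0x01, 0x00, 0x00, 0x29,         /* ClientHello, len 41 */
                                    0x03, 0x01 };                   /* client_version 3.1 */
    static const uint8_t tail[] = { 0x00,                           /* session_id length 0 */
                                    0x00, 0x02, 0x00, 0x2f,         /* cipher_suites: one suite */
                                    0x01, 0x00 };                   /* compression: null only */
    memcpy(rec, head, sizeof head);
    memcpy(rec + sizeof head, rnd, TLS_RANDOM_LEN);
    memcpy(rec + sizeof head + TLS_RANDOM_LEN, tail, sizeof tail);
    return sizeof head + TLS_RANDOM_LEN + sizeof tail;
}
```

Feed the bytes of a SECBUFFER_TOKEN output buffer from the hook into extract_client_random instead of the constructed record to inspect a real dump.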
