Detecting Sweet32 vulnerability in a Web-Application
Introduction:
Protocols like TLS and OpenVPN commonly use block cipher algorithms such as AES, Triple-DES (3DES) or Blowfish to encrypt data between clients and servers. Triple-DES and Blowfish use a block size of 64 bits, whereas AES uses a block size of 128 bits. Ciphers with such a short block are vulnerable to birthday attacks. (A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory: among values drawn from a space of N possibilities, a repeat becomes likely after about sqrt(N) samples, which is about 2^32 blocks for a 64-bit block cipher but 2^64 blocks for AES.)
Triple-DES is the second most widely supported cipher (after AES): around 87% of HTTPS servers support it. Furthermore, all popular web browsers (Firefox, Chrome, Edge) support Triple-DES. The ciphersuite actually negotiated for a TLS connection is chosen by the server, based on its local preference order and on the order in which the client advertises its ciphersuites, so a server that merely offers 3DES will not necessarily use it with every client.
Detecting if the application is vulnerable:
Nmap script: nmap -p <port> --script ssl-enum-ciphers <host>
Host: the IP address or hostname of the server to test.
Port: the TLS port on that host to test (443 for HTTPS).
Output:
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|_  least strength: C
In the output above, the ciphersuites containing 3DES_EDE_CBC (rated C) are the vulnerable ones, and the warning line "64-bit block cipher 3DES vulnerable to SWEET32 attack" confirms that the server offers a Sweet32-vulnerable cipher under both TLSv1.0 and TLSv1.2. Note that with "cipher preference: server" the 3DES suites are listed after the AES suites, so a client that also offers AES will normally be given AES; the 3DES suites remain reachable by any client that offers only 3DES, and the fix is to remove every 64-bit block ciphersuite from the server configuration rather than rely on the ordering.
For further confirmation we can use the Qualys SSL Labs server test, which also flags 64-bit block ciphers:
SSL Labs SSL Server Test: https://www.ssllabs.com/ssltest/index.html
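When many hosts are scanned, the ssl-enum-ciphers output is easier to triage by script than by eye. The following Python is an added example, not part of the original post or of Nmap: it parses output in the format shown above (the SAMPLE_OUTPUT string is a trimmed copy of that output, embedded here as constructed input), lists every 64-bit block ciphersuite per protocol version, and, when the server enforces its own preference, reports whether a 64-bit block suite is ordered ahead of every AES, Camellia or ChaCha20 suite. The regular expressions and the substring tags used to classify ciphersuite names are this example's own assumptions about the output format and about IANA suite naming.

```python
import re

# Block ciphers with a 64-bit block, as they appear in IANA ciphersuite names (assumed tag list)
SIXTY_FOUR_BIT_BLOCK = ("3DES_EDE", "DES_CBC", "IDEA_CBC", "RC2_CBC")
# Bulk ciphers with a 128-bit block or a stream cipher, i.e. not affected by Sweet32
LARGE_BLOCK_OR_STREAM = ("_AES_", "_CAMELLIA_", "_CHACHA20_", "_ARIA_")

# Trimmed copy of the ssl-enum-ciphers output above, used as constructed input for this example
SAMPLE_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
"""

# Line shapes assumed from the output format above
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
PREF_RE = re.compile(r"^\|\s+cipher preference:\s+(\w+)\s*$")


def parse_ssl_enum_ciphers(text):
    """Map each protocol version to the ciphersuites listed under it (in the order
    nmap prints them, which is the server's order when preference is 'server')
    and to the reported cipher preference."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"ciphers": [], "preference": None}
            continue
        if current is None:
            continue
        m = CIPHER_RE.match(line)
        if m:
            result[current]["ciphers"].append(m.group(1))
            continue
        m = PREF_RE.match(line)
        if m:
            result[current]["preference"] = m.group(1)
    return result


def is_64bit_block(suite):
    """True when the suite's bulk cipher has a 64-bit block (Sweet32-relevant)."""
    return any(tag in suite for tag in SIXTY_FOUR_BIT_BLOCK)


def sweet32_findings(text):
    """For every protocol version that offers a 64-bit block suite, report those suites
    and whether the server, when it enforces its own order, would pick one of them
    ahead of every AES/Camellia/ChaCha20 suite (None when the client chooses)."""
    findings = {}
    for proto, info in parse_ssl_enum_ciphers(text).items():
        order = info["ciphers"]
        weak = [s for s in order if is_64bit_block(s)]
        if not weak:
            continue
        prefers_weak = None
        if info["preference"] == "server":
            first_weak = order.index(weak[0])
            strong = [i for i, s in enumerate(order)
                      if any(t in s for t in LARGE_BLOCK_OR_STREAM)]
            prefers_weak = not strong or first_weak < strong[0]
        findings[proto] = {"weak_suites": weak, "server_prefers_weak": prefers_weak}
    return findings


if __name__ == "__main__":
    for proto, f in sweet32_findings(SAMPLE_OUTPUT).items():
        print(proto, "offers", ", ".join(f["weak_suites"]),
              "| 64-bit block suite preferred over AES:", f["server_prefers_weak"])
```

Feed it the saved output of nmap -oN for each host; a protocol version with server_prefers_weak set to True is the one that will hand 3DES even to modern clients, while False means only 3DES-only clients reach it, which is still a finding.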
Sweet32 birthday attack:
DES and Triple-DES have only a 64-bit block size, so about 2^32 blocks (32 GiB) encrypted under one key in CBC mode are enough to make a repeated ciphertext block likely. In Sweet32 the attacker runs malicious JavaScript in the victim's browser that sends a very large number of requests, each carrying the victim's session cookie, over the same long-lived TLS connection until such a collision occurs. Because CBC computes C[i] = E(P[i] XOR C[i-1]), two equal ciphertext blocks C[i] = C[j] reveal P[i] XOR P[j] = C[i-1] XOR C[j-1]; when one of the two plaintext blocks is attacker-controlled, the other, a block of the session cookie, is recovered.
The attacker must be in a man-in-the-middle position (or any passive position on the network path) to intercept and record the vast volume of encrypted traffic between the client and the TLS/SSL server; the published attack captured on the order of 785 GB on a single connection, and it only works if a 3DES ciphersuite was actually negotiated. That makes the attack slow and noisy in practice, but it recovers real plaintext, so 64-bit block ciphersuites should be disabled rather than tolerated.
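The collision argument above is easier to trust once it has been watched working. The following Python is an added example, not code from the original post or from the Sweet32 authors: it scales the attack down to a toy 16-bit block cipher (a random permutation standing in for 3DES, constructed for this example) so that the birthday collision arrives after a few thousand blocks instead of 2^32, encrypts a constructed stream in which every "request" is one attacker-chosen block followed by the secret cookie block, and then recovers the secret from the first ciphertext collision between a cookie block and an attacker-known block using exactly the CBC relation P[i] XOR P[j] = C[i-1] XOR C[j-1]. It also evaluates the birthday bound for the real 64-bit case. Block size, seed, traffic shape and function names are this example's assumptions; a real cookie spans several blocks, each of which must collide separately.

```python
import random
from math import exp

BLOCK_BITS = 16                     # toy block size: collisions appear after ~2^8 blocks
                                    # (3DES has 64-bit blocks, so ~2^32 blocks are needed)


def birthday_collision_probability(block_bits, n_blocks):
    """Probability that at least two of n_blocks uniformly random block_bits-bit
    values coincide, using the standard approximation 1 - exp(-n^2 / 2^(b+1))."""
    return 1.0 - exp(-(n_blocks ** 2) / 2.0 ** (block_bits + 1))


def bytes_needed(block_bits, n_blocks):
    """Bytes of ciphertext that carry n_blocks blocks of block_bits bits."""
    return n_blocks * block_bits // 8


class ToyBlockCipher:
    """A secret random permutation of the BLOCK_BITS-bit block space standing in for
    3DES under one session key (constructed for this example). Only the permutation
    property is used: equal ciphertext blocks imply equal cipher inputs."""

    def __init__(self, seed):
        self._table = list(range(1 << BLOCK_BITS))
        random.Random(seed).shuffle(self._table)

    def encrypt(self, block):
        return self._table[block]


def cbc_encrypt(cipher, iv, plaintext_blocks):
    """CBC mode, C[i] = E(P[i] XOR C[i-1]) with C[-1] = iv. Returns [iv, C[0], C[1], ...],
    so chained[i] is the block XORed into plaintext i and chained[i+1] is its ciphertext.
    The IV is visible on the wire in TLS, so the attacker knows every chained[] value."""
    chained = [iv]
    for p in plaintext_blocks:
        chained.append(cipher.encrypt(p ^ chained[-1]))
    return chained


def attacker_traffic(secret, n_requests, rng):
    """Constructed plaintext stream modelling what the malicious JavaScript causes: each
    request is one attacker-chosen block followed by the victim's secret (cookie) block.
    Returns (blocks, known) where known[i] is the attacker's plaintext at index i, or
    None where the secret sits."""
    blocks, known = [], []
    for _ in range(n_requests):
        k = rng.getrandbits(BLOCK_BITS)
        blocks += [k, secret]
        known += [k, None]
    return blocks, known


def recover_secret(chained, known):
    """Sweet32 core: if the ciphertext at a secret position i equals the ciphertext at a
    known position j, then S XOR C[i-1] == K_j XOR C[j-1] (E is a permutation), hence
    S == K_j XOR C[i-1] XOR C[j-1]. Returns (secret, i, j) or None if no such collision."""
    seen = {}                                   # ciphertext value -> a known position j
    for j, k in enumerate(known):
        if k is not None:
            seen.setdefault(chained[j + 1], j)
    for i, k in enumerate(known):
        if k is None and chained[i + 1] in seen:
            j = seen[chained[i + 1]]
            return known[j] ^ chained[i] ^ chained[j], i, j
    return None


def demo(seed=2024, n_requests=2048):
    """Run the toy attack end to end; deterministic for a given seed."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(seed + 1)
    secret = rng.getrandbits(BLOCK_BITS)        # the cookie block the attacker wants
    iv = rng.getrandbits(BLOCK_BITS)
    blocks, known = attacker_traffic(secret, n_requests, rng)
    chained = cbc_encrypt(cipher, iv, blocks)
    found = recover_secret(chained, known)
    return {
        "secret": secret,
        "recovered": None if found is None else found[0],
        "blocks_sent": len(blocks),
        "collision_probability": birthday_collision_probability(BLOCK_BITS, len(blocks)),
    }


if __name__ == "__main__":
    print(demo())
    gib = bytes_needed(64, 2 ** 32) / 2 ** 30
    print(f"3DES: 2^32 blocks = {gib:.0f} GiB on one connection for a "
          f"{birthday_collision_probability(64, 2 ** 32):.0%} chance of a collision")
```

Scaling the numbers back up is the practitioner's check: with a 64-bit block, 2^32 blocks is 32 GiB of data on one connection for roughly a 39% chance of any collision, and only collisions that pair a cookie block with an attacker-known block are useful, which is why the real attack needed hundreds of gigabytes.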
Thanks
Reference:
- Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN https://sweet32.info/
Connect with me via : https://www.i-vk.co.in