Detecting Sweet32 vulnerability in a Web-Application

Introduction:

Protocols like TLS and OpenVPN commonly use block cipher algorithms, such as AES, Triple-DES or 3DES or Blowfish, to encrypt data between clients and servers.Ciphers such as Triple-DES and Blowfish use a block size of 64 bits, whereas AES uses a block size of 128 bits. These short block ciphers are vulnerable to Birthday Attacks (A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory.).

Triple-DES is the second most widely supported cipher (after AES). In HTTPS servers around 87% of servers support it. Furthermore, all popular web browsers(firefox, chrome, Edge browser) support Triple-DES. The cipher that is actually negotiated for a TLS connection is chosen by the server, based on its local preference order and on the order in which the client advertises its ciphersuites.

Sweet-32 Detection

Detecting if the application is vulnerable:

Nmap script: nmap -p <port> –script ssl-enum-ciphers <host>

Host: The ip address to test the vulnerability on.

Port: The port of the host, to test vulnerability on.

Output:

PORT STATE SERVICE

443/tcp open https

| ssl-enum-ciphers:

| TLSv1.0:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) — A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) — A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) — A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) — A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) — A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) — A

| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) — C

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) — C

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) — C

| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) — C

| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) — C

| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) — C

| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) — C

| compressors:

| NULL

| cipher preference: server

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

| Broken cipher RC4 is deprecated by RFC 7465

| Ciphersuite uses MD5 for message integrity

| Weak certificate signature: SHA1

| TLSv1.2:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) — A

| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) — A

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) — A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) — A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) — A

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) — A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) — A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) — A

| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) — A

| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) — A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) — A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) — A

| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (secp256r1) — C

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) — C

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) — C

| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (secp256r1) — C

| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) — C

| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) — C

| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) — C

| compressors:

| NULL

| cipher preference: server

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

| Broken cipher RC4 is deprecated by RFC 7465

| Ciphersuite uses MD5 for message integrity

| _ least strength: C

In the above output, the 3DES ciphers(highlighted ones) are the ones, that are vulnerable and it shows that the server is vulnerable to Sweet32 Attack.

For further confirmation we can use:

SSL labs tool for ssl vulnerabilities: https://www.ssllabs.com/ssltest/index.html

Sweet32 birthday attack:

The DES ciphers (and triple-DES) only have a 64-bit block size. This enables an attacker to run malicious JavaScript in a browser and send large amounts of traffic during the same TLS connection, creating a collision. With this collision, the attacker is able to retrieve information from a session cookie.

This vulnerability could be used by a MITM(man-in-the-middle) attacker to recover some plain-text data. The attacker is able to intercept and receive vast volumes of encrypted traffic between the client and the TLS/SSL server.

Thanks

Referene:

  1. Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN https://sweet32.info/

Connect with me via : https://www.i-vk.co.in

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vinayak Khandelwal

Vinayak Khandelwal

• Software Engineer with years of experience in Software design and Development. Worked on multiple technologies like Nginx, Spring, AWS, Java, Python, etc,