NULL cipher unencrypted connection

by FelixBauer 8 months ago

GNU/Linux ◆ foot ◆ bash 247 views

Even if the accessed resource is https doesn’t guarantee the traffic can not be seen.

This is not a downgrade attack simply the client and the server use the NULL cipher.

The connection handshake negotiates the NULL cipher and data is transferred in plain text.

openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -cipher "NULL-SHA:@SECLEVEL=0" -no_tls1_3

openssl s_client -cipher "NULL-SHA:@SECLEVEL=0" -no_tls1_3 -connect localhost:44330 

sudo tcpdump -nA -i lo 'port 44330'

More by FelixBauer

SambaCry exploit and vulnerable container (CVE-2017-7494) 02:37

by FelixBauer 4 years ago

seccomp 02:54

by FelixBauer 2 years ago

Check app security with mitmproxy --mode wireguard 00:39

by FelixBauer 1 year ago

Routing Basics (inside LXD) 08:22

by FelixBauer 6 years ago

See all

You can download this recording in asciicast v2 format, as a .cast file.

Download

Replay in terminal

You can replay the downloaded recording in your terminal using the asciinema play command:

asciinema play 648718.cast

If you don't have asciinema CLI installed then see installation instructions.

Use with stand-alone player on your website

Download asciinema player from the releases page (you only need .js and .css file), then use it like this:

<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="asciinema-player.css" />
</head>
<body>
  <div id="player"></div>
  <script src="asciinema-player.min.js"></script>
  <script>
    AsciinemaPlayer.create(
      '/assets/648718.cast',
      document.getElementById('player'),
      { cols: 124, rows: 31 }
    );
  </script>
</body>
</html>

See asciinema player quick-start guide for full usage instructions.

While this site doesn't provide GIF conversion at the moment, you can still do it yourself with the help of asciinema GIF generator utility - agg.

Once you have it installed, generate a GIF with the following command:

agg https://asciinema.org/a/648718 demo.gif

Or, if you already downloaded the recording file:

agg demo.cast demo.gif

Check agg --help for all available options. You can change font family and size, select color theme, adjust speed and more.

See agg manual for full usage instructions.