yurigbur / QUICforge

QUICforge is an experimental python tool for request forgery attacks with QUIC

QUICforge

A python attack script built on top of aioquic to perform request forgery with QUIC

Prerequisites

  • Python3 (3.8)
  • NetfilterQueue and Scapy
  • aioquic (0.9.20)
    1. Clone aioquic
    2. Check out a compatible version (0.9.20 was used)
    3. Apply aioquic.diff
    4. Follow the install instructions of aioquic
  • lsquic (3.0.4) (for legacy support, needed for CMRF, connection migration request forgery)
  • Wireshark (3.5.0) (optional)

Installation / Setup

If the prerequisites are met the script should run out of the box. The described installation instructions are likely going to change in the future. If the setup instructions fail, please consult the official documentation of the respective software.

Install NetfilterQueue and Scapy

sudo apt install build-essential python3-dev libnetfilter-queue-dev
sudo pip3 install https://github.com/johnteslade/python-netfilterqueue/archive/refs/heads/update-cython-code.zip
sudo pip3 install scapy

The netfilterqueue extension is compiled for the interpreter that pip installs into, so make sure it is the same python3 that later runs request_forgery.py under sudo.

Installation of aioquic

  • Install dependencies
     apt-get update && apt-get install -y git-core libssl-dev python3-dev python3-pip
     pip3 install aiofiles asgiref httpbin starlette wsproto werkzeug==2.0.3
  • Clone the repository, check out the tested version and apply the diff
     git clone https://github.com/aiortc/aioquic && cd aioquic && git checkout tags/0.9.20
     # TODO: apply aioquic.diff from this repository, e.g. git apply <path/to>/aioquic.diff
     pip3 install -e .

Installation of lsquic for legacy mode

Tested on Ubuntu 20.04

  • Install dependencies
     sudo apt update && sudo apt install -y golang libevent-dev libz-dev git cmake binutils
  • Setup boringssl
     git clone https://boringssl.googlesource.com/boringssl
     cd boringssl
     git checkout a9670a8b476470e6f874fef3554e8059683e1413
     cmake . &&  make
     BORINGSSL=$PWD
     cd ..
  • Compile lsquic
     git clone https://github.com/litespeedtech/lsquic.git
     cd lsquic
     git checkout tags/v3.0.4
     git submodule update --init --recursive
     cmake -DBORINGSSL_DIR=$BORINGSSL .
     make

Changes to the codebase to get a predictable CID of length 20

  • In lsquic/include/lsquic.h: Change
     #define LSQUIC_DF_SCID_LEN 8
    to
     #define LSQUIC_DF_SCID_LEN MAX_CID_LEN
  • In lsquic/src/liblsquic/lsquic_conn.c create a global table with the CIDs you want (each CID must be unique; the entries are 40 bytes long, so the 20-byte memcpy below never reads past the end of a string):
     static int lsquic_cid_ctr = 0;
     static const char *data_buffer[10] = {
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
         "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
         "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC",
         "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
         "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE",
         "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
         "GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG",
         "HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH",
         "IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII",
         "JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ"
     };
    Furthermore, change the function lsquic_generate_cid to something similar to:
     void
     lsquic_generate_cid (lsquic_cid_t *cid, size_t len)
     {
         if (!len) {
             len = 20;   /* MAX_CID_LEN; never fall back to a random length */
         }
         cid->len = len;
         /* The counter is the index of the next static CID. These are the CIDs
          * handed out for new paths, i.e. the ones that end up in path challenges. */
         if (lsquic_cid_ctr < 10) {
             memcpy(cid->idbuf, data_buffer[lsquic_cid_ctr], cid->len);
         } else {
             RAND_bytes(cid->idbuf, len);
         }
         lsquic_cid_ctr++;
     }
    With this, all CIDs will be 20 bytes long and the first 10 generated CIDs will be static. This deliberately removes the randomness of the CIDs, so use such a build only inside the test setup, never as a production client.
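
To check that a build with this change actually emits the expected CIDs, the following added example (not part of QUICforge or lsquic) parses the version-independent header fields of a QUIC datagram (RFC 8999) and matches the connection ID against the table above. It covers both places the CID shows up: as the SCID of long-header packets sent by the patched endpoint, and as the DCID at byte offset 1 of the short-header packets its peer sends back, where no length field exists and the receiver must know the length (20 here). The datagrams in the block are constructed by hand, not captured traffic, and the function names are this example's own.

```python
"""Added example (not part of QUICforge or lsquic): check which connection IDs
a QUIC datagram carries and whether they come from the static table above."""
import struct

CID_LEN = 20  # MAX_CID_LEN in lsquic, and the QUIC v1 maximum (RFC 9000)
# The ten values the patched lsquic_generate_cid hands out first.
STATIC_CIDS = [bytes([c]) * CID_LEN for c in b"ABCDEFGHIJ"]


def parse_cids(datagram: bytes, short_dcid_len: int = CID_LEN):
    """Return (dcid, scid) from the version-independent header (RFC 8999).

    Long headers encode both CID lengths. Short headers carry only the DCID
    with no length field, so the receiver must know it; here that is the 20
    bytes the patched lsquic uses. scid is None for short headers.
    """
    if not datagram:
        raise ValueError("empty datagram")
    if datagram[0] & 0x80:  # header form bit set: long header
        if len(datagram) < 6:
            raise ValueError("truncated long header")
        off = 5  # skip first byte and 32-bit version
        dcid_len = datagram[off]
        off += 1
        dcid = datagram[off:off + dcid_len]
        if len(dcid) != dcid_len:
            raise ValueError("truncated DCID")
        off += dcid_len
        if off >= len(datagram):
            raise ValueError("missing SCID length")
        scid_len = datagram[off]
        off += 1
        scid = datagram[off:off + scid_len]
        if len(scid) != scid_len:
            raise ValueError("truncated SCID")
        return dcid, scid
    # short header: the DCID starts right after the first byte
    dcid = datagram[1:1 + short_dcid_len]
    if len(dcid) != short_dcid_len:
        raise ValueError("truncated short header")
    return dcid, None


def static_cid_index(cid: bytes):
    """Index of cid in STATIC_CIDS, or None if it is not a predictable value."""
    return STATIC_CIDS.index(cid) if cid in STATIC_CIDS else None


def controlled_span(datagram: bytes, short_dcid_len: int = CID_LEN):
    """For a short-header packet addressed to a static CID, return the byte
    range [start, end) of the datagram that the CID chooser controls."""
    dcid, scid = parse_cids(datagram, short_dcid_len)
    if scid is not None or static_cid_index(dcid) is None:
        return None
    return 1, 1 + len(dcid)


def is_malformed(datagram: bytes, short_dcid_len: int = CID_LEN) -> bool:
    """True if parse_cids rejects the datagram."""
    try:
        parse_cids(datagram, short_dcid_len)
    except ValueError:
        return True
    return False


def long_header(version: int, dcid: bytes, scid: bytes, first_byte: int = 0xC0) -> bytes:
    """Invariant prefix of a long header; 0xC0 is form + fixed bit (Initial in v1)."""
    return (bytes([first_byte]) + struct.pack("!I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid)


def short_header(dcid: bytes, first_byte: int = 0x40) -> bytes:
    """Short header: first byte (fixed bit set) followed directly by the DCID."""
    return bytes([first_byte]) + dcid


# Constructed samples, not captured traffic. Payload bytes are filler.
# Long-header packet from the patched endpoint: its own CID is the SCID.
PATCHED_INITIAL = long_header(1, b"\x7a" * 8, STATIC_CIDS[0]) + b"\x00" * 8
# 1-RTT packet its peer sends back: that CID is now the DCID at offset 1.
PEER_1RTT = short_header(STATIC_CIDS[1]) + b"\xff" * 8
# Control sample with an unpredictable CID.
RANDOM_1RTT = short_header(bytes(range(CID_LEN))) + b"\xff" * 8

if __name__ == "__main__":
    for name, pkt in [("patched initial", PATCHED_INITIAL),
                      ("peer 1-RTT", PEER_1RTT), ("random 1-RTT", RANDOM_1RTT)]:
        dcid, scid = parse_cids(pkt)
        print(name, "static index:", static_cid_index(dcid),
              "controlled bytes:", controlled_span(pkt))
```

Feed real datagrams from a capture (for example the UDP payload of packets on port 12345) into parse_cids with the CID length you configured; a short-header packet whose DCID is not in the table means the peer is using a CID that was not generated by the patched code.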

Installation of Development Wireshark (Optional)

  • Clone the Git repository
     git clone https://gitlab.com/wireshark/wireshark.git
     cd wireshark
  • Install dependencies
     sudo ./tools/debian-setup.sh --install-optional --install-deb-deps
  • Build Wireshark
     mkdir build
     cd build
     cmake -G Ninja ../
     ninja
     sudo ninja install

Usage

Generate Certificates

Some of the server implementations expect the certificate and key in other formats; check the respective server's documentation before mounting them into the container.

openssl req -x509 -nodes -newkey rsa:4096 -keyout <name>.key -out <name>.pem -days 365

Use the server docker containers

The pre-built containers can be found here https://hub.docker.com/u/yukonsec

sudo docker run -p 12345:12345/udp -v </path/to/certs/>:/mnt/certs/ -v </tls/keys/output/>:/mnt/keys -it --rm <containername>

Use the attack script

More information about the attack script can be viewed with:

sudo python3 request_forgery.py -h

FAQ

Why is this code so ugly? This code developed over time from a little proof-of-concept script created during my master's thesis. It was not planned to be publicly released and was just created to prove the general possibility of the attacks. Features were not initially planned and were added on top with as little effort as possible. If you have nicer solutions (especially for the multithreading), feel free to share and contribute.

Why did you not include ATS, Quant, PQUIC, ...? I chose open source projects that were functional at the time for the scenarios I needed them for. If an implementation is missing, it was likely buggy or not listed on the QUIC working group's GitHub. Projects that had not been maintained for over a year and did not support the current versions were also dropped.
