TLS alert internal error received, make sure to use RC4-SHA #17

Open
mrj0b opened this issue Feb 19, 2018 · 10 comments

@mrj0b

mrj0b commented Feb 19, 2018

The RDP connection gets stuck and Seth doesn't capture anything.

@AdrianVollmer
Member

Can you please run it with SETH_DEBUG=1 ./seth.sh ... and post the output?

@mrj0b
Author

mrj0b commented Feb 20, 2018

[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 190.168.1.2
[*] Clone the x509 certificate of the original destination...
[*] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Warning: The python3 module 'hexdump' is missing. Using hexlify instead.
Listening for new connection
Connection received from 190.168.5.100:49178
Listening for new connection
From client:
030000130ee000000000000100080003000000
From server:
030000130ed000001234000201080002000000
Enable SSL
From client:
3037a003020102a130302e302ca02a04284e544c4d5353500001000000b78208e2000000000000000000000000000000000601b11d0000000f
TLS alert internal error received, make sure to use RC4-SHA

@mrj0b
Author

mrj0b commented Feb 20, 2018

[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 190.168.1.2
[*] Clone the x509 certificate of the original destination...
[*] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Listening for new connection
Connection received from 190.168.5.100:49226
Listening for new connection
From client:
00000000: 03 00 00 13 0E E0 00 00 00 00 00 01 00 08 00 03 ................
00000010: 00 00 00 ...
From server:
00000000: 03 00 00 13 0E D0 00 00 12 34 00 02 01 08 00 02 .........4......
00000010: 00 00 00 ...
Enable SSL
From client:
00000000: 30 37 A0 03 02 01 02 A1 30 30 2E 30 2C A0 2A 04 07......00.0,.*.
00000010: 28 4E 54 4C 4D 53 53 50 00 01 00 00 00 B7 82 08 (NTLMSSP........
00000020: E2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 06 01 B1 1D 00 00 00 0F .........
TLS alert internal error received, make sure to use RC4-SHA
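
Added example, not part of the thread and not Seth's own code: a decoder for the three hex messages in the debug output above, using the TPKT, X.224 and RDP_NEG_REQ/RDP_NEG_RSP layouts from MS-RDPBCGR and the NTLMSSP message header. The function and constant names are this example's own.

```python
import struct

# Bytes copied from the SETH_DEBUG output posted above.
CLIENT_REQ = bytes.fromhex("030000130ee000000000000100080003000000")
SERVER_RSP = bytes.fromhex("030000130ed000001234000201080002000000")
FIRST_TLS_MSG = bytes.fromhex(
    "3037a003020102a130302e302ca02a0428" "4e544c4d53535000" "01000000"
    "b78208e2" + "00" * 16 + "0601b11d0000000f")

PROTOCOLS = {0x1: "SSL", 0x2: "HYBRID", 0x4: "RDSTLS", 0x8: "HYBRID_EX"}
X224 = {0xE0: "ConnectionRequest", 0xD0: "ConnectionConfirm"}
NEG = {0x01: "RDP_NEG_REQ", 0x02: "RDP_NEG_RSP", 0x03: "RDP_NEG_FAILURE"}


def protocol_names(value, bitmask):
    """Name security protocols: a request carries a bitmask, a response one value."""
    if value == 0:
        return ["RDP"]  # standard RDP security only
    if not bitmask:
        return [PROTOCOLS.get(value, hex(value))]
    return [name for bit, name in PROTOCOLS.items() if value & bit]


def parse_negotiation(pdu):
    """Decode TPKT + X.224 CR/CC and the trailing 8-byte negotiation structure."""
    version, _, length = struct.unpack(">BBH", pdu[:4])
    if version != 3 or length != len(pdu) or len(pdu) < 19:
        raise ValueError("not a complete TPKT packet with negotiation data")
    li, code = pdu[4], pdu[5]
    if li != len(pdu) - 5 or code not in X224:
        raise ValueError("not an X.224 connection request/confirm")
    # A routing token or cookie may precede it; the structure is the last 8 bytes.
    neg_type, flags, neg_len, value = struct.unpack("<BBHI", pdu[-8:])
    if neg_type not in NEG or neg_len != 8:
        raise ValueError("no RDP negotiation structure")
    result = {"x224": X224[code], "type": NEG[neg_type], "flags": flags}
    if neg_type == 0x03:
        result["failure_code"] = value
    else:
        result["protocols"] = protocol_names(value, bitmask=(neg_type == 0x01))
    return result


def ntlm_message_type(blob):
    """Return the NTLMSSP type (1=NEGOTIATE, 2=CHALLENGE, 3=AUTHENTICATE) or None."""
    idx = blob.find(b"NTLMSSP\x00")
    if idx < 0 or len(blob) < idx + 12:
        return None
    return struct.unpack_from("<I", blob, idx + 8)[0]
```

For the bytes in this log, the client requests SSL and HYBRID, the server selects HYBRID (CredSSP), and the first message inside TLS is an NTLMSSP NEGOTIATE. `protocol_names(11, True)` and `protocol_names(3, True)` decode the two values in the "Downgrading authentication options from 11 to 3" line that appears later in the thread.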

@AdrianVollmer
Member

Not sure what the problem is. I'm also very busy with other things these days, so sorry about the delay. Can you tell me the versions of the following software packages? Maybe that will give me a clue.

  • python
  • openssl
  • the windows RDP client
  • the windows RDP host

@therokh

therokh commented Mar 24, 2018

I am having the same error when authenticating on connection.

Python: 3.4.5
OpenSSL: 1.0.2k-fips 26 Jan 2017
Windows RDP client: Windows 10 version 1709 - OS Build 16299.309
Windows RDP host: Windows Server 2012 R2

@therokh

therokh commented Mar 25, 2018

From the box running Seth:
openssl s_client -connect 10.3.201.20:3389 --showcerts

CONNECTED(00000003)
depth=0 CN = WIN-MJBCIAMI6CU
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = WIN-MJBCIAMI6CU
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=WIN-MJBCIAMI6CU
   i:/CN=WIN-MJBCIAMI6CU
---
Server certificate
subject=/CN=WIN-MJBCIAMI6CU
issuer=/CN=WIN-MJBCIAMI6CU
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1282 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 3C3E00001BF29065C8D056572BB6B901AA9BF66B7BF62FB9C23EC5B15E1D4904
    Session-ID-ctx:
    Master-Key: 74DE41503EDF3C8108BA6DB2921778878C0415571F08A217EF794CCE6E9C111E5303A10BA6138914DD2EC752D78F0F02
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1521944433
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

@AdrianVollmer
Member

Could you please provide a list of TLS ciphers that the RDP host is offering? For example with sslscan <host ip>:3389

Maybe there is some cipher mismatch between the python client and the windows host.

@therokh

therokh commented May 30, 2018

Refer attached for sslscan
sslscan.txt

@AdrianVollmer
Member

Thanks! RC4-SHA is supported, so still no idea... I slightly increased verbosity with the latest commit, so you could pull and try again.

@therokh

therokh commented May 30, 2018

It does not appear to trigger the sslError:

Listening for new connection
Connection received from x.x.x.x:32720
Downgrading authentication options from 11 to 3
Listening for new connection
Enable SSL
[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1748)
TLS alert internal error received, make sure to use RC4-SHA
Connection received from x.x.x.x:32721
Downgrading authentication options from 11 to 3
Listening for new connection
Enable SSL
[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1748)
TLS alert internal error received, make sure to use RC4-SHA
