{"id":18265900,"url":"https://github.com/mpgn/beast-poc","last_synced_at":"2025-10-11T16:10:47.465Z","repository":{"id":29491937,"uuid":"33029463","full_name":"mpgn/BEAST-PoC","owner":"mpgn","description":":muscle: Proof Of Concept of the BEAST attack against SSL/TLS CVE-2011-3389 :muscle:","archived":false,"fork":false,"pushed_at":"2019-01-30T21:36:22.000Z","size":36,"stargazers_count":73,"open_issues_count":0,"forks_count":31,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-04T21:40:18.808Z","etag":null,"topics":["beast","plaintext-attack","python","sslv3","tls"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mpgn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-03-28T10:28:16.000Z","updated_at":"2025-02-04T11:32:42.000Z","dependencies_parsed_at":"2022-08-24T07:10:18.553Z","dependency_job_id":null,"html_url":"https://github.com/mpgn/BEAST-PoC","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mpgn/BEAST-PoC","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpgn%2FBEAST-PoC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpgn%2FBEAST-PoC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpgn%2FBEAST-PoC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpgn%2FBEAST-PoC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mpgn","download_url":"https://codeload.github.com/mpgn/BEAST-PoC/tar.gz/refs/heads/master","sbom_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpgn%2FBEAST-PoC/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279007786,"owners_count":26084364,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["beast","plaintext-attack","python","sslv3","tls"],"created_at":"2024-11-05T11:20:33.956Z","updated_at":"2025-10-11T16:10:47.435Z","avatar_url":"https://github.com/mpgn.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BEAST-PoC (chosen-plaintext attack)\n\nThis proof of concept is focused on the cryptography behind the BEAST (Browser Exploit Against SSL/TLS) attack presented by Thai Duong and Juliano Rizzo on September 23, 2011. This is a [chosen-plaintext attack](https://en.wikipedia.org/wiki/Chosen-plaintext_attack) and it allows you to retrieve sensitive information if the Transport Layer Security version used is TLS1.0 or SSLv3.\nThe original proof of concept can be found here: [Here come the Ninjas](http://netifera.com/research/beast/beast_DRAFT_0621.pdf)\n\n**Note**: This is also an implementation of the vulnerability originally discovered by [Phillip Rogaway](https://en.wikipedia.org/wiki/Phillip_Rogaway). Discovered in 2002, there was no exploit released until BEAST in 2011. 
OpenSSL already knew about the [problem](https://www.openssl.org/~bodo/tls-cbc.txt) and this is why they updated TLS1.0 to TLS1.1 in April 2006.\n\n\u003e 2 The CBC IV for each record except the first is the previous records' last\n   ciphertext block.  Thus the encryption is not secure against adversaries who\n   can adaptively choose plaintexts;\n\n### Be the BEAST\n\n#### 1. SSLv3/TLS1.0 and CBC cipher mode\n\nSSLv3/TLS1.0 are protocols to encrypt/decrypt and secure your data. In our case, they both use the [CBC cipher mode chaining](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_.28CBC.29). The plaintext is divided into blocks according to the encryption algorithm (AES, DES, 3DES) and the length is a multiple of 8 or 16. If the plaintext does not fill the length, a [padding](https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7) is added at the end to complete the missing space. I strongly advise you to open these images of [encryption](https://upload.wikimedia.org/wikipedia/commons/thumb/8/80/CBC_encryption.svg/601px-CBC_encryption.svg.png) and [decryption](https://upload.wikimedia.org/wikipedia/commons/thumb/2/2a/CBC_decryption.svg/601px-CBC_decryption.svg.png) while reading this readme.\n\n\nEncryption | Decryption\n--- | --- \nC\u003csub\u003ei\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(P\u003csub\u003ei\u003c/sub\u003e ⊕ C\u003csub\u003ei-1\u003c/sub\u003e), and C\u003csub\u003e0\u003c/sub\u003e = IV | P\u003csub\u003ei\u003c/sub\u003e = D\u003csub\u003ek\u003c/sub\u003e(C\u003csub\u003ei\u003c/sub\u003e) ⊕ C\u003csub\u003ei-1\u003c/sub\u003e, and C\u003csub\u003e0\u003c/sub\u003e = IV\n \nBasically this is just some simple XOR; you can also watch this video (not by me) https://www.youtube.com/watch?v=0D7OwYp6ZEc. \n\nI will introduce the [IV](https://en.wikipedia.org/wiki/Initialization_vector) in the next point. Remember that all these properties will help us to drive our attack.\n\n#### 2. 
Cryptology\n\nWhen we use CBC we need an initialisation vector called IV. This IV is random (or fixed) but in any case it should not be predictable by anyone. In TLS1.0 and SSLv3 the first IV of the request is random, fine. But to save time and not generate a new random IV every time, the implementation of TLS1.0 and SSLv3 uses the last block of the previous ciphertext as the IV. In other words, the IV is now guessable.\nWe will assume the length of each block is 8 (DES) and that the attacker has a MiTM position to retrieve all the ciphertext.\n\nExample:\n\nC\u003csub\u003e0\u003c/sub\u003e | C\u003csub\u003e...\u003c/sub\u003e | C\u003csub\u003ei-1\u003c/sub\u003e | C\u003csub\u003ei\u003c/sub\u003e | C\u003csub\u003ei+1\u003c/sub\u003e | C\u003csub\u003en\u003c/sub\u003e\n\nNow the interesting part: these are the different cryptographic steps of the attack to retrieve one byte:\n\n* first we send a request called C² to get the last block of its ciphertext, which is the IV of the second request\n* this is a chosen-plaintext attack, so the attacker can send this message `bbbbbbbTHIS_IS_A_SECRET_COOKIE` through the victim.\n\nYou can notice the seven `b` before the secret cookie. If the length of a block is 8 we need to push 7 known bytes. This information is very important: the attacker knows the first 7 bytes of the first block. \n\nBut why? This allows us to have only 256 possibilities to find one byte and not 256^8 to find 8 bytes!  
\n\nNow the victim sends the request and it will be encrypted like this:\n\nC\u003csub\u003e0\u003c/sub\u003e | C\u003csub\u003e1\u003c/sub\u003e | C\u003csub\u003e2\u003c/sub\u003e | C\u003csub\u003e3\u003c/sub\u003e | C\u003csub\u003e4\u003c/sub\u003e\n\nWhere C\u003csub\u003e0\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(IV ⊕ bbbbbbbT) = E\u003csub\u003ek\u003c/sub\u003e(C²\u003csub\u003en\u003c/sub\u003e ⊕ bbbbbbbT)\n\n* the attacker wants to retrieve the information in the blocks C\u003csub\u003e0\u003c/sub\u003e, C\u003csub\u003e1\u003c/sub\u003e, C\u003csub\u003e2\u003c/sub\u003e ... **he always needs the previous block**\n* a third request is sent after building a special block P'\u003csub\u003e0\u003c/sub\u003e. The first block will be encrypted like this: C'\u003csub\u003e0\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(P'\u003csub\u003e0\u003c/sub\u003e ⊕ IV')\n\nSince this is a chosen-plaintext attack, the attacker can construct a block P'\u003csub\u003e0\u003c/sub\u003e like this:\n\nP'\u003csub\u003e0\u003c/sub\u003e = C²\u003csub\u003en\u003c/sub\u003e ⊕ C\u003csub\u003e4\u003c/sub\u003e ⊕ bbbbbbbX\n\nThe only unknown element is `X`; there are 256 possibilities, so he will try at most 256 characters.\nThe request is sent and encrypted like this:\n\nC'\u003csub\u003e0\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(P'\u003csub\u003e0\u003c/sub\u003e ⊕ IV') \u003cbr\u003e\nC'\u003csub\u003e0\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(C²\u003csub\u003en\u003c/sub\u003e ⊕ C\u003csub\u003e4\u003c/sub\u003e ⊕ bbbbbbbX ⊕ IV') where C\u003csub\u003e4\u003c/sub\u003e ⊕ IV' = 0 since IV' = C\u003csub\u003e4\u003c/sub\u003e \u003cbr\u003e\nC'\u003csub\u003e0\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(C²\u003csub\u003en\u003c/sub\u003e ⊕ bbbbbbbX) \u003cbr\u003e\nC'\u003csub\u003e0\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(IV ⊕ bbbbbbbX) \u003cbr\u003e\n\nNow he compares C'\u003csub\u003e0\u003c/sub\u003e and C\u003csub\u003e0\u003c/sub\u003e: if they are equal, then he has just found the 
byte `X` in position 8. If it doesn't match, he retries with another character and compares again, etc.\n\nNow that we have one byte we can get another one by shifting the previous request by one to the left: `bbbbbbTHIS_IS_A_SECRET_COOKIE`. He now has six `b` and we also know the `T`, so we have one unknown character. We build a new P'\u003csub\u003e0\u003c/sub\u003e = C\u003csub\u003e0\u003c/sub\u003e ⊕ C\u003csub\u003e4\u003c/sub\u003e ⊕ bbbbbbTX etc.\n\n**Note**: another way, with only two requests, is to set the first block of the plaintext and use this information for the three XORs. We no longer need the last block of C². C\u003csub\u003e1\u003c/sub\u003e = E\u003csub\u003ek\u003c/sub\u003e(C\u003csub\u003e0\u003c/sub\u003e ⊕ bbbbbbbT) and then P'\u003csub\u003e0\u003c/sub\u003e = C\u003csub\u003e0\u003c/sub\u003e ⊕ C\u003csub\u003e4\u003c/sub\u003e ⊕ bbbbbbbX. He also needs to compare C'\u003csub\u003e0\u003c/sub\u003e and C\u003csub\u003e1\u003c/sub\u003e.\nThis is another way to do it; you can notice in the PoC that I coded both possibilities :)\n\nWe can now retrieve all the characters!\n\n### Launch\n\n```\npython BEAST-poc.py\n```\n\n[![asciicast](https://asciinema.org/a/40094.png)](https://asciinema.org/a/40094)\n\n#### Attack\n\nAn attacker cannot use the HTTP protocol because the first block will be filled with `GET / HTTP/1.1\\r\\n`.\n\n\u003e ... cannot control the first few bytes of each request because they are always\nset as a fixed string such as GET /, POST /, etc.\n\nInstead he can use a [socket](https://en.wikipedia.org/wiki/Network_socket).\n\nHe also needs to inject some JavaScript into a malicious page. The victim needs to be connected to this page and stay on it until the attack is done.\nThis is a chosen-plaintext attack, so the attacker can send through the JavaScript code every plaintext he wants and intercept the result with a Man in the Middle. 
This is a diagram of the attack:\n\n![beast](https://user-images.githubusercontent.com/5891788/52014211-41b1f780-24df-11e9-9af3-c0ae82f8df7e.png)\n\nThis attack needs several important conditions to be successful (TLS1.0 or lower, CBC cipher mode, MiTM, malicious JavaScript). But Thai Duong and Juliano Rizzo proved it can be possible and demonstrated their exploit by stealing a cookie on the [Paypal](https://www.youtube.com/watch?v=BTqAIDVUvrU) website.\n\nEverything is now fixed and this attack has little probability of being realized.\n\n## Contributor\n\n[mpgn](https://github.com/mpgn) \n\n### Licences\n\n[licence MIT](https://github.com/mpgn/BEAST-PoC/blob/master/LICENSE)\n\n### References\n\n* http://netifera.com/research/beast/beast_DRAFT_0621.pdf\n* http://www.bortzmeyer.org/beast-tls.html\n* http://fr.slideshare.net/danrlde/20120418-luedtke-ssltlscbcbeast\n* http://crypto.stackexchange.com/questions/5094/is-aes-in-cbc-mode-secure-if-a-known-and-or-fixed-iv-is-used\n* http://security.stackexchange.com/questions/18505/is-beast-really-fixed-in-all-modern-browsers\n* https://defuse.ca/cbcmodeiv.htm\n* http://stackoverflow.com/questions/22644392/chrome-websockets-cors-policy\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpgn%2Fbeast-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmpgn%2Fbeast-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpgn%2Fbeast-poc/lists"}