A python attack script built on top of aioquic to perform request forgery with QUIC

Prerequisites:
- Python3 (3.8)
- NetfilterQueue and Scapy
- Aioquic (0.9.20)
  - Pull aioquic
  - Checkout a compatible version
  - Apply the aioquic.diff
  - Follow the install instructions of aioquic
- Lsquic (3.0.4) (for legacy support, needed for CMRF)
- Wireshark (3.5.0) (optional)
If the prerequisites are met, the script should run out of the box. The installation instructions described below are likely to change in the future. If the setup instructions fail, please consult the official documentation of the respective software.
NetfilterQueue and Scapy:

```shell
sudo apt install build-essential python-dev libnetfilter-queue-dev
sudo pip install https://github.com/johnteslade/python-netfilterqueue/archive/refs/heads/update-cython-code.zip
sudo pip install scapy
```

Aioquic:
- Install dependencies

```shell
apt-get update && apt-get install -y git-core libssl-dev python3-dev python3-pip
pip3 install aiofiles asgiref httpbin starlette wsproto werkzeug==2.0.3
```

- Clone the repository and apply the diff

```shell
git clone https://github.com/aiortc/aioquic && cd aioquic && git checkout tags/0.9.20
# TODO: apply aioquic.diff to the checked-out tree before installing
pip3 install -e .
```
Lsquic (tested on Ubuntu 20.04):
- Install dependencies

```shell
sudo apt update && sudo apt install -y golang libevent-dev libz-dev git cmake binutils
```

- Setup boringssl

```shell
git clone https://boringssl.googlesource.com/boringssl
cd boringssl
git checkout a9670a8b476470e6f874fef3554e8059683e1413
cmake . && make
BORINGSSL=$PWD
cd ..
```

- Compile lsquic

```shell
git clone https://github.com/litespeedtech/lsquic.git
cd lsquic
git checkout tags/v3.0.4
git submodule update --init --recursive
cmake -DBORINGSSL_DIR=$BORINGSSL .
make
```
- In `lsquic/include/lsquic.h`, change `#define LSQUIC_DF_SCID_LEN 8` to:

```c
#define LSQUIC_DF_SCID_LEN MAX_CID_LEN
```

- In `lsquic/src/liblsquic/lsquic_conn.c`, create a global set of the CIDs you want to use (each CID needs to be unique):

```c
/* Index of the next static CID to hand out; it is also the index used
 * as the new CID for path challenges. */
static int lsquic_cid_ctr = 0;

/* Static CIDs; only the first 20 bytes of each entry are copied. */
static const char *data_buffer[10] = {
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC",
    "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    "GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG",
    "HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH",
    "IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII",
    "JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ"
};
```

Furthermore, change the body of the function `lsquic_generate_cid` to something similar to:

```c
if (!len) {
    len = 20;
}
cid->len = len;
if (lsquic_cid_ctr < 10) {
    /* The first 10 CIDs come from the static table above. */
    memcpy(cid->idbuf, data_buffer[lsquic_cid_ctr], cid->len);
} else {
    /* Afterwards fall back to random CIDs. */
    RAND_bytes(cid->idbuf, len);
}
lsquic_cid_ctr++;
```

With this, all CIDs will be of length 20 and the first 10 generated CIDs will be static.
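When analysing captures from such a lab from the defender's side, the static CIDs produced by the lsquic patch are an easy artefact to spot. The following Python example is added here and is not part of this repository or of lsquic: it parses the version, DCID and SCID fields of a QUIC v1 long header (RFC 9000 section 17.2) and flags connection IDs that have the shape the patch emits (20 bytes, a single repeated value). The sample packets, the `build_long_header` helper and the `SAMPLE_PACKETS` list are constructed for this example.

```python
"""Added example: parse QUIC v1 long headers and flag static connection IDs.

Not part of the request_forgery repository. The packets below are constructed
for this example; build_long_header exists only to assemble them.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUIC_V1 = 0x00000001
# Long Packet Type values for QUIC v1 (RFC 9000 section 17.2); v2 maps them differently.
LONG_PACKET_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}
MAX_CID_LEN = 20  # QUIC v1 limits connection IDs to 20 bytes


@dataclass
class LongHeader:
    packet_type: str
    version: int
    dcid: bytes
    scid: bytes


def parse_long_header(pkt: bytes) -> Optional[LongHeader]:
    """Extract type, version, DCID and SCID from a QUIC long header.

    Returns None for short-header packets and for input too short to hold
    the advertised connection IDs. Version Negotiation packets (version 0)
    are reported with packet_type "VersionNegotiation".
    """
    if len(pkt) < 7:
        return None
    first = pkt[0]
    if not first & 0x80:  # Header Form bit clear: short header, no SCID present
        return None
    version = struct.unpack("!I", pkt[1:5])[0]
    if version == 0:
        ptype = "VersionNegotiation"
    else:
        ptype = LONG_PACKET_TYPES.get((first >> 4) & 0x03, "unknown")
    off = 5
    dcid_len = pkt[off]
    off += 1
    if dcid_len > MAX_CID_LEN or len(pkt) < off + dcid_len + 1:
        return None
    dcid = pkt[off:off + dcid_len]
    off += dcid_len
    scid_len = pkt[off]
    off += 1
    if scid_len > MAX_CID_LEN or len(pkt) < off + scid_len:
        return None
    scid = pkt[off:off + scid_len]
    return LongHeader(ptype, version, dcid, scid)


def is_static_cid(cid: bytes) -> bool:
    """True for the CID shape the patched lsquic emits: 20 bytes of one repeated value."""
    return len(cid) == MAX_CID_LEN and len(set(cid)) == 1


def scan(packets: List[bytes]) -> List[Tuple[int, str, str, str]]:
    """Return (packet index, packet type, field, cid hex) for every static CID seen."""
    findings = []
    for i, pkt in enumerate(packets):
        hdr = parse_long_header(pkt)
        if hdr is None:
            continue
        for field, cid in (("dcid", hdr.dcid), ("scid", hdr.scid)):
            if is_static_cid(cid):
                findings.append((i, hdr.packet_type, field, cid.hex()))
    return findings


def build_long_header(ptype: int, version: int, dcid: bytes, scid: bytes) -> bytes:
    """Assemble a minimal long header without payload (constructed test data only)."""
    first = 0xC0 | ((ptype & 0x03) << 4)  # Header Form=1, Fixed Bit=1, type bits
    return (bytes([first]) + struct.pack("!I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid)


# Constructed sample traffic: an Initial carrying a static SCID as the patched
# lsquic would send it, a Handshake with an ordinary SCID, and a short-header packet.
SAMPLE_PACKETS = [
    build_long_header(0, QUIC_V1, bytes.fromhex("8394c8f03e515708"), b"A" * 20),
    build_long_header(2, QUIC_V1, b"\x01" * 8, bytes(range(20))),
    bytes([0x40]) + b"\x00" * 20,
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PACKETS):
        print("packet %d (%s): static %s %s" % finding)
```

The parser stops after the SCID because that is all the check needs; the token and length fields that follow in Initial packets are not decoded. Feeding it real traffic means stripping the UDP payload out of a capture first (for example with Scapy, which is already a prerequisite here).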
Wireshark:
- Pull Git repository

```shell
git clone https://gitlab.com/wireshark/wireshark.git
cd wireshark
```

- Install dependencies

```shell
sudo ./tools/debian-setup.sh --install-optional --install-deb-deps
```

- Build Wireshark

```shell
mkdir build
cd build
cmake -G Ninja ../
ninja
sudo ninja install
```
Generate a self-signed certificate (some implementations need other formats):

```shell
openssl req -x509 -nodes -newkey rsa:4096 -keyout <name>.key -out <name>.pem -days 365
```

The pre-built containers can be found here: https://hub.docker.com/u/yukonsec

```shell
sudo docker run -p 12345:12345/udp -v </path/to/certs/>:/mnt/certs/ -v </tls/keys/output/>:/mnt/keys -it --rm <containername>
```

More information about the attack script can be viewed with:
```shell
sudo python3 request_forgery.py -h
```

Why is this code so ugly? This code developed over time from a little proof-of-concept script created during my master's thesis. It was not planned to be publicly released and was just created to prove the general possibility of the attacks. Features were not initially planned and were added on top with as little effort as possible. If you have nicer solutions (especially for the multithreading), feel free to share and contribute.

Why did you not include ATS, Quant, PQUIC, ...? I chose open source projects that were functional at the time for the scenarios I needed them for. If an implementation is missing, it was likely buggy or not listed on the QUIC working group's GitHub. Also, projects that were not maintained for over a year and did not support the current versions were dropped.