Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

It seems that the -outputFile option is not working #103

Open
hachuping123 opened this issue Nov 7, 2024 · 17 comments
Open

It seems that the -outputFile option is not working #103

hachuping123 opened this issue Nov 7, 2024 · 17 comments

Comments

@hachuping123
Copy link

I am getting an error that says :
ERROR: ScanReportSerializer - Could not serialize scan report
com.fasterxml.jackson.databind.JsonMappingException: Document nesting depth (1001) exceeds the maximum allowed .....

I wonder if I'm the only one experiencing this error.
@ic0ns
Copy link
Contributor

ic0ns commented Nov 7, 2024

I just tested it on my machine - there it seemed to work in general. Maybe it's an issue that only pops up on specific hosts - can you share what you were scanning? Otherwise can you share the whole error message?

@m10x
Copy link
Contributor

m10x commented Nov 12, 2024
edited
Loading

I just received the same error. I cannot share the target but here's the "whole" (had to truncate it because of its length, but it's always the same Exception) error message:

INFO : ThreadedScanJobExecutor - Invalid curve probe executed
INFO : ThreadedScanJobExecutor - Finished scan
ERROR: ScanReportSerializer - Could not serialize scan report
com.fasterxml.jackson.databind.JsonMappingException: Document nesting depth (1001) exceeds the maximum allowed (1000, from `StreamWriteConstraints.getMaxNestingDepth()`) (through reference chain: de.rub.nds.tlsscanner.serverscanner.report.ServerReport["results"]->java.util.Collections$UnmodifiableMap["NO_MAC_CHECK_TICKET"]->de.rub.nds.tlsscanner.serverscanner.probe.result.VersionDependentSummarizableResult["resultMap"]->java.util.EnumMap["TLS12"]->de.rub.nds.tlsscanner.serverscanner.probe.result.sessionticket.TicketManipulationResult["responses"]->java.util.HashMap["0"]->de.rub.nds.tlsscanner.core.vector.VectorResponse["fingerprint"]->de.rub.nds.tlsscanner.core.vector.response.ResponseFingerprint["messageList"]->java.util.ArrayList[0]->de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage["extensions"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHol...>de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["extensionType"])
	at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:402)
	at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:361)
	at com.fasterxml.jackson.databind.ser.std.StdSerializer.wrapAndThrow(StdSerializer.java:323)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:778)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
	at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:732)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
	at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:732)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
	at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:732)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	...
Caused by: com.fasterxml.jackson.core.exc.StreamConstraintsException: Document nesting depth (1001) exceeds the maximum allowed (1000, from `StreamWriteConstraints.getMaxNestingDepth()`)
	at com.fasterxml.jackson.core.StreamWriteConstraints._constructException(StreamWriteConstraints.java:177)
	at com.fasterxml.jackson.core.StreamWriteConstraints.validateNestingDepth(StreamWriteConstraints.java:162)
	at com.fasterxml.jackson.core.json.UTF8JsonGenerator.writeStartObject(UTF8JsonGenerator.java:398)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:180)
	at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:732)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
	at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:732)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
	at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:732)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	...
	at com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:732)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:184)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
	at com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
INFO : Main - Scanned in: 10213s

@m10x
Copy link
Contributor

m10x commented Nov 12, 2024
edited
Loading

I don't know if it's related but this scan took reaally really long after the printing of "Session ticket manipulation probe executed" (way over 60 Minutes) until it threw the following error

INFO : ThreadedScanJobExecutor - Session ticket manipulation probe executed
Exception in thread "dnsjava NIO selector" java.lang.OutOfMemoryError: Java heap space
	at java.base/java.util.HashMap$KeySet.iterator(HashMap.java:913)
	at java.base/java.util.HashSet.iterator(HashSet.java:173)
	at java.base/sun.nio.ch.Util$2.iterator(Util.java:352)ERROR: SessionTicketPaddingOracleProbe - Could not scan SessionTickets Padding Oracle for version TLS12
java.lang.RuntimeException: Failed to execute tasks!
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.bulkExecuteTasks(ParallelExecutor.java:139)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketPaddingOracleProbe.createVectorResponseList(SessionTicketPaddingOracleProbe.java:375)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketPaddingOracleProbe.createInformationLeakTest(SessionTicketPaddingOracleProbe.java:349)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketPaddingOracleProbe.checkPaddingOracle(SessionTicketPaddingOracleProbe.java:242)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketPaddingOracleProbe.executeTest(SessionTicketPaddingOracleProbe.java:155)
	at de.rub.nds.scanner.core.probe.ScannerProbe.call(ScannerProbe.java:45)
	at de.rub.nds.scanner.core.probe.ScannerProbe.call(ScannerProbe.java:25)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.bulkExecuteTasks(ParallelExecutor.java:137)
	... 11 more
Caused by: java.lang.OutOfMemoryError: Java heap space
	at java.base/java.lang.StringLatin1.toUpperCase(StringLatin1.java:483)
	at java.base/java.lang.String.toUpperCase(String.java:2584)
	at java.base/java.util.Formatter$FormatSpecifier.toUpperCaseWithLocale(Formatter.java:3062)
	at java.base/java.util.Formatter$FormatSpecifier.print(Formatter.java:3286)
	at java.base/java.util.Formatter$FormatSpecifier.print(Formatter.java:3215)
	at java.base/java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2928)
	at java.base/java.util.Formatter$FormatSpecifier.print(Formatter.java:2892)
	at java.base/java.util.Formatter.format(Formatter.java:2673)
	at java.base/java.util.Formatter.format(Formatter.java:2609)
	at java.base/java.lang.String.format(String.java:2897)
	at de.rub.nds.modifiablevariable.util.ArrayConverter.bytesToHexString(ArrayConverter.java:164)
	at de.rub.nds.modifiablevariable.util.ArrayConverter.bytesToHexString(ArrayConverter.java:143)
	at de.rub.nds.modifiablevariable.util.ArrayConverter.bytesToHexString(ArrayConverter.java:136)
	at de.rub.nds.asn1.parser.ParserHelper.parseBitStringContent(ParserHelper.java:469)
	at de.rub.nds.asn1.parser.ParserHelper.parseAsn1BitString(ParserHelper.java:331)
	at de.rub.nds.x509attacker.x509.parser.PublicKeyBitStringParser.parse(PublicKeyBitStringParser.java:37)
	at de.rub.nds.x509attacker.x509.parser.SubjectPublicKeyInfoParser.parseSubcomponents(SubjectPublicKeyInfoParser.java:33)
	at de.rub.nds.x509attacker.x509.parser.X509ComponentContainerParser.parseContent(X509ComponentContainerParser.java:35)
	at de.rub.nds.x509attacker.x509.parser.X509ComponentFieldParser.parse(X509ComponentFieldParser.java:38)
	at de.rub.nds.x509attacker.x509.parser.TbsCertificateParser.parseSubjectPublicKey(TbsCertificateParser.java:92)
	at de.rub.nds.x509attacker.x509.parser.TbsCertificateParser.parseSubcomponents(TbsCertificateParser.java:39)
	at de.rub.nds.x509attacker.x509.parser.X509ComponentContainerParser.parseContent(X509ComponentContainerParser.java:35)
	at de.rub.nds.x509attacker.x509.parser.X509ComponentFieldParser.parse(X509ComponentFieldParser.java:38)
	at de.rub.nds.x509attacker.x509.parser.X509CertificateParser.parseTbsCertificate(X509CertificateParser.java:48)
	at de.rub.nds.x509attacker.x509.parser.X509CertificateParser.parseSubcomponents(X509CertificateParser.java:29)
	at de.rub.nds.x509attacker.x509.parser.X509ComponentContainerParser.parseContent(X509ComponentContainerParser.java:35)
	at de.rub.nds.x509attacker.x509.parser.X509ComponentFieldParser.parse(X509ComponentFieldParser.java:38)
	at de.rub.nds.tlsattacker.core.protocol.parser.cert.CertificateEntryParser.parseX509Certificate(CertificateEntryParser.java:105)
	at de.rub.nds.tlsattacker.core.protocol.parser.CertificateMessageParser.parseCertificateList(CertificateMessageParser.java:114)
	at de.rub.nds.tlsattacker.core.protocol.parser.CertificateMessageParser.parse(CertificateMessageParser.java:49)
	at de.rub.nds.tlsattacker.core.protocol.parser.CertificateMessageParser.parse(CertificateMessageParser.java:23)
	at de.rub.nds.tlsattacker.core.layer.impl.MessageLayer.readHandshakeProtocolData(MessageLayer.java:364)

	at org.xbill.DNS.NioClient.processReadyKeys(NioClient.java:177)
	at org.xbill.DNS.NioClient.runSelector(NioClient.java:134)
	at org.xbill.DNS.NioClient$$Lambda$355/0x00000008404c1440.run(Unknown Source)
	at java.base/java.lang.Thread.run(Thread.java:829)
INFO : ThreadedScanJobExecutor - Session ticket padding oracle probe executed
INFO : ThreadedScanJobExecutor - Session ticket collector for afterprobe probe executed
INFO : ThreadedScanJobExecutor - Named groups order probe executed
WARN : TlsServerProbe - Was unable to get results for TLS12>SECP256R1>UNCOMPRESSED>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Message: null
WARN : TlsServerProbe - Was unable to get results for TLS12>SECP384R1>UNCOMPRESSED>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Message: null
WARN : TlsServerProbe - Was unable to get results for TLS12>SECP521R1>UNCOMPRESSED>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Message: null
WARN : TlsServerProbe - Was unable to get results for TLS13>SECP256R1>UNCOMPRESSED>TLS_AES_128_GCM_SHA256 Message: null
WARN : TlsServerProbe - Was unable to get results for TLS13>SECP384R1>UNCOMPRESSED>TLS_AES_128_GCM_SHA256 Message: null
WARN : TlsServerProbe - Was unable to get results for TLS13>SECP521R1>UNCOMPRESSED>TLS_AES_128_GCM_SHA256 Message: null
INFO : ThreadedScanJobExecutor - Invalid curve probe executed
INFO : ThreadedScanJobExecutor - Finished scan
ERROR: ScanReportSerializer - Could not serialize scan report
com.fasterxml.jackson.databind.JsonMappingException: Document nesting depth (1001) exce....

@m10x
Copy link
Contributor

m10x commented Nov 12, 2024

Here I ran it again for the same target. This time TLS Scanner crashed before finishing the scan

INFO : ThreadedScanJobExecutor - Session ticket probe executed
INFO : ThreadedScanJobExecutor - Session ticket manipulation probe executed

Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "dnsjava NIO selector"
ERROR: ThreadedScanJobExecutor - Some probe execution failed
java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.executeProbesTillNoneCanBeExecuted(ThreadedScanJobExecutor.java:112)
	at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.execute(ThreadedScanJobExecutor.java:82)
	at de.rub.nds.scanner.core.execution.Scanner.scan(Scanner.java:159)
	at de.rub.nds.tlsscanner.serverscanner.Main.main(Main.java:44)
Caused by: java.lang.OutOfMemoryError: Java heap space
Exception in thread "main" java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space
	at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.executeProbesTillNoneCanBeExecuted(ThreadedScanJobExecutor.java:116)
	at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.execute(ThreadedScanJobExecutor.java:82)
	at de.rub.nds.scanner.core.execution.Scanner.scan(Scanner.java:159)
	at de.rub.nds.tlsscanner.serverscanner.Main.main(Main.java:44)
Caused by: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.executeProbesTillNoneCanBeExecuted(ThreadedScanJobExecutor.java:112)
	... 3 more
Caused by: java.lang.OutOfMemoryError: Java heap space
WARN : SessionTicketCollectingProbe - Could not collect SessionTickets for version TLS12
java.lang.RuntimeException: Cannot add Tasks to already shutdown executor
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.addTask(ParallelExecutor.java:87)
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.addStateTask(ParallelExecutor.java:108)
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.bulkExecuteStateTasks(ParallelExecutor.java:114)
	at de.rub.nds.tlsscanner.core.probe.TlsProbe.executeState(TlsProbe.java:36)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketCollectingProbe.collectTickets(SessionTicketCollectingProbe.java:62)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketCollectingProbe.executeTest(SessionTicketCollectingProbe.java:36)
	at de.rub.nds.scanner.core.probe.ScannerProbe.call(ScannerProbe.java:45)
	at de.rub.nds.scanner.core.probe.ScannerProbe.call(ScannerProbe.java:25)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
WARN : SessionTicketCollectingProbe - Could not collect SessionTickets for version TLS13
java.lang.RuntimeException: Cannot add Tasks to already shutdown executor
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.addTask(ParallelExecutor.java:87)
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.addStateTask(ParallelExecutor.java:108)
	at de.rub.nds.tlsattacker.core.workflow.ParallelExecutor.bulkExecuteStateTasks(ParallelExecutor.java:114)
	at de.rub.nds.tlsscanner.core.probe.TlsProbe.executeState(TlsProbe.java:36)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketCollectingProbe.collectTickets(SessionTicketCollectingProbe.java:62)
	at de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketCollectingProbe.executeTest(SessionTicketCollectingProbe.java:36)
	at de.rub.nds.scanner.core.probe.ScannerProbe.call(ScannerProbe.java:45)
	at de.rub.nds.scanner.core.probe.ScannerProbe.call(ScannerProbe.java:25)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

@ic0ns
Copy link
Contributor

ic0ns commented Nov 12, 2024

Thanks for sharing these - they indeed hint at some issues in the new session tickets probes. @XoMEX do you have an idea what could cause this?

@XoMEX
Copy link
Member

XoMEX commented Nov 14, 2024

#103 (comment)

Session ticket manipulation probe executed" (way over 60 Minutes)
SessionTicketPaddingOracleProbe

Unfortunately, the SessionTicketPaddingOracleProbe is very slow if it thinks it has found something and may store quite some information in memory (java seems to hit some memory limit in the last two traces). I'd recommend

  • disabling the SessionTicketPaddingOracleProbe probe
  • reducing the scan detail (though this may also affect other probes)
  • increasing RAM (though that does not improve the runtime)

@m10x
Copy link
Contributor

m10x commented Nov 14, 2024
edited
Loading

#103 (comment)

Session ticket manipulation probe executed" (way over 60 Minutes)
SessionTicketPaddingOracleProbe

Unfortunately, the SessionTicketPaddingOracleProbe is very slow if it thinks it has found something and may store quite some information in memory (java seems to hit some memory limit in the last two traces). I'd recommend

* disabling the SessionTicketPaddingOracleProbe probe

* reducing the scan detail (though this may also affect other probes)

* increasing RAM (though that does not improve the runtime)

The scanDetail was set to NORMAL in both cases.
There is no flag to disable specific probes, or is there?

@XoMEX
Copy link
Member

XoMEX commented Nov 14, 2024

Not from the commandline :/
The workflow thus far has been to remove unneeded probes from the source code.

@XoMEX
Copy link
Member

XoMEX commented Nov 14, 2024

Btw, disabling the probe (regarding the OutOfMemoryError and JsonMappingException) is just fighting the symptoms.

To solve the OutOfMemoryError some profiling which shows which objects take up that much space would be needed.

Regarding the JsonMappingException: This looks like a bug in the serialization of a ResponseFingerprint (more precisely the RenegotiationInfoExtensionMessage within a ServerHello) @ic0ns

com.fasterxml.jackson.databind.JsonMappingException: Document nesting depth (1001) exceeds the maximum allowed (1000, from `StreamWriteConstraints.getMaxNestingDepth()`) (through reference chain:

de.rub.nds.tlsscanner.serverscanner.report.ServerReport["results"]
->java.util.Collections$UnmodifiableMap["NO_MAC_CHECK_TICKET"]
->de.rub.nds.tlsscanner.serverscanner.probe.result.VersionDependentSummarizableResult["resultMap"]
->java.util.EnumMap["TLS12"]
->de.rub.nds.tlsscanner.serverscanner.probe.result.sessionticket.TicketManipulationResult["responses"]
->java.util.HashMap["0"]
->de.rub.nds.tlsscanner.core.vector.VectorResponse["fingerprint"]
->de.rub.nds.tlsscanner.core.vector.response.ResponseFingerprint["messageList"]
->java.util.ArrayList[0]
->de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage["extensions"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHol...
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]
->java.util.LinkedList[0]
->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["extensionType"])

@ic0ns
Copy link
Contributor

ic0ns commented Nov 14, 2024

I am not entirely convinced this is the RenegotiationInfoExtensionMessage, but it is just the first one on the list. Fixing this from just the exception seems tough. Do you have an example to reproduce the issue?

@XoMEX
Copy link
Member

XoMEX commented Nov 15, 2024

@m10x can you chat whether a report file is created? If I have seen it correctly we serialize the report twice (which is an issue on its own, but should not affect you)

  • Once in the Scanner-Core project. This fails for you.
  • Once in the TLS-Server-Scanner. This should still work and output to a file.

@ic0ns
Copy link
Contributor

ic0ns commented Nov 15, 2024 

        // Serialize report to file
        if (executorConfig.isWriteReportToFile()) {
            LOGGER.debug("Writing report to file");
            ScanReportSerializer.serialize(new File(executorConfig.getOutputFile()), report);
        }

Can you comment out these lines in Scanner.java and try again?

@m10x
Copy link
Contributor

m10x commented Nov 15, 2024

@m10x can you chat whether a report file is created? If I have seen it correctly we serialize the report twice (which is an issue on its own, but should not affect you)

  • Once in the Scanner-Core project. This fails for you.
  • Once in the TLS-Server-Scanner. This should still work and output to a file.

An empty report file is created

@m10x
Copy link
Contributor

m10x commented Nov 15, 2024
edited
Loading

ScanReportSerializer

        // Serialize report to file
        if (executorConfig.isWriteReportToFile()) {
            LOGGER.debug("Writing report to file");
            ScanReportSerializer.serialize(new File(executorConfig.getOutputFile()), report);
        }

Can you comment out these lines in Scanner.java and try again?

I'm not able to find a file called Scanner.java or any code line containing "ScanReportSerializer".
However there is

                if (config.getExecutorConfig().isWriteReportToFile()) {
                    File outputFile = new File(config.getExecutorConfig().getOutputFile());
                    ServerReportSerializer.serialize(outputFile, report);
                }

in serverscanner and

                if (config.getExecutorConfig().isWriteReportToFile()) {
                    File outputFile = new File(config.getExecutorConfig().getOutputFile());
                    ClientReportSerializer.serialize(outputFile, report);
                }

in clientscanner

@ic0ns
Copy link
Contributor

ic0ns commented Nov 15, 2024

ah I see - it is in the dependency ScannerCore (https://github.com/tls-attacker/Scanner-Core) - you would need to comment it out there and then recompile the server scanner with the modified version of Scanner-Core.

@m10x
Copy link
Contributor

m10x commented Nov 15, 2024

The RAM problem might be because the VM which I've used had only 2GB RAM left for TLS-Scanner.
I've run the scan again from another machine with more RAM. The scan took very long again but not RAM problems this time. The ScanReportSerializer message differs this time

ERROR: ScanReportSerializer - Could not serialize scan report                                                                                                                                                                                                                                                                                                                                                                                                                      
com.fasterxml.jackson.databind.JsonMappingException: Document nesting depth (1001) exceeds the maximum allowed (1000, from `StreamWriteConstraints.getMaxNestingDepth()`) (through reference chain: de.rub.nds.tlsscanner.serverscanner.report.ServerReport["results"]->java.util.Collections$UnmodifiableMap["PADDING_ORACLE_TICKET"]->de.rub.nds.tlsscanner.serverscanner.probe.result.VersionDependentSummarizableResult["resultMap"]->java.util.EnumMap["TLS12"]->de.rub.nds.tlsscanner.serverscanner.probe.result.sessionticket.TicketPaddingOracleResult["positionResults"]->java.util.ArrayList[0]->de.rub.nds.tlsscanner.serverscanner.probe.result.sessionticket.TicketPaddingOracleOffsetResult["lastByteLeakTest"]->de.rub.nds.tlsscanner.core.vector.statistics.InformationLeakTest["vectorContainerList"]->java.util.LinkedList[0]->de.rub.nds.tlsscanner.core.vector.statistics.VectorContainer["distinctResponsesCounterList"]->java.util.Collections$UnmodifiableList[0]->de.rub.nds.tlsscanner.core.vector.statistics.ResponseCounter["fingerprint"]->de.rub.nds.tlsscanner.core.vector.response.ResponseFingerprint["messageList"]->java.util.ArrayList[0]->de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage["extensions"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattacker.core.protocol.message.extension.RenegotiationInfoExtensionMessage["allModifiableVariableHolders"]->java.util.LinkedList[0]->de.rub.nds.tlsattack

I can share the target with you in a DM

@ic0ns
Copy link
Contributor

ic0ns commented Nov 15, 2024

jeah feel free to send me an email [email protected]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@m10x @XoMEX @ic0ns @hachuping123