OFFSITE.DARK
← Signals

Jun 29, 2026

2 min

Sploitus

  • tls
  • tls1.2
  • pentest
  • education
  • sploitus

news

TLS1.2_Exploit-Scripts — Misconfigured TLS Pentest Lab

Six lab scripts demonstrate LOGJAM, LUCKY13, session ticket hijack, SSL strip, cert MITM, and RC4 JWT forgery against deliberate nginx 1.18 misconfig.

Summary

TLS1.2_Exploit-Scripts (MalekAlthubiany/TLS1.2_Exploit-Scripts) pairs six Python/Bash proofs with a deliberately vulnerable Docker nginx 1.18 lab for authorized TLS 1.2 misconfiguration testing. It accompanies the Medium article Breaking TLS 1.2: A Penetration Tester's Guide.

This is not a single CVE — it is an educational misconfiguration exploitation kit for authorized assessments.

Key Findings

#ScriptCVE / topicDemonstrated impact
1exploit_01_logjam.pyCVE-2015-4000Passive DHE session decryption (1024-bit DH)
2exploit_02_lucky13.pyCVE-2013-0169CBC+HMAC-SHA1 timing oracle
3exploit_03_session_hijack.pySession ticketsStolen ticket → session reuse / cookie theft
4exploit_04_sslstrip.pyMissing HSTSDowngrade + credential capture proxy
5exploit_05_cert_mitm.shSelf-signed certForged CA MITM on :9443
6exploit_06_jwt_forge.pyRC4 JWTKeystream recovery → role escalation

Lab defaults: TLS 1.2 only, CBC suites, 1024-bit DH, static STEK, no HSTS, RC4-signed JWT cookie.

Attack Chain (representative — session hijack)

Victim TLS handshake → session ticket saved (openssl s_client -sess_out)
        ↓
Attacker replays ticket (-sess_in) without re-auth
        ↓
Server responds "Reused" → attacker HTTP GET steals Set-Cookie / JWT

Impact

For defenders, the repo signals copy-paste TLS audit tooling circulating on Sploitus — useful for purple teams, dangerous when operators mistake lab scripts for live exploit chains against hardened TLS 1.3 deployments.

For attackers, impact equals each underlying misconfiguration (recorded traffic decryption, strip, MITM) — only where those configs still exist in production.

Mitigation

Ship the hardened nginx template from the upstream README: 4096-bit DH, AEAD-only ciphers, ssl_session_tickets off, HSTS preload, public CA certs, HS256/RS256 JWTs.

Related Signals

Sources

→ Source