OK, don't flame me for being a bonehead, but let me pose a counter question or two.

I was under the impression that (typically) SSL is run in a mode that only encrypts the transport between the client and server. I think it is possible to use SSL to restrict access to the web server by userid in some modes, but that generally is not how SSL is set up.

If I understand correctly, you are just trying to crack the web server's challenge. I think that what happens with cracking the web server's password is more of an end point dialog between the web server and the client. So if you can establish your SSL session (as if you were browsing the site) and are able to get the prompt for userid and password that the web server presents, you should be in business.

Did I miss it? Do you have to do something extra with the SSL?

If, on the other hand, you are trying to crack the actual SSL session itself... I am not sure, but doesn't that involve cracking RSA or something?

-John

-----Original Message-----
From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf Of Joel Brown
Sent: Friday, April 13, 2001 10:52 AM
To: PEN-TESTat_private
Subject: Re: [PEN-TEST] Web site password guessing over SSL

ssl.cracker.exe at http://neworder.box.sk/search.php3?srch=ssl+brute should work, also check out ObiWan at http://www.phenoelit.de/obiwan/

Joel

>>Our client wants us to try to brute-force one of their public web sites that
>>is password-protected via a form-based login over SSL.
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 07:55:31 PDT