Re: [PEN-TEST] Web site password guessing over SSL

From: John R. Sciandra (johnrsat_private)
Date: Tue Apr 17 2001 - 10:37:27 PDT

  • Next message: Lluis Mora: "Re: [PEN-TEST] linux iptables ftp port command -- demo tool"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Ok don't flame for being a bone head but let me pose a counter
    question or two.
    
    I was under the impression that (typically) SSL is run a mode that
    only encrypts the transport between the client and server.  I think it
    is possible to use SSL to restrict access to the web server by userid
    in some modes but that generally is not how SSL is setup.
    
    If I understand correctly you are just trying to crack the web servers
    challenge. I think that what happens with cracking the web servers
    password is more of an end point dialog between the web server and the
    client.  So if you can establish your SSL session (as if you were
    browsing the site) and are able to get the prompt for userid and
    password that the web server presents, you should be in business. Did
    I miss it? Do you have to do something extra with the SSL?
    
    If on the other hand you are trying to crack the actual SSL session
    itself...I am not sure but doesn't that involve cracking RSA or
    something?
    
    - -John
    
    - -----Original Message-----
    From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
    Of Joel Brown
    Sent: Friday, April 13, 2001 10:52 AM
    To: PEN-TESTat_private
    Subject: Re: [PEN-TEST] Web site password guessing over SSL
    
    
    ssl.cracker.exe at
    http://neworder.box.sk/search.php3?srch=ssl+brute should work,
    also check out ObiWan at
    http://www.phenoelit.de/obiwan/
    
    Joel
    
    >>Our client wants us to try to brute-force one of their public web
    sites
    that
    >>is password-protected via a form-based login over SSL.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP for Personal Privacy 5.5.5
    
    iQA/AwUBOtx/NX0lZ+LOrv8nEQJYcgCfX66o15M5e6q5dKMIz9Wb89qOszYAoJVa
    7wsHwn7aq3oCpCSE87BnrXXn
    =jTZ8
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 07:55:31 PDT