Re: [PEN-TEST] Web site password guessing over SSL

From: Batten, Gerald (GBattenat_private)
Date: Tue Apr 17 2001 - 08:15:02 PDT


    I'm not trying to crack the SSL session itself.  I'm just trying to get an
    idea of the quality of passwords the users are using for that site, but from
    an external test only.
    
    The web server is not using the typical 'username/password' pop-up box,
    they're using a dynamically generated form, which has a different URL every
    time the page is brought up.  The user enters their userid and password in
    the form and clicks on 'submit' which uses the HTTP POST method.  The
    session is SSL-encrypted as well.  The difficulty I am having is that short
    of writing my own perl script (which I am desperately trying to avoid...
    sorry, I don't like coding any more), none of the tools I have found can
    brute-force a form-based login over SSL.  I tried using sslproxy and stunnel
    on NT/2000, but those ports lack some of the functionality I need.  My next
    step is to try and convince one of my Linux co-workers to run stunnel on
    their system.
    
    Gerald.
    
    Note:  Views expressed in this e-mail do not necessarily represent those of
    my employer.
    Note:  Views expressed in this e-mail are not necessarily mine either.
    
    -----Original Message-----
    From: John R. Sciandra [mailto:johnrsat_private]
    Sent: Tuesday, April 17, 2001 1:37 PM
    To: PEN-TESTat_private
    Subject: Re: Web site password guessing over SSL
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Ok don't flame for being a bone head but let me pose a counter
    question or two.
    
    I was under the impression that (typically) SSL is run in a mode that
    only encrypts the transport between the client and server.  I think it
    is possible to use SSL to restrict access to the web server by userid
    in some modes but that generally is not how SSL is set up.
    
    If I understand correctly you are just trying to crack the web server's
    challenge. I think that what happens with cracking the web server's
    password is more of an end point dialog between the web server and the
    client.  So if you can establish your SSL session (as if you were
    browsing the site) and are able to get the prompt for userid and
    password that the web server presents, you should be in business. Did
    I miss it? Do you have to do something extra with the SSL?
    
    If on the other hand you are trying to crack the actual SSL session
    itself...I am not sure but doesn't that involve cracking RSA or
    something?
    
    - -John
    
    - -----Original Message-----
    From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
    Of Joel Brown
    Sent: Friday, April 13, 2001 10:52 AM
    To: PEN-TESTat_private
    Subject: Re: [PEN-TEST] Web site password guessing over SSL
    
    
    ssl.cracker.exe at
    http://neworder.box.sk/search.php3?srch=ssl+brute should work,
    also check out ObiWan at
    http://www.phenoelit.de/obiwan/
    
    Joel
    
    >>Our client wants us to try to brute-force one of their public web sites
    >>that is password-protected via a form-based login over SSL.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP for Personal Privacy 5.5.5
    
    iQA/AwUBOtx/NX0lZ+LOrv8nEQJYcgCfX66o15M5e6q5dKMIz9Wb89qOszYAoJVa
    7wsHwn7aq3oCpCSE87BnrXXn
    =jTZ8
    -----END PGP SIGNATURE-----
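The thread above makes the point that SSL only protects the transport, so a form-based login is just as exposed to password guessing as a pop-up box, and that the form URL changes on every page load. The script below is an added example for the server-side view of the same problem; it is not code from the list or from any poster. It scans Apache/nginx combined-format access log lines and flags source addresses that produce many failed login POSTs in a short window. Everything about the application is assumed for illustration: the login handler lives under `/login/` with a per-page token after it, a wrong password is answered with 401 and a good one with a 302, and the log lines are constructed, not real traffic. Because the form URL is different each time, the detector keys on the request method, the handler prefix and the status code rather than on one fixed path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed application behaviour (not stated in the thread): every login form
# posts to a URL under LOGIN_PREFIX (the token after it changes per page load,
# as the thread describes), a bad password gets a 401, a good one a 302.
LOGIN_PREFIX = "/login/"
FAILED_STATUS = 401


def parse_line(line):
    """Return a dict of the fields we use, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A failed login is a POST to the login handler answered with FAILED_STATUS,
    whatever the per-page token in the path happens to be."""
    return (rec["method"] == "POST"
            and rec["path"].startswith(LOGIN_PREFIX)
            and rec["status"] == FAILED_STATUS)


def find_password_guessing(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP to its peak number of failed login POSTs inside any
    sliding `window`; only IPs at or above `threshold` are returned."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it lies within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one client hammers the login handler (different form
# token on each POST); another mistypes once and then logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2001:08:15:02 -0700] "POST /login/f3a9c1 HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Apr/2001:08:15:05 -0700] "POST /login/0b77de HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Apr/2001:08:15:08 -0700] "POST /login/9e12aa HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Apr/2001:08:15:11 -0700] "POST /login/4c5d61 HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Apr/2001:08:15:14 -0700] "POST /login/ab03f0 HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Apr/2001:08:15:17 -0700] "POST /login/77e2b9 HTTP/1.1" 401 512 "-" "Mozilla/4.0"
198.51.100.20 - - [17/Apr/2001:08:16:00 -0700] "GET /login/c0ffee HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
198.51.100.20 - - [17/Apr/2001:08:16:09 -0700] "POST /login/c0ffee HTTP/1.1" 401 512 "-" "Mozilla/4.0"
198.51.100.20 - - [17/Apr/2001:08:16:20 -0700] "POST /login/d1c3e5 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_password_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login POSTs within one minute")
```

Run against the constructed sample it reports only 203.0.113.7 with six failures; the second client's single mistake stays below the threshold. The same sliding-window count is the basis for a lockout or rate-limit rule, and it works without TLS decryption because the application server, not the network, is where the failures are visible.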
    



    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 14:16:01 PDT