I'm not trying to crack the SSL session itself. I'm just trying to get an idea of the quality of passwords the users are using for that site, but from an external test only.

The web server is not using the typical 'username/password' pop-up box; they're using a dynamically generated form, which has a different URL every time the page is brought up. The user enters their userid and password in the form and clicks on 'submit', which uses the HTTP POST method. The session is SSL-encrypted as well.

The difficulty I am having is that short of writing my own Perl script (which I am desperately trying to avoid... sorry, I don't like coding any more), none of the tools I have found can brute-force a form-based login over SSL. I tried using sslproxy and stunnel on NT/2000, but those ports lack some of the functionality I need. My next step is to try and convince one of my Linux co-workers to run stunnel on their system.

Gerald.

Note: Views expressed in this e-mail do not necessarily represent those of my employer.
Note: Views expressed in this e-mail are not necessarily mine either.

-----Original Message-----
From: John R. Sciandra [mailto:johnrsat_private]
Sent: Tuesday, April 17, 2001 1:37 PM
To: PEN-TESTat_private
Subject: Re: Web site password guessing over SSL

OK, don't flame me for being a bonehead, but let me pose a counter question or two.

I was under the impression that (typically) SSL is run in a mode that only encrypts the transport between the client and server. I think it is possible to use SSL to restrict access to the web server by userid in some modes, but that generally is not how SSL is set up.

If I understand correctly, you are just trying to crack the web server's challenge. I think that what happens with cracking the web server's password is more of an end point dialog between the web server and the client.

So if you can establish your SSL session (as if you were browsing the site) and are able to get the prompt for userid and password that the web server presents, you should be in business. Did I miss it? Do you have to do something extra with the SSL?

If on the other hand you are trying to crack the actual SSL session itself...I am not sure, but doesn't that involve cracking RSA or something?

-John

-----Original Message-----
From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf Of Joel Brown
Sent: Friday, April 13, 2001 10:52 AM
To: PEN-TESTat_private
Subject: Re: [PEN-TEST] Web site password guessing over SSL

ssl.cracker.exe at http://neworder.box.sk/search.php3?srch=ssl+brute should work, also check out ObiWan at http://www.phenoelit.de/obiwan/

Joel

>>Our client wants us to try to brute-force one of their public web sites that
>>is password-protected via a form-based login over SSL.
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 14:16:01 PDT