SSL Scanner

 
 
royend
Guest
Posts: n/a
 
      10-27-2007
I am doing some research for a school project on authentication on the
web and the risk of identity theft. How can unauthorized users misuse
your identity and get access to classified information?

For my research I have tried some programs which stop the TCP-package
with headers like HTTP/1.0 and information about data submitted by a
form e.g. password and username.

I have tried two web scanners:
1. Burpsuite
with which I managed to intercept packages for HTTP 1.0 and hence was able
to read inserted username and password in plaintext. Still it wasn't
able to stop SSL-traffic, although it should be able to when turning
the "Use SSL"-parameter on.
2. Nikto
which is supposed to be a great listener/scanner, but I have not been
able to make it work.

Are there any programs you would recommend which will handle SSL/TLS?
Would for instance a program like Ethereal be able to read packages
using SSL protocols?

Looking forward to your help.

 
 
 
 
 
goarilla
Guest
Posts: n/a
 
      10-27-2007
royend wrote:
> I am doing some research for a school project on authentication on the
> web and the risk of identity theft. How can unauthorized users misuse
> your identity and get access to classified information?
>
> For my research I have tried some programs which stop the TCP-package
> with headers like HTTP/1.0 and information about data submitted by a
> form e.g. password and username.
>
> I have tried two web scanners:
> 1. Burpsuite
> with which I managed to intercept packages for HTTP 1.0 and hence was able
> to read inserted username and password in plaintext. Still it wasn't
> able to stop SSL-traffic, although it should be able to when turning
> the "Use SSL"-parameter on.
> 2. Nikto
> which is supposed to be a great listener/scanner, but I have not been
> able to make it work.
>
> Are there any programs you would recommend which will handle SSL/TLS?
> Would for instance a program like Ethereal be able to read packages
> using SSL protocols?
>
> Looking forward to your help.
>


you want to decipher encrypted connections into plaintext ?
if that's the case ... bugger off
 
 
 
 
 
royend
Guest
Posts: n/a
 
      10-27-2007
On 27 Oct, 18:22, goarilla <"kevin DOT paulus AT skynet DOT be"> wrote:
> royend wrote:
> > I am doing some research for a school project on authentication on the
> > web and the risk of identity theft. How can unauthorized users misuse
> > your identity and get access to classified information?
> >
> > For my research I have tried some programs which stop the TCP-package
> > with headers like HTTP/1.0 and information about data submitted by a
> > form e.g. password and username.
> >
> > I have tried two web scanners:
> > 1. Burpsuite
> > with which I managed to intercept packages for HTTP 1.0 and hence was able
> > to read inserted username and password in plaintext. Still it wasn't
> > able to stop SSL-traffic, although it should be able to when turning
> > the "Use SSL"-parameter on.
> > 2. Nikto
> > which is supposed to be a great listener/scanner, but I have not been
> > able to make it work.
> >
> > Are there any programs you would recommend which will handle SSL/TLS?
> > Would for instance a program like Ethereal be able to read packages
> > using SSL protocols?
> >
> > Looking forward to your help.
>
> you want to decipher encrypted connections into plaintext ?
> if that's the case ... bugger off


Wow...
not the kind of reply I was hoping for.
And no, I don't need a deciphering tool. What I want is a tool which
may scan for packages sent via SSL/TLS, like Burpsuite does with
HTTP1.0. This tool lets me read the headers (also possible to alter
them before sending them to server, but for my purpose it is only
necessary to read). Also, the project focuses on the vulnerability of
the web, and I am hoping to show that even though SSL is implemented
the packages might be vulnerable to a Man-In-The-Middle-Attack (please
correct me if I am wrong), as the packages might be intercepted by an
attacker.

Any advice is appreciated for a tool which might help me prove it.

 
 
Solbu
Guest
Posts: n/a
 
      10-28-2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

royend sent the following transmission through subspace:

> the project focuses on the vulnerability of
> the web, and I am hoping to show that even though SSL is implemented
> the packages might be vulnerable to a Man-In-The-Middle-Attack (please
> correct me if I am wrong), as the packages might be intercepted by an
> attacker.


If someone intercepts the packages using a man-in-the-middle-attack,
the encryption will break, thus alerting the user.

You cannot intercept encrypted packages
without alerting the user that someone _IS_ intercepting them.
Because the certificate will be wrong.

- --
Solbu - http://www.solbu.net
Remove 'ugyldig.' for email
PGP key ID: 0xFA687324
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFHJAbBT1rWTfpocyQRAqGlAKCxkpbRHcfiYKUr10lkzQ 9BBC1siwCg9/fW
ZpxgxPOj+WIKQd7tmRv8fSo=
=wwlT
-----END PGP SIGNATURE-----
 
 
Jim Watt
Guest
Posts: n/a
 
      10-28-2007
On Sat, 27 Oct 2007 08:22:11 -0700, royend <(E-Mail Removed)> wrote:

>Are there any programs you would recommend which will handle SSL/TLS?
>Would for instance a program like Ethereal be able to read packages
>using SSL protocols?


Part of the reason that SSL is encrypted is to stop
people doing what you propose.

So the quick answer is no you can't.
--
Jim Watt
http://www.gibnet.com
 
 
royend
Guest
Posts: n/a
 
      10-28-2007
On 28 Oct, 04:49, Solbu <(E-Mail Removed)> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> royend sent the following transmission through subspace:
>
> > the project focuses on the vulnerability of
> > the web, and I am hoping to show that even though SSL is implemented
> > the packages might be vulnerable to a Man-In-The-Middle-Attack (please
> > correct me if I am wrong), as the packages might be intercepted by an
> > attacker.
>
> If someone intercepts the packages using a man-in-the-middle-attack,
> the encryption will break, thus alerting the user.
>
> You cannot intercept encrypted packages
> without alerting the user that someone _IS_ intercepting them.
> Because the certificate will be wrong.
>
> - --
> Solbu - http://www.solbu.net
> Remove 'ugyldig.' for email
> PGP key ID: 0xFA687324
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
>
> iD8DBQFHJAbBT1rWTfpocyQRAqGlAKCxkpbRHcfiYKUr10lkzQ 9BBC1siwCg9/fW
> ZpxgxPOj+WIKQd7tmRv8fSo=
> =wwlT
> -----END PGP SIGNATURE-----



On 28 Oct, 11:29, Jim Watt <(E-Mail Removed)_way> wrote:
> On Sat, 27 Oct 2007 08:22:11 -0700, royend <(E-Mail Removed)> wrote:
> >Are there any programs you would recommend which will handle SSL/TLS?
> >Would for instance a program like Ethereal be able to read packages
> >using SSL protocols?
>
> Explanation why it can't be done...
> --
> Jim Watt http://www.gibnet.com


That is what I thought (and hoped for...).
Can the packages be saved when intercepted and without changing the
package be used in a replay attack?

royend.

 
 
goarilla
Guest
Posts: n/a
 
      10-28-2007
royend wrote:
> On 28 Oct, 04:49, Solbu <(E-Mail Removed)> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> royend sent the following transmission through subspace:
>>
>>> the project focuses on the vulnerability of
>>> the web, and I am hoping to show that even though SSL is implemented
>>> the packages might be vulnerable to a Man-In-The-Middle-Attack (please
>>> correct me if I am wrong), as the packages might be intercepted by an
>>> attacker.
>>
>> If someone intercepts the packages using a man-in-the-middle-attack,
>> the encryption will break, thus alerting the user.
>>
>> You cannot intercept encrypted packages
>> without alerting the user that someone _IS_ intercepting them.
>> Because the certificate will be wrong.
>>
>> - --
>> Solbu - http://www.solbu.net
>> Remove 'ugyldig.' for email
>> PGP key ID: 0xFA687324
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.2 (GNU/Linux)
>>
>> iD8DBQFHJAbBT1rWTfpocyQRAqGlAKCxkpbRHcfiYKUr10lkzQ 9BBC1siwCg9/fW
>> ZpxgxPOj+WIKQd7tmRv8fSo=
>> =wwlT
>> -----END PGP SIGNATURE-----
>
>
> On 28 Oct, 11:29, Jim Watt <(E-Mail Removed)_way> wrote:
>> On Sat, 27 Oct 2007 08:22:11 -0700, royend <(E-Mail Removed)> wrote:
>>> Are there any programs you would recommend which will handle SSL/TLS?
>>> Would for instance a program like Ethereal be able to read packages
>>> using SSL protocols?
>>
>> Explanation why it can't be done...
>> --
>> Jim Watt http://www.gibnet.com
>
> That is what I thought (and hoped for...).
> Can the packages be saved when intercepted and without changing the
> package be used in a replay attack?
>
> royend.
>

:%s/package/packet/g

i'm sorry in my native language 'pakket' has both meanings as well but still
i know the difference and the appropriate term when using them in english
 
 
Ari
Guest
Posts: n/a
 
      10-28-2007
On Sat, 27 Oct 2007 08:22:11 -0700, royend wrote:

> Are there any programs you would recommend which will handle SSL/TLS?
> Would for instance a program like Ethereal be able to read packages
> using SSL protocols?


Read (view) or decrypt?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
 
 
royend
Guest
Posts: n/a
 
      10-30-2007
On 28 Oct, 22:00, Ari <(E-Mail Removed)> wrote:
> On Sat, 27 Oct 2007 08:22:11 -0700, royend wrote:
> > Are there any programs you would recommend which will handle SSL/TLS?
> > Would for instance a program like Ethereal be able to read packages
> > using SSL protocols?
>
> Read (view) or decrypt?
> --
> "You can't trust code that you did not totally create yourself"
> Ken Thompson "Reflections on Trusting Trust"
> http://www.acm.org/classics/sep95/


Basically read (view).
I guess the decryption would depend on what kind of encryption is
used, which is decided in the SSL handshake? Is it possible to somehow
decide what kind of encryption is used by viewing the encrypted text?

Also, thanks to everyone for their contribution to this thread!

 
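On the question above of viewing versus decrypting: the cipher suite is chosen in the ServerHello, which crosses the wire unencrypted, so a passive viewer can read the record headers and the negotiated suite while application data stays opaque. The following is an added example, not part of any post in this thread; the sample bytes are constructed, the suite table is a small excerpt of the IANA registry, and all function names are illustrative.

```python
# Excerpt of the IANA cipher-suite registry (not exhaustive).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}

def iter_records(stream):
    """Yield (content_type, payload) for each record in a captured byte stream."""
    pos = 0
    while pos < len(stream):
        # Record header: type(1) version(2) length(2), all sent in the clear.
        end = pos + 5 + int.from_bytes(stream[pos + 3:pos + 5], "big")
        if pos + 5 > len(stream) or end > len(stream):
            raise ValueError("truncated record at offset %d" % pos)
        yield stream[pos], stream[pos + 5:end]
        pos = end

def parse_server_hello(msg):
    """Return (protocol version, cipher suite) from a cleartext ServerHello."""
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 35 or len(body) < 35 + body[34] + 3:
        raise ValueError("malformed ServerHello")
    off = 35 + body[34]  # skip version(2), random(32), session_id(1 + n)
    version = int.from_bytes(body[:2], "big")
    suite = int.from_bytes(body[off:off + 2], "big")
    return (VERSIONS.get(version, hex(version)),
            CIPHER_SUITES.get(suite, "unknown 0x%04X" % suite))

def view(stream):
    """List what a passive observer can read from each record."""
    seen = []
    for ctype, payload in iter_records(stream):
        name = CONTENT_TYPES.get(ctype, "unknown")
        # Handshake type 2 = ServerHello (records after change_cipher_spec
        # are encrypted and are not handled here).
        if ctype == 22 and payload[:1] == b"\x02":
            seen.append((name, "ServerHello") + parse_server_hello(payload))
        else:
            seen.append((name, "%d opaque bytes" % len(payload)))
    return seen

# Constructed sample: a TLS 1.0 ServerHello, then one application-data record.
def make_record(ctype, payload):
    return bytes([ctype]) + b"\x03\x01" + len(payload).to_bytes(2, "big") + payload
BODY = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
HELLO = b"\x02" + len(BODY).to_bytes(3, "big") + BODY
SAMPLE = make_record(22, HELLO) + make_record(23, bytes(range(48)))
if __name__ == "__main__":
    print(view(SAMPLE))
```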
 
Jim Watt
Guest
Posts: n/a
 
      10-30-2007
On Tue, 30 Oct 2007 00:09:20 -0000, royend <(E-Mail Removed)> wrote:

>On 28 Oct, 22:00, Ari <(E-Mail Removed)> wrote:
>> On Sat, 27 Oct 2007 08:22:11 -0700, royend wrote:
>> > Are there any programs you would recommend which will handle SSL/TLS?
>> > Would for instance a program like Ethereal be able to read packages
>> > using SSL protocols?
>>
>> Read (view) or decrypt?
>> --
>> "You can't trust code that you did not totally create yourself"
>> Ken Thompson "Reflections on Trusting Trust"
>> http://www.acm.org/classics/sep95/
>
>Basically read (view).
>I guess the decryption would depend on what kind of encryption is
>used, which is decided in the SSL handshake? Is it possible to somehow
>decide what kind of encryption is used by viewing the encrypted text?
>
>Also, thanks to everyone for their contribution to this thread!


If it was easy then there would be no point in using it.

The scheme is designed to keep hackers out.

Read the SSL specifications and see.
--
Jim Watt
http://www.gibnet.com
 
 
 
 