Usage Of Paros & Charles For SSL Debugging

Usage of Paros, Charles for SSL Debugging, by Pradeep Patel

description

With Charles and Paros, SSL debugging is simple. Try this.

Transcript of Usage Of Paros & Charles For SSL Debugging

Page 1: Usage Of Paros & Charles For SSL Debugging

Usage of Paros, Charles for SSL Debugging

Pradeep Patel

Page 2

Agenda

Setting the expectation

Introduction to SSL handshake

Man in the middle attack

Live demo on breaking SSL

How to set up Paros/Charles

Usage scenario of Paros

Page 3

Setting the expectation

► Areas that will not be covered are: public key & symmetric key cryptography; digital certificates.

► Areas that will be covered are: man in the middle attack to view Secure Socket Layer (SSL) contents as plain text; how to set up Paros & Charles; how these tools are useful.

Page 4

SSL Handshake Protocol: overview

Messages exchanged between client and server, in the order the slide lists them:

client_hello

server_hello

certificate

server_key_exchange

certificate_request

server_hello_done

certificate

client_key_exchange

certificate_verify

change_cipher_spec

finished

change_cipher_spec

finished

Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers (client_hello, server_hello).

Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase (certificate, server_key_exchange, certificate_request, server_hello_done).

Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message (certificate, client_key_exchange, certificate_verify).

Phase 4: Change cipher spec and finish handshake (change_cipher_spec and finished from each side).
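The four phases above can be checked mechanically, which is handy when reading a captured handshake in a proxy log. The following script is an added example, not part of the slides and not code from Paros or Charles: it encodes the slide's message order, marks the messages the phase descriptions call optional, and validates a handshake transcript against it, reporting where a transcript deviates. The EXPECTED and OPTIONAL tables, the function names and the sample transcripts are this example's own constructions.

```python
# Added example: a message-order checker for the four-phase SSL handshake
# shown on the slide. Message names and phases follow the slide; the
# EXPECTED/OPTIONAL tables and check_handshake() are this example's own.

# (sender, message, phase) in the order the slide lists them.
EXPECTED = [
    ("client", "client_hello", 1),
    ("server", "server_hello", 1),
    ("server", "certificate", 2),           # "server may send its certificate"
    ("server", "server_key_exchange", 2),   # optional key exchange message
    ("server", "certificate_request", 2),   # "may request the client to send a certificate"
    ("server", "server_hello_done", 2),     # "server signals end of hello phase"
    ("client", "certificate", 3),           # only if requested
    ("client", "client_key_exchange", 3),   # "client always sends its key exchange message"
    ("client", "certificate_verify", 3),    # optional explicit verification
    ("client", "change_cipher_spec", 4),
    ("client", "finished", 4),
    ("server", "change_cipher_spec", 4),
    ("server", "finished", 4),
]

# Messages a transcript may legitimately omit.
OPTIONAL = {
    ("server", "certificate"),
    ("server", "server_key_exchange"),
    ("server", "certificate_request"),
    ("client", "certificate"),
    ("client", "certificate_verify"),
}


def check_handshake(transcript):
    """Validate a list of (sender, message) pairs against EXPECTED.

    Returns (ok, detail). Optional messages may be skipped, but a client
    certificate becomes mandatory once the server sent certificate_request.
    """
    i = 0
    client_cert_requested = False
    for pos, (sender, msg) in enumerate(transcript):
        # Skip expected-but-optional messages this transcript left out.
        while (i < len(EXPECTED) and EXPECTED[i][:2] != (sender, msg)
               and EXPECTED[i][:2] in OPTIONAL):
            if EXPECTED[i][:2] == ("client", "certificate") and client_cert_requested:
                return False, "server requested a client certificate but none was sent"
            i += 1
        if i >= len(EXPECTED) or EXPECTED[i][:2] != (sender, msg):
            return False, f"unexpected {msg} from {sender} at position {pos}"
        if (sender, msg) == ("server", "certificate_request"):
            client_cert_requested = True
        i += 1
    # Anything still expected must be optional, otherwise the handshake is incomplete.
    for exp_sender, exp_msg, phase in EXPECTED[i:]:
        if (exp_sender, exp_msg) not in OPTIONAL:
            return False, f"incomplete: missing {exp_msg} from {exp_sender} (phase {phase})"
    return True, "complete handshake"


def phase_of(sender, msg):
    """Return the slide's phase number for a message, or None if unknown."""
    for exp_sender, exp_msg, phase in EXPECTED:
        if (exp_sender, exp_msg) == (sender, msg):
            return phase
    return None


# Constructed sample transcripts (not captured from a real session).
SERVER_AUTH_ONLY = [
    ("client", "client_hello"), ("server", "server_hello"),
    ("server", "certificate"), ("server", "server_hello_done"),
    ("client", "client_key_exchange"),
    ("client", "change_cipher_spec"), ("client", "finished"),
    ("server", "change_cipher_spec"), ("server", "finished"),
]
MUTUAL_AUTH = [
    ("client", "client_hello"), ("server", "server_hello"),
    ("server", "certificate"), ("server", "certificate_request"),
    ("server", "server_hello_done"),
    ("client", "certificate"), ("client", "client_key_exchange"),
    ("client", "certificate_verify"),
    ("client", "change_cipher_spec"), ("client", "finished"),
    ("server", "change_cipher_spec"), ("server", "finished"),
]
# Client certificate requested but not supplied.
MISSING_CLIENT_CERT = MUTUAL_AUTH[:5] + MUTUAL_AUTH[6:]
# client_key_exchange sent before the server finished its hello phase.
OUT_OF_ORDER = SERVER_AUTH_ONLY[:3] + [("client", "client_key_exchange")]

if __name__ == "__main__":
    for name, t in [("server-auth", SERVER_AUTH_ONLY), ("mutual", MUTUAL_AUTH),
                    ("missing-cert", MISSING_CLIENT_CERT), ("out-of-order", OUT_OF_ORDER)]:
        print(name, check_handshake(t))
```

The checker walks the slide's table once, so a transcript that omits optional messages still passes, while one that skips server_hello_done or answers a certificate_request with no certificate is flagged with the phase where it went wrong.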

Page 5

Man in the middle (MITM) to view SSL contents

Diagram: Client, Attacker, Server. The attacker:

Emulates server when talking to client

Emulates client when talking to server

Passes through most messages as-is

Substitutes own public key for client's and server's

Records secret data, or modifies data to cause damage

Page 6

Man in the middle (MITM) to view SSL contents

► Modification of the public key exchanged by server and client (e.g. SSH1).

Diagram (Server, MITM, Client), labels as on the slide: start; server's KEY (rsa) and the MITM's KEY1 (rsa); Ekey[S-Key] on each leg; S-KEY held by server, MITM and client; message M sent as Eskey(M); D(E(M)) recovered at the MITM and at the server.
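The key-substitution flow on this slide, and the client-side check that stops it, can be modelled in a few lines. The script below is an added example, not from the slides and not how Paros or Charles are implemented: a toy RSA key exchange with textbook-sized primes, run once unauthenticated, where the MITM's KEY1 replaces the server's KEY and the MITM ends up holding S-KEY alongside both endpoints, and once with the client pinning the fingerprint of the server's genuine public key, which is the role certificate validation plays in a real client (the browser warning on a later slide). The primes, the session-key value and the function names are constructed for illustration.

```python
# Added example, not from the slides: toy model of the key-substitution MITM
# on this slide plus the client-side check that defeats it. Textbook RSA with
# tiny primes; every value below is constructed for illustration only.
import hashlib


def rsa_keygen(p, q, e=17):
    """Textbook RSA key pair from two small primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def fingerprint(pub):
    """SHA-256 over the public key, standing in for a certificate fingerprint."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


# KEY (the server's genuine key) and KEY1 (the MITM's substitute), as on the slide.
SERVER_PUB, SERVER_PRIV = rsa_keygen(61, 53)
MITM_PUB, MITM_PRIV = rsa_keygen(67, 71)


def exchange(s_key, mitm_present, pinned_fingerprint=None):
    """Run the slide's exchange: the client encrypts S-KEY under the key it is shown.

    Returns a dict with each party's view of S-KEY (None if it never learnt it),
    or {"aborted": reason} if the client refused the offered key.
    """
    # Step 1: the client sees KEY1 instead of KEY when a MITM sits in the path.
    offered_pub = MITM_PUB if mitm_present else SERVER_PUB

    # Step 2: a client that validates/pins the server key rejects a substitute.
    if pinned_fingerprint is not None and fingerprint(offered_pub) != pinned_fingerprint:
        return {"aborted": "offered public key does not match the pinned server key"}

    # Step 3: Ekey[S-Key]; the client encrypts S-KEY under whatever key it accepted.
    ciphertext = rsa_encrypt(offered_pub, s_key)

    mitm_view = None
    if mitm_present:
        # Step 4: the MITM decrypts with KEY1's private half, then re-encrypts
        # under KEY so the server receives a normal-looking Ekey[S-Key].
        mitm_view = rsa_decrypt(MITM_PRIV, ciphertext)
        ciphertext = rsa_encrypt(SERVER_PUB, mitm_view)

    server_view = rsa_decrypt(SERVER_PRIV, ciphertext)
    return {"client": s_key, "mitm": mitm_view, "server": server_view}


if __name__ == "__main__":
    S_KEY = 1234  # constructed session key; must be below both moduli
    print("unauthenticated:", exchange(S_KEY, mitm_present=True))
    print("pinned, MITM present:", exchange(S_KEY, True, fingerprint(SERVER_PUB)))
    print("pinned, direct:", exchange(S_KEY, False, fingerprint(SERVER_PUB)))
```

In the unauthenticated run all three parties print the same S-KEY, which is exactly the "S-KEY S-KEY S-KEY" row of the diagram; with the fingerprint pinned the client aborts before sending anything, and only a direct connection to the genuine key completes. Paros and Charles rely on the client accepting their substitute key, which is why the demo needs the browser warning to be clicked through or the proxy's CA to be installed.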

Page 7

Setup: Paros

Page 8

Setup: Paros - outgoing proxy

Page 9

Setup: Paros - local proxy

Page 10

Client accessing secure website (https)

► Let's consider the example of accessing any secure website like xyz.com

Page 11

Client gets a warning

Page 12

On Paros: HTTP request

Page 13

On Paros: HTTP response

Page 14

Entering user name and password on secure site

Page 15

Paros shows password in plain text

Page 16

Paros: session contents can be modified by using trap

Page 17

Setup: Charles

Start Charles. Set the proxy server in the browser (the address is the IP address of the machine running Paros, and the port number as configured). If you are running the client and Charles on the same machine, no changes are needed.

Page 18

Why to use Paros/Charles

► Not for hacking. Hacking is a crime (http://www.cybercellmumbai.com). Running a proxy on the blue network is against BCG.

► Debugging/development of applications using SSL: viewing any communication happening between SP and Agent.

► Testing of SSL applications by introducing traps & filters and changing the contents.

Page 19

Questions

FYI: Most of the answers are available on www.google.com

Page 20

References

► Paros - http://www.parosproxy.org/index.shtml

► Charles - http://www.charlesproxy.com/download.php

Page 21

Thank You