Usage Of Paros & Charles For SSL Debugging
Slide 1: Usage of Paros, Charles for SSL Debugging
Pradeep Patel
Slide 2: Agenda

► Setting the expectation
► Introduction to SSL handshake
► Man in the middle attack
► Live demo on breaking SSL
► How to set up Paros / Charles
► Usage scenario of Paros
Slide 3: Setting the expectation

► Areas that will not be covered:
  - Public key and symmetric key cryptography
  - Digital certificates
► Areas that will be covered:
  - Man in the middle attack to view Secure Socket Layer (SSL) contents as plain text
  - How to set up Paros and Charles
  - How these tools are useful
Slide 4: SSL Handshake Protocol – overview

Client -> Server: client_hello
Server -> Client: server_hello, certificate, server_key_exchange, certificate_request, server_hello_done
Client -> Server: certificate, client_key_exchange, certificate_verify, change_cipher_spec, finished
Server -> Client: change_cipher_spec, finished

Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers.
Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
Phase 4: Change cipher spec and finish handshake.
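Added example (not part of the original slides): a small Python parser for the first message of Phase 1, the ClientHello. Everything it extracts (protocol version, client random, session ID, offered cipher suites, and the SNI host name) travels in the clear, which is exactly what an intercepting proxy such as Paros sees before any key material is exchanged. The `build_client_hello` helper and the sample record are constructed here for the demonstration, not captured traffic; the cipher-suite names come from the IANA TLS registry.

```python
import os
import struct

# Cipher-suite codes from the IANA TLS registry (a small subset, for display only).
CIPHER_SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(server_name, cipher_suites, session_id=b"", client_random=None):
    """Constructed sample: serialise a TLS 1.2 ClientHello that carries an SNI extension."""
    client_random = client_random or os.urandom(32)
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03" + client_random                                    # client_version TLS 1.2, 32-byte random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                                  # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22, legacy version 3.1


def parse_client_hello(record):
    """Parse one TLS record holding a ClientHello; raises on malformed or truncated input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                                                 # version + random + session_id length
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack("!H", body[0:2]); pos = 2
    client_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    cm_len = body[pos]; pos += 1
    compression = list(body[pos:pos + cm_len]); pos += cm_len
    server_name = None
    if pos + 2 <= len(body):                                           # the extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0x0000 and len(edata) >= 5:                    # server_name: list length, then entries
                (list_len,) = struct.unpack("!H", edata[0:2])
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = edata[p]
                    (nlen,) = struct.unpack("!H", edata[p + 1:p + 3]); p += 3
                    if ntype == 0:
                        server_name = edata[p:p + nlen].decode("ascii", "replace")
                    p += nlen
    return {
        "version": version,
        "client_random": client_random,
        "session_id": session_id,
        "cipher_suites": [CIPHER_SUITE_NAMES.get(s, "0x%04X" % s) for s in suites],
        "compression_methods": compression,
        "server_name": server_name,
    }


if __name__ == "__main__":
    sample = build_client_hello("xyz.com", [0xC02F, 0x002F], client_random=bytes(range(32)))
    for k, v in parse_client_hello(sample).items():
        print(k, v)
```

The record header carries version 3.1 while the handshake body says 3.3; that mismatch is normal for TLS 1.2 clients and the parser reads both separately. Because nothing in this message is encrypted or authenticated yet, a proxy sitting between client and server can read the SNI name and cipher-suite list, and it is free to start its own handshake with the real server using them.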
Slide 5: Man in the middle (MITM) to view SSL contents

Client <-> Attacker <-> Server

The attacker:
► Emulates server when talking to client
► Emulates client when talking to server
► Passes through most messages as-is
► Substitutes own public key for client's and server's
► Records secret data, or modifies data to cause damage
Slide 6: Man in the middle (MITM) to view SSL contents

► Modification of the public key exchanged by server and client (e.g. SSH1).

Diagram (reconstructed from the slide; columns Server, MITM, Client):
- start: the server sends its RSA public key KEY(rsa); the MITM forwards its own KEY1(rsa) to the client in its place.
- The client encrypts the session key S-KEY under the key it received, Ekey[S-Key]; the MITM decrypts it, learns S-KEY, and re-encrypts it for the server, so all three parties now hold S-KEY.
- A message M is sent as Eskey(M); both the MITM and the server compute D(E(M)) and read M.
Slide 7: Setup: Paros

Slide 8: Setup: Paros - outgoing proxy

Slide 9: Setup: Paros - local proxy

Slide 10: Client accessing secure website (https)

► Let's consider the example of accessing any secure website like xyz.com
Slide 11: Client gets a warning (the browser warns because the certificate Paros presents for xyz.com is not issued by a CA the browser trusts)

Slide 12: On Paros: HTTP request

Slide 13: On Paros: HTTP response

Slide 14: Entering user name and password on the secure site

Slide 15: Paros shows the password in plain text

Slide 16: Paros: session contents can be modified by using trap
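Added example (not part of the original slides, and not Paros or Charles code): a minimal intercepting proxy in Python that does what slides 5 and 6 describe and what slide 16 shows, over loopback sockets so it runs offline. It terminates the client connection, logs the request, optionally passes it through a trap function that rewrites it, re-originates the connection to the server, and relays the response. Plain TCP stands in for the two TLS legs; real tools do the same relay but speak TLS on each side, presenting their own certificate to the client (the warning on slide 11) and acting as an ordinary client to the server. The stand-in server, the login request and the `change_password_field` trap are constructed for the demonstration.

```python
import socket
import threading


def recv_until_close(sock):
    """Read everything the peer sends until it half-closes its side of the connection."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def listening_socket():
    """Loopback listener on an ephemeral port; the port is read back with getsockname()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def serve_one_request(listen_sock, received):
    """Stand-in for the real web server: record the request it saw and answer it."""
    conn, _ = listen_sock.accept()
    with conn:
        received.append(recv_until_close(conn))
        conn.sendall(b"HTTP/1.1 200 OK\r\n\r\nwelcome")
    listen_sock.close()


def relay_one_request(listen_sock, upstream, log, trap=None):
    """Intercepting proxy: terminate the client, apply the trap, re-originate to the server."""
    conn, _ = listen_sock.accept()
    with conn:
        request = recv_until_close(conn)
        log.append(("request-from-client", request))      # what Paros shows on slide 15
        if trap is not None:
            request = trap(request)                        # what the trap on slide 16 allows
            log.append(("request-to-server", request))
        with socket.create_connection(upstream) as up:     # proxy is an ordinary client to the server
            up.sendall(request)
            up.shutdown(socket.SHUT_WR)
            response = recv_until_close(up)
        log.append(("response", response))
        conn.sendall(response)                             # proxy is the server as far as the client knows
    listen_sock.close()


def change_password_field(request):
    """Example trap: rewrite the submitted password (same length, so Content-Length stays valid)."""
    return request.replace(b"password=s3cret", b"password=redact")


# Constructed sample request, modelled on the login form of slide 14.
LOGIN_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: xyz.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 26\r\n\r\n"
    b"user=alice&password=s3cret"
)


def run_scenario(request, trap=None):
    """Client -> proxy -> server on loopback; returns what each party saw."""
    server_sock, proxy_sock = listening_socket(), listening_socket()
    server_saw, proxy_log = [], []
    t_server = threading.Thread(target=serve_one_request, args=(server_sock, server_saw))
    t_proxy = threading.Thread(target=relay_one_request,
                               args=(proxy_sock, server_sock.getsockname(), proxy_log, trap))
    t_server.start()
    t_proxy.start()
    with socket.create_connection(proxy_sock.getsockname()) as client:  # browser pointed at the proxy
        client.sendall(request)
        client.shutdown(socket.SHUT_WR)
        response = recv_until_close(client)
    t_server.join()
    t_proxy.join()
    return {"client_got": response, "server_saw": server_saw[0], "proxy_log": proxy_log}


if __name__ == "__main__":
    result = run_scenario(LOGIN_REQUEST, trap=change_password_field)
    for label, data in result["proxy_log"]:
        print(label, data)
    print("server received:", result["server_saw"])
```

The client never talks to the server directly, so nothing on the client side can tell that the request was logged or altered; only the certificate check on the first leg can. A trap that changes the body length must also fix Content-Length, which the sample avoids by keeping the replacement the same size.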
Slide 17: Setup: Charles

Start Charles. Set the proxy server in the browser (the address is the IP address of the machine running the proxy, and the port number as configured). If you are running the client and Charles on the same machine, no changes are needed.
Slide 18: Why use Paros/Charles

► Not for hacking. Hacking is a crime (http://www.cybercellmumbai.com). Running a proxy on the blue network is against BCG.
► Debugging/development of applications using SSL: viewing any communication happening between SP and Agent.
► Testing of SSL applications by introducing traps and filters and changing the contents.
Slide 19: Questions

FYI: Most of the answers are available on www.google.com
Slide 20: References

► Paros - http://www.parosproxy.org/index.shtml
► Charles - http://www.charlesproxy.com/download.php
Slide 21: Thank You