Usage Of Paros & Charles For SSL Debugging
![Page 1: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/1.jpg)
Usage of Paros, Charles for SSL Debugging
Pradeep Patel
![Page 2: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/2.jpg)
Agenda
Setting the expectation
Introduction to SSL handshake
Man in the middle attack
Live demo on breaking SSL
How to set up Paros / Charles
Usage scenario of Paros
![Page 3: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/3.jpg)
Setting the expectation
► Areas that will not be covered: public key & symmetric key cryptography; digital certificates.
► Areas that will be covered: a man in the middle attack to view Secure Sockets Layer (SSL) contents as plain text; how to set up Paros & Charles; how these tools are useful.
![Page 4: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/4.jpg)
SSL Handshake Protocol – overview

Client → Server: client_hello
Server → Client: server_hello, certificate, server_key_exchange, certificate_request, server_hello_done
Client → Server: certificate, client_key_exchange, certificate_verify, change_cipher_spec, finished
Server → Client: change_cipher_spec, finished

Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers.
Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
Phase 4: Change cipher spec and finish handshake. (change_cipher_spec is carried as its own record type rather than as a handshake message; it is shown in sequence here.)

The certificate in Phase 2 is the only thing that binds the server's public key to its name. The man in the middle on the following slides works by replacing exactly that binding, which is why the client's certificate check is what decides whether the attack is visible.
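To make Phase 1 concrete, here is an added example (written for this page, not code from the slides or from the Paros/Charles projects) that serialises a minimal ClientHello into a TLS record and parses it back out. The client random, the cipher-suite list and the server name `xyz.com` are constructed sample values; a proxy such as Paros sees exactly these fields before it answers with its own certificate.

```python
import struct

# IANA cipher-suite names for the code points used in the constructed sample.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
HANDSHAKE = 0x16          # record-layer ContentType for handshake messages
CLIENT_HELLO = 0x01       # HandshakeType client_hello
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension


def build_client_hello(server_name: str, cipher_suites, client_random: bytes) -> bytes:
    """Serialise a minimal ClientHello (one SNI extension) inside a TLS record."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    name = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name           # NameType host_name = 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        struct.pack("!H", 0x0303)                      # client_version as encoded for TLS 1.2
        + client_random                                # Phase 1: initial random number
        + struct.pack("!B", 0)                         # empty session_id: new session
        + struct.pack("!H", len(suites)) + suites      # Phase 1: offered algorithms
        + struct.pack("!BB", 1, 0)                     # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Decode a ClientHello record; raises ValueError/struct.error on malformed input."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _rec_ver, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if len(hs) != rlen or len(hs) < 4:
        raise ValueError("truncated record")
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated handshake body")
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    client_random = body[pos:pos + 32]
    pos += 32
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    sni = None
    if pos + 2 <= len(body):                           # extensions block is optional
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            # server_name: 2-byte list length, then NameType(1) + length(2) + name
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                nlen = struct.unpack_from("!H", edata, 3)[0]
                sni = edata[5:5 + nlen].decode("ascii")
    return {
        "version": version,
        "random": client_random,
        "session_id": session_id,
        "cipher_suites": suites,
        "cipher_names": [CIPHER_NAMES.get(cs, f"unknown_{cs:#06x}") for cs in suites],
        "sni": sni,
    }


if __name__ == "__main__":
    rec = build_client_hello("xyz.com", [0x1301, 0xC02F, 0x000A], b"\x11" * 32)
    print(parse_client_hello(rec))
```

Nothing in this message is secret or authenticated: the server name, the random and the offered suites all go out in clear, which is what lets an intercepting proxy decide which certificate to present for the connection.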
![Page 5: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/5.jpg)
Man in the middle (MITM) to view SSL contents

Client ↔ Attacker ↔ Server

► Emulates server when talking to client
► Emulates client when talking to server
► Passes through most messages as-is
► Substitutes own public key for client's and server's
► Records secret data, or modifies data to cause damage
![Page 6: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/6.jpg)
Man in the middle (MITM) to view SSL contents

► Modification of the public key exchanged by server and client (e.g. SSH1)

Server ↔ MITM ↔ Client

start
Server sends its public key KEY (RSA). The MITM replaces it with its own key KEY1 (RSA) before it reaches the client.
Client encrypts the session key under the key it received and sends E_KEY1[S-KEY]. The MITM decrypts it with its own private key, learns S-KEY, and forwards E_KEY[S-KEY] to the server. Server, MITM and client now all hold S-KEY.
Client sends the message M as E_SKEY(M). The MITM computes D(E(M)) and reads M; the server computes D(E(M)) and sees nothing unusual.
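The key-substitution exchange above, as an added worked example written for this page (not code from the slides or from Paros/Charles). It uses textbook RSA with tiny constructed primes and a repeating-key XOR as a stand-in for the symmetric cipher, so nothing here is secure; the point is only to trace where S-KEY and M leak. The `pin_server_fingerprint` switch is an assumption of this example and models the check that makes the substitution visible to the client.

```python
import hashlib


def make_rsa_key(p: int, q: int, e: int = 17):
    """Textbook RSA from two tiny, insecure primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def fingerprint(pub) -> str:
    """Short hash of a public key, the kind of value a client could pin out of band."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


def sym_xor(key: int, data: bytes) -> bytes:
    """Toy stand-in for the symmetric cipher keyed by S-KEY (repeating 2-byte XOR)."""
    ks = key.to_bytes(2, "big")
    return bytes(b ^ ks[i % 2] for i, b in enumerate(data))


def run_exchange(pin_server_fingerprint: bool, message: bytes = b"password=hunter2") -> dict:
    """Replay the slide's exchange; returns what each party ended up with."""
    server_pub, server_priv = make_rsa_key(61, 53)   # KEY on the slide (constructed)
    mitm_pub, mitm_priv = make_rsa_key(67, 71)       # KEY1 on the slide (constructed)
    s_key = 1234                                     # S-KEY chosen by the client; < both moduli
    log = {"aborted": False, "attacker_key": None,
           "attacker_plaintext": None, "server_plaintext": None}

    # Step 1: server sends KEY, the MITM forwards its own KEY1 to the client instead.
    key_seen_by_client = mitm_pub

    # Step 2: a client that pins the real server key notices the swap and stops here.
    if pin_server_fingerprint and fingerprint(key_seen_by_client) != fingerprint(server_pub):
        log["aborted"] = True
        return log

    # Step 3: client sends E_KEY1[S-KEY]; MITM decrypts, learns S-KEY, re-encrypts E_KEY[S-KEY].
    c_to_mitm = rsa_encrypt(key_seen_by_client, s_key)
    log["attacker_key"] = rsa_decrypt(mitm_priv, c_to_mitm)
    c_to_server = rsa_encrypt(server_pub, log["attacker_key"])
    server_s_key = rsa_decrypt(server_priv, c_to_server)

    # Step 4: client sends E_SKEY(M); the MITM reads it and passes it through unchanged.
    ct = sym_xor(s_key, message)
    log["attacker_plaintext"] = sym_xor(log["attacker_key"], ct)
    log["server_plaintext"] = sym_xor(server_s_key, ct)
    return log


if __name__ == "__main__":
    print(run_exchange(pin_server_fingerprint=False))
    print(run_exchange(pin_server_fingerprint=True))
```

Without the pin the attacker recovers both S-KEY and M while the server decrypts the message normally; with the pin the client aborts before ever encrypting S-KEY. In SSL the certificate plays the role of that pin, and the browser warning on a later slide is the equivalent of the abort branch.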
![Page 7: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/7.jpg)
Setup : Paros
![Page 8: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/8.jpg)
Setup : Paros - outgoing proxy
![Page 9: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/9.jpg)
Setup : Paros - local proxy
![Page 10: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/10.jpg)
Client accessing secure website (https)
► Let's consider the example of accessing any secure website like xyz.com
![Page 11: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/11.jpg)
Client gets a warning
The proxy answers the client's connection with its own certificate, which is not issued by a CA the browser trusts and whose name does not match xyz.com, so the browser warns. The interception only proceeds because the user accepts that warning.
![Page 12: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/12.jpg)
On Paros : HTTP request
![Page 13: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/13.jpg)
On Paros : HTTP response
![Page 14: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/14.jpg)
Entering user name and password on secure site
![Page 15: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/15.jpg)
Paros shows password in plain text
![Page 16: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/16.jpg)
Paros : session contents can be modified by using trap
![Page 17: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/17.jpg)
Setup : Charles
Start Charles. Set the proxy server in the browser (the address is the IP address of the machine running Charles, and the port number is the one configured in Charles). If you are running the client and Charles on the same machine, no further changes are needed.
![Page 18: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/18.jpg)
Why to use Paros/Charles
► Not for hacking. Hacking is a crime (http://www.cybercellmumbai.com). Running a proxy on the blue network is against BCG.
► Debugging/development of applications using SSL: viewing any communication happening between SP and Agent.
► Testing of SSL applications by introducing traps & filters and changing the contents.
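The trap on slide 16 and the "changing the contents" bullet above both come down to the same operation: hold a request, edit a field, fix up the framing, and send it on. As an added example written for this page (not Paros or Charles code), here is that operation on a constructed form POST. The request bytes, the `/transfer` path and the `amount` field are sample values invented for the illustration.

```python
from urllib.parse import parse_qsl, urlencode


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, ordered headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_request(request_line: str, headers, body: bytes) -> bytes:
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def header(headers, name: str):
    """Case-insensitive header lookup; returns the first match or None."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def trap_rewrite_form_field(raw: bytes, field: str, new_value: str) -> bytes:
    """What a trap does: change one form field in a held request and re-frame it."""
    request_line, headers, body = parse_request(raw)
    ctype = header(headers, "Content-Type") or ""
    if not ctype.lower().startswith("application/x-www-form-urlencoded"):
        return raw                                  # not a form post: pass through as-is
    fields = parse_qsl(body.decode("utf-8"), keep_blank_values=True)
    fields = [(k, new_value if k == field else v) for k, v in fields]
    new_body = urlencode(fields).encode("utf-8")
    # Content-Length must follow the edited body, or the server misreads the request.
    headers = [(n, str(len(new_body)) if n.lower() == "content-length" else v)
               for n, v in headers]
    return serialize_request(request_line, headers, new_body)


# Constructed sample request, as the proxy would hold it after decrypting the SSL session.
SAMPLE_REQUEST = (
    b"POST /transfer HTTP/1.1\r\n"
    b"Host: xyz.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"to=alice&amount=100&ok=1"
)

if __name__ == "__main__":
    print(trap_rewrite_form_field(SAMPLE_REQUEST, "amount", "1").decode())
```

The server-side lesson this exercise teaches is that any value the browser sent, including ones the page never let the user edit, can arrive changed, so the application must validate and authorise on the server rather than trust client-side form logic.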
![Page 19: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/19.jpg)
Questions
FYI: most of the answers are available on www.google.com
![Page 20: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/20.jpg)
References
► Paros - http://www.parosproxy.org/index.shtml
► Charles - http://www.charlesproxy.com/download.php
![Page 21: Usage Of Paros & Charles For SSL Debugging](https://reader033.vdocuments.mx/reader033/viewer/2022052411/55756553d8b42a2e248b47ab/html5/thumbnails/21.jpg)
Thank You