Usage Of Paros & Charles For SSL Debugging

With Charles and Paros, SSL debugging is too simple. Try this.

Presentation Transcript

  • Usage of Paros, Charles for SSL Debugging - Pradeep Patel
  • Agenda
    • Setting the expectation
    • Introduction to SSL handshake
    • Man in the middle attack
    • Live Demo on breaking SSL
    • How to set up Paros/Charles
    • Usage scenario of Paros
  • Setting the expectation
    • Areas that will not be covered are
      • Public Key & Symmetric key Cryptography
      • Digital Certificate
    • Areas that will be covered are
      • Man in the middle attack to view Secure socket layer (SSL) contents as plain text.
      • How to set up Paros & Charles.
      • How these tools are useful.
  • SSL Handshake Protocol – overview
    • Phase 1 : Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers
      • client → server : client_hello
      • server → client : server_hello
    • Phase 2 : Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
      • server → client : certificate
      • server → client : server_key_exchange
      • server → client : certificate_request
      • server → client : server_hello_done
    • Phase 3 : Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
      • client → server : certificate
      • client → server : client_key_exchange
      • client → server : certificate_verify
    • Phase 4 : Change cipher spec and finish handshake
      • client → server : change_cipher_spec
      • client → server : finished
      • server → client : change_cipher_spec
      • server → client : finished
  • Man in the middle (MITM) to view SSL Contents
      • Emulates server when talking to client
      • Emulates client when talking to server
      • Passes through most messages as-is
      • Substitutes own public key for client’s and server’s
      • Records secret data, or modifies data to cause damage
    [Diagram: Client, Attacker, Server]
  • Man in the middle (MITM) to view SSL Contents
    • Modification of the public key exchanged by server and client (e.g. SSH1).
    [Diagram: Server, MITM, Client. Labels: start, KEY(rsa), KEY1(rsa), E key [S-Key], E key [S-Key], E skey (M), D(E(M)), D(E(M)), S-KEY, M]
  • Setup : Paros
  • Setup : Paros - Outgoing proxy
  • Setup : Paros -local proxy
  • Client accessing secure website (https)
    • Let's consider the example of accessing any secure website like
  • Client gets a warning
  • On Paros : http Request
  • On Paros : http Response
  • Entering user name and password on secure site
  • Paros shows password in Plain Text
  • Paros : Session contents can be modified by using trap
  • Setup : Charles
      • Start Charles
      • Set the proxy server in the browser (the address is the IP address of the machine running Paros) and the port number as configured.
      • If you are running the client and Charles on the same machine, no changes are needed.
  • Why to use Paros/Charles
    • Not for hacking
    • Hacking is crime (
    • Running proxy on blue network is against BCG
    • Debugging/Development of application using SSL
    • Viewing any communication happening between SP and Agent
    • Testing of SSL applications by introducing traps and filters and changing the contents
    • Questions
    • FYI : Most of the answers are available in
  • References
    • Paros -
    • Charles -
  • Thank You
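
The key substitution on the "Modification of the public key" slide, and the check that exposes it, as an added example that is not part of the original slides. It uses textbook RSA with toy keys; the function names, the constructed keys and the `pinned` fingerprint parameter are assumptions made for illustration.

```python
import hashlib

def make_rsa(p, q, e=65537):
    """Textbook RSA key from two primes (no padding; illustration only)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return (key["n"], key["e"])

def fingerprint(pub):
    """Short digest of a public key, to compare with an out-of-band value."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

def encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def decrypt(key, c):
    return pow(c, key["d"], key["n"])

def exchange(server, s_key, mitm=None, pinned=None):
    """Return (S-Key the server recovers, S-Key the interceptor recovers)."""
    # The client receives KEY(rsa) directly, or KEY1(rsa) if a proxy swapped it.
    offered = public(mitm) if mitm else public(server)
    if pinned is not None and fingerprint(offered) != pinned:
        raise ValueError("public key fingerprint mismatch: key was substituted")
    c = encrypt(offered, s_key)                # client sends E_key[S-Key]
    if mitm is None:
        return decrypt(server, c), None
    seen = decrypt(mitm, c)                    # proxy reads S-Key ...
    relayed = encrypt(public(server), seen)    # ... and re-encrypts it for the server
    return decrypt(server, relayed), seen

# Constructed toy keys built from Mersenne primes; real keys are far larger.
SERVER = make_rsa(2**31 - 1, 2**61 - 1)
PROXY = make_rsa(2**19 - 1, 2**89 - 1)
S_KEY = 0xC0FFEE

if __name__ == "__main__":
    print(exchange(SERVER, S_KEY))                  # no interception
    print(exchange(SERVER, S_KEY, mitm=PROXY))      # both ends agree, proxy sees key
    try:
        exchange(SERVER, S_KEY, mitm=PROXY, pinned=fingerprint(public(SERVER)))
    except ValueError as err:
        print("rejected:", err)
```

Without a trusted reference for the server's key the exchange completes normally on both ends, which is why the browser warning shown on the "Client gets a warning" slide is the only signal the client receives.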