Usage Of Paros & Charles For SSL Debugging

With Charles and Paros, SSL debugging is simple. Try this.

Transcript of "Usage Of Paros & Charles For SSL Debugging"

1. Usage of Paros, Charles for SSL Debugging
   Pradeep Patel

2. Agenda
   - Setting the expectation
   - Introduction to the SSL handshake
   - Man in the middle attack
   - Live demo on breaking SSL
   - How to set up Paros/Charles
   - Usage scenarios for Paros

3. Setting the expectation
   Areas that will not be covered:
   - Public key and symmetric key cryptography
   - Digital certificates
   Areas that will be covered:
   - Man in the middle attack to view Secure Sockets Layer (SSL) contents as plain text
   - How to set up Paros and Charles
   - How these tools are useful

4. SSL Handshake Protocol – overview
   Client -> Server: client_hello
   Server -> Client: server_hello, certificate, server_key_exchange, certificate_request, server_hello_done
   Client -> Server: certificate, client_key_exchange, certificate_verify, change_cipher_spec, finished
   Server -> Client: change_cipher_spec, finished

   Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm and encryption algorithm, and exchange of the initial random numbers.
   Phase 2: The server may send its certificate and a key exchange message, and it may request a certificate from the client. The server signals the end of the hello phase.
   Phase 3: The client sends its certificate if one was requested and may send an explicit certificate verification message. The client always sends its key exchange message.
   Phase 4: Change cipher spec and finish the handshake.

5. Man in the middle (MITM) to view SSL contents
   The attacker:
   - Emulates the server when talking to the client
   - Emulates the client when talking to the server
   - Passes most messages through as-is
   - Substitutes its own public key for the client's and the server's
   - Records secret data, or modifies data to cause damage
   (Diagram: Client <-> Attacker <-> Server)

6. Man in the middle (MITM) to view SSL contents
   - Modification of the public key exchanged by server and client (e.g. SSH1)
   (Diagram: the server sends its RSA public key KEY; the MITM replaces it with its own RSA key KEY1 before passing it on to the client. The client encrypts the session key under the key it received, E_KEY1[S-Key]; the MITM decrypts this with its private key, now holds S-Key, and re-encrypts it for the real server as E_KEY[S-Key]. Application data E_skey(M) then passes through, and both the MITM and the server compute D(E(M)).)
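The key-substitution exchange on slides 5 and 6, as an added worked example that is not part of the original deck and uses no code from Paros or Charles. It is a toy: textbook RSA built on small Mersenne primes, a SHA-256 keystream standing in for the record cipher, and in-process `Server`, `Client` and `Mitm` objects (all names here are the example's own). Run without pinning, the MITM ends up with the same plaintext the server gets, which is exactly what the proxy shows on the later "password in plain text" slide. With `pin_server_key=True` the client compares a fingerprint of the offered key against the one it expects, which is a simplified stand-in for the certificate check that produces the browser warning on slide 11 when the proxy's substituted key does not match.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Mersenne primes as toy RSA factors: fine for a demo, far too small for real use.
P_SERVER, Q_SERVER = (1 << 31) - 1, (1 << 61) - 1
P_MITM, Q_MITM = (1 << 89) - 1, (1 << 107) - 1
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

    def fingerprint(self) -> str:
        # Stand-in for a certificate check: hash of the public key.
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()


@dataclass(frozen=True)
class KeyPair:
    pub: PublicKey
    d: int


class CertificateWarning(Exception):
    """Raised by a pinning client when the offered key is not the expected one."""


def toy_rsa_keypair(p: int, q: int, e: int = E) -> KeyPair:
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(PublicKey(n, e), pow(e, -1, phi))  # d = e^-1 mod phi


def rsa_encrypt(pub: PublicKey, m: int) -> int:
    return pow(m, pub.e, pub.n)  # textbook RSA without padding: toy only


def rsa_decrypt(kp: KeyPair, c: int) -> int:
    return pow(c, kp.d, kp.pub.n)


def stream_xor(s_key: int, data: bytes) -> bytes:
    # Toy record cipher: XOR with SHA-256(S-Key || block counter). Same call decrypts.
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(s_key.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class Server:
    def __init__(self) -> None:
        self.kp = toy_rsa_keypair(P_SERVER, Q_SERVER)  # KEY (rsa) on the slide
        self.s_key: Optional[int] = None

    def hello(self) -> PublicKey:
        return self.kp.pub

    def receive_key_exchange(self, c: int) -> None:
        self.s_key = rsa_decrypt(self.kp, c)

    def receive_record(self, ct: bytes) -> bytes:
        return stream_xor(self.s_key, ct)  # D(E(M)) at the server


class Client:
    def __init__(self, pinned_fingerprint: Optional[str] = None) -> None:
        self.pinned = pinned_fingerprint
        self.s_key: Optional[int] = None

    def key_exchange(self, server_pub: PublicKey) -> int:
        if self.pinned is not None and server_pub.fingerprint() != self.pinned:
            raise CertificateWarning("offered key does not match the pinned key")
        self.s_key = secrets.randbits(64)  # S-Key, chosen by the client
        return rsa_encrypt(server_pub, self.s_key)  # E_KEY[S-Key]

    def send_record(self, msg: bytes) -> bytes:
        return stream_xor(self.s_key, msg)  # E_skey(M)


class Mitm:
    """Emulates the server to the client and the client to the server."""

    def __init__(self) -> None:
        self.kp = toy_rsa_keypair(P_MITM, Q_MITM)  # KEY1 (rsa) on the slide
        self.server_pub: Optional[PublicKey] = None
        self.s_key: Optional[int] = None
        self.captured: List[bytes] = []

    def relay_hello(self, server_pub: PublicKey) -> PublicKey:
        self.server_pub = server_pub
        return self.kp.pub  # substitute own public key for the server's

    def relay_key_exchange(self, c: int) -> int:
        self.s_key = rsa_decrypt(self.kp, c)  # recover S-Key
        return rsa_encrypt(self.server_pub, self.s_key)  # re-encrypt for the real server

    def relay_record(self, ct: bytes) -> bytes:
        self.captured.append(stream_xor(self.s_key, ct))  # D(E(M)) at the MITM
        return ct  # pass the record through unchanged


def run_exchange(message: bytes, pin_server_key: bool) -> dict:
    """Run client -> MITM -> server and report what each side ended up with."""
    server, mitm = Server(), Mitm()
    client = Client(server.kp.pub.fingerprint() if pin_server_key else None)
    try:
        c = client.key_exchange(mitm.relay_hello(server.hello()))
    except CertificateWarning:
        return {"warned": True, "server_got": None, "mitm_read": None}
    server.receive_key_exchange(mitm.relay_key_exchange(c))
    server_got = server.receive_record(mitm.relay_record(client.send_record(message)))
    return {"warned": False, "server_got": server_got, "mitm_read": mitm.captured[0]}


if __name__ == "__main__":
    creds = b"user=alice&password=hunter2"  # constructed sample login post
    print(run_exchange(creds, pin_server_key=False))  # MITM reads the credentials
    print(run_exchange(creds, pin_server_key=True))   # client refuses: warned=True
```

The point the toy makes is that nothing in the key exchange itself detects the swap; only the client's check of who the key belongs to does. Real clients do that through certificate chain validation rather than a pinned hash, which is why Paros and Charles can only decrypt traffic after the user clicks through the warning or installs the proxy's CA certificate.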
7. Setup: Paros

8. Setup: Paros – outgoing proxy

9. Setup: Paros – local proxy

10. Client accessing a secure website (https)
    Let's consider the example of accessing a secure website, e.g. xyz.com.

11. Client gets a warning
    (The browser does not trust the certificate the proxy presents in place of the site's own.)

12. On Paros: HTTP request

13. On Paros: HTTP response

14. Entering user name and password on the secure site

15. Paros shows the password in plain text

16. Paros: session contents can be modified by using a trap

17. Setup: Charles
    - Start Charles
    - Set the proxy server in the browser (address is the IP address of the machine running Charles) and the port number as configured
    - If the client and Charles are running on the same machine, no further changes are needed

18. Why use Paros/Charles
    - Not for hacking
    - Hacking is a crime (http://www.cybercellmumbai.com)
    - Running a proxy on the blue network is against BCG
    - Debugging/development of applications using SSL
    - Viewing any communication happening between SP and Agent
    - Testing SSL applications by introducing traps and filters and changing the contents

19. Questions
    FYI: most of the answers are available on www.google.com

20. References
    - Paros: http://www.parosproxy.org/index.shtml
    - Charles: http://www.charlesproxy.com/download.php

21. Thank You