Usage Of Paros & Charles For SSL Debugging


Published on

With Charles and paros SSL Debugging is to simple . Try this

Published in: Technology, Education
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Usage Of Paros & Charles For SSL Debugging

  1. 1. Usage of Paros, charles for SSL Debugging Pradeep Patel
  2. 2. Agenda <ul><li>Setting the expectation </li></ul><ul><li>Introduction to SSL handshake </li></ul><ul><li>Man in the middle attack </li></ul><ul><li>Live Demo on breaking SSL </li></ul><ul><li>How to setup Paros /Charles </li></ul><ul><li>Usage scenario of Paros </li></ul>
  3. 3. Setting the expectation <ul><li>Areas that will not be covered are </li></ul><ul><ul><li>Public Key & Symmetric key Cryptography </li></ul></ul><ul><ul><li>Digital Certificate </li></ul></ul><ul><li>Areas that will be covered are </li></ul><ul><ul><li>Man in the middle attack to view Secure socket layer (SSL) contents as plain text. </li></ul></ul><ul><ul><li>How to setup Paros & Charles. </li></ul></ul><ul><ul><li>How theses tool are useful. </li></ul></ul>
  4. 4. SSL Handshake Protocol – overview client server client_hello server_hello certificate server_key_exchange certificate_request server_hello_done certificate client_key_exchange certificate_verify change_cipher_spec finished change_cipher_spec finished Phase 1 : Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers Phase 2 : Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase. Phase 3 : Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message. Phase 4 : Change cipher spec and finish handshake
  5. 5. Man in the middle (MITM) to view SSL Contents <ul><ul><li>Emulates server when talking to client </li></ul></ul><ul><ul><li>Emulates client when talking to server </li></ul></ul><ul><ul><li>Passes through most messages as-is </li></ul></ul><ul><ul><li>Substitutes own public key for client’s and server’s </li></ul></ul><ul><ul><li>Records secret data, or modifies data to cause damage </li></ul></ul>Client Attacker Server Attacker
  6. 6. Man in the middle (MITM) to view SSL Contents <ul><li>Modification of the public key exchanged by server and client . (eg SSH1) </li></ul>S-KEY S-KEY S-KEY M Server Client MITM start KEY(rsa) KEY1(rsa) E key [ S-Key ] E key [S-Key] E skey (M) D(E(M)) D(E(M))
  7. 7. Setup : Paros
  8. 8. Setup : Paros - Outgoing proxy
  9. 9. Setup : Paros -local proxy
  10. 10. Client accessing secure website (https) <ul><li>Lets consider the example of accessing any secure website like </li></ul>
  11. 11. Client gets a warning
  12. 12. On Paros : http Request
  13. 13. On Paros : http Response
  14. 14. Entering user name and password on secure site
  15. 15. Paros shows password in Plain Text
  16. 16. Paros : Session contents can be modified by using trap
  17. 17. Setup : Charles <ul><ul><li>Start Charles </li></ul></ul><ul><ul><li>Set proxy server in the browser (Address is the IP address of the machine running Paros) and the port number as configured. </li></ul></ul><ul><ul><li>if you are running client and Charles on the same machine no changes are needed. </li></ul></ul>
  18. 18. Why to use Paros/Charles <ul><li>Not for hacking </li></ul><ul><li>Hacking is crime ( </li></ul><ul><li>Running proxy on blue network is against BCG </li></ul><ul><li>Debugging/Development of application using SSL </li></ul><ul><li>Viewing any communication happing between SP and Agent </li></ul><ul><li>Testing of SSL applications by introducing the traps & Filters and changing the contents </li></ul>
  19. 19. <ul><li>Questions </li></ul><ul><li>FYI : Most of the answers are available in </li></ul>
  20. 20. References <ul><li>Paros - </li></ul><ul><li>Charles - </li></ul>
  21. 21. Thank You