Usage Of Paros & Charles For SSL Debugging

With Charles and Paros, SSL debugging is too simple. Try this.

  1. Usage of Paros, Charles for SSL Debugging (Pradeep Patel)
  2. Agenda
     • Setting the expectation
     • Introduction to SSL handshake
     • Man in the middle attack
     • Live demo on breaking SSL
     • How to set up Paros/Charles
     • Usage scenario of Paros
  3. Setting the expectation
     • Areas that will not be covered:
       • Public key and symmetric key cryptography
       • Digital certificates
     • Areas that will be covered:
       • Man in the middle attack to view Secure Sockets Layer (SSL) contents as plain text
       • How to set up Paros and Charles
       • How these tools are useful
  4. SSL Handshake Protocol: overview
     [Diagram: message flow between client and server] Client -> Server: client_hello. Server -> Client: server_hello, certificate, server_key_exchange, certificate_request, server_hello_done. Client -> Server: certificate, client_key_exchange, certificate_verify, change_cipher_spec, finished. Server -> Client: change_cipher_spec, finished.
     • Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers.
     • Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
     • Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
     • Phase 4: Change cipher spec and finish handshake.
  5. Man in the middle (MITM) to view SSL contents
     • Emulates server when talking to client
     • Emulates client when talking to server
     • Passes through most messages as-is
     • Substitutes own public key for client's and server's
     • Records secret data, or modifies data to cause damage
     [Diagram: Client <-> Attacker <-> Server]
  6. Man in the middle (MITM) to view SSL contents
     • Modification of the public key exchanged by server and client (e.g. SSH1)
     [Diagram: Server, MITM and Client; the MITM swaps the RSA public keys KEY and KEY1, the session key S-KEY is encrypted under each key on each leg, and message M is encrypted under S-KEY and decrypted, D(E(M)), on both legs]
  7. Setup: Paros
  8. Setup: Paros - outgoing proxy
  9. Setup: Paros - local proxy
  10. Client accessing secure website (https)
     • Let's consider the example of accessing any secure website like xyz.com
  11. Client gets a warning
  12. On Paros: HTTP request
  13. On Paros: HTTP response
  14. Entering user name and password on secure site
  15. Paros shows password in plain text
  16. Paros: session contents can be modified by using trap
  17. Setup: Charles
     • Start Charles
     • Set proxy server in the browser (address is the IP address of the machine running Paros) and the port number as configured.
     • If you are running the client and Charles on the same machine, no changes are needed.
  18. Why use Paros/Charles
     • Not for hacking
     • Hacking is a crime (http://www.cybercellmumbai.com)
     • Running a proxy on the blue network is against BCG
     • Debugging/development of applications using SSL
     • Viewing any communication happening between SP and Agent
     • Testing of SSL applications by introducing traps and filters and changing the contents
  19. Questions
     • FYI: Most of the answers are available on www.google.com
  20. References
     • Paros - http://www.parosproxy.org/index.shtml
     • Charles - http://www.charlesproxy.com/download.php
  21. Thank You
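Slide 4's handshake overview in code, as an added example that is not part of the original deck: a constructed TLS 1.2 ClientHello is built and then parsed to show the Phase 1 fields (client version, random, session ID, cipher suites, compression) that travel in the clear, which is why an intercepting proxy such as Paros or Charles can read and act on them before any key material is exchanged. The builder, the sample bytes and the small cipher-suite name table are assumptions made for this example.

```python
import struct

# Assumed lookup for the two suites in the constructed sample (IANA registry values).
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

def build_client_hello(random_bytes, session_id, suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed; no extensions)."""
    body = b"\x03\x03" + random_bytes                      # client_version + 32-byte random
    body += bytes([len(session_id)]) + session_id           # session ID (Phase 1 negotiation)
    body += struct.pack("!H", 2 * len(suites))              # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)  # offered suites, client preference order
    body += b"\x01\x00"                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # record header

def parse_client_hello(record):
    """Return the plaintext Phase 1 fields a proxy sees in a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, record_version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if len(hs) != rlen or hs[0] != 0x01:
        raise ValueError("not a complete client_hello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    random_bytes = body[2:34]
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    pos = 35 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    return {
        "record_version": record_version,
        "client_version": client_version,
        "random": random_bytes,
        "session_id": session_id,
        "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
        "compression": compression,
    }

# Constructed sample: fixed random, a 4-byte session ID, two offered suites.
SAMPLE = build_client_hello(bytes(range(32)), b"\xaa\xbb\xcc\xdd", [0xC02F, 0x002F])

if __name__ == "__main__":
    for field, value in parse_client_hello(SAMPLE).items():
        print(field, value)
```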