Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Https sniffer

from [Phalak, Kashmira Vijay] Network Security [Permanent Link]
Subject: RE: Https sniffer
Date: Thu, 21 Jul 2005 11:37:50 -0700 
Rogan,

Thanks for the explanation..that was really helpful! 
Now that I'm pretty much clear on this, I will have to pass up the idea
of using a HTTPS sniffer as it would require the server's private key
and look at some MITM tools such as Dsniff, EtterCap etc. as suggested
by you and other members. Imre gave some really good suggestions too and
I read up on stunnel and I think it would be worth a try for my purpose.


Thank you all for your help...

Regards,
Kashmira.




-----Original Message-----
From: Rogan Dawes [mailto:discard@dawes.za.net] 
Sent: Wednesday, July 20, 2005 11:54 PM
To: Phalak, Kashmira Vijay
Cc: vuln-dev@securityfocus.com; webappsec@securityfocus.com
Subject: Re: Https sniffer

Phalak, Kashmira Vijay wrote:

 
Hi All,

Thanks for your suggestions! But most of these products suggested need



the private key to be supplied for decrypting the SSL traffic. The 
HTTP Analyzer which I initially tried, does not need the private key 
to be supplied and does a good job of decrytping SSL traffic. Can 
anyone explain to me how this works? But the HTTP analyzer only sniffs



the traffic in the current user session. This behavior is different 
from that of ethereal when I set it in promiscuous mode. Here, I can 
see traffic from other machines on the same ether segment. I may be 
wrong here, but I don't see this in either ClearWatch,ssldump or

ngrep.


Thanks,
Kashmira.



Hi Kashmira,

The way that the tool that you have been using works is by accessing the
WinInet debugging interfaces, and getting the information as it is
decrypted by the MS SSL libraries. This is possible without the server's
private key, because it is accessing the client's negotiated symmetric
keys, I guess.

Of course, if you were to use any other non-WinInet SSL libraries (e.g. 
OpenSSL, FireFox, etc) HTTP Analyser would not be able to do anything at
all.

So, the significant difference between HTTP Analyser, and the other
tools that have been suggested, is that HTTP Analyser is not actually
sniffing the network at all, whereas the other recommendations do (and
hence CAN support a promiscuous mode).

If you want to perform promiscuous network sniffing, AND decrypt SSL
communications that you collect in this way, you WILL need the servers' 
private keys. There is no other way (short of "breaking" SSL).

The alternative, if you can convince the other parties on the network to
use you as a proxy, is to set up something like DSniff's SSL MITM, or
WebScarab, and intercept the connections. This would enable you to get
the clear text comms for a number of clients on the network, at the cost
of a certificate error pop-up in each client.

Regards,

Rogan
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein, Andrew van der Stock
Next by Date:  Application for stress testing webservers., McKinley, Jackson
Previous by Thread:  RE: Https sniffer, Erick Lee
Next by Thread:  Spot the bug, Mark Curphey
Indexes:  [Date] [Thread] [Top] [All Lists]