Usage of Paros, Charles for SSL Debugging (Pradeep Patel)

Agenda
- Setting the expectation
- Introduction to the SSL handshake
- Man in the middle attack
- Live demo on breaking SSL
- How to set up Paros / Charles
- Usage scenarios of Paros

Setting the expectation
Areas that will not be covered:
- Public key and symmetric key cryptography
- Digital certificates
Areas that will be covered:
- Man in the middle attack to view Secure Socket Layer (SSL) contents as plain text
- How to set up Paros and Charles
- How these tools are useful

SSL Handshake Protocol – overview
Message flow between client and server:
- client -> server: client_hello
- server -> client: server_hello, certificate, server_key_exchange, certificate_request, server_hello_done
- client -> server: certificate, client_key_exchange, certificate_verify, change_cipher_spec, finished
- server -> client: change_cipher_spec, finished
Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers.
Phase 2: The server may send its certificate and key exchange message, and it may request the client to send a certificate. The server signals the end of the hello phase.
Phase 3: The client sends its certificate if requested and may send an explicit certificate verification message. The client always sends its key exchange message.
Phase 4: Change cipher spec and finish the handshake.

Man in the middle (MITM) to view SSL contents
- Emulates the server when talking to the client
- Emulates the client when talking to the server
- Passes through most messages as-is
- Substitutes its own public key for the client's and the server's
- Records secret data, or modifies data to cause damage
(Diagram: Client <-> Attacker <-> Server)

Man in the middle (MITM) to view SSL contents
Modification of the public key exchanged by server and client (e.g. SSH1).
(Diagram: Server, MITM and Client exchange the RSA keys KEY and KEY1; the session key S-KEY is sent as E_key[S-Key] and the message M as E_skey(M), each decrypted D(E(M)) at the MITM and re-encrypted towards the other side.)
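The handshake overview and the MITM slides above describe which fields the client offers in phase 1 and why a key-substituting proxy cares about the key exchange. The following parser, added here and not part of the original deck, decodes a ClientHello record so a defender can see the offered version, cipher suites and whether any static-RSA suite (the key exchange the diagram above shows being substituted) is on offer. The sample record is constructed, not a capture; the SUITE_NAMES table is a small assumed subset of IANA assignments.

```python
import struct

# Small assumed subset of IANA cipher suite ids; TLS_RSA_* suites use static
# RSA key exchange (no forward secrecy), the exchange a key-substituting proxy targets.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed sample record (TLS 1.2 ClientHello, no extensions), not a real capture.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "1603030031"          # record header: handshake(22), version 3.3, length 49
    "0100002d"            # handshake header: client_hello(1), length 45
    "0303"                # client_version 3.3
    + "11" * 32           # 32-byte client random (constant for the example)
    + "00"                # session_id length 0
    + "0006c02fc030002f"  # cipher_suites length 6: three suites
    + "0100"              # compression_methods length 1: null
)


def parse_client_hello(data: bytes) -> dict:
    """Decode the phase-1 negotiation fields of a ClientHello carried in a TLS record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a client_hello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    version = (hs[pos], hs[pos + 1]); pos += 2
    client_random = hs[pos:pos + 32]; pos += 32
    sid_len = hs[pos]; pos += 1
    session_id = hs[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = hs[pos]; pos += 1
    compression = list(hs[pos:pos + cm_len]); pos += cm_len
    return {
        "version": version,
        "random": client_random.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": [SUITE_NAMES.get(s, f"0x{s:04X}") for s in suites],
        "static_rsa_offered": any(SUITE_NAMES.get(s, "").startswith("TLS_RSA_") for s in suites),
        "compression": compression,
        "has_extensions": pos < len(hs),  # extension block follows only if bytes remain
    }
```

Feed it the first record of a captured client connection (e.g. from a Paros trap) to compare what the client offered against what the proxy actually negotiated.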
Setup : Paros
Setup : Paros - Outgoing proxy
Setup : Paros -local proxy
Client accessing a secure website (https)
Let's consider the example of accessing any secure website, such as xyz.com.
Client gets a warning
On Paros: HTTP request
On Paros: HTTP response
Entering user name and password on secure site
Paros shows the password in plain text
Paros: session contents can be modified by using a trap
Setup: Charles
- Start Charles.
- Set the proxy server in the browser (the address is the IP address of the machine running Paros) and the port number as configured.
- If you are running the client and Charles on the same machine, no changes are needed.

Why use Paros/Charles
- Not for hacking. Hacking is a crime (http://www.cybercellmumbai.com). Running a proxy on the blue network is against BCG.
- Debugging/development of applications using SSL
- Viewing any communication happening between SP and Agent
- Testing of SSL applications by introducing traps and filters and changing the contents

Questions
FYI: most of the answers are available on www.google.com

References
- Paros - http://www.parosproxy.org/index.shtml
- Charles - http://www.charlesproxy.com/download.php
Thank You
