Re: SSL Scanner



On 27 Oct, 18:22, goarilla <"kevin DOT paulus AT skynet DOT be">
wrote:
> royend wrote:
>> I am doing some research for a school project on authentication on the
>> web and the risk of identity theft. How can unauthorized users misuse
>> your identity and get access to classified information?
>>
>> For my research I have tried some programs which stop the TCP-package
>> with headers like HTTP/1.0 and information about data submitted by a
>> form, e.g. password and username.
>>
>> I have tried two web scanners:
>> 1. Burpsuite
>> with which I managed to intercept packages for HTTP 1.0 and hence was able
>> to read the inserted username and password in plaintext. Still, it wasn't
>> able to stop SSL traffic, although it should be able to when turning
>> the "Use SSL" parameter on.
>> 2. Nikto
>> which is supposed to be a great listener/scanner, but I have not been
>> able to make it work.
>>
>> Are there any programs you would recommend which will handle SSL/TLS?
>> Would, for instance, a program like Ethereal be able to read packages
>> using SSL protocols?
>>
>> Looking forward to your help.
>
> you want to decipher encrypted connections into plaintext?
> if that's the case ... bugger off

Wow...
not the kind of reply I was hoping for.
And no, I don't need a deciphering tool. What I want is a tool which
may scan for packages sent via SSL/TLS, like Burpsuite does with
HTTP 1.0. This tool lets me read the headers (it is also possible to alter
them before sending them to the server, but for my purpose it is only
necessary to read). Also, the project focuses on the vulnerability of
the web, and I am hoping to show that even though SSL is implemented
the packages might be vulnerable to a Man-In-The-Middle-Attack (please
correct me if I am wrong), as the packages might be intercepted by an
attacker.

Any advice is appreciated for a tool which might help me prove it.
