From a security testing perspective, I use OpenSSL in the following ways:
* Information Gathering
Checking connectivity with an encrypted site; viewing the information available within the certificate; confirming what cipher strengths the server permits client browsers to use when communicating with it; etc.
* Target Identification
Mostly this step is left to the automated tools like nmap, but connecting to ports that are running SSL (or TLS) services (not only TCP port 443, but many others) could be useful in helping to confirm that you want to include a particular target system as part of a test.
* Service Enumeration
Mostly this step is left to the automated tools like nmap, but being able to confirm that a service listening on a target is running SSL/TLS could help narrow the focus of the testing activities performed against the target.
* Manual Testing
Being able to manually perform (or re-perform) examples of the communications that normally are automatically performed between a web browser and a web server has become one of the cornerstones of any Web Application Vulnerability Assessment I have ever performed.
* Automated Testing
Generally, I will use manual testing to validate the key results identified by automated tools, e.g. vulnerability scanners like Nessus, ISS, Retina, WebInspect, AppScan, etc., with a primary aim being to eliminate false-positive results.
OpenSSL is available for many platforms. I use the OpenSSL package that comes with Cygwin on my Microsoft Windows machines.
For information about command line switches and options available with openssl, refer to: http://dev.openssl.org/docs
When connecting to a web server, there are two main HTTP protocol standards in use: HTTP/1.0 and HTTP/1.1.
The basic command format needed to connect to a website so that you can interact with it as though you were mimicking a web browser is:
openssl s_client -connect web.site.address:port
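The "cipher strengths the server permits" check from the Information Gathering item above can be done with the same s_client command plus -cipher, one handshake per suite. The script below is an added example and is not part of the original post; the TLS_TARGET variable (host:port), the function names and the weak-suite patterns in classify_cipher are my assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): which cipher suites will a
# TLS server negotiate? One openssl s_client handshake per suite.
# Assumed: TLS_TARGET=host:port in the environment, openssl on PATH.

# Classify a suite name the way an assessor reads it: no encryption,
# anonymous key exchange, export grade, single DES, RC4/RC2 or MD5
# integrity all get "weak"; anything else gets "ok".
classify_cipher() {
    case "$1" in
        *NULL*|*EXP*|DES-CBC-SHA|*-DES-CBC-SHA|*RC4*|*RC2*|*MD5*|ADH-*|AECDH-*)
            echo weak ;;
        *)
            echo ok ;;
    esac
}

# One handshake restricted to a single suite. s_client prints
# "Cipher is <name>" when the server accepted it; stdin from /dev/null
# ends the session as soon as the handshake result is known.
try_cipher() {
    target=$1; cipher=$2
    out=$(openssl s_client -connect "$target" -cipher "$cipher" </dev/null 2>&1)
    case "$out" in
        *"Cipher is $cipher"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk every suite the local OpenSSL build knows, including the NULL and
# export suites that the default list leaves out, and report the accepted
# ones together with their classification.
scan_ciphers() {
    target=$1
    openssl ciphers 'ALL:eNULL' | tr ':' '\n' | while read -r c; do
        if try_cipher "$target" "$c"; then
            printf '%-32s accepted (%s)\n' "$c" "$(classify_cipher "$c")"
        fi
    done
}

if [ -n "${TLS_TARGET:-}" ]; then
    scan_ciphers "$TLS_TARGET"
fi
```

Run it as `TLS_TARGET=host:443 sh scan.sh`. Note that -cipher governs TLS 1.2 and earlier only; for TLS 1.3 suites current OpenSSL uses -ciphersuites. The case patterns are a first-pass "would this get written up" filter (3DES, for instance, passes as "ok"), not a complete policy.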
== Example 1 Start ==
Example connection to a site, requesting the contents of the default root directory:
-- Step 1: Establish the connection to the site, by inputting "openssl s_client -connect www.google.com:443" at the command prompt and pressing [Enter]
-- Step 2: Issue the basic HTTP command "GET / HTTP/1.0" and press [Enter] twice
$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIQS6WuWd7dHMeAfIkikfDiQzANBgkqhkiG9w0BAQQFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wNjA1MTUyMzE4MTFaFw0w
NzA1MTUyMzE4MTFaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcw
FQYDVQQDEw53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA5sXGjc0LowME3K7MyUa+vcydvHM0SP7TdWTQycl2J3IPqZYaO4HzFPaukFbn
GdJzaKeFpK7KJBQwALroNl2BczpxBY+xrxGH2lzxPr9TUYRvRA636CbXL7Jv8vJd
36fPjKXpHm8wSJQhCwGtug5xAQ0Q77/uLNON/lSo/tOXj8sCAwEAAaOB5zCB5DAo
BgNVHSUEITAfBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEATA2BgNVHR8E
LzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU0dDQ0EuY3Js
MHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3Rl
LmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3dGUuY29tL3JlcG9zaXRv
cnkvVGhhd3RlX1NHQ19DQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQF
AAOBgQBXS7ykQ+fgAZKgljX5GAiIHXtwGY/5NrIFOgXKFFlNJA7liq9Oh1r3HCqW
j8thQJ7StDhAISTBTx/LE0qPlQLfkT3WQOsRb5sQoW/OkV4w9m0TXhWkLsIYngDD
2DJnR/y4HprZmo7M/3wStwO/UiDPIfTzd90SFfCU+pDV41logQ==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 565454E28BCFC41C7704F9E67AD0A0AA70A36995464AE1D1A2C1450F218F27B7
    Session-ID-ctx:
    Master-Key: 9579BF349BA3A4DFE3EF0E72E63DC3DF5303E33643FC4DC37D378ADBABCEFD57EA440EFCEFA39A7E81695DF2A717E999
    Key-Arg   : None
    Start Time: 1152582311
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
GET / HTTP/1.0

HTTP/1.0 302 Found
Location: http://www.google.com
Date: Tue, 11 Jul 2006 01:45:16 GMT
Content-Type: text/html
Server: GFE/1.3
Connection: Close
Content-Length: 218

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com">here</A>.
</BODY></HTML>
read:errno=0
== Example 1 End ==
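Example 1 driven as a script rather than typed interactively, followed by a small parser that pulls out the fields from the s_client output that the certificate and cipher items under Information Gathering ask for. This is an added example and not part of the original post; the TLS_TARGET and CA_FILE variables, the function names, the finding thresholds and the constructed sample session are my assumptions, not anything the post defines.

```shell
#!/bin/sh
# Added example (not from the original post): Example 1 as a script, plus
# a parser for the assessor-relevant fields in s_client output.
# Assumed: TLS_TARGET=host:port and optionally CA_FILE in the environment;
# openssl on PATH. SAMPLE_SESSION below is constructed from the values in
# the post's transcript, not captured live.

# The request from Step 2 with the CRLF line endings HTTP expects; the
# trailing blank line is the second [Enter] that ends the headers.
http_get_root() {
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1"
}

# Handshake and request in one go. -servername sends SNI so a host that
# shares an IP answers with the right certificate; -CAfile names a trust
# store (assumed path) so "verify error:num=20" turns into a verified chain
# when the issuer is known; -ign_eof keeps the socket open after the
# request is written until the server closes it behind the response.
tls_session() {
    host=${1%%:*}
    http_get_root "$host" | openssl s_client -connect "$1" -servername "$host" \
        -CAfile "${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}" -ign_eof 2>&1
}

# Reduce s_client output on stdin to one line of key=value pairs: the
# negotiated protocol and cipher, server key size, verify return code and
# the HTTP status the server answered with.
session_summary() {
    awk '
        /^ *Protocol *:/                 { proto  = $3 }
        /^ *Cipher *:/                   { cipher = $3 }
        /^Server public key is /         { bits   = $5 }
        /^ *Verify return code:/         { code   = $4 }
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { if (status == "") status = $2 }
        END { printf "protocol=%s cipher=%s keybits=%s verify=%s http=%s\n",
                     proto, cipher, bits, code, status }
    '
}

# Turn a summary line into report findings, one per line. Thresholds are
# current guidance, not 2006's: keys under 2048 bits, an unverified chain
# and anything older than TLS 1.2 get a line.
session_findings() {
    proto=""; bits=""; code=""
    for kv in $1; do
        case "$kv" in
            protocol=*) proto=${kv#protocol=} ;;
            keybits=*)  bits=${kv#keybits=} ;;
            verify=*)   code=${kv#verify=} ;;
        esac
    done
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "weak-key:${bits}bit"
    fi
    if [ -n "$code" ] && [ "$code" != 0 ]; then
        echo "chain-unverified:$code"
    fi
    case "$proto" in
        SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy-protocol:$proto" ;;
    esac
    return 0
}

# Constructed sample: the lines the parser needs, with the values shown in
# the transcript above (TLSv1, AES256-SHA, 1024-bit key, verify code 20).
SAMPLE_SESSION='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.0 302 Found
Location: http://www.google.com'

if [ -n "${TLS_TARGET:-}" ]; then
    out=$(tls_session "$TLS_TARGET")
else
    out=$SAMPLE_SESSION
fi
summary=$(printf '%s\n' "$out" | session_summary)
echo "$summary"
session_findings "$summary"
```

Without TLS_TARGET the script parses the constructed sample and reports the two things an assessor would have noted from the transcript: the 1024-bit server key and the unverified chain (verify return code 20, which is a missing local issuer certificate, not a bad certificate; point -CAfile at the issuer chain and re-run before writing it up). Set CA_FILE if the trust store is not at the assumed path; -servername needs an OpenSSL build with SNI support, which the 2006-era build in the transcript would not have had.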
P.S. I see there is a new project that is being worked on, which will be interesting to watch: OpenTLS.org