Tuesday, July 11, 2006

Using OpenSSL

The OpenSSL command-line utility is very useful for testing various aspects of connecting to a website that implements Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.

From a security testing perspective, I use OpenSSL in the following ways:

* Information Gathering

Checking connectivity with an encrypted site; viewing the information available within the server's certificate (subject, issuer, the chain presented, public key size); confirming which cipher suites, and therefore what cipher strengths, the server permits client browsers to use when communicating with it; etc.

* Target Identification

Mostly this step is left to automated tools like nmap, but connecting by hand to ports that run SSL (or TLS) services (not only TCP port 443 but any port on which an application chooses to offer TLS) can help confirm that a particular system should be included as a target in a test.

* Service Enumeration

Mostly this step is also left to automated tools like nmap, but being able to confirm that a service listening on a target really is speaking SSL/TLS helps narrow the focus of the testing activities performed against that target.

* Manual Testing

Being able to manually perform (or re-perform) the exchanges that normally take place automatically between a web browser and a web server has become one of the cornerstones of every Web Application Vulnerability Assessment I have performed.

* Automated Testing

Generally I use manual testing to validate the key results reported by automated tools, e.g. vulnerability scanners like Nessus, ISS, Retina, WebInspect, AppScan, etc., with the primary aim of eliminating false-positive results.

OpenSSL is available for many platforms. I use the OpenSSL package that comes with Cygwin on my Microsoft Windows machines.

For information about the command line switches and options available with openssl, refer to http://dev.openssl.org/docs or the s_client manual page (man s_client).

When connecting to a web server, there are two main HTTP protocol standards in use: HTTP/1.0 and HTTP/1.1. The difference matters when typing requests by hand: HTTP/1.1 requires a Host header on every request, whereas HTTP/1.0 does not, so the simplest request to type manually is an HTTP/1.0 one.

The basic command format needed to connect to a website so that you can interact with it as though you were a web browser is:
openssl s_client -connect web.site.address:port

== Example 1 Start ==
Example connection to a site, requesting the contents of the default root directory:
-- Step 1: Establish the connection to the site by typing "openssl s_client -connect www.google.com:443" at the command prompt and pressing [Enter]
-- Step 2: Issue the basic HTTP request "GET / HTTP/1.0" and press [Enter] twice (the second [Enter] sends the blank line that ends the request headers)

Two things in the output below are worth noting. The "verify error:num=20:unable to get local issuer certificate" message (and the matching "Verify return code: 20") means that s_client was not given a trust store against which to check the certificate chain, not that the site's certificate is bad; pass -CAfile with a bundle of trusted CA certificates to have the chain verified. And the server answers the HTTPS request with a 302 redirect to plain http://www.google.com, which is exactly the kind of detail worth recording during information gathering.

$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM-encoded server certificate omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 565454E28BCFC41C7704F9E67AD0A0AA70A36995464AE1D1A2C1450F218F27B7
Session-ID-ctx:
Master-Key: 9579BF349BA3A4DFE3EF0E72E63DC3DF5303E33643FC4DC37D378ADBABCEFD57EA440EFCEFA39A7E81695DF2A717E999
Key-Arg : None
Start Time: 1152582311
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
GET / HTTP/1.0


HTTP/1.0 302 Found
Location: http://www.google.com
Date: Tue, 11 Jul 2006 01:45:16 GMT
Content-Type: text/html
Server: GFE/1.3
Connection: Close
Content-Length: 218


<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com">here</A>.
</BODY></HTML>
read:errno=0

== Example 1 End ==
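The checks above (connect, read the verify result, see what was negotiated, test which cipher suites the server accepts, send a raw HTTP/1.0 or HTTP/1.1 request) can be rehearsed offline before pointing them at a real target. The script below is an added example, not code from the original post: it builds a throwaway TLS lab from the same openssl CLI (a self-signed certificate plus "openssl s_server -www" on loopback) and wraps each s_client check in a small shell function. The function names, the candidate ports 44331-44334 and the CN=localhost certificate are assumptions made for this example; against a real site you would pass host:443 as the target and your CA bundle as the CA file.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway TLS lab built from the
# openssl CLI, so the s_client checks described above can be rehearsed offline
# against a server we control and then pointed at a real target (host:443).
# Assumptions made for this example: the function names, the candidate ports
# 44331-44334 and the self-signed CN=localhost certificate are arbitrary choices.

lab_start() {   # make a self-signed cert and start "openssl s_server -www" on a free port
    LAB_DIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$LAB_DIR/key.pem" -out "$LAB_DIR/cert.pem" >/dev/null 2>&1 || return 1
    LAB_CA="$LAB_DIR/cert.pem"
    for LAB_PORT in 44331 44332 44333 44334; do
        openssl s_server -accept "$LAB_PORT" -cert "$LAB_CA" -key "$LAB_DIR/key.pem" -www \
            >/dev/null 2>&1 &
        LAB_PID=$!
        tries=0
        while [ "$tries" -lt 15 ]; do
            # a completed handshake (exit status 0) proves the listener is up
            if openssl s_client -connect "127.0.0.1:$LAB_PORT" </dev/null >/dev/null 2>&1; then
                LAB_TARGET="127.0.0.1:$LAB_PORT"
                trap lab_stop EXIT
                return 0
            fi
            kill -0 "$LAB_PID" 2>/dev/null || break   # s_server exited (port busy): try the next
            sleep 1
            tries=$((tries + 1))
        done
        kill "$LAB_PID" 2>/dev/null
    done
    echo "lab_start: could not start s_server" >&2
    return 1
}

lab_stop() {   # stop the lab server and remove the key material
    kill "$LAB_PID" 2>/dev/null || true
    rm -rf "$LAB_DIR"
}

tls_session() {   # target sni cafile -> s_client's handshake summary (chain, cipher, verify result)
    if [ -n "$3" ]; then
        openssl s_client -connect "$1" -servername "$2" -CAfile "$3" </dev/null 2>/dev/null || true
    else
        openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null || true
    fi
}

tls_verify_code() {   # target sni cafile -> numeric "Verify return code" (0 means the chain verified)
    tls_session "$1" "$2" "$3" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

tls_negotiated() {   # target sni -> the "New, <protocol>, Cipher is <suite>" line
    tls_session "$1" "$2" "" | grep '^New, ' | head -n 1
}

tls_cipher_accepted() {   # target sni suite -> exit 0 if a TLS 1.2 handshake completes offering only that suite
    # -cipher only governs TLS 1.2 and earlier suites, so TLS 1.2 is forced here;
    # for TLS 1.3 suites the equivalent switch is -ciphersuites
    openssl s_client -connect "$1" -servername "$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null \
        | grep -q ", Cipher is $3\$"
}

tls_get_status() {   # target sni cafile http_version path -> status line of the HTTP response
    if [ "$4" = "1.1" ]; then
        # HTTP/1.1 requires Host; Connection: close asks the server to end the exchange
        req=$(printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close' "$5" "$2")
    else
        req=$(printf 'GET %s HTTP/1.0' "$5")
    fi
    # the extra CRLF is the blank line that ends the request headers (the second [Enter] in the post)
    printf '%s\r\n\r\n' "$req" \
        | openssl s_client -connect "$1" -servername "$2" -CAfile "$3" -quiet 2>/dev/null \
        | head -n 1 | tr -d '\r'
}

# Stand-alone run: the same checks the post performs by hand, against the local lab
if lab_start; then
    echo "verify code, no CA file given : $(tls_verify_code "$LAB_TARGET" localhost "")"
    echo "verify code, -CAfile lab cert : $(tls_verify_code "$LAB_TARGET" localhost "$LAB_CA")"
    echo "negotiated                    : $(tls_negotiated "$LAB_TARGET" localhost)"
    for suite in ECDHE-RSA-AES128-GCM-SHA256 NULL-SHA; do
        if tls_cipher_accepted "$LAB_TARGET" localhost "$suite"; then
            echo "cipher $suite: accepted"
        else
            echo "cipher $suite: rejected"
        fi
    done
    echo "GET / HTTP/1.0 -> $(tls_get_status "$LAB_TARGET" localhost "$LAB_CA" 1.0 /)"
    echo "GET / HTTP/1.1 -> $(tls_get_status "$LAB_TARGET" localhost "$LAB_CA" 1.1 /)"
fi
```

Without a CA file the lab server's self-signed certificate produces a non-zero verify code, just as the Google transcript above shows code 20 when no trust store is supplied; passing the certificate as -CAfile turns that into 0. The cipher check deliberately forces TLS 1.2 because -cipher has no effect on TLS 1.3 suite selection, a detail that has caused more than one false "weak cipher accepted" result. The -quiet switch on the GET suppresses the handshake summary so the first line of output is the HTTP status line, which is what you want when scripting many requests.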

P.S. I see there is a new project that is being worked on, which will be interesting to watch: OpenTLS.org
