mailing list archives
Re: [PEN-TEST] Scanning through SSL proxies.
From: Chris Romeo <Chris.Romeo () EXODUS NET>
Date: Fri, 8 Sep 2000 10:27:22 -0700
I use a tool called stunnel (www.stunnel.org).
You can specify the remote server name and port, as well as the local port
to bind to. Then I start whisker against 127.0.0.1 and the port that I
bound stunnel to. All traffic sent to the local port is redirected over the
From: van Eeden, Stieler [mailto:veedest () EY CO ZA]
Sent: Friday, September 08, 2000 3:24 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Scanning through SSL proxies.
Since everybody is starting to realise that SSL is a more
than HTTP ..heh.. A lot of clients is running SSL based webservers.
Unfortunately most make the mistake by thinking if they
implement SSL they
are secure and cant be hacked. But they are actually just secured from
sniffing etc. and then dont bother to harden the OS or
review their cgi
scripts. The attacks can still be automated through a SSL
proxy. Go and
check you could still be vulnerable to RDS :P
Up to now I've done all the checks manually, damn it takes
long! In the
whisker documentation RFP says that it is possible to use an
SSL proxy. I
quote from his documentation (
"<> SSL support is officially to be had by using sslproxy by Christian
Starkjohann <cs () obdev at>, at http://www.obdev.at/Products/. It
runs on both Win and Unix, so life is good. Copies are available
from my site just in case you can't find them. RTFM for usage."
I also noted that a few paragraphes before that he stated -
"<> Proxy support has been removed until version v2.0. The
commandline options have been
other v1.4 features."
I assume he is talking about normal proxy support.
I had a look at SSLproxy and had a few problems to get it to
work in Linux,
I could be missing a few Libs. I have OpenSSH and OpenSSL
Apparently there is a win32 port of sslproxy, the link to the
win32 port is
Anyone got a copy ?
Have anybody got this to work successfully ? I need some
help, please give
me some light ! Is there any other SSL Proxies that can be
used to simulate
webscan's ? Up to now whisker look like the only worth while
tool with ssl
proxy support for the job.