Testing Basic Authentication with telnet and openssl

It's always frustrating trying to find a simple tool to verify things are working, so this is just a quick tutorial going over how to test basic auth against IIS using telnet and openssl on Linux.

Basic Authentication is a means of sending a username and password over the network to log into an upstream device.

This form of authentication is inherently insecure because the credentials are sent in plain text over the network (base64 is an encoding, not encryption); however, it is widely supported by most clients and servers, which still makes it relatively popular, especially in multi-platform environments.

We strongly suggest that if you are going to use it, you use it over HTTPS (SSL/TLS), to prevent anyone with a packet sniffer from picking up passwords in transit.

Basic Authentication is simply a base64-encoded username/password pair sent across the wire as

user_name:password

To base64 encode a username and password:

echo -n "valid_user_name:valid_user_password"  | openssl base64 -base64

NOTE: do not echo a newline into the username/password; it changes the encoded value.

This is valid (-n = no newline):

echo -n "valid_user_name:valid_user_password"  | openssl base64 -base64

dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

This is NOT valid:

echo "valid_user_name:valid_user_password"  | openssl base64 -base64

dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQK

Comparison (Notice the last characters of each one):

dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQK

To test, we need to manually telnet to our web server and issue a GET command followed by any necessary HTTP headers. For the most part, I'll just keep using the same headers that I had taken from a packet capture of a successful connection to my lab server:

        GET / HTTP/1.1
        Host: localhost
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate    <-- If your screen fills with gibberish (a compressed response body), blank out these values or drop this line altogether.
        Connection: keep-alive
        Cache-Control: max-age=0
        Connection: keep-alive

For the authentication portion we will have to add the Authorization header in the form of:

     Authorization: Basic <base64 encoded username:password>

Example:

        Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

Testing a connection via telnet:

(the request lines, from GET through Authorization, are user input; the lines from HTTP/1.1 onward are the server's response)

    root$ telnet 9.9.9.9 80
    Trying 9.9.9.9...
    Connected to 9.9.9.9.
    Escape character is '^]'.
        GET / HTTP/1.1
        Host: localhost
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip, deflate
        Connection: keep-alive
        Cache-Control: max-age=0
        Connection: keep-alive
        Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

        HTTP/1.1 200 OK
        Content-Length: 5673
        Content-Type: text/html
        Content-Location: http://localhost/index.htm
        Last-Modified: Tue, 03 Jan 2012 22:32:03 GMT
        Accept-Ranges: bytes
        ETag: "9ef8488467cacc1:ab1"
        Server: Microsoft-IIS/6.0
        X-Powered-By: ASP.NET
        Date: Fri, 06 Jan 2012 22:28:14 GMT

Subtle Difference between IIS 6 and 7:

IIS 6:

When testing, you can keep it minimal with only the GET line and the Host and Authorization headers:

    root$ telnet 9.9.9.9 80
    Trying 9.9.9.9...
    Connected to 9.9.9.9.
    Escape character is '^]'
        GET / HTTP/1.1
        Host: localhost
        Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

        HTTP/1.1 200 OK
        Content-Length: 5673
        Content-Type: text/html
        Content-Location: http://localhost/index.htm
        Last-Modified: Tue, 03 Jan 2012 22:32:03 GMT
        Accept-Ranges: bytes
        ETag: "9ef8488467cacc1:ab1"
        Server: Microsoft-IIS/6.0
        X-Powered-By: ASP.NET
        Date: Fri, 06 Jan 2012 23:11:55 GMT

        <html>
        <header>

With IIS 7 you need to supply the User-Agent header:

"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0"

otherwise you get a 400 error, as you see below.

IIS 7:

    root$ telnet 10.10.10.10 80
    Trying 10.10.10.10...
    Connected to 10.10.10.10
    Escape character is '^]'
        GET /owa/ HTTP/1.1
        Host: localhost
        Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

        HTTP/1.1 400 Bad Request
        Cache-Control: no-cache, no-store
        Pragma: no-cache
        Transfer-Encoding: chunked
        Content-Type: text/html
        Expires: -1
        Server: Microsoft-IIS/7.5
        X-AspNet-Version: 2.0.50727
        Set-Cookie: OutlookSession=3bdb54d1295b4e19b3ffbcd728832f26; path=/; HttpOnly
        X-Powered-By: ASP.NET
        X-UA-Compatible: IE=EmulateIE7
        Date: Fri, 06 Jan 2012 23:15:27 GMT

So you don't really need to do much to make IIS 6.0 accept your creds, but for IIS 7 you do need to include the User-Agent header:

    root$ telnet 10.10.10.10 80
    Trying 10.10.10.10...
    Connected to 10.10.10.10.
    Escape character is '^]'
        GET /owa/ HTTP/1.1
        Host: 127.0.0.1:10624
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0
        Accept: text/html,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Connection: keep-alive
        Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

Testing SSL with openssl:

    root$ openssl s_client -connect 10.10.10.10:443
    CONNECTED(00000003)
    depth=0 /C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com
    verify return:1
    depth=0 /C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com
    verify return:1
    depth=0 /C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com
       i:/DC=com/DC=my/CN=fqdn
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFmTCCBIGgAwIBAgIKS3yiQwAAAAAAEDANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    ......
    <Breaking certificate to save space, it is a long certificate>
    ......
    Tvj65Mal1s6GRm271DrUSMFPCOK8AXK21I1oQw6dWFRntMDhBoP6eOX3UlOD
    -----END CERTIFICATE-----
    subject=/C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com
    issuer=/DC=com/DC=my/CN=fqdn
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1596 bytes and written 465 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: 6F0F000023C76F6B1CEFCC0AAFC9BDFC484215D09F2024CE4C915D512B0BEA64
        Session-ID-ctx:
        Master-Key: 94DDE828FFEF1ED3DE23091955CDDC1F0EC30D88281B742324040BE2093F3D92596EC8ADA89BFD86B2CAC9E872C9609B
        Key-Arg   : None
        Start Time: 1325892761
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        ---

        GET / HTTP/1.1
        Host: localhost
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding:
        Connection: keep-alive
        Cache-Control: max-age=0
        Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

        HTTP/1.1 200 OK
        Content-Type: text/html
        Last-Modified: Tue, 19 Apr 2011 14:44:05 GMT
        Accept-Ranges: bytes
        ETag: "d7b273ba0fecb1:0"
        Server: Microsoft-IIS/7.5
        X-Powered-By: ASP.NET
        Date: Fri, 06 Jan 2012 23:40:38 GMT
        Content-Length: 689

        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        .........

To debug the actual SSL portion of the connection you can use openssl s_client options like these (roughly in increasing verbosity, though not strictly in this order). -CAfile points at the issuing CA so the chain verifies, instead of ending in "Verify return code: 21 (unable to verify the first certificate)" as in the session above; -crlf sends CRLF line endings so the hand-typed request is well-formed HTTP:

        openssl s_client -connect 10.10.10.10:443 -crlf
        openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file
        openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug
        openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug -msg
        openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug -msg -state
        openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug -msg -state -tlsextdebug

or if you want to save some screen real estate:

        openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -quiet
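As an added example (not part of the original post), here is a small Python script that does by program what the post does by hand: it builds the Basic value without the stray newline, decodes a value to spot that newline, assembles the CRLF-terminated request with the User-Agent that IIS 7 required, and can send it over plain TCP or over TLS with chain verification (the -CAfile case). The credentials are the post's placeholder pair; the host, port and CA file are whatever you point it at.

```python
import base64
import socket
import ssl

# Constructed sample credentials: the same placeholder pair the post encodes.
USER, PASSWORD = "valid_user_name", "valid_user_password"
UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0"

def basic_auth_value(user, password):
    # Encode the bytes directly: no trailing newline, unlike a bare `echo`.
    creds = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")

def check_basic_value(value):
    # Decode a Basic value and flag the newline pitfall the post warns about.
    if not value.startswith("Basic "):
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(value[len("Basic "):], validate=True)
    user, sep, password = raw.partition(b":")
    return {"user": user.decode("utf-8"), "password": password.decode("utf-8"),
            "has_colon": bool(sep), "trailing_newline": raw.endswith(b"\n")}

def build_request(host, path, auth_value, user_agent=UA):
    # The request the post types by hand, with CRLF line endings (the reason
    # openssl s_client has -crlf). User-Agent is always sent: per the post,
    # IIS 7 answers 400 Bad Request without it.
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", f"User-Agent: {user_agent}",
             "Accept: text/html,*/*;q=0.8", "Connection: close",
             f"Authorization: {auth_value}"]
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n"

def send_request(host, port, request, use_tls=False, cafile=None, timeout=10):
    # Send over TCP, or over TLS with chain verification (the -CAfile case),
    # and return the server's status line, e.g. "HTTP/1.1 200 OK".
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rb") as f:
        sock.sendall(request)
        status = f.readline()
    return status.rstrip(b"\r\n").decode("iso-8859-1")

if __name__ == "__main__":
    # Show the request that would go over the wire and the bad-encoding check.
    print(build_request("localhost", "/", basic_auth_value(USER, PASSWORD)).decode("ascii"))
    print(check_basic_value("Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQK"))
```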


on 1/8/12 2:56:25 AM CST