0 Replies Latest reply on Jan 8, 2012 2:56 AM by ijahnke

    Testing Basic Authentication with telnet and openssl

    ijahnke

      It's always frustrating trying to find a simple tool to verify things are working, so this is just a

      quick tutorial going over how to test basic auth against IIS using telnet and openssl on Linux.

       

      Basic Authentication is a means to send usernames and passwords over the network to log into a device upstream.

      This form of authentication is inherently insecure because it is sent in plain text over the network; however, it is widely adopted

      by most clients/servers, which still makes it relatively popular, especially in multi-platform environments.

      We strongly suggest that if you are going to use it, then you should use it over

      HTTPS (SSL/TLS), to prevent anyone from using a packet sniffer and picking up passwords while in transit.

       

       

      Basic Authentication is simply a base64 encoded username/password sent across the wire as

      user_name:password

       

      To base64 encode a username and password:

      echo -n "valid_user_name:valid_user_password"  | openssl base64 -base64

       

      NOTE:

      Do not echo a newline into the username/password; there is a difference.

       

      This is valid (-n = no newline):

      echo -n "valid_user_name:valid_user_password"  | openssl base64 -base64

      dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

       

      This is NOT valid:

      echo "valid_user_name:valid_user_password"  | openssl base64 -base64

      dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQK

       

      Comparison (Notice the last characters of each one):

      dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

      dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQK

       

      To test, we need to manually telnet to our webserver and issue a GET command followed

      by any necessary HTTP headers. For the most part, I'll just keep using the same headers that I had

      taken from a packet capture of a successful connection to my lab server:

              GET / HTTP/1.1

              Host: localhost

              User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0

              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

              Accept-Language: en-us,en;q=0.5

              Accept-Encoding: gzip, deflate    <-- # If your screen goes crazy with gibberish you may just want to either blank out these values or this whole line altogether.

              Connection: keep-alive

              Cache-Control: max-age=0

              Connection: keep-alive

       

      For the authentication portion we will have to add the Authorization header

      in the form of:

           Authorization: Basic <base64 encoded username:password>

       

      Example:

              Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

       

       

      Testing a connection via telnet:

      (the telnet command and the request lines are user input)

       

          root$ telnet 9.9.9.9 80

          Trying 9.9.9.9...

          Connected to 9.9.9.9.

          Escape character is '^]'.

              GET / HTTP/1.1

              Host: localhost

              User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0

              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

              Accept-Language: en-us,en;q=0.5

              Accept-Encoding: gzip, deflate

              Connection: keep-alive

              Cache-Control: max-age=0

              Connection: keep-alive

              Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

       

              HTTP/1.1 200 OK

              Content-Length: 5673

              Content-Type: text/html

              Content-Location: http://localhost/index.htm

              Last-Modified: Tue, 03 Jan 2012 22:32:03 GMT

              Accept-Ranges: bytes

              ETag: "9ef8488467cacc1:ab1"

              Server: Microsoft-IIS/6.0

              X-Powered-By: ASP.NET

              Date: Fri, 06 Jan 2012 22:28:14 GMT

       

       

       

      Subtle Difference between IIS 6 and 7:

       

       

      IIS 6:

      When testing, you can keep it minimal with only the GET, Host, and Authorization headers:

          root$ telnet 9.9.9.9 80

          Trying 9.9.9.9...

          Connected to 9.9.9.9.

          Escape character is '^]'

              GET / HTTP/1.1

              Host: localhost

              Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

       

              HTTP/1.1 200 OK

              Content-Length: 5673

              Content-Type: text/html

              Content-Location: http://localhost/index.htm

              Last-Modified: Tue, 03 Jan 2012 22:32:03 GMT

              Accept-Ranges: bytes

              ETag: "9ef8488467cacc1:ab1"

              Server: Microsoft-IIS/6.0

              X-Powered-By: ASP.NET

              Date: Fri, 06 Jan 2012 23:11:55 GMT

       

              <html>

              <header>

       

      With IIS 7 you need to supply the User-agent:

      "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0"

      otherwise you get a 400 error as you see below.

      IIS 7:

          root$ telnet 10.10.10.10 80

          Trying 10.10.10.10...

          Connected to 10.10.10.10

          Escape character is '^]'

              GET /owa/ HTTP/1.1

              Host: localhost

              Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

       

              HTTP/1.1 400 Bad Request

              Cache-Control: no-cache, no-store

              Pragma: no-cache

              Transfer-Encoding: chunked

              Content-Type: text/html

              Expires: -1

              Server: Microsoft-IIS/7.5

              X-AspNet-Version: 2.0.50727

              Set-Cookie: OutlookSession=3bdb54d1295b4e19b3ffbcd728832f26; path=/; HttpOnly

              X-Powered-By: ASP.NET

              X-UA-Compatible: IE=EmulateIE7

              Date: Fri, 06 Jan 2012 23:15:27 GMT

       

       

        

      So you don't really need to do much to make IIS 6.0 accept your creds, but

      for IIS 7 you do need to include the User-Agent:

          root$ telnet 10.10.10.10 80

          Trying 10.10.10.10...

          Connected to 10.10.10.10.

          Escape character is '^]'

              GET /owa/ HTTP/1.1

              Host: 127.0.0.1:10624

              User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0

              Accept: text/html,*/*;q=0.8

              Accept-Language: en-us,en;q=0.5

              Connection: keep-alive

              Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

       

       

       

      Testing SSL with openssl:

       

       

          root$ openssl s_client -connect 10.10.10.10:443

          CONNECTED(00000003)

          depth=0 /C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com

          verify return:1

          depth=0 /C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com

          verify return:1

          depth=0 /C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com

          verify return:1

          ---

          Certificate chain

           0 s:/C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com

             i:/DC=com/DC=my/CN=fqdn

          ---

          Server certificate

          -----BEGIN CERTIFICATE-----

          MIIFmTCCBIGgAwIBAgIKS3yiQwAAAAAAEDANBgkqhkiG9w0BAQUFADBGMRMwEQYK

          ......

          <Breaking certificate to save space, it is a long certificate>

          ......

          Tvj65Mal1s6GRm271DrUSMFPCOK8AXK21I1oQw6dWFRntMDhBoP6eOX3UlOD

          -----END CERTIFICATE-----

          subject=/C=US/ST=MyState/L=NewYork/O=myOrganization/OU=myDepartment/CN=my.fqdn.com/emailAddress=me@dom.com

          issuer=/DC=com/DC=my/CN=fqdn

          ---

          No client certificate CA names sent

          ---

          SSL handshake has read 1596 bytes and written 465 bytes

          ---

          New, TLSv1/SSLv3, Cipher is AES128-SHA

          Server public key is 2048 bit

          Secure Renegotiation IS supported

          Compression: NONE

          Expansion: NONE

          SSL-Session:

              Protocol  : TLSv1

              Cipher    : AES128-SHA

              Session-ID: 6F0F000023C76F6B1CEFCC0AAFC9BDFC484215D09F2024CE4C915D512B0BEA64

              Session-ID-ctx:

              Master-Key: 94DDE828FFEF1ED3DE23091955CDDC1F0EC30D88281B742324040BE2093F3D92596EC8ADA89BFD86B2CAC9E872C9609B

              Key-Arg   : None

              Start Time: 1325892761

              Timeout   : 300 (sec)

              Verify return code: 21 (unable to verify the first certificate)

              ---

               GET / HTTP/1.1

              Host: localhost

              User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0

              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

              Accept-Language: en-us,en;q=0.5

              Accept-Encoding:

              Connection: keep-alive

              Cache-Control: max-age=0

              Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=

       

              HTTP/1.1 200 OK

              Content-Type: text/html

              Last-Modified: Tue, 19 Apr 2011 14:44:05 GMT

              Accept-Ranges: bytes

              ETag: "d7b273ba0fecb1:0"

              Server: Microsoft-IIS/7.5

              X-Powered-By: ASP.NET

              Date: Fri, 06 Jan 2012 23:40:38 GMT

              Content-Length: 689

       

              <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

       

              .........

       

          To debug the actual SSL portion of the connection you can use openssl commands like these (in increasing verbosity, not necessarily in this order):

              openssl s_client -connect 10.10.10.10:443 -crlf

              openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file

              openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug

              openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug -msg

              openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug -msg -state

              openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -crlf -debug -msg -state -tlsextdebug

       

           or if you want to save some screen real-estate:

              openssl s_client -connect 10.10.10.10:443 -CAfile /path/to/your/ca/file -quiet

       

       

       

       

       

       

       


       

      on 1/8/12 2:56:25 AM CST
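The newline pitfall and the Authorization header format described in the post, as an added example that is not part of the original post: it builds the header without a stray newline, decodes a captured header to show that base64 hides nothing, and flags a token built with a bare echo. The function names are hypothetical; the credentials are the post's placeholder values.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; the credentials are the
# post's own placeholder values.

# Encode stdin as one line of base64. -A matters: without it openssl wraps
# output at 64 characters, which splits the token for long credentials.
b64enc() {
    if command -v openssl >/dev/null 2>&1; then openssl base64 -A
    else base64 | tr -d '\n'; fi
}

# Decode one line of base64 from stdin.
b64dec() {
    if command -v base64 >/dev/null 2>&1; then base64 -d
    else openssl base64 -d -A; fi
}

# Print the header for USER and PASSWORD. printf '%s' never appends a newline,
# unlike echo, whose -n flag is not honoured by every /bin/sh.
basic_header() {
    printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | b64enc)"
}

# Decode a header line and print the credentials it carries. Returns 1 when
# the decoded bytes end in LF or CR (token built with a bare echo), 2 when
# nothing decodes.
check_basic_header() {
    token=${1#Authorization: Basic }
    hex=$(printf '%s' "$token" | b64dec 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case $hex in
        '')      echo "token does not decode"; return 2 ;;
        *0a|*0d) echo "decoded credentials end in a line break"; return 1 ;;
    esac
    printf '%s' "$token" | b64dec; echo
}

basic_header valid_user_name valid_user_password
check_basic_header 'Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQ=' || true
check_basic_header 'Authorization: Basic dmFsaWRfdXNlcl9uYW1lOnZhbGlkX3VzZXJfcGFzc3dvcmQK' || true
```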
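The TLS test from the post can also be scripted instead of pasted into an interactive session. The following is an added example, not part of the original post, that builds the request with explicit CRLF line endings and reads back the status code; the function names are hypothetical, and the host, port, token and CA file passed to `probe_tls` are whatever your own lab uses.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the User-Agent string is the
# one used in the post.

UA='Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0) Gecko/20111220 Firefox/9.0'

# Emit a full request with CRLF line endings and the blank line that ends the
# headers. "Connection: close" makes the server hang up after one response,
# so a piped client exits instead of waiting on a keep-alive socket.
build_request() {    # build_request HOST PATH TOKEN
    printf 'GET %s HTTP/1.1\r\n' "$2"
    printf 'Host: %s\r\n' "$1"
    printf 'User-Agent: %s\r\n' "$UA"
    printf 'Authorization: Basic %s\r\n' "$3"
    printf 'Connection: close\r\n\r\n'
}

# Print the status code from a raw HTTP response read on stdin.
status_code() {
    awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 } { exit }'
}

# Send the request over TLS and print the status code.
# No -crlf: the request already carries CRLF. -quiet drops the session dump and
# keeps the socket open after stdin ends. -verify_return_error aborts the
# handshake on a certificate error, so the header is never sent to a server
# that failed verification (the post's session continued with code 21).
probe_tls() {        # probe_tls HOST PORT PATH TOKEN CAFILE
    build_request "$1" "$3" "$4" |
        openssl s_client -quiet -verify_return_error \
            -connect "$1:$2" -CAfile "$5" 2>/dev/null | status_code
}

# Constructed responses modelled on the post's IIS 6 and IIS 7.5 output.
printf 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n' | status_code
printf 'HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/7.5\r\n\r\n' | status_code
```

An empty result from `probe_tls` means no HTTP response came back, which with `-verify_return_error` includes the case where the certificate did not verify against the CA file.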