Notes on Web Penetration Testing with Kali (8)
Source: Internet  Editor: 程序博客网  Time: 2024/06/08 11:29
Attacking SSL-based websites
- Securing the communication between the client and the web application is the most common use of TLS/SSL, and it is known as HTTP over SSL or HTTPS.
TLS is also used to secure the communication channel used by other protocols in the following ways:
- Used by mail servers to encrypt emails between two mail servers and also between the client and the mail server.
- To secure communication between database servers and LDAP authentication servers.
- To encrypt virtual private network (VPN) connections, known as SSL VPN.
- Remote Desktop Services in Windows operating systems use TLS to encrypt and authenticate the client connecting to the server.
Asymmetric encryption, which uses a combination of public-private keys, is more secure than symmetric encryption.
Asymmetric encryption algorithms
- Diffie-Hellman key exchange
- Rivest Shamir Adleman (RSA)
- Elliptic Curve Cryptography (ECC): similar to RSA
Symmetric encryption algorithms
- Data Encryption Standard (DES): easily breakable
- Advanced Encryption Standard (AES)
- International Data Encryption Algorithm (IDEA)
Symmetric algorithms are divided into two major types:
- Block cipher
- Stream cipher
Secure Hash Algorithm (SHA) is often used to create hashes:

| Hashing function | Output hash size (bits) |
|---|---|
| MD5 | 128 |
| SHA-1 | 160 |
| SHA-2 | 224; 256; 384; 512 |

In a collision attack, two different input files will generate the same hash output.
- HMAC stands for keyed-hash message authentication code.
- SSLScan: By default, the tool checks whether the server is vulnerable to the CRIME and Heartbleed vulnerabilities.
- Watch out when NULL appears in the names of the supported ciphers. If a NULL cipher is selected, the SSL handshake will complete and the browser will display the secure padlock, but HTTP data will be transmitted in clear text. (sslscan)
sslyze:
- Checking for older versions of SSL
- Analysing the cipher suites and identifying weak ciphers
- Scanning multiple servers using an input file
- Checking for session resumption support
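
The following Python script is an added example, not part of the original notes or of sslscan/sslyze. It applies the checks described above (NULL ciphers, weak ciphers, older SSL versions) to a constructed list of protocol and OpenSSL cipher-suite name pairs; the input format, the rule set and the function names are assumptions made for illustration.

```python
# Constructed sample: "<protocol> <OpenSSL cipher-suite name>" pairs that a
# scanner might report as accepted. Not literal sslscan or sslyze output.
SAMPLE_SCAN = """\
SSLv3 DES-CBC-SHA
TLSv1.0 NULL-SHA
TLSv1.0 EXP-RC4-MD5
TLSv1.2 RC4-SHA
TLSv1.2 DES-CBC3-SHA
TLSv1.2 AES128-SHA
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
"""

OLD_PROTOCOLS = {"SSLv2", "SSLv3"}  # assumed meaning of "older versions of SSL"


def audit_line(line):
    """Return (protocol, cipher, findings) for one 'protocol cipher' line."""
    protocol, cipher = line.split()
    # Compare whole "-"-separated parts rather than substrings, and keep
    # 3DES (DES-CBC3-*) apart from single DES.
    parts = cipher.split("-")
    findings = []
    if protocol in OLD_PROTOCOLS:
        findings.append("obsolete protocol version")
    if "NULL" in parts:
        findings.append("NULL cipher: handshake completes but data is sent in clear text")
    if "EXP" in parts:
        findings.append("export-grade key length")
    if "DES" in parts:
        if "CBC3" in parts:
            findings.append("3DES: 64-bit block cipher")
        else:
            findings.append("single DES: easily breakable")
    if "RC4" in parts:
        findings.append("RC4 stream cipher")
    if parts[-1] == "MD5":
        findings.append("MD5-based MAC")
    return protocol, cipher, findings


def audit(scan_text):
    """Audit every non-empty line and return only the entries with findings."""
    results = [audit_line(l) for l in scan_text.splitlines() if l.strip()]
    return [r for r in results if r[2]]


if __name__ == "__main__":
    for protocol, cipher, findings in audit(SAMPLE_SCAN):
        print(f"{protocol:8} {cipher:30} {'; '.join(findings)}")
```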
Testing SSL configuration using Nmap: Nmap includes a script known as ssl-enum-ciphers.
- The SSL Server Test (https://www.ssllabs.com/ssltest/) is an online tool hosted by Qualys that performs deep analysis of the SSL configuration of a website.
SSL man-in-the-middle attack
SSL MITM tools in Kali:
- SSLsplit
- SSLstrip
- SSLsniff