TechEd 2016 Template - Sevecek
Ing. Ondřej Ševeček | GOPAS a.s.
MCSM:Directory | MVP:Security | CISA | CISM | CEH | CHFI | CISSP
[email protected] | www.sevecek.com
relevant courses:
GOC166 (ADFS), GOC168 (IIS), GOC169 (ISO 2700x)
Fiddler
Motivation
Browsers
– IE, Edge, Chrome, ...
Non-browser clients
– winhttp, Java, ...
– Outlook, Word, Excel, web service clients, ...
User accounts
– my own user, SYSTEM, Network Service, Local Service, ...
HTTP web proxy
[Diagram: Web Client (GUI, browser) -> HTTP -> Proxy:8888 -> HTTP -> Web service]
SSL proxy
[Diagram: Web Client (GUI, browser) -> HTTPS -> Proxy:8888 -> HTTPS -> Web service; labels: cert, fake cert, trust]
Local debugging
Fiddler
Change proxy settings to all protocols
Configure old winhttp SYSTEM clients
netsh winhttp set proxy
Enable SSL inspection
Remote debugging is smoother
Fiddler
Enable remote proxy bindings
Verify remote proxy bindings
must be 0.0.0.0:8888
Proxy servers for more accounts and services
$fdl = Read-Host 'Fiddler machine name'
# S-1-5-18 = SYSTEM (Local System)
Set-ItemProperty 'Microsoft.PowerShell.Core\Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings' ProxyServer "$($fdl):8888"
# S-1-5-19 = Local Service
Set-ItemProperty 'Microsoft.PowerShell.Core\Registry::HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings' ProxyServer "$($fdl):8888"
# S-1-5-20 = Network Service
Set-ItemProperty 'Microsoft.PowerShell.Core\Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings' ProxyServer "$($fdl):8888"
# The user running this script
Set-ItemProperty 'Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings' ProxyServer "$($fdl):8888"
# WinHTTP clients read their own machine-wide proxy setting
netsh winhttp set proxy "$($fdl):8888"
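An added example (not from the original slides): a read-only PowerShell check that lists the proxy configured for each account the snippet above touches, plus the WinHTTP setting, so a debugging proxy left behind on port 8888 is easy to spot. The function name Get-DebugProxyState and the Leftover column are illustrative, and the script assumes an elevated prompt so the service-account hives under HKEY_USERS are readable.

```powershell
# Added example: audit the proxy settings changed by the snippet above.
# Assumption: elevated prompt; a hive that cannot be read is reported
# with KeyReadable = False instead of raising an error.
function Get-DebugProxyState {
    param([int]$Port = 8888)   # port used throughout the slides

    $rel = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hives = [ordered]@{
        'SYSTEM (S-1-5-18)'          = 'HKEY_USERS\S-1-5-18'
        'Local Service (S-1-5-19)'   = 'HKEY_USERS\S-1-5-19'
        'Network Service (S-1-5-20)' = 'HKEY_USERS\S-1-5-20'
        'Current user'               = 'HKEY_CURRENT_USER'
    }

    foreach ($name in $hives.Keys) {
        $path = "Microsoft.PowerShell.Core\Registry::$($hives[$name])\$rel"
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $server = if ($p) { $p.ProxyServer } else { $null }
        [pscustomobject]@{
            Account     = $name
            KeyReadable = ($null -ne $p)
            ProxyEnable = if ($p) { $p.ProxyEnable } else { $null }
            ProxyServer = $server
            # Matches "host:8888" and per-protocol "http=host:8888;https=..."
            Leftover    = [bool]($server -match ":$Port(;|`$)")
        }
    }

    # WinHTTP keeps a separate machine-wide setting; netsh output is
    # localized, so the raw text is returned rather than parsed.
    $winhttp = ((netsh winhttp show proxy | Out-String) -replace '\s+', ' ').Trim()
    [pscustomobject]@{
        Account     = 'WinHTTP (machine-wide)'
        KeyReadable = $true
        ProxyEnable = $null
        ProxyServer = $winhttp
        Leftover    = [bool]($winhttp -match ":$Port\b")
    }
}

Get-DebugProxyState | Format-Table -AutoSize -Wrap
```

Once debugging is finished, `netsh winhttp reset proxy` returns WinHTTP to direct access; the per-account ProxyServer values have to be cleared in each hive separately.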
Testing non-browser clients
(New-Object Net.WebClient).DownloadString("https://www.google.com")
# Note: more examples at
# https://www.sevecek.com/Lists/Posts/Post.aspx?ID=289
Extended Protection for Authentication
Extended Protection on RD Gateway
HKLM\System\CurrentControlSet\Control\LSA
– SuppressExtendedProtection = DWORD = 3 (1 -bxor 2)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core
– EnforceChannelBinding = DWORD = 0
Client certificate authentication
Export .PFX with private key
Export .CER without private key
Import .PFX into current user profile
Save .CER as Documents\Fiddler2\ClientCertificate.cer
Thank you!