Testing HTTP/HTTPS through telnet/openssl

I know this is available other places, but I needed one place to keep track of everything:

Basic HTTP (telnet hostname.com 80):

GET / HTTP/1.1
host: hostname.com
– additional carriage return –

HTTPS (openssl s_client -connect hostname.com:443):

GET / HTTP/1.1
host: hostname.com
– additional carriage return –

HTTPS with Basic Authentication (openssl s_client -connect hostname.com:443):

GET / HTTP/1.1
host: hostname.com
Authorization: Basic cGVyyyyblahyyyyrJtYx4h
– additional carriage return –

This is how you would come up with the Base64 Encoded string for basic Authentication:

(This is supposed to work, but it didn’t work for me. I ended up running a sniffer on an unencrypted page that used my credentials (of course, internally) and pulled it out of the headers. If you know what I am doing wrong here, please let me know.)

perl -e 'print "username:", crypt("password","tR"), "\n"'
==> username:tR40ZxFCZTntI
perl -MMIME::Base64 -e'print encode_base64("username:tR40ZxFCZTntI")'
==> dXNlcm5hbWU6dFI0MFp4RkNaVG50SQ==

So technically you should put:

Authorization: Basic dXNlcm5hbWU6dFI0MFp4RkNaVG50SQ==

(Thanks to Brandon Checketts for the openssl replacement of telnet for https connections.)

9 thoughts on “Testing HTTP/HTTPS through telnet/openssl

  1. You’re using to much encryption on your basic auth. Here’s the perl line that works:

    perl -MMIME::Base64 -e ‘print encode_base64(“username:password”)’

    (yes, the password is plain text that’s just base 64 encoded – it has basically no security.)

    <mike

  2. Also, if your password has some “special” characters in it, it can be a pain with both the shell and perl trying to have their way with it. Here is an example on how to use openssl itself to encode it.

    $ echo ‘UserName:P@$$w()Rd!’ | openssl base64 -e
    VXNlck5hbWU6UEAkJHcoKVJkIQo=

  3. Hi, you can also use Python from the shell:

    python -c ‘import base64; print base64.encodestring(“username:password”).rstrip(“\n”)’

    then just continue normally. E.g.:

    openssl s_client -connect mywebsite.tld:443
    GET / HTTP/1.1
    Host: localhost
    Authorization: Basic

    I know its late but maybe it helps somebody in the future.

  4. Seems the website strips < stuff.

    In my other comment:

    Authorization: Basic

    in

    Authorization: Basic (included python -c stuff here from the command above)

  5. Testing TLS SMTP:

    perl -MMIME::Base64 -e ‘print encode_base64(“username”);’
    perl -MMIME::Base64 -e ‘print encode_base64(“password”);’

    in SMTP use AUTH LOGIN

    334 VXNlcm5hbWU6
    enter_encoded_username
    334 UGFzc3dvcmQ6
    enter_encoded_password

Leave a Comment