OverTheWire Bandit Level 16: Using OpenSSL to Connect to SSL/TLS Services

OverTheWire Bandit Level 16 walkthrough. Learn how to use OpenSSL s_client to connect to SSL/TLS encrypted services, submit passwords over encrypted connections, and handle SSL certificate information.

Level 16 introduces SSL/TLS encryption, the same encryption used by HTTPS websites. Instead of connecting to a plaintext service as in Level 15, you'll connect to an encrypted service using OpenSSL. This teaches you how encrypted network connections work and how to interact with SSL/TLS services.

Level 16 teaches you:

  • Using openssl s_client to connect to SSL/TLS services
  • Understanding SSL/TLS encryption
  • Submitting passwords over encrypted connections
  • Handling SSL certificate information
  • Using the -ign_eof flag to avoid connection issues

This level builds on what you learned about netcat in Level 15, but now you're working with encrypted connections. Understanding SSL/TLS is essential for penetration testing, as most modern services use encryption.


🎯 The Objective

After logging into bandit15, your goal is to find the password for Level 16. The password is retrieved by submitting the current level's password (bandit15) to a service running on port 30001 on localhost using SSL encryption.

What Level 16 teaches:

  • Using openssl s_client to connect to SSL/TLS ports
  • Understanding encrypted connections
  • Submitting passwords over SSL
  • Handling SSL certificate output
  • Using flags to control SSL client behavior

The challenge: Connect to port 30001 on localhost using OpenSSL (instead of plain netcat), submit the bandit15 password, and receive the bandit16 password in response.


Understanding the Problem

Let's start by connecting to Level 15 and seeing what we're dealing with:

sshpass -p `cat bandit15` ssh bandit15@bandit.labs.overthewire.org -p 2220

Once connected, you need to:

  1. Get the current level's password (bandit15)
  2. Connect to port 30001 on localhost using SSL
  3. Submit that password over the encrypted connection
  4. Receive the next level's password

The problem: How do you connect to an SSL-encrypted service instead of a plaintext one?

The answer: Use openssl s_client instead of netcat. It works similarly to netcat but handles SSL/TLS encryption.


🧠 Understanding SSL/TLS

Let's dive deeper into SSL/TLS, because understanding encryption is crucial:

What Is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are encryption protocols that:

  • Encrypt data - Protect data in transit
  • Authenticate servers - Verify server identity with certificates
  • Ensure integrity - Detect if data is tampered with

Common uses:

  • HTTPS (HTTP over SSL/TLS)
  • Secure email (SMTP, IMAP over SSL)
  • Secure remote access
  • Encrypted network services

Why SSL/TLS Matters

SSL/TLS is essential because:

  • Privacy - Data is encrypted and can't be read by interceptors
  • Security - Protects against man-in-the-middle attacks (when the client verifies the server's certificate)
  • Industry standard - Used by virtually all modern services
  • Required - Many services only accept encrypted connections

SSL vs. Plaintext

Plaintext (Level 15):

  • Data sent in clear text
  • Anyone can intercept and read it
  • Uses netcat or nc

SSL/TLS (Level 16):

  • Data encrypted before transmission
  • Interceptors see encrypted gibberish
  • Uses openssl s_client

For Level 16: We use SSL, so we need openssl s_client instead of netcat.


📋 Step-by-Step Walkthrough

Step 1: Connect to Level 15

sshpass -p `cat bandit15` ssh bandit15@bandit.labs.overthewire.org -p 2220

Step 2: Get the Current Password

First, get the password for the current level (bandit15):

cat /etc/bandit_pass/bandit15

Copy this password; you'll need to submit it to the SSL service.

Step 3: Connect to the SSL Service

Connect to port 30001 on localhost using OpenSSL:

openssl s_client -connect localhost:30001

Breaking this down:

  • openssl - OpenSSL command-line tool
  • s_client - SSL client mode (connects to SSL servers)
  • -connect localhost:30001 - Connects to localhost on port 30001

What you'll see: A lot of SSL certificate information will scroll by. This is normal! The connection is establishing the encrypted session. After the certificate information stops scrolling, the service is ready for input.

Important: Just like with netcat in Level 15, there's no prompt. The service is waiting for you to send the password.

Step 4: Submit the Password

Type the password you got from step 2 and press Enter. The service will process it and respond.

What you'll see: If the password is correct, you'll get a message saying "Correct!" followed by the password for Level 16.

Example output:

Correct!
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Step 5: Save the Password

Copy the password and save it on your local machine:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit16

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit16 -NoNewline

Step 6: Connect to Level 16

sshpass -p `cat bandit16` ssh bandit16@bandit.labs.overthewire.org -p 2220

💡 Automating with Pipes and -ign_eof

Method 1: Pipe with -ign_eof

Instead of manually typing the password, you can automate it using pipes. However, there's an important flag to use:

cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001 -ign_eof

Breaking this down:

  • cat /etc/bandit_pass/bandit15 - Reads the password file
  • | - Pipes the password to the next command
  • openssl s_client -connect localhost:30001 - Connects to the SSL service
  • -ign_eof - Ignores EOF (end of file), keeps connection open

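Why -ign_eof? Without this flag, you might get "HEARTBEATING" or "Read R BLOCK" errors. In interactive mode, s_client treats a line that begins with certain letters (such as R or Q) as a command instead of sending it, and it closes the connection as soon as the piped input reaches EOF. The -ign_eof flag turns off that command handling and keeps the connection open after the piped input ends, allowing you to see the response.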

What this does: Automatically sends the password to the SSL service and displays the response.

Output: You'll see the SSL certificate information, then the password submission, then the response with the password for Level 16.

Pros:

  • Faster and more efficient
  • No manual typing (reduces errors)
  • Handles SSL connection properly
  • Avoids common errors

Method 2: Manual Entry

openssl s_client -connect localhost:30001
# Wait for certificate info to stop scrolling
# Then type the password manually and press Enter

Pros:

  • Simple, no pipes needed
  • Good for learning

Cons:

  • Requires manual typing
  • More error-prone
  • Slower

For Level 16, use Method 1: it's more efficient and avoids common errors.


🛠️ Alternative Methods

Here are different ways to submit the password:

Method 1: Pipe with -ign_eof

cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001 -ign_eof

Pros: Fast, automated, avoids errors
Cons: None really

Method 2: Manual Entry

openssl s_client -connect localhost:30001
# Type password manually after certificate info stops

Pros: Simple, good for learning
Cons: Manual typing, error-prone

Method 3: Using echo

echo "PASSWORD_HERE" | openssl s_client -connect localhost:30001 -ign_eof

Pros: Explicit, can test with different passwords
Cons: Requires knowing the password first

Method 4: Using printf

printf "PASSWORD_HERE\n" | openssl s_client -connect localhost:30001 -ign_eof

Pros: More control over formatting
Cons: More complex syntax

For Level 16, use Method 1: it's the most efficient and teaches you valuable skills.


🔒 Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll constantly work with SSL/TLS services:

1. HTTPS Testing

Testing encrypted web services:

  • HTTPS websites
  • API endpoints
  • Secure web applications

Example: Testing HTTPS service:

openssl s_client -connect example.com:443

2. Certificate Analysis

Analyzing SSL certificates:

  • Certificate information
  • Expiration dates
  • Certificate chains
  • Weak ciphers

Example: Viewing certificate details:

openssl s_client -connect target.com:443 -showcerts

3. Encrypted Service Testing

Testing encrypted network services:

  • SMTP over SSL (port 465)
  • IMAP over SSL (port 993)
  • POP3 over SSL (port 995)
  • Custom encrypted services

Example: Testing encrypted SMTP:

openssl s_client -connect mail.example.com:465

4. SSL/TLS Vulnerability Testing

Testing for SSL/TLS vulnerabilities:

  • Weak ciphers
  • Expired certificates
  • Misconfigured SSL
  • Protocol versions

Example: Testing SSL configuration:

openssl s_client -connect target.com:443 -cipher 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'

5. Encrypted Data Submission

Submitting data over encrypted connections:

  • API authentication
  • Encrypted form submission
  • Secure data transfer
  • CTF challenges

Example: Submitting credentials over SSL:

echo "username:password" | openssl s_client -connect api.example.com:443 -ign_eof

6. SSL Handshake Analysis

Analyzing SSL handshakes:

  • Protocol negotiation
  • Cipher selection
  • Certificate exchange
  • Connection establishment

Example: Verbose SSL connection:

openssl s_client -connect target.com:443 -state -debug

The skill you're learning: How to interact with SSL/TLS encrypted services. This is essential when:

  • Testing HTTPS services
  • Analyzing SSL certificates
  • Working with encrypted APIs
  • Performing SSL/TLS security assessments
  • Interacting with modern encrypted services

🚨 Common Mistakes

Mistake 1: Using netcat Instead of OpenSSL

Wrong:

nc localhost 30001
# Won't work! This is an SSL service, not plaintext

Right:

openssl s_client -connect localhost:30001
# Correct! Uses SSL client

Why: Port 30001 uses SSL encryption. netcat can't handle SSL, so you need openssl s_client.

Mistake 2: Not Using -ign_eof Flag

Wrong:

cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001
# Might get "HEARTBEATING" or "Read R BLOCK" errors

Right:

cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001 -ign_eof
# Avoids connection errors

Why: The -ign_eof flag tells OpenSSL to keep the connection open after the piped input ends, allowing you to see the response. Without it, you might get errors or miss the response.

Mistake 3: Expecting a Prompt Immediately

Wrong:

openssl s_client -connect localhost:30001
# Waits... sees certificate info scrolling, thinks it's broken

Right:

openssl s_client -connect localhost:30001
# Wait for certificate info to stop scrolling, then type password

Why: SSL connections show certificate information first. This is normal: wait for it to finish, then send the password.

Mistake 4: Wrong Port

Wrong:

openssl s_client -connect localhost:30000
# Wrong port (that's the plaintext service from Level 15)

Right:

openssl s_client -connect localhost:30001
# Correct port (SSL service)

Why: Port 30000 is plaintext (Level 15), port 30001 is SSL (Level 16). Make sure you're using the correct port.

Mistake 5: Not Understanding SSL Output

Confusion: "There's so much output! What do I do with it?"

Clarification:

  • The certificate information is normal SSL handshake output
  • You can ignore most of it
  • Wait for it to stop scrolling
  • Then send your password
  • The response will come after

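For Level 16: The certificate info is just informational. Wait for it to finish, then send the password. Keep in mind that s_client is a test tool: by default it reports certificate verification errors in this output but still completes the connection; add -verify_return_error to make it abort instead.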
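
As an added example (not part of the original walkthrough), this script pulls the lines that matter out of a saved s_client transcript: the negotiated protocol and cipher, the certificate verify result, and whether an input line was taken as a connected command instead of being sent. The function names and the sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize a saved `openssl s_client` transcript read from stdin.
summarize_s_client() {
  awk '
    /^subject=/ { subject = $0; sub(/^subject=/, "", subject) }
    /^issuer=/  { issuer = $0;  sub(/^issuer=/, "", issuer) }
    # e.g. "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
    /^New, .*Cipher is / {
      split($0, f, ", "); proto = f[2]
      cipher = $0; sub(/^.*Cipher is /, "", cipher)
    }
    # e.g. "Verify return code: 18 (self-signed certificate)"; 0 means verified
    /Verify return code:/ {
      line = $0; sub(/^.*Verify return code: */, "", line)
      code = line; sub(/ .*/, "", code)
      reason = line; sub(/^[0-9]+ */, "", reason); gsub(/[()]/, "", reason)
    }
    # Printed by s_client when an input line was taken as a connected command
    /^(RENEGOTIATING|HEARTBEATING|KEYUPDATE|DONE)$/ { cmd = $0 }
    END {
      print "protocol=" proto
      print "cipher=" cipher
      print "verify_code=" code
      print "verify_reason=" reason
      print "self_issued=" ((subject != "" && subject == issuer) ? "yes" : "no")
      print "command_marker=" (cmd == "" ? "none" : cmd)
    }'
}

# Constructed sample transcript (not captured from the Bandit server).
sample_transcript() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = example-selfsigned
verify error:num=18:self-signed certificate
verify return:1
---
subject=CN = example-selfsigned
issuer=CN = example-selfsigned
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 18 (self-signed certificate)
---
RENEGOTIATING
EOF
}

sample_transcript | summarize_s_client
```

To run it on a real session, save the s_client output to a file with stderr included (2>&1), since the command markers are written to stderr, and pipe that file into summarize_s_client.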


💻 Practice Exercise

Try these to reinforce what you learned:

  1. Test SSL connection:

    openssl s_client -connect localhost:30001
    # See the certificate information
    
  2. Pipe password with -ign_eof:

    cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001 -ign_eof
    # Automates password submission
    
  3. View certificate details:

    openssl s_client -connect localhost:30001 -showcerts
    # Shows full certificate chain
    
  4. Test with timeout:

    timeout 10 openssl s_client -connect localhost:30001
    # 10 second timeout
    

🎓 Understanding OpenSSL s_client

This is a good time to understand openssl s_client better:

Common Options

-connect host:port - Connect to host and port

openssl s_client -connect localhost:30001

-ign_eof - Ignore EOF, keep connection open

openssl s_client -connect localhost:30001 -ign_eof

-showcerts - Show all certificates in chain

openssl s_client -connect host:443 -showcerts

-state - Show SSL state transitions

openssl s_client -connect host:443 -state

-quiet - Suppress session and certificate output (also turns on -ign_eof implicitly)

openssl s_client -connect host:443 -quiet

For Level 16: We use -connect and -ign_eof to connect and keep the connection open.


🔗 What's Next?

Level 17 introduces port scanning, a technique for discovering open ports and services. You'll learn to scan for open ports and identify what services are running, which is essential for network reconnaissance.

Before moving on, make sure you:

  • ✅ Successfully used openssl s_client to connect to port 30001
  • ✅ Understand the difference between SSL and plaintext connections
  • ✅ Can automate password submission with pipes and -ign_eof
  • ✅ Know that SSL shows certificate information before accepting input
  • ✅ Understand why -ign_eof is important

📚 Key Takeaways

After completing Level 16, you should understand:

  1. SSL/TLS encryption - Encrypted network connections
  2. openssl s_client - Tool for connecting to SSL/TLS services
  3. -ign_eof flag - Keeps connection open to see responses
  4. Certificate information - Normal SSL handshake output
  5. Encrypted vs. plaintext - SSL services need OpenSSL, not netcat

🎯 Quick Reference

Problem              Solution               Example
Connect to SSL port  Use openssl s_client   openssl s_client -connect localhost:30001
Submit password      Pipe with -ign_eof     cat password | openssl s_client -connect localhost:30001 -ign_eof
Avoid errors         Use -ign_eof           openssl s_client ... -ign_eof
Show certificates    Use -showcerts         openssl s_client ... -showcerts
Quiet mode           Use -quiet             openssl s_client ... -quiet

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice
