Penetration Testing mailing list archives
RE: Can you impersonate a client side cert??
From: "Michael Howard" <mikehow () microsoft com>
Date: Wed, 30 Jan 2002 13:23:35 -0800
Depends on a number of things. For example, IIS4 and IIS5 natively support this, the IIS5 version is better as it can tie into Active Directory, which, by default will use the CN in the cert as the principal to use. You can also add alternate names in AD to map onto the same principal.

Note that if you use CertSrv in enterprise mode, where the cert is already part of the user's entry, there is nothing you need to do - everything happens for you!

The same stuff holds true for smartcard login in Win2000 and later... This is why schannel is integrated into lsa in win2000 and later...

Of course, the server must trust the cert issuer, and all other validity checks must pass (date validity, not revoked etc)

Cheers, MH
Secure Windows Initiative
Got an access denied? Good, my job is done!
Writing Secure Code: http://www.microsoft.com/mspress/books/5612.asp

-----Original Message-----
From: Darren Craig [mailto:darren.craig () celare co uk]
Sent: Monday, January 28, 2002 4:00 AM
To: pen-test () securityfocus com
Subject: Can you impersonate a client side cert??

Hi All,

I have been reading a paper which was published back in Feb 2001 by a company called Sensepost which says that there is a way to impersonate a user's client side cert by using the same common name. Does anybody have any experience of doing this or is it even possible considering that the user's public part of the cert would be installed on the web server?

Darren

******************************************************************
Privileged, confidential and/or copyright information may be contained in this e-mail. This e-mail is for the use only of the intended addressee. If you are not the intended addressee, or the person responsible for delivering it to the intended addressee, you may not copy, forward, disclose or otherwise use it or any part of it in any way whatsoever, to do so is prohibited and may be unlawful.
If you receive this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software. Celare Limited may monitor the content of e-mails sent and received via its network for the purposes of ensuring compliance with its policies and procedures. This message is subject to and does not create or vary any contractual relationship between Celare Limited and you. Thank you.
******************************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
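
The mapping the reply describes (certificate CN to a principal, accepted only when the issuer is trusted and the date and revocation checks pass), sketched as an added example that is not part of the original thread and is not IIS or Active Directory code. The certificates are constructed dicts in the shape Python's ssl.SSLSocket.getpeercert() returns; the CA names, account name and serial numbers are hypothetical.

```python
import ssl

# Hypothetical policy data. Comparing the issuer by CN is a simplification;
# a real deployment pins the issuing CA's certificate or key.
TRUSTED_ISSUERS = {"Example Corp Issuing CA"}
REVOKED_SERIALS = {"0BAD"}
ACCOUNTS_BY_CN = {"alice": "EXAMPLE\\alice"}


def _attr(name_field, key):
    """First value of `key` in a getpeercert()-style subject/issuer tuple."""
    for rdn in name_field:
        for k, v in rdn:
            if k == key:
                return v
    return None


def map_by_cn_only(cert):
    """Weak mapping: any certificate carrying the right CN gets the account."""
    return ACCOUNTS_BY_CN.get(_attr(cert["subject"], "commonName"))


def map_with_checks(cert, now):
    """Map the CN only if issuer, validity dates and revocation all pass."""
    if _attr(cert["issuer"], "commonName") not in TRUSTED_ISSUERS:
        return None
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return None
    if cert["serialNumber"] in REVOKED_SERIALS:
        return None
    return map_by_cn_only(cert)


def make_cert(issuer_cn, serial, not_after="Jan 30 00:00:00 2003 GMT"):
    """Constructed sample certificate for subject CN 'alice'."""
    return {"subject": ((("commonName", "alice"),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": "Jan 30 00:00:00 2002 GMT",
            "notAfter": not_after, "serialNumber": serial}


NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2002 GMT")
GENUINE = make_cert("Example Corp Issuing CA", "01A4")
SAME_CN_OTHER_CA = make_cert("Some Other CA", "7777")
REVOKED = make_cert("Example Corp Issuing CA", "0BAD")
EXPIRED = make_cert("Example Corp Issuing CA", "01A5", "Mar 10 00:00:00 2002 GMT")
```

map_by_cn_only() accepts SAME_CN_OTHER_CA, which is the case the original question asks about; map_with_checks() returns an account only for GENUINE.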