Penetration Testing mailing list archives
Evading Client-Certificate Authentication
From: "Kevin Vanhaelen" <blowfish448 () hotmail com>
Date: Wed, 31 Mar 2004 22:43:56 +0200
Hi to all,

Whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site thru paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion.

Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?

Thanks,
~kevin
Current thread:
- Evading Client-Certificate Authentication Kevin Vanhaelen (Mar 31)
- Re: Evading Client-Certificate Authentication Imre Kertesz (Mar 31)
- Message not available
- Re: Evading Client-Certificate Authentication Rogan Dawes (Apr 02)
- Message not available
- Re: Evading Client-Certificate Authentication Imre Kertesz (Mar 31)
- Re: Evading Client-Certificate Authentication Skip Carter (Mar 31)
- Re: Evading Client-Certificate Authentication Jason (Apr 01)
- <Possible follow-ups>
- Re: Evading Client-Certificate Authentication Brad Showalter (Apr 22)