Penetration Testing mailing list archives
Re: Evading Client-Certificate Authentication
From: Rogan Dawes <lists@NO_dawes.SPAM_za.net>
Date: Fri, 02 Apr 2004 08:20:13 +0200
I have seen reports from the guys at SensePost[1] that they have a certificate generated by VeriSign or one of the other recognised CAs in the name of "Administrator", which they have used to gain access to various SSL-client-certificate-protected servers.
In those cases, I guess that the webserver was configured to allow certificates that match existing account names on the server, and are signed by a recognised CA.
This may be an approach that you could try, rather than getting the client to generate the certificate for you.
Regards,

Rogan

[1] http://archives.neohapsis.com/archives/sf/pentest/2002-01/0098.html

Kevin Vanhaelen wrote:

> Indeed it is during a blind penetration test that I found this web server. In a next phase the customer will provide me with a temporary client certificate, but I wanted to know how far I could get without, to simulate a non-customer/employee connecting to the server in question.
>
> Thanks,
> ~kevin
>
> ----- Original Message -----
> From: "Imre Kertesz" <ikertesz () fastq com>
> To: <pen-test () securityfocus com>; <webappsec () securityfocus com>
> Sent: Thursday, April 01, 2004 1:58 AM
> Subject: Re: Evading Client-Certificate Authentication
>
> > I'm not one to argue semantics, but "stumbling" upon a web server during a "sanctioned" penetration test doesn't happen unless the penetration test is blind .. or the customer forgot to set you up with a client certificate .. or the web server that you stumbled upon isn't within the scope of your sanctioned assessment. In all cases but the latter, the customer needs to generate a client certificate for you. They are probably running their own CA, which you may need to visit to generate a certificate request. The trick is to get a certificate that is EXPORTABLE so that you can fux0r it with openssl into PEM format that stunnel can use and voila - instant client certificate proxy. Once you have this client certificate / stunnel proxy, you might have to do some local DNS foo to make sure that the application recognizes your stunnel host as a legitimate target, but it should work fine.
> >
> > -I
> >
> > Kevin Vanhaelen wrote:
> >
> > > Hi to all,
> > >
> > > whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site thru paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion. Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?
> > >
> > > Thanks,
> > > ~kevin
> >
> > --
> > -· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
> > "If you sit quietly at the edge of a river, eventually you will see the bodies of your enemies float by" -A maxim of patience, author unknown
> > Imre Kertesz
> > PGP ID: 0xA5DD6F44
--
Rogan Dawes
email: lists AT dawes DOT za DOT net

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." - Gene Spafford
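As an added example (not code from the thread, and not anything Rogan, Imre or SensePost published), the shell script below models both points made in the messages above: Rogan's observation that a server which trusts every recognised CA and maps the certificate subject to a local account name will accept a CN=Administrator certificate its operator never issued, and Imre's procedure of unpacking an exported PKCS#12 client certificate into the PEM file stunnel uses as a client-certificate proxy. The two CAs ("internal", standing for the customer's own CA, and "public", standing for any recognised commercial CA), the export password, the stunnel listening port and the target host name are all assumptions made up for the demonstration; only openssl and a POSIX shell are required.

```shell
#!/bin/sh
# Added example, not from the original thread. Two throw-away CAs are created:
# "internal" is the CA the server's operator actually runs, "public" stands in
# for a recognised CA anyone can buy a certificate from (both hypothetical).
# A client certificate with CN=Administrator is issued by the public CA, then
# checked against two server trust configurations. Finally the certificate is
# exported as PKCS#12 (as a browser would) and unpacked to PEM for stunnel.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Self-signed root named "<label> Root CA". A private config file is used so
# the result does not depend on the system openssl.cnf; the empty [dn]
# section is fine because -subj supplies the name.
make_ca() {  # $1 = CA label
  cat > "$WORK/$1-ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/$1-ca.cnf" -subj "/CN=$1 Root CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# Client certificate with subject CN=$2, signed by the CA labelled $1.
issue_client() {  # $1 = CA label, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Exit 0 if the certificate for CN=$2 chains to a root in bundle $1. This is
# the only check a server does when it verifies against its CA bundle.
chains_to() {  # $1 = CA bundle (PEM), $2 = CN
  openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# The subject a server would map to an account name, e.g. "CN=Administrator".
cert_subject() {  # $1 = CN
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 |
    sed 's/^subject=//'
}

# Export key+cert as PKCS#12 (what the browser hands you when the key is
# exportable), then unpack both into one PEM file, the form stunnel's
# "cert =" option accepts. Prints the number of PEM objects written (2).
p12_to_pem() {  # $1 = CN
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC \
    -passout pass:export -out "$WORK/$1.p12" 2>/dev/null
  openssl pkcs12 -in "$WORK/$1.p12" -passin pass:export -nodes \
    -out "$WORK/$1-stunnel.pem" 2>/dev/null
  grep -c '^-----BEGIN' "$WORK/$1-stunnel.pem"
}

# Minimal stunnel client config: plain HTTP sent to 127.0.0.1:8080 is wrapped
# in TLS with the client certificate and forwarded to $2 (hypothetical host).
write_stunnel_conf() {  # $1 = CN, $2 = host:port
  cat > "$WORK/stunnel.conf" <<EOF
client = yes
[https]
accept = 127.0.0.1:8080
connect = $2
cert = $WORK/$1-stunnel.pem
EOF
}

demo() {
  make_ca internal
  make_ca public
  issue_client public Administrator
  # A server that trusts "all recognised CAs" has a bundle like this one.
  cat "$WORK/internal-ca.pem" "$WORK/public-ca.pem" > "$WORK/all-recognised.pem"
  echo "subject presented: $(cert_subject Administrator)"
  if chains_to "$WORK/all-recognised.pem" Administrator; then
    echo "trust all recognised CAs: ACCEPTED (CN maps to the Administrator account)"
  fi
  if ! chains_to "$WORK/internal-ca.pem" Administrator; then
    echo "trust internal CA only:   REJECTED"
  fi
  echo "PEM objects for stunnel: $(p12_to_pem Administrator)"
  write_stunnel_conf Administrator target.example.com:443
  echo "stunnel config written to $WORK/stunnel.conf"
}
demo
```

The fix on the server side is the second configuration: restrict the accepted issuers to the organisation's own CA (and, if the application maps subjects to accounts, check the issuer before the CN), since a chain to "any recognised CA" says nothing about who chose the subject name. On the testing side, once the PEM file exists, pointing the browser or scanner at 127.0.0.1:8080 sends every request through the stunnel client with the certificate attached; as Imre notes, a hosts-file entry may be needed if the application checks the Host header or redirects to its own name.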
Current thread:
- Evading Client-Certificate Authentication Kevin Vanhaelen (Mar 31)
- Re: Evading Client-Certificate Authentication Imre Kertesz (Mar 31)
- Message not available
- Re: Evading Client-Certificate Authentication Rogan Dawes (Apr 02)
- Message not available
- Re: Evading Client-Certificate Authentication Imre Kertesz (Mar 31)
- Re: Evading Client-Certificate Authentication Skip Carter (Mar 31)
- Re: Evading Client-Certificate Authentication Jason (Apr 01)
- <Possible follow-ups>
- Re: Evading Client-Certificate Authentication Brad Showalter (Apr 22)