WebApp Sec mailing list archives
Re: Evading Client-Certificate Authentication
From: "Kevin Vanhaelen" <blowfish448 () hotmail com>
Date: Thu, 1 Apr 2004 07:17:50 +0200
Indeed, it is during a blind penetration test that I found this web server. In the next phase the customer will provide me with a temporary client certificate, but I wanted to know how far I could get without one, to simulate a non-customer/employee connecting to the server in question.

Thanks,
~kevin

----- Original Message -----
From: "Imre Kertesz" <ikertesz () fastq com>
To: <pen-test () securityfocus com>; <webappsec () securityfocus com>
Sent: Thursday, April 01, 2004 1:58 AM
Subject: Re: Evading Client-Certificate Authentication
I'm not one to argue semantics, but "stumbling" upon a web server during a "sanctioned" penetration test doesn't happen unless the penetration test is blind .. or the customer forgot to set you up with a client certificate .. or the web server that you stumbled upon isn't within the scope of your sanctioned assessment.

In all cases but the latter, the customer needs to generate a client certificate for you. They are probably running their own CA, which you may need to visit to generate a certificate request. The trick is to get a certificate that is EXPORTABLE so that you can fux0r it with openssl into PEM format that stunnel can use and voilà - instant client certificate proxy. Once you have this client certificate / stunnel proxy, you might have to do some local DNS foo to make sure that the application recognizes your stunnel host as a legitimate target, but it should work fine.

-I

Kevin Vanhaelen wrote:

Hi to all,

whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site thru paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion. Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?

Thanks,
~kevin

--
-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually you will see the bodies of your enemies float by"
-A maxim of patience, author unknown
Imre Kertesz
PGP ID: 0xA5DD6F44
Current thread:
- Re: Evading Client-Certificate Authentication Imre Kertesz (Mar 31)
- Re: Evading Client-Certificate Authentication Kevin Vanhaelen (Apr 01)
- Re: Evading Client-Certificate Authentication Rogan Dawes (Apr 02)
- <Possible follow-ups>
- Re: Evading Client-Certificate Authentication Jason (Apr 01)
- RE: Evading Client-Certificate Authentication Rob Shein (Apr 01)
- Re: Evading Client-Certificate Authentication danielrm26 (Apr 04)
- RE: Evading Client-Certificate Authentication email lists (Apr 07)
- Re: Evading Client-Certificate Authentication Kevin Vanhaelen (Apr 01)