Indeed, it is during a blind penetration test that I found this web server.
In the next phase the customer will provide me with a temporary client
certificate, but I wanted to know how far I could get without one, to
simulate a non-customer/employee connecting to the server in question.
Thanks,
~kevin
----- Original Message -----
From: "Imre Kertesz" <ikertesz_at_fastq.com>
To: <pen-test_at_securityfocus.com>; <webappsec_at_securityfocus.com>
Sent: Thursday, April 01, 2004 1:58 AM
Subject: Re: Evading Client-Certificate Authentication
> I'm not one to argue semantics, but "stumbling" upon a web server during
> a "sanctioned" penetration test doesn't happen unless the penetration
> test is blind .. or the customer forgot to set you up with a client
> certificate .. or the web server that you stumbled upon isn't within the
> scope of your sanctioned assessment. In all cases but the latter, the
> customer needs to generate a client certificate for you. They are
> probably running their own CA, which you may need to visit to generate a
> certificate request. The trick is to get a certificate that is
> EXPORTABLE so that you can fux0r it with openssl into PEM format that
> stunnel can use and voilà - instant client certificate proxy. Once you
> have this client certificate / stunnel proxy, you might have to do some
> local DNS foo to make sure that the application recognizes your stunnel
> host as a legitimate target, but it should work fine.
>
> -I
>
> Kevin Vanhaelen wrote:
>
> >Hi to all,
> >
> >whilst in the middle of a Penetration Test I stumbled on a web server
> >only serving SSL and demanding the client to present
> >a certificate to identify himself.
> >I tried to nikto it with sslproxy and browse the site through paros,
> >both with a temporary Verisign personal certificate.
> >No such luck, the server keeps bouncing me off. Even vulnerability
> >scanners like Nessus and Retina don't get past
> >the port-scan portion.
> >
> >Does anyone have an idea to further assess this server? Am I looking at a
> >mission impossible here maybe?
> >
> >Thanks,
> >
> >~kevin
> >
>
> --
>
> -. . ...- . .-. .--. . - .- -... ..- .-. -. .. -. --. -.. --- --.
> "If you sit quietly at the edge of a river, eventually
> you will see the bodies of your enemies float by"
> -A maxim of patience, author unknown
>
> Imre Kertesz
> PGP ID: 0xA5DD6F44
>
Received on Apr 01 2004
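The flow Imre describes (exportable certificate, converted with openssl to a PEM that stunnel reads, stunnel in client mode fronting the TLS server) reproduced end to end in a throwaway lab. This is an added example, not code from the thread or from the stunnel or OpenSSL projects. It assumes openssl is on the PATH; the lab CA, the client identity, the export password "demo", the listener 127.0.0.1:8443 and the target target.example.com:443 are all constructed here, and stunnel itself is not started, only its configuration file is written.

```shell
#!/bin/sh
# Added lab example (not from the thread): exportable client identity ->
# PKCS#12 -> PEM -> stunnel client-mode config. All names, paths and the
# password are constructed for this demo; openssl must be installed.
set -e

# Build a throwaway CA and a client certificate it signs, then export the
# client identity as PKCS#12 (the form a browser's "export" dialog produces).
make_lab_identity() {
    dir="$1"
    mkdir -p "$dir"
    # constructed demo CA (self-signed, 1 day)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # constructed client key and CSR, signed by the lab CA
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    # bundle key + cert as PKCS#12 with a constructed password
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -out "$dir/client.p12" -passout pass:demo
}

# Convert the PKCS#12 bundle into the single PEM file stunnel reads
# (certificate and unencrypted private key in one file).
p12_to_pem() {
    dir="$1"
    openssl pkcs12 -in "$dir/client.p12" -passin pass:demo -nodes \
        -out "$dir/client.pem" 2>/dev/null
}

# Write an stunnel client-mode config that presents the PEM identity.
# The local listener accepts plain HTTP (from a scanner or proxy) and
# forwards it over TLS to the target. CAfile/verify make stunnel check the
# server's certificate too; for a real target point CAfile at the CA that
# issued the server's certificate (here: the lab CA, as a placeholder).
write_stunnel_conf() {
    dir="$1"; target="$2"
    cat > "$dir/stunnel.conf" <<EOF
client = yes
cert = $dir/client.pem
key = $dir/client.pem
CAfile = $dir/ca.pem
verify = 2
[https-client]
accept = 127.0.0.1:8443
connect = $target
EOF
}

# Check that the PEM carries both halves and that the certificate chains
# to the lab CA; returns non-zero otherwise.
pem_is_complete() {
    dir="$1"
    grep -q "BEGIN CERTIFICATE" "$dir/client.pem" || return 1
    grep -q "PRIVATE KEY" "$dir/client.pem" || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1
}

# Run the whole flow in the given directory (a fresh temp dir by default).
run_demo() {
    dir="${1:-$(mktemp -d)}"
    make_lab_identity "$dir"
    p12_to_pem "$dir"
    write_stunnel_conf "$dir" "target.example.com:443"
    echo "lab files written to $dir"
    pem_is_complete "$dir"
}

# Usage: sh client_cert_proxy_demo.sh [workdir]
run_demo "${1:-$(mktemp -d)}"
```

The resulting stunnel.conf is what you would hand to stunnel; with it running, pointing nikto or paros at http://127.0.0.1:8443 makes every request arrive at the target as an authenticated TLS client. The same lab CA and openssl verify step are also the quickest way to confirm, before blaming the tooling, that the PEM you exported actually chains to the CA the server trusts.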