Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Evading Client-Certificate Authentication
From: Imre Kertesz <ikertesz () fastq com>
Date: Wed, 31 Mar 2004 16:58:43 -0700

Im not one to argue semantics, but "stumbling" upon a web server during a "sanctioned" penetration test doesn't happen unless the penetration test is blind .. or the customer forgot to set you up with a client certificate .. or the web server that you stumbled upon isn't within the scope of your sanctioned assessment. In all cases but the latter, the customer needs to generate a client certificate for you. They are probably running their own CA, which you may need to visit to generate a certificate request. The trick is to get a certificate that is EXPORTABLE so that you can fux0r it with openssl into PEM format that stunnel can use and viola - instant client certificate proxy. Once you have this client certificate / stunnel proxy, you might have to do some local DNS foo to make sure that the application recognizes your stunnel host as a legitimate target, but it should work fine.


Kevin Vanhaelen wrote:

Hi to all,

whilst in the middle of a Penetration Test I stumbled on a web server only
serving SSL and demanding the client to present
a certificate to identify himself.
I tried to nikto it with sslproxy and browse the site thru paros both with a
temporary Verisign personal certificate.
No such luck, the server keeps bouncing me off. Even vulnerability scanners
like Nessus and Retina don't get passed
the port-scan portion.

Does anyone have an idea to further assess this server? Am I looking at a
mission impossible here maybe?




-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by" -A maxim of patience, author unknown

Imre Kertesz
PGP ID:         0xA5DD6F44

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]