WebApp Sec: Re: Evading Client-Certificate Authentication

[Imre Kertesz <ikertesz () fastq com>]

Im not one to argue semantics, but "stumbling" upon a web server during 
a "sanctioned" penetration test doesn't happen unless the penetration 
test is blind .. or the customer forgot to set you up with a client 
certificate .. or the web server that you stumbled upon isn't within the 
scope of your sanctioned assessment.  In all cases but the latter, the 
customer needs to generate a client certificate for you. They are 
probably running their own CA, which you may need to visit to generate a 
certificate request. The trick is to get a certificate that is 
EXPORTABLE so that you can fux0r it with openssl into PEM format that 
stunnel can use and viola - instant client certificate proxy.  Once you 
have this client certificate / stunnel proxy, you might have to do some 
local DNS foo to make sure that the application recognizes your stunnel 
host as a legitimate target, but it should work fine.
-I

Kevin Vanhaelen wrote:

> Hi to all,
>
> whilst in the middle of a Penetration Test I stumbled on a web server only
> serving SSL and demanding the client to present
> a certificate to identify himself.
> I tried to nikto it with sslproxy and browse the site thru paros both with a
> temporary Verisign personal certificate.
> No such luck, the server keeps bouncing me off. Even vulnerability scanners
> like Nessus and Retina don't get passed
> the port-scan portion.
>
> Does anyone have an idea to further assess this server? Am I looking at a
> mission impossible here maybe?
>
> Thanks,
>
> ~kevin
>
>
>  
--

-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by" 
-A maxim of patience, author unknown
Imre Kertesz
PGP ID:         0xA5DD6F44