WebApp Sec mailing list archives

Re: Evading Client-Certificate Authentication
From: Rogan Dawes <lists () NO_dawes SPAM_za net>
Date: Fri, 02 Apr 2004 08:20:13 +0200

I have seen reports from the guys at SensePost[1] that they have a certificate generated by VeriSign or one of the other recognised CAs in the name of "Administrator", which they have used to gain access to various SSL-client-certificate-protected servers.

In those cases, I guess that the webserver was configured to allow certificates that match existing accountnames on the server, and are signed by a recognised CA.

This may be an approach that you could try, rather than getting the client to generate the certificate for you.



[1] http://archives.neohapsis.com/archives/sf/pentest/2002-01/0098.html

Kevin Vanhaelen wrote:
Indeed, it is during a blind penetration test that I found this web server. In the next phase the customer will provide me with a temporary client, but I wanted to know how far I could get without, to simulate an employee connecting to the server in question.



----- Original Message ----- From: "Imre Kertesz" <ikertesz () fastq com>
To: <pen-test () securityfocus com>; <webappsec () securityfocus com>
Sent: Thursday, April 01, 2004 1:58 AM
Subject: Re: Evading Client-Certificate Authentication

I'm not one to argue semantics, but "stumbling" upon a web server during a "sanctioned" penetration test doesn't happen unless the penetration test is blind .. or the customer forgot to set you up with a client certificate .. or the web server that you stumbled upon isn't within the scope of your sanctioned assessment. In all cases but the latter, the customer needs to generate a client certificate for you. They are probably running their own CA, which you may need to visit to generate a certificate request. The trick is to get a certificate that is EXPORTABLE so that you can fux0r it with openssl into PEM format that stunnel can use and voila - instant client certificate proxy. Once you have this client certificate / stunnel proxy, you might have to do some local DNS foo to make sure that the application recognizes your stunnel host as a legitimate target, but it should work fine.


Kevin Vanhaelen wrote:

Hi to all,

Whilst in the middle of a penetration test I stumbled on a web server serving SSL and demanding that the client present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site through paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion.

Does anyone have an idea to further assess this server? Am I looking at a
mission impossible here maybe?




-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by"
-A maxim of patience, author unknown

Imre Kertesz
PGP ID: 0xA5DD6F44

Rogan Dawes
email: lists AT dawes DOT za DOT net

"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford
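The two techniques discussed in this thread, Rogan's (a server that trusts every recognised CA and maps the certificate CN to a local account name, so a public-CA certificate for "Administrator" gets in) and Imre's (export the client certificate, convert it with openssl to a PEM that stunnel can use, and proxy your tools through it), as an added example that is not part of any message on this page and not SensePost's or anyone else's code. It builds a throw-away PKI with the openssl command line; the CA names, the CNs "jdoe" and "Administrator", the export password, the file names and the host target.example:443 are all made up for the demonstration, and no real CA or server is involved.

```shell
#!/bin/sh
# Added example, not code from the thread. A throw-away PKI built with the
# openssl CLI shows (a) why "any recognised CA + matching CN" lets a public-CA
# certificate for CN=Administrator through and how pinning the issuer stops it,
# and (b) the PKCS#12 -> PEM -> stunnel steps from Imre's reply.
# Every CA name, CN, file name, password and host below is made up.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Self-signed CA: $1 = file prefix, $2 = subject
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" 2>/dev/null
}

# Client certificate: $1 = issuing CA prefix, $2 = output prefix, $3 = subject
issue_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

setup_pki() {
  gen_ca corp_ca   "/CN=Example Corp Internal CA"     # the customer's own CA
  gen_ca public_ca "/CN=Some Public CA"               # stands in for VeriSign
  issue_client corp_ca   employee "/CN=jdoe"          # legitimate employee cert
  issue_client public_ca attacker "/CN=Administrator" # SensePost-style cert
  cat "$WORK/corp_ca.crt" "$WORK/public_ca.crt" > "$WORK/all_trusted.crt"
}

# CN of a certificate, i.e. what the weak server maps to an account name.
cert_cn() {
  s=$(openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253)
  printf '%s\n' "${s#*CN=}"
}

# Weak server: trusts every recognised CA and only looks at the CN afterwards.
# Exit status 0 means the certificate would be accepted.
weak_accept() {
  openssl verify -CAfile "$WORK/all_trusted.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Hardened server: the chain must end at the corporate CA, and the issuer
# name is checked explicitly as well.
strict_accept() {
  openssl verify -CAfile "$WORK/corp_ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  issuer=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer)
  case "$issuer" in
    *"Example Corp Internal CA"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Imre's workflow: export as PKCS#12 (what a browser gives you for an
# EXPORTABLE key), then convert to the unencrypted PEM that stunnel reads.
pkcs12_to_pem() {   # $1 = cert prefix, $2 = export password
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1.p12" -passout "pass:$2"
  openssl pkcs12 -in "$WORK/$1.p12" -out "$WORK/$1.pem" -nodes -passin "pass:$2"
}

# stunnel client config: plaintext on 127.0.0.1:8080, TLS with the client
# certificate upstream. Point nikto/paros at 127.0.0.1:8080; the Host header
# the application expects may still need the "local DNS foo" from the thread.
write_stunnel_conf() {   # $1 = cert prefix, $2 = target host:port
  cat > "$WORK/stunnel.conf" <<EOF
client = yes
foreground = yes

[clientcert-proxy]
accept  = 127.0.0.1:8080
connect = $2
cert    = $WORK/$1.pem
key     = $WORK/$1.pem
EOF
}

main() {
  setup_pki
  for c in employee attacker; do
    printf '%-9s CN=%-14s weak:%s strict:%s\n' "$c" "$(cert_cn "$c")" \
      "$(weak_accept "$c" && echo accept || echo reject)" \
      "$(strict_accept "$c" && echo accept || echo reject)"
  done
  pkcs12_to_pem employee secret
  write_stunnel_conf employee target.example:443
  echo "stunnel config written to $WORK/stunnel.conf"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh example.sh run`: the weak check accepts both the employee certificate and the public-CA "Administrator" certificate, while the strict check rejects the latter because its chain does not end at the corporate CA. The generated stunnel.conf is then started with `stunnel stunnel.conf`, which is the "instant client certificate proxy" Imre describes; the hardened side of the example is the configuration a server owner would want instead of trusting every CA in the bundle.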
