Re: Evading Client-Certificate Authentication
From: Rogan Dawes <lists () NO_dawes SPAM_za net>
Date: Fri, 02 Apr 2004 08:20:13 +0200
I have seen reports from the guys at SensePost that they have a
certificate generated by VeriSign or one of the other recognised CA's in
the name of "Administrator", which they have used to gain access to
various SSL-client-certificate-protected servers.
In those cases, I guess that the webserver was configured to allow
certificates that match existing accountnames on the server, and are
signed by a recognised CA.
This may be an approach that you could try, rather than getting the
client to generate the certificate for you.
Kevin Vanhaelen wrote:
Indeed, it is during a blind penetration test that I found this web server.
In a next phase the customer will provide me with a temporary client,
but I wanted to know how far I could get without. To simulate an
employee connecting to the server in question.
----- Original Message -----
From: "Imre Kertesz" <ikertesz () fastq com>
To: <pen-test () securityfocus com>; <webappsec () securityfocus com>
Sent: Thursday, April 01, 2004 1:58 AM
Subject: Re: Evading Client-Certificate Authentication
I'm not one to argue semantics, but "stumbling" upon a web server during
a "sanctioned" penetration test doesn't happen unless the penetration
test is blind .. or the customer forgot to set you up with a client
certificate .. or the web server that you stumbled upon isn't within the
scope of your sanctioned assessment. In all cases but the latter, the
customer needs to generate a client certificate for you. They are
probably running their own CA, which you may need to visit to generate a
certificate request. The trick is to get a certificate that is
EXPORTABLE so that you can fux0r it with openssl into PEM format that
stunnel can use and voilà - instant client certificate proxy. Once you
have this client certificate / stunnel proxy, you might have to do some
local DNS foo to make sure that the application recognizes your stunnel
host as a legitimate target, but it should work fine.
Kevin Vanhaelen wrote:
Hi to all,
Whilst in the middle of a Penetration Test I stumbled on a web server
serving SSL and demanding the client to present
a certificate to identify himself.
I tried to nikto it with sslproxy and browse the site thru paros, both
with a temporary Verisign personal certificate.
No such luck, the server keeps bouncing me off. Even vulnerability
scanners like Nessus and Retina don't get past
the port-scan portion.
Does anyone have an idea to further assess this server? Am I looking at a
mission impossible here maybe?
-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by"
-A maxim of patience, author unknown
PGP ID: 0xA5DD6F44
email: lists AT dawes DOT za DOT net
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford
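The misconfiguration Rogan describes above (accepting any certificate from a recognised public CA and then mapping its CN to a local account) and its fix, shown as an Apache mod_ssl configuration. This is an added example, not part of the thread; it assumes Apache 2.4, and the file paths and the internal CA name "Example Corp Internal CA" are placeholders. Only one of the two VirtualHost blocks would be active on a real server.

```apache
# WEAK: any client certificate chaining to a public CA bundle is accepted,
# and its CN becomes the account name. A certificate bought from a public
# CA with CN=Administrator therefore authenticates as "Administrator".
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt       # assumed path
    SSLCertificateKeyFile /etc/ssl/private/server.key     # assumed path
    SSLVerifyClient       require
    SSLVerifyDepth        10
    # Public CA bundle: trusts every recognised CA, not just ours.
    SSLCACertificateFile  /etc/ssl/certs/ca-bundle.crt
    SSLUserName           SSL_CLIENT_S_DN_CN
</VirtualHost>

# HARDENED: trust only the organisation's own issuing CA, check revocation,
# and pin the issuer before the CN is ever used as an account name.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLVerifyClient       require
    SSLVerifyDepth        1
    # Contains ONLY the internal CA certificate, never a public bundle.
    SSLCACertificateFile  /etc/ssl/certs/internal-ca.crt   # assumed path
    SSLCARevocationFile   /etc/ssl/crl/internal-ca.crl     # assumed path
    SSLCARevocationCheck  chain
    <Location />
        # Belt and braces: the handshake must have succeeded AND the
        # issuer CN must be our CA, or the request is refused with 403.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
               and %{SSL_CLIENT_I_DN_CN} eq "Example Corp Internal CA"
    </Location>
    SSLUserName           SSL_CLIENT_S_DN_CN
</VirtualHost>
```

With the hardened block, a certificate issued by any other CA fails at `SSLCACertificateFile` before `SSLUserName` is ever consulted, so a matching account name alone no longer grants access.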