WebApp Sec: Re: Evading Client-Certificate Authentication

[Rogan Dawes <lists () NO_dawes SPAM_za net>]

I have seen reports from the guys at SensePost[1] that they have a 
certificate generated by VeriSign or one of the other recognised CA's in 
the name of "Administrator", which they have used to gain access to 
various SSL-client-certificate-protected servers.
In those cases, I guess that the webserver was configured to allow 
certificates that match existing accountnames on the server, and are 
signed by a recognised CA.
This may be an approach that could could try, rather than getting the 
client to generate the certificate for you.
Regards,

Rogan

[1] http://archives.neohapsis.com/archives/sf/pentest/2002-01/0098.html

Kevin Vanhaelen wrote:
> indeed it is during a blind penetration test that I found this web server.
> In a next phase the customer will provide me with a temporary client
> certificate
> but I wanted to know how far I could get without. To simulate a
> non-customer/
> employee connecting to the server in question.
>
> Thanks,
>
> ~kevin
>
> ----- Original Message ----- 
> From: "Imre Kertesz" <ikertesz () fastq com>
> To: <pen-test () securityfocus com>; <webappsec () securityfocus com>
> Sent: Thursday, April 01, 2004 1:58 AM
> Subject: Re: Evading Client-Certificate Authentication
>
>
>
> > Im not one to argue semantics, but "stumbling" upon a web server during
> > a "sanctioned" penetration test doesn't happen unless the penetration
> > test is blind .. or the customer forgot to set you up with a client
> > certificate .. or the web server that you stumbled upon isn't within the
> > scope of your sanctioned assessment.  In all cases but the latter, the
> > customer needs to generate a client certificate for you. They are
> > probably running their own CA, which you may need to visit to generate a
> > certificate request. The trick is to get a certificate that is
> > EXPORTABLE so that you can fux0r it with openssl into PEM format that
> > stunnel can use and viola - instant client certificate proxy.  Once you
> > have this client certificate / stunnel proxy, you might have to do some
> > local DNS foo to make sure that the application recognizes your stunnel
> > host as a legitimate target, but it should work fine.
> >
> > -I
> >
> > Kevin Vanhaelen wrote:
> >
> >
> > > Hi to all,
> > >
> > > whilst in the middle of a Penetration Test I stumbled on a web server
> only
>
> > > serving SSL and demanding the client to present
> > > a certificate to identify himself.
> > > I tried to nikto it with sslproxy and browse the site thru paros both
> with a
>
> > > temporary Verisign personal certificate.
> > > No such luck, the server keeps bouncing me off. Even vulnerability
> scanners
>
> > > like Nessus and Retina don't get passed
> > > the port-scan portion.
> > >
> > > Does anyone have an idea to further assess this server? Am I looking at a
> > > mission impossible here maybe?
> > >
> > > Thanks,
> > >
> > > ~kevin
> > --
> >
> > -· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
> > "If you sit quietly at the edge of a river, eventually
> > you will see the bodies of your enemies float by"
> > -A maxim of patience, author unknown
> >
> > Imre Kertesz
> > PGP ID: 0xA5DD6F44
--
Rogan Dawes
email: lists AT dawes DOT za DOT net

"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford