mailing list archives
Re: Evading Client-Certificate Authentication
From: danielrm26 <danielrm26 () yahoo com>
Date: Mon, 5 Apr 2004 00:50:47 -0400
On Mar 31, 2004, at 3:43 PM, Kevin Vanhaelen wrote:
whilst in the middle of a Penetration Test I stumbled on a web server
serving SSL and demanding the client to present
a certificate to identify himself.
I tried to nikto it with sslproxy and browse the site thru paros both
temporary Verisign personal certificate.
No such luck, the server keeps bouncing me off. Even vulnerability
like Nessus and Retina don't get passed
the port-scan portion.
Does anyone have an idea to further assess this server? Am I looking
mission impossible here maybe?
I'd say, without knowing too much about this, that it is possible that
only a few clients are trusted -- and therefore only a few client certs
-- rather than a large swath of people via the CA that issued the cert.
I am not saying not to try what has been suggested by others in terms
of spoofing, but I am just saying that if only specific certs are
allowed then you'll be barking up the wrong tree. If, for example,
it's some sort of intranet site, then everyone who's supposed to have
access could have a cert -- and no one else.
I do agree that regardless of how it's configured, finding out as much
as you can about the type and version of the web server is going to be
your best bet. You may be able to attack it successfully in other ways
if you know exactly what it is.