WebApp Sec mailing list archives

Re: Evading Client-Certificate Authentication
From: danielrm26 <danielrm26 () yahoo com>
Date: Mon, 5 Apr 2004 00:50:47 -0400

On Mar 31, 2004, at 3:43 PM, Kevin Vanhaelen wrote:

Whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site through paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion.

Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?

I'd say, without knowing too much about this, that it is possible that only a few clients are trusted -- and therefore only a few client certs -- rather than a large swath of people via the CA that issued the cert. I am not saying not to try what has been suggested by others in terms of spoofing, but I am just saying that if only specific certs are allowed then you'll be barking up the wrong tree. If, for example, it's some sort of intranet site, then everyone who's supposed to have access could have a cert -- and no one else.

I do agree that regardless of how it's configured, finding out as much as you can about the type and version of the web server is going to be your best bet. You may be able to attack it successfully in other ways if you know exactly what it is.
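The situation the reply describes (a server that trusts a few specific client certificates rather than everyone the issuing CA has vouched for) is easy to see from the server's side. The following is an added example, not code from the thread or from any of the tools mentioned; it is a self-contained Go program that builds a throwaway demo CA and three client certificates in memory and configures a `crypto/tls` server with two gates: the standard chain check against `ClientCAs`, and a `VerifyPeerCertificate` hook that additionally requires the leaf's SHA-256 fingerprint to be on an allowlist. Fingerprint allowlisting is one assumed way of restricting access to named certificates (the original thread does not say how the target server does it); the names `alice`, `bob` and `stranger` and the "Demo Intranet CA" are constructed for the example. `AuthorizeClient` replays both gates on a certificate without opening a socket, which shows why a perfectly valid certificate from the same CA (`bob`), let alone one from an unrelated issuer, is still turned away.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issueCert returns a certificate for cn signed by parent; with parent == nil it is
// self-signed (used for the demo CA and for the unrelated "stranger" certificate).
// Keys are throwaway P-256 keys generated in memory; nothing is written to disk.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return cert, key
}

// Fingerprint is the hex SHA-256 of the DER certificate: the value an operator records in the allowlist.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// NewServerConfig requires a client certificate chaining to ca (gate 1) and then demands
// that the leaf fingerprint is in allowed (gate 2). Gate 2 is what makes "I hold a
// certificate from the same CA" insufficient. The server's own certificate is omitted
// because only the client-authentication side is shown here.
func NewServerConfig(ca *x509.Certificate, allowed map[string]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
		// crypto/tls calls this only after the chain to ClientCAs has verified,
		// and with RequireAndVerifyClientCert rawCerts is never empty.
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if !allowed[Fingerprint(leaf)] {
				return fmt.Errorf("client cert CN=%s chains to the CA but is not allowlisted", leaf.Subject.CommonName)
			}
			return nil
		},
	}
}

// AuthorizeClient replays the two gates the TLS server applies to a presented leaf, without opening a socket.
func AuthorizeClient(cfg *tls.Config, leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	return cfg.VerifyPeerCertificate([][]byte{leaf.Raw}, nil)
}

// Demo returns the verdict for an allowlisted client (alice), a second client from the
// same CA that is not allowlisted (bob), and a self-signed certificate from a stranger.
func Demo() map[string]error {
	ca, caKey := issueCert("Demo Intranet CA", true, nil, nil)
	alice, _ := issueCert("alice", false, ca, caKey)
	bob, _ := issueCert("bob", false, ca, caKey)
	stranger, _ := issueCert("stranger", false, nil, nil)
	cfg := NewServerConfig(ca, map[string]bool{Fingerprint(alice): true})
	return map[string]error{
		"alice":    AuthorizeClient(cfg, alice),
		"bob":      AuthorizeClient(cfg, bob),
		"stranger": AuthorizeClient(cfg, stranger),
	}
}

func main() {
	for who, err := range Demo() {
		fmt.Printf("%-9s -> %v\n", who, err) // nil means accepted
	}
}
```

Running it prints `alice -> <nil>`, a "not allowlisted" error for `bob` and a "chain verification failed" error for `stranger`. From the assessment side this is why the outcome Kevin saw is consistent with a correctly configured server rather than a broken scanner: the only way a CA-issued certificate gets through gate 2 is to be one of the enrolled ones. From the operator's side, the allowlist is a second control worth logging separately, since a rejection at gate 2 is a valid certificate holder knocking on the wrong door and is more interesting than a random self-signed probe.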
