Re: Evading Client-Certificate Authentication
From: "Kevin Vanhaelen" <blowfish448 () hotmail com>
Date: Thu, 1 Apr 2004 07:17:50 +0200
Indeed, it is during a blind penetration test that I found this web server.
In a next phase the customer will provide me with a temporary client,
but I wanted to know how far I could get without, to simulate an
employee connecting to the server in question.
----- Original Message -----
From: "Imre Kertesz" <ikertesz () fastq com>
To: <pen-test () securityfocus com>; <webappsec () securityfocus com>
Sent: Thursday, April 01, 2004 1:58 AM
Subject: Re: Evading Client-Certificate Authentication
I'm not one to argue semantics, but "stumbling" upon a web server during
a "sanctioned" penetration test doesn't happen unless the penetration
test is blind .. or the customer forgot to set you up with a client
certificate .. or the web server that you stumbled upon isn't within the
scope of your sanctioned assessment. In all cases but the latter, the
customer needs to generate a client certificate for you. They are
probably running their own CA, which you may need to visit to generate a
certificate request. The trick is to get a certificate that is
EXPORTABLE so that you can fux0r it with openssl into PEM format that
stunnel can use and voila - instant client certificate proxy. Once you
have this client certificate / stunnel proxy, you might have to do some
local DNS foo to make sure that the application recognizes your stunnel
host as a legitimate target, but it should work fine.
Kevin Vanhaelen wrote:
Hi to all,
whilst in the middle of a Penetration Test I stumbled on a web server
serving SSL and demanding the client to present
a certificate to identify himself.
I tried to nikto it with sslproxy and browse the site through paros, both with a
temporary Verisign personal certificate.
No such luck, the server keeps bouncing me off. Even vulnerability scanners
like Nessus and Retina don't get past
the port-scan portion.
Does anyone have an idea to further assess this server? Am I looking at a
mission impossible here maybe?
-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by"
-A maxim of patience, author unknown
PGP ID: 0xA5DD6F44
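The procedure Imre outlines (export the customer-issued client certificate, convert it with openssl into a PEM file, point a client-mode stunnel at it) as an added, runnable example; this is not code from the thread or from the stunnel or OpenSSL projects. It assumes the openssl command-line tool is installed, stands in for the customer's CA with a constructed self-signed certificate bundled into PKCS#12 (the format browsers export), and uses placeholder paths, the password "demo" and the host target.example.test, none of which come from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): exported PKCS#12 client
# certificate -> PEM bundle for stunnel -> client-mode stunnel config.
# Assumes the openssl CLI is present. Paths, the "demo" password and the
# target hostname are constructed placeholders.

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the certificate the customer's CA would issue:
# a self-signed cert/key pair packed into PKCS#12, as a browser export would be.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-client" \
        -keyout "$WORK/demo-key.pem" -out "$WORK/demo-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/demo-cert.pem" -inkey "$WORK/demo-key.pem" \
        -out "$WORK/client.p12" -passout pass:demo
}

# Convert PKCS#12 into one PEM file holding the certificate and the key.
# $1 = p12 path, $2 = p12 password, $3 = output PEM path
p12_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3"
    chmod 600 "$3"   # -nodes leaves the key unencrypted: restrict the file
}

# Write a client-mode stunnel config: plaintext listener on $2, TLS to $3,
# presenting the client certificate in $1 on every connection.
# $1 = PEM path, $2 = local accept address, $3 = remote host:port, $4 = output path
write_stunnel_conf() {
    cat > "$4" <<EOF
[client-cert-proxy]
client = yes
accept = $2
connect = $3
cert = $1
EOF
}

# Sanity check before handing the file to stunnel: the PEM must parse as a
# certificate and must also carry the private key.
check_pem() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 && grep -q "PRIVATE KEY" "$1"
}

# Stand-alone run: build the demo bundle, convert it, emit the config.
if [ "${1:-}" = "demo" ]; then
    make_demo_p12
    p12_to_pem "$WORK/client.p12" demo "$WORK/client.pem"
    check_pem "$WORK/client.pem" && echo "PEM ok: $WORK/client.pem"
    write_stunnel_conf "$WORK/client.pem" 127.0.0.1:8443 target.example.test:443 "$WORK/stunnel.conf"
    cat "$WORK/stunnel.conf"
fi
```

With the config written, scanners and proxies that cannot present a certificate themselves are pointed at the local accept address, and stunnel adds the client certificate on the way out; in a real engagement the config should also set CAfile and verify so the proxy checks the server's certificate rather than trusting whatever answers, and the unencrypted PEM should be deleted when the test ends.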