Re: Evading Client-Certificate Authentication

From: Imre Kertesz (ikertesz@fastq.com)
Date: Wed Mar 31 2004 - 18:58:43 EST

• Next message: Skip Carter: "Re: Evading Client-Certificate Authentication"
• Previous message: Jeff Bryner: "RE: How to evade white spaces in a SQL injection"
• In reply to: Kevin Vanhaelen: "Evading Client-Certificate Authentication"
• Next in thread: Skip Carter: "Re: Evading Client-Certificate Authentication"
• Maybe reply: Skip Carter: "Re: Evading Client-Certificate Authentication"
• Maybe reply: Rogan Dawes: "Re: Evading Client-Certificate Authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Im not one to argue semantics, but "stumbling" upon a web server during
a "sanctioned" penetration test doesn't happen unless the penetration
test is blind .. or the customer forgot to set you up with a client
certificate .. or the web server that you stumbled upon isn't within the
scope of your sanctioned assessment. In all cases but the latter, the
customer needs to generate a client certificate for you. They are
probably running their own CA, which you may need to visit to generate a
certificate request. The trick is to get a certificate that is
EXPORTABLE so that you can fux0r it with openssl into PEM format that
stunnel can use and viola - instant client certificate proxy. Once you
have this client certificate / stunnel proxy, you might have to do some
local DNS foo to make sure that the application recognizes your stunnel
host as a legitimate target, but it should work fine.

-I

Kevin Vanhaelen wrote:

>Hi to all,
>
>whilst in the middle of a Penetration Test I stumbled on a web server only
>serving SSL and demanding the client to present
>a certificate to identify himself.
>I tried to nikto it with sslproxy and browse the site thru paros both with a
>temporary Verisign personal certificate.
>No such luck, the server keeps bouncing me off. Even vulnerability scanners
>like Nessus and Retina don't get passed
>the port-scan portion.
>
>Does anyone have an idea to further assess this server? Am I looking at a
>mission impossible here maybe?
>
>Thanks,
>
>~kevin
>
>
>
>

-- 
-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by" 
-A maxim of patience, author unknown
Imre Kertesz
PGP ID: 	0xA5DD6F44
---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------

• Next message: Skip Carter: "Re: Evading Client-Certificate Authentication"
• Previous message: Jeff Bryner: "RE: How to evade white spaces in a SQL injection"
• In reply to: Kevin Vanhaelen: "Evading Client-Certificate Authentication"
• Next in thread: Skip Carter: "Re: Evading Client-Certificate Authentication"
• Maybe reply: Skip Carter: "Re: Evading Client-Certificate Authentication"
• Maybe reply: Rogan Dawes: "Re: Evading Client-Certificate Authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT