From: Rogan Dawes (lists@NO_dawes.SPAM_za.net)
Date: Fri Apr 02 2004 - 01:20:13 EST
I have seen reports from the guys at SensePost[1] that they have a
certificate generated by VeriSign or one of the other recognised CA's in
the name of "Administrator", which they have used to gain access to
various SSL-client-certificate-protected servers.
In those cases, I guess that the webserver was configured to allow
certificates that match existing accountnames on the server, and are
signed by a recognised CA.
This may be an approach that could could try, rather than getting the
client to generate the certificate for you.
Regards,
Rogan
[1] http://archives.neohapsis.com/archives/sf/pentest/2002-01/0098.html
Kevin Vanhaelen wrote:
> indeed it is during a blind penetration test that I found this web server.
> In a next phase the customer will provide me with a temporary client
> certificate
> but I wanted to know how far I could get without. To simulate a
> non-customer/
> employee connecting to the server in question.
>
> Thanks,
>
> ~kevin
>
> ----- Original Message -----
> From: "Imre Kertesz" <ikertesz@fastq.com>
> To: <pen-test@securityfocus.com>; <webappsec@securityfocus.com>
> Sent: Thursday, April 01, 2004 1:58 AM
> Subject: Re: Evading Client-Certificate Authentication
>
>
>
>>Im not one to argue semantics, but "stumbling" upon a web server during
>>a "sanctioned" penetration test doesn't happen unless the penetration
>>test is blind .. or the customer forgot to set you up with a client
>>certificate .. or the web server that you stumbled upon isn't within the
>>scope of your sanctioned assessment. In all cases but the latter, the
>>customer needs to generate a client certificate for you. They are
>>probably running their own CA, which you may need to visit to generate a
>>certificate request. The trick is to get a certificate that is
>>EXPORTABLE so that you can fux0r it with openssl into PEM format that
>>stunnel can use and viola - instant client certificate proxy. Once you
>>have this client certificate / stunnel proxy, you might have to do some
>>local DNS foo to make sure that the application recognizes your stunnel
>>host as a legitimate target, but it should work fine.
>>
>>-I
>>
>>Kevin Vanhaelen wrote:
>>
>>
>>>Hi to all,
>>>
>>>whilst in the middle of a Penetration Test I stumbled on a web server
>
> only
>
>>>serving SSL and demanding the client to present
>>>a certificate to identify himself.
>>>I tried to nikto it with sslproxy and browse the site thru paros both
>
> with a
>
>>>temporary Verisign personal certificate.
>>>No such luck, the server keeps bouncing me off. Even vulnerability
>
> scanners
>
>>>like Nessus and Retina don't get passed
>>>the port-scan portion.
>>>
>>>Does anyone have an idea to further assess this server? Am I looking at a
>>>mission impossible here maybe?
>>>
>>>Thanks,
>>>
>>>~kevin
>>>
>>>
>>>
>>>
>>
>>--
>>
>>-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
>>"If you sit quietly at the edge of a river, eventually
>>you will see the bodies of your enemies float by"
>>-A maxim of patience, author unknown
>>
>>Imre Kertesz
>>PGP ID: 0xA5DD6F44
>>
>>
>>
>>
>
>
>
-- Rogan Dawes email: lists AT dawes DOT za DOT net "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." - Gene Spafford --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:52 EDT