Re: Evading Client-Certificate Authentication
From: Skip Carter (skip_at_taygeta.com)
Date: 04/01/04
To: "Kevin Vanhaelen" <blowfish448@hotmail.com>
Date: Wed, 31 Mar 2004 15:23:02 -0800
> whilst in the middle of a Penetration Test I stumbled on a web server only
> serving SSL and demanding the client to present
> a certificate to identify himself.
...
> Does anyone have an idea to further assess this server? Am I looking at a
> mission impossible here maybe?
It's likely that the server not only expects a certificate from the
client, but that it be signed by a PARTICULAR CA (maybe a local/private one).
You might need to figure out a way to get such a certificate (via social
engineering perhaps?).
Skip
--
Dr. Everett (Skip) Carter          Phone: 831-641-0645  FAX: 831-641-0647
Taygeta Scientific Inc.            INTERNET: skip@taygeta.com
1340 Munras Ave., Suite 314        WWW: http://www.taygeta.com
Monterey, CA. 93940
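An added illustration (not part of the thread) of the server-side check Skip is describing: a server that does client-certificate authentication does not just ask for any certificate, it verifies that the presented certificate was issued and signed by a particular CA it trusts. The example below builds a constructed private CA, one client certificate it issued, and a look-alike certificate with the same subject name that was only self-signed, then runs the issuer check against each; the key generation, names and the `issued_by` helper are all assumptions made for the example, using the `cryptography` library.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature


def make_cert(cn, subject_key, issuer_key, issuer_name=None, is_ca=False):
    """Build a short-lived X.509 certificate (constructed test data)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_name or name)  # self-signed when no issuer given
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def issued_by(cert, ca_cert):
    """True only if cert names the CA as issuer AND the CA's key signed it.
    This is the core of what a TLS server does with a configured client CA
    (a real server additionally checks validity dates, revocation, usage)."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def demo():
    """Returns (legit_accepted, lookalike_accepted) for the constructed certs."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = make_cert("Constructed Private CA", ca_key, ca_key, is_ca=True)
    user_key = ec.generate_private_key(ec.SECP256R1())
    legit = make_cert("alice", user_key, ca_key, issuer_name=ca_cert.subject)
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    lookalike = make_cert("alice", rogue_key, rogue_key)  # same CN, wrong signer
    return issued_by(legit, ca_cert), issued_by(lookalike, ca_cert)
```

The look-alike is a perfectly well-formed certificate for the same subject, yet `issued_by` rejects it because its signature does not verify under the private CA's public key, which is why possessing just any certificate gets you nowhere against such a server.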