Re: Evading Client-Certificate Authentication

From: Rogan Dawes (lists_at_NO_dawes.SPAM_za.net)
Date: 04/02/04

    Date: Fri, 02 Apr 2004 08:20:13 +0200
    To: Kevin Vanhaelen <blowfish448@hotmail.com>


    I have seen reports from the guys at SensePost[1] that they have a
    certificate generated by VeriSign or one of the other recognised CAs in
    the name of "Administrator", which they have used to gain access to
    various SSL-client-certificate-protected servers.

    In those cases, I guess that the webserver was configured to allow
    certificates that match existing account names on the server, and are
    signed by a recognised CA.

    This may be an approach that you could try, rather than getting the
    client to generate the certificate for you.

    Regards,

    Rogan

    [1] http://archives.neohapsis.com/archives/sf/pentest/2002-01/0098.html

    Kevin Vanhaelen wrote:
    > Indeed, it is during a blind penetration test that I found this web server.
    > In the next phase the customer will provide me with a temporary client
    > certificate, but I wanted to know how far I could get without, to simulate a
    > non-customer/employee connecting to the server in question.
    >
    > Thanks,
    >
    > ~kevin
    >
    > ----- Original Message -----
    > From: "Imre Kertesz" <ikertesz@fastq.com>
    > To: <pen-test@securityfocus.com>; <webappsec@securityfocus.com>
    > Sent: Thursday, April 01, 2004 1:58 AM
    > Subject: Re: Evading Client-Certificate Authentication
    >
    >
    >
    >>I'm not one to argue semantics, but "stumbling" upon a web server during
    >>a "sanctioned" penetration test doesn't happen unless the penetration
    >>test is blind .. or the customer forgot to set you up with a client
    >>certificate .. or the web server that you stumbled upon isn't within the
    >>scope of your sanctioned assessment. In all cases but the latter, the
    >>customer needs to generate a client certificate for you. They are
    >>probably running their own CA, which you may need to visit to generate a
    >>certificate request. The trick is to get a certificate that is
    >>EXPORTABLE so that you can fux0r it with openssl into PEM format that
    >>stunnel can use and voilà - instant client certificate proxy. Once you
    >>have this client certificate / stunnel proxy, you might have to do some
    >>local DNS foo to make sure that the application recognizes your stunnel
    >>host as a legitimate target, but it should work fine.
    >>
    >>-I
    >>
    >>Kevin Vanhaelen wrote:
    >>
    >>
    >>>Hi to all,
    >>>
    >>>whilst in the middle of a Penetration Test I stumbled on a web server only
    >>>serving SSL and demanding the client to present
    >>>a certificate to identify himself.
    >>>I tried to nikto it with sslproxy and browse the site thru paros both with a
    >>>temporary Verisign personal certificate.
    >>>No such luck, the server keeps bouncing me off. Even vulnerability scanners
    >>>like Nessus and Retina don't get past
    >>>the port-scan portion.
    >>>
    >>>Does anyone have an idea to further assess this server? Am I looking at a
    >>>mission impossible here maybe?
    >>>
    >>>Thanks,
    >>>
    >>>~kevin
    >>
    >>--
    >>
    >>- - - -- - - - - - - - -- - --- --
    >>"If you sit quietly at the edge of a river, eventually
    >>you will see the bodies of your enemies float by"
    >>-A maxim of patience, author unknown
    >>
    >>Imre Kertesz
    >>PGP ID: 0xA5DD6F44

    -- 
    Rogan Dawes
    email: lists AT dawes DOT za DOT net
    "Using encryption on the Internet is the equivalent of arranging an
    armored car to deliver credit card information from someone living
    in a cardboard box to someone living on a park bench."
    - Gene Spafford
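As an added illustration of the misconfiguration Rogan guesses at above (this fragment is not from the thread or from any of the posters), here is an Apache mod_ssl setup in the weak form, where any publicly trusted CA's client certificate is accepted and its CN becomes the account name, followed by a hardened form that trusts only the organisation's own client CA. The directives are real mod_ssl directives; the file paths, organisation name and CA name are assumed placeholders.

```apache
# WEAK: every certificate that chains to a public CA in the bundle is
# accepted, and its CN is handed to the application as REMOTE_USER.
# A public-CA certificate issued to "Administrator" therefore maps
# straight onto the local Administrator account.
<VirtualHost *:443>
    SSLEngine on
    # Server key and certificate (assumed paths).
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLVerifyClient require
    SSLVerifyDepth  10
    # Bundle of public CAs used for CLIENT auth (assumed path): the flaw.
    SSLCACertificateFile  /etc/ssl/certs/ca-bundle.crt
    # Subject CN of the client certificate becomes the account name.
    SSLUserName SSL_CLIENT_S_DN_CN
</VirtualHost>

# HARDENED: only the organisation's own issuing CA is trusted for
# client authentication, the chain depth is pinned to that CA, revoked
# certificates are rejected, and the issuer DN is re-checked before
# the CN is ever mapped to an account.
<VirtualHost *:443>
    SSLEngine on
    # Server key and certificate (assumed paths).
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLVerifyClient require
    # Client cert must be signed directly by the trusted CA below.
    SSLVerifyDepth  1
    # File holds ONLY the internal client CA (assumed path).
    SSLCACertificateFile  /etc/ssl/certs/internal-client-ca.pem
    # CRL for that CA (assumed path); reject revoked client certs.
    SSLCARevocationFile   /etc/ssl/crl/internal-client-ca.crl
    SSLCARevocationCheck  chain
    <Location />
        # Belt and braces: the issuer must be our CA, not merely "a" CA.
        # "Example Corp" and the CA CN are assumed values.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Corp" and %{SSL_CLIENT_I_DN_CN} eq "Example Corp Internal Client CA"
    </Location>
    # Account mapping happens only after all of the above checks pass.
    SSLUserName SSL_CLIENT_S_DN_CN
</VirtualHost>
```

The detection side of the same point: log `%{SSL_CLIENT_I_DN}x` alongside `%{SSL_CLIENT_S_DN_CN}x` in the access log format, so a client certificate whose issuer is not the internal CA stands out immediately.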