Re: Evading Client-Certificate Authentication

From: Rogan Dawes (lists_at_NO_dawes.SPAM_za.net)
Date: 04/02/04

    Date: Fri, 02 Apr 2004 08:20:13 +0200
    To: Kevin Vanhaelen <blowfish448@hotmail.com>
    
    

    I have seen reports from the guys at SensePost[1] that they have a
    certificate generated by VeriSign or one of the other recognised CAs in
    the name of "Administrator", which they have used to gain access to
    various SSL-client-certificate-protected servers.

    In those cases, I guess that the webserver was configured to allow
    certificates that match existing account names on the server, and are
    signed by a recognised CA.

    This may be an approach that you could try, rather than getting the
    client to generate the certificate for you.

    Regards,

    Rogan

    [1] http://archives.neohapsis.com/archives/sf/pentest/2002-01/0098.html

    Kevin Vanhaelen wrote:
    > indeed it is during a blind penetration test that I found this web server.
    > In a next phase the customer will provide me with a temporary client
    > certificate
    > but I wanted to know how far I could get without. To simulate a
    > non-customer/
    > employee connecting to the server in question.
    >
    > Thanks,
    >
    > ~kevin
    >
    > ----- Original Message -----
    > From: "Imre Kertesz" <ikertesz@fastq.com>
    > To: <pen-test@securityfocus.com>; <webappsec@securityfocus.com>
    > Sent: Thursday, April 01, 2004 1:58 AM
    > Subject: Re: Evading Client-Certificate Authentication
    >
    >
    >
    >>I'm not one to argue semantics, but "stumbling" upon a web server during
    >>a "sanctioned" penetration test doesn't happen unless the penetration
    >>test is blind .. or the customer forgot to set you up with a client
    >>certificate .. or the web server that you stumbled upon isn't within the
    >>scope of your sanctioned assessment. In all cases but the latter, the
    >>customer needs to generate a client certificate for you. They are
    >>probably running their own CA, which you may need to visit to generate a
    >>certificate request. The trick is to get a certificate that is
    >>EXPORTABLE so that you can fux0r it with openssl into PEM format that
    >>stunnel can use and voila - instant client certificate proxy. Once you
    >>have this client certificate / stunnel proxy, you might have to do some
    >>local DNS foo to make sure that the application recognizes your stunnel
    >>host as a legitimate target, but it should work fine.
    >>
    >>-I
    >>
    >>Kevin Vanhaelen wrote:
    >>
    >>
    >>>Hi to all,
    >>>
    >>>whilst in the middle of a Penetration Test I stumbled on a web server only
    >>>serving SSL and demanding the client to present
    >>>a certificate to identify himself.
    >>>I tried to nikto it with sslproxy and browse the site thru paros both with a
    >>>temporary Verisign personal certificate.
    >>>No such luck, the server keeps bouncing me off. Even vulnerability scanners
    >>>like Nessus and Retina don't get past
    >>>the port-scan portion.
    >>>
    >>>Does anyone have an idea to further assess this server? Am I looking at a
    >>>mission impossible here maybe?
    >>>
    >>>Thanks,
    >>>
    >>>~kevin
    >>>
    >>--
    >>
    >>-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
    >>"If you sit quietly at the edge of a river, eventually
    >>you will see the bodies of your enemies float by"
    >>-A maxim of patience, author unknown
    >>
    >>Imre Kertesz
    >>PGP ID: 0xA5DD6F44
    >>

    -- 
    Rogan Dawes
    email: lists AT dawes DOT za DOT net
    "Using encryption on the Internet is the equivalent of arranging an
    armored car to deliver credit card information from someone living
    in a cardboard box to someone living on a park bench."
    - Gene Spafford
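The policy Rogan describes (accept any certificate from a recognised CA whose CN matches a local account) beside the check a server should make instead, as an added example that is not from this thread. The CA names, serial numbers, account list and certificate dicts are constructed, laid out the way Python's ssl.getpeercert() returns them.

```python
# Constructed example: two client-certificate authorization policies.
# Nothing here is from the thread; CA names, serials and accounts are made up.

LOCAL_ACCOUNTS = {"Administrator", "kevin"}

# CAs a permissively configured server trusts for client certs (constructed).
PUBLIC_CAS = {"Example Public CA"}
# The organisation's own issuing CA, the only one that should vouch for staff.
INTERNAL_CA = "Example Corp Internal Issuing CA"
# Enrolment registry filled when a cert is issued: (issuer, serial) -> account.
ENROLLED = {(INTERNAL_CA, "1001"): "kevin"}


def _rdn(cert, field, attr):
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple
    # of (attribute, value) pairs; return the first matching value.
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def authorize_weak(cert):
    """Misconfiguration from the thread: any recognised CA, CN matched to an account."""
    cn = _rdn(cert, "subject", "commonName")
    issuer = _rdn(cert, "issuer", "commonName")
    if issuer in PUBLIC_CAS | {INTERNAL_CA} and cn in LOCAL_ACCOUNTS:
        return cn
    return None


def authorize_strict(cert):
    """Hardened: only the internal CA, identity from the enrolment registry, never the CN."""
    issuer = _rdn(cert, "issuer", "commonName")
    if issuer != INTERNAL_CA:
        return None
    return ENROLLED.get((issuer, cert.get("serialNumber")))


# Constructed sample certificates in getpeercert() layout.
PUBLIC_ADMIN_CERT = {
    "subject": ((("commonName", "Administrator"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "serialNumber": "7F3A",
}
INTERNAL_KEVIN_CERT = {
    "subject": ((("commonName", "kevin"),),),
    "issuer": ((("commonName", INTERNAL_CA),),),
    "serialNumber": "1001",
}
```

The weak policy maps the publicly issued "Administrator" certificate straight to the local administrator account; the strict policy rejects it and only honours certificates it enrolled itself.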
