Penetration Testing mailing list archives

Re: Evading Client-Certificate Authentication

From: Skip Carter <skip () taygeta com>
Date: Wed, 31 Mar 2004 15:23:02 -0800

whilst in the middle of a Penetration Test I stumbled on a web server only
serving SSL and demanding the client to present
a certificate to identify himself.

...

Does anyone have an idea to further assess this server? Am I looking at a
mission impossible here maybe?



   Its likely that the server not only expects a certificate from the
client, but that it be signed by a PARTICULAR CA (maybe a local/private one).
You might need to figure out a way to get such a certificate (via social
engineering perhaps ?).




Skip



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940

Attachment: _bin
Description:

Current thread:

Evading Client-Certificate Authentication Kevin Vanhaelen (Mar 31)
- Re: Evading Client-Certificate Authentication Imre Kertesz (Mar 31)
  - Message not available
    - Re: Evading Client-Certificate Authentication Rogan Dawes (Apr 02)
- Re: Evading Client-Certificate Authentication Skip Carter (Mar 31)
- Re: Evading Client-Certificate Authentication Jason (Apr 01)
- <Possible follow-ups>
- Re: Evading Client-Certificate Authentication Brad Showalter (Apr 22)