WebApp Sec mailing list archives

Re: Evading Client-Certificate Authentication


From: danielrm26 <danielrm26 () yahoo com>
Date: Mon, 5 Apr 2004 00:50:47 -0400


On Mar 31, 2004, at 3:43 PM, Kevin Vanhaelen wrote:

Whilst in the middle of a penetration test I stumbled on a web server only serving SSL and demanding that the client present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site through paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion.

Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?

I'd say, without knowing too much about this, that it is possible that only a few clients are trusted -- and therefore only a few client certs -- rather than a large swath of people via the CA that issued the cert. I am not saying not to try what has been suggested by others in terms of spoofing, but I am just saying that if only specific certs are allowed then you'll be barking up the wrong tree. If, for example, it's some sort of intranet site, then everyone who's supposed to have access could have a cert -- and no one else.

I do agree that regardless of how it's configured, finding out as much as you can about the type and version of the web server is going to be your best bet. You may be able to attack it successfully in other ways if you know exactly what it is.

Regards,

-danielrm26
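The reply above turns on one question: does the server trust a whole CA (so a certificate issued under it might get you in) or only a handful of enrolled client certificates under a private intranet CA? A TLS server answers that itself during the handshake: its CertificateRequest message carries the list of issuer names it will accept, and the server's own certificate chain is sent before any client certificate is checked, which helps with the "find out what the server is" fingerprinting the reply recommends. The script below is an added example for this thread, not code posted by either participant; it assumes openssl(1) is installed, HOST:PORT is a placeholder for the target, and the sample transcript is constructed here so the filters can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread): read the CA names a TLS server
# advertises in its CertificateRequest, to tell "trusts a public CA" from
# "trusts one private intranet CA". Assumes openssl(1) is on PATH;
# HOST:PORT is a placeholder for the real target.

# Raw handshake transcript. -showcerts also dumps the server's own chain,
# which arrives before any client cert is checked and usually names the
# organisation and hostnames, so it is useful even when the handshake fails.
probe() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null
}

# Filter an s_client transcript on stdin down to the advertised CA subjects,
# one per line. Handles both the old layout (names directly followed by ---)
# and the newer one (names followed by "Client Certificate Types:").
ca_names() {
    sed -n '/^Acceptable client certificate CA names/,/^---/p' \
      | sed '1d; /^Client Certificate Types/,$d; /^---/d'
}

# Summarise what the server asked for. Prints one of:
#   none     - no CertificateRequest in the transcript: the check is not at
#              the TLS layer, or TLS 1.3 encrypted it (retry probe with -tls1_2)
#   any      - server asks for a cert but sends an empty issuer list
#   pinned:N - server lists N acceptable issuers; run ca_names for the subjects
classify() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q '^No client certificate CA names sent'; then
        echo any
        return
    fi
    n=$(printf '%s\n' "$transcript" | ca_names | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then echo none; else echo "pinned:$n"; fi
}

# Constructed excerpt of an s_client transcript (not real output from the
# thread's target), so the filters can be exercised without a network.
sample_transcript() {
    cat <<'EOF'
---
Acceptable client certificate CA names
C = BE, O = Example Intranet, CN = Example Intranet Client CA
C = BE, O = Example Intranet, CN = Example Intranet Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 2891 bytes and written 423 bytes
Verification: OK
EOF
}

# Usage against a live target (placeholder host):
#   probe HOST:PORT | classify
#   probe HOST:PORT | ca_names
```

A result of `pinned:N` with subjects that name the target organisation's own CA is the situation the reply describes: a Verisign personal certificate will never satisfy the handshake, and effort is better spent on the server certificate contents, the banner, and any other exposed services. A `none` result means the rejection is happening above TLS, so the HTTP response itself is worth capturing.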

