WebApp Sec mailing list archives
Re: Evading Client-Certificate Authentication
From: danielrm26 <danielrm26 () yahoo com>
Date: Mon, 5 Apr 2004 00:50:47 -0400
On Mar 31, 2004, at 3:43 PM, Kevin Vanhaelen wrote:
Whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site thru paros both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion. Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?
I'd say, without knowing too much about this, that it is possible that only a few clients are trusted -- and therefore only a few client certs -- rather than a large swath of people via the CA that issued the cert. I am not saying not to try what has been suggested by others in terms of spoofing, but I am just saying that if only specific certs are allowed then you'll be barking up the wrong tree. If, for example, it's some sort of intranet site, then everyone who's supposed to have access could have a cert -- and no one else.
I do agree that regardless of how it's configured, finding out as much as you can about the type and version of the web server is going to be your best bet. You may be able to attack it successfully in other ways if you know exactly what it is.
Regards, -danielrm26