Things can get trickier. What if the site requires a client certificate? In
many cases you have a webserver that requires a client certificate, and
would respond like this:

    HTTP Error 403
    403.7 Forbidden: Client certificate required
    This error occurs when the resource you are attempting to access requires
    your browser to have a client Secure Sockets Layer (SSL) certificate that
    the server recognizes. This is used for authenticating you as a valid user
    of the resource.

The Common Name (CN) of the client certificate is mapped to a user on the NT
server, and access rights on the server are granted according to that user
name. Again, it is beyond the scope of this document to explain the inner
workings of IIS servers or PKI. The reader should understand that if a
webserver trusts a public CA (such as Verisign) and relies on the client
certificate's CN alone to authenticate the user, it can be exploited: anyone
who can obtain a certificate with a matching CN from that CA is accepted as
that user. Let us see how we will exploit this.
The first step would be to obtain a class 1 client certificate from
Verisign. Go to http://digitalid.verisign.com. Apply for a class 1 personal
certificate. In the firstname field enter a name - this name will be the CN
of the client certificate, and as such a firstname of "administrator" would
not be a bad choice. Leave the lastname blank. Follow all the steps - the
email step, the "install new client certificate" step, etc. At the end of all
of this you should have a client certificate installed in your browser. You
now want to use this client certificate with the SSLproxy, so it has to be
exported. Export the cert as a PKCS12 package and save it to a file with a
P12 extension. The SSLproxy package cannot read PKCS12 cert packages, so you
have to convert it. We use OpenSSL to convert the cert to something more
portable:
# openssl pkcs12 -in mycert.p12 -clcerts
The OpenSSL PKCS12 module asks for 3 passwords or PINs - the first one is the
current PIN/password that you chose for your cert - the other two are the
new PIN/password for the cert, entered twice to confirm. The output of the
command looks like this:
Enter Import Password:
MAC verified OK
Bag Attributes
    friendlyName: administrator's VeriSign, Inc. ID
    localKeyID: 2C A7 F4 B2 E7 98 CE 80 CA 12 F2 0C 1D E5 25 D3 DE 06 F0 86
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,17A295CBFA235CE5
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: administrator's VeriSign, Inc. ID
    localKeyID: 2C A7 F4 B2 E7 98 CE 80 CA 12 F2 0C 1D E5 25 D3 DE 06 F0 86
subject=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Netscape/CN=administrator/Email=roelof@sensepost.com
issuer=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
You will see a certificate and a private key, both PEM encoded. Take these
PEM encoded blocks and cut & paste them into a file - both of them in one
file - the order does not matter. Let us assume you call the file
mycert.pem. This is your client cert and key. BTW - I would gladly give you
the password for the above cert - the only problem is that it is only valid
for 60 days, and by the time you read this it's probably expired already. The
next step is to fire up the SSL proxy to use your client cert, while still
verifying the server cert. We start SSLproxy as follows:
# sslproxy -L 127.0.0.1 -l 7117 -R 168.xxx.240.30 -r 443 -v Class3.pem -c mycert.pem
Enter PEM pass phrase: [enter your PIN here]
proxy ready, listening for connections
Now test if the server accepts the publicly signed client certificate by
typing http://127.0.0.1:7117 in your browser. Should this work, we can now
scan 127.0.0.1 on port 7117, and SSLproxy will happily pass along our client
cert in every request.
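As an added example (not part of the original paper), the script below performs the same PKCS12 to PEM conversion non-interactively and then shows the server-side check that closes the hole just described: trust only the organisation's own CA and pin client certificate fingerprints, instead of mapping the CN of any public-CA certificate to a user. It assumes an openssl binary (1.1 or 3.x) on PATH; every CA, name and file in it is constructed for the demonstration.

```shell
# Added example, not from the original paper: the PKCS12 -> PEM conversion done
# non-interactively, followed by the server-side check that removes the weakness
# described above (trust only your own CA and pin fingerprints, never map the CN).
# Assumes an openssl binary (1.1 or 3.x) on PATH; all CAs, names and files are
# constructed for the demonstration.
set -e
W=$(mktemp -d); cd "$W"

# make_ca NAME SUBJECT : self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -subj "$2" -days 2 2>/dev/null
}
# issue CA NAME CN : client certificate with the given CN, signed by CA
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -out "$2.pem" -days 1 2>/dev/null
}
# p12_to_pem IN.p12 OUT.pem IMPORT_PW PEM_PW : the paper's conversion command
# with -out, so both PEM blocks land in one file and no cut & paste is needed
p12_to_pem() {
  openssl pkcs12 -in "$1" -clcerts -out "$2" -passin "pass:$3" -passout "pass:$4"
}
pem_has_key_and_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- 'PRIVATE KEY-----' "$1"
}
# authorize_client CERT.pem : accept only certificates that chain to the
# internal CA and whose SHA-256 fingerprint is on the allowlist. The CN is
# never consulted, so a public-CA certificate with CN=administrator is useless.
authorize_client() {
  openssl verify -CAfile internal.pem "$1" >/dev/null 2>&1 </dev/null || return 1
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  grep -qx "$fp" allowlist.txt
}

make_ca public "/O=Example Public CA/CN=Public Class 1 CA"   # stands in for a commercial CA
make_ca internal "/O=Example Corp/CN=Example Corp Internal CA"
issue public outsider administrator   # anyone can obtain this from a public CA
issue internal staff administrator    # issued by the organisation itself
# package the outsider cert as a browser export would, then convert it
openssl pkcs12 -export -in outsider.pem -inkey outsider.key -out outsider.p12 -passout pass:old
p12_to_pem outsider.p12 mycert.pem old new
# the allowlist holds fingerprints of certificates the organisation issued
openssl x509 -in staff.pem -noout -fingerprint -sha256 | cut -d= -f2 > allowlist.txt
```

Both client certificates carry CN=administrator; only the one issued by the internal CA and present on the allowlist passes authorize_client.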