# The following property specifies where the TrustStore file
# containing the trusted CA certificates or trusted certificates
# can be found.
javax.net.ssl.trustStore=cert/clientTrustStore.jks
An SSL trust store is a container holding the CA certificates (or individual server certificates) that the client trusts.
This client was making an SSL connection to an endpoint web service. To put myself in the middle of the protocol, I had to add Burp's CA certificate to this trust store.
1. Brute force the trust store password
Here, a good old bash loop calling keytool with a dictionary file did the trick:
$ for pwd in $(cat ~/pentest/dictionary/most_used_pwd.txt); do (keytool -list -keystore cert/clientTrustStore.jks -storepass $pwd 2>/dev/null) && echo FOUND PASSWORD $pwd; done
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
FOUND PASSWORD password
2. Add Burp's CA certificate to the trust store
Well, ok, here the password was "password", so I could list the contents of my client trust store. Now, adding Burp's root CA is easy: create a listener in Burp, use it as a proxy, browse to any HTTPS website, display the certificate chain, and save the root CA certificate to a file.
Then, to add this root CA to your trust store:
keytool -import -keystore cert/clientTrustStore.jks -file PortSwiggerCA.cer -storepass password
3. Start playing
To confirm that your certificate has been added to the trust store, list its contents with the same keytool "-list" command used in the brute force above:
$ keytool -list -keystore cert/clientTrustStore.jks -storepass password
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
portswiggerca, 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:D7:52:FB:7A:28:61:71:0F:FF:09:9A:47:59:BE

Now you can proxy your client app through Burp and start playing with the protocol!
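From the defender's side, the same keytool listing is what reveals this kind of modification. The script below is an added example, not code from the original post: it parses a `keytool -list` listing and reports every trustedCertEntry whose fingerprint is not in a baseline of the fingerprints the store is supposed to contain. The baseline and the first two sample entries are constructed values; the last sample entry reuses the PortSwigger CA fingerprint shown in the listing above.

```shell
# Baseline: fingerprints the trust store is supposed to contain.
# Constructed sample values, not real certificates.
EXPECTED_FINGERPRINTS="
8D:B8:11:22:33:44:55:66:77:88:99:AA:BB:CC:41:1B
15:37:11:22:33:44:55:66:77:88:99:AA:BB:CC:25:E9
"

# Constructed sample listing in keytool's two-line-per-entry format.
# The last entry mirrors a proxy CA import.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

rootca1, 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:11:22:33:44:55:66:77:88:99:AA:BB:CC:41:1B
rootca2, 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:11:22:33:44:55:66:77:88:99:AA:BB:CC:25:E9
portswiggerca, 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:D7:52:FB:7A:28:61:71:0F:FF:09:9A:47:59:BE'

# audit_truststore LISTING
# LISTING is the text printed by "keytool -list -keystore ... -storepass ...".
# Prints one line per trustedCertEntry whose fingerprint is not in the
# baseline and returns 1 if any were found, 0 if the store matches.
audit_truststore() {
    local listing="$1" line alias="" fp unexpected=0
    while IFS= read -r line; do
        case "$line" in
            *", trustedCertEntry,"*)
                # "alias, date, trustedCertEntry," : remember the alias,
                # the fingerprint follows on the next line.
                alias=${line%%,*}
                ;;
            "Certificate fingerprint"*)
                fp=${line##*: }   # text after "(MD5): " / "(SHA1): " etc.
                if ! printf '%s\n' "$EXPECTED_FINGERPRINTS" | grep -qxF "$fp"; then
                    echo "UNEXPECTED: alias=$alias fingerprint=$fp"
                    unexpected=1
                fi
                alias=""
                ;;
        esac
    done <<EOF
$listing
EOF
    return $unexpected
}

# Against a real store (password as found above):
#   audit_truststore "$(keytool -list -keystore cert/clientTrustStore.jks -storepass password)"
```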