Home > Security Tools, Tutorial, Uncategorized > Extracting Certs and Keys from .pfx and using with sqlmap

Extracting Certs and Keys from .pfx and using with sqlmap

June 5, 2013 Leave a comment Go to comments

I only had a .pfx file to work with and needed to extract the key and certificate in order to use sqlmap against a particular site. This site provided all the steps I needed to do that.

  1. Extract private key: 
    • openssl.exe pkcs12 -in file.pfx -nocerts -out privKey.pem
  2. Extract certificate: 
    • openssl.exe pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem
  3. Remove password from private key: 
    • openssl.exe rsa -in privKey.pem -out private.pem

Once that is done run sqlmap with the following flags:

  • sqlmap -u https://www.targeturl.com --auth-cert privatekey.pem,cert.pem

To save time typing in the key and cert locations, if in windows you can just drag the file into the command prompt (not sure about linux/mac).

Option 2:

If you have your client cert loaded into Burp, you could just use the sqlmap option ‘–proxy=”http://localhost:8080″‘ and have sqlmap go through Burp and then not worry about extracting certs/keys.  This would have been easier, but I found out about it later.  Good to know for the future.

Categories: Security Tools, Tutorial, Uncategorized Tags: , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: