Home > Security Tools, Tutorial, Uncategorized > Extracting Certs and Keys from .pfx and using with sqlmap

Extracting Certs and Keys from .pfx and using with sqlmap

I only had a .pfx file to work with and needed to extract the key and certificate in order to use sqlmap against a particular site. This site provided all the steps I needed to do that.

  1. Extract private key:
    • openssl.exe pkcs12 -in file.pfx -nocerts -out privKey.pem
  2. Extract certificate:
    • openssl.exe pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem
  3. Remove password from private key:
    • openssl.exe rsa -in privKey.pem -out private.pem

Once that is done run sqlmap with the following flags:

  • sqlmap -u https://www.targeturl.com --auth-cert privatekey.pem,cert.pem

To save time typing in the key and cert locations, if in windows you can just drag the file into the command prompt (not sure about linux/mac).

Option 2:

If you have your client cert loaded into Burp, you could just use the sqlmap option ‘–proxy=”http://localhost:8080″‘ and have sqlmap go through Burp and then not worry about extracting certs/keys.  This would have been easier, but I found out about it later.  Good to know for the future.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: