NFAL – Episode Three: Testing websites while on locked down clients

Or… Yet Another GPO Bypass Technique.

On occasion I get given the task of testing a client’s website using a terminal provided by said client, in order to, in the client’s words, “prove what a malicious user can do with the tools we give them”.

So, in order not to drive myself mental trying to pentest a web app manually in IE without being able to change any settings, I work out a way to get Burp Suite onto the box.

The beautiful thing about Burp Suite is that it’s Java, and java.exe happens to be one chuffing huge hole in endpoint protection mechanisms and application whitelisting.

Okay so problem 1 solved.

Onto problem 2. They lock down the “Connections” tab in Internet Options, but since we already know how to replace whatever pre-existing proxy settings they have with our own Burp Suite proxy details, using a little VBA and the techniques given in this post, this is no longer a problem.

Problems always come in threes, so what is problem 3, you ask?

This:

IE: "You Shall Not Pass!!!" Me: O RLY?

Or, more specifically, the distinct lack of a “continue” link that would let us ignore the self-signed certificate warning and carry on with our traffic being intercepted by the Burp Suite proxy.

This situation is actually a product of the following GPO setting, “Prevent ignoring certificate errors” (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel):

It took me far too long to find this damn setting in GPO :)

Anyone who’s been around IE for any length of time probably already knows that this error page is a resource loaded from a local DLL (for the certificate warning, res://ieframe.dll/invalidcert.htm). The same is true of every “friendly HTTP error” page you get in IE.

The question is: how does the DLL page know not to show the “continue” link?

It does it via a parameter in the error page’s URI: the PreventIgnoreCertErrors parameter. That parameter is not normally present on the error page’s URI unless the GPO setting is enabled.

IE: YA RLY!

So you know what is coming next. Yup: copy pasta, my friends. Copy the error page’s URI out of the address bar, paste it back in, and remember to change the damn variable to 0 before taking a screenshot 😉

WHAAARRRGARBBBBLLL!

and hit enter.

Open Sesame
My mind’s telling me no, but my body, my body is telling me yessss!!!

And finally, do what the message says, click continue…
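To make the mechanism concrete, here is an added example (my own code, not from the post) that parses the error page’s res:// URI, reports whether the PreventIgnoreCertErrors=1 flag is present, and rewrites it to 0 while leaving the rest of the URI intact, including the fragment that carries the original https:// target. The exact shape of the URI (the ErrorStatus parameter, the target address living in the fragment, the sample hostname) is my assumption about what the screenshots show, not something the post spells out.

```javascript
// Added example, not code from the post. The URI layout below is an assumption:
// the certificate warning is rendered from res://ieframe.dll/invalidcert.htm, the
// query string carries the flags the page reads, and the fragment carries the
// https:// address the user actually asked for.

// Split a res:// URI into base, query and fragment. The fragment is cut first
// because the embedded target URL may itself contain '?' and '&'.
function splitResUri(uri) {
  const hashIdx = uri.indexOf('#');
  const beforeHash = hashIdx === -1 ? uri : uri.slice(0, hashIdx);
  const fragment = hashIdx === -1 ? null : uri.slice(hashIdx + 1);
  const qIdx = beforeHash.indexOf('?');
  const base = qIdx === -1 ? beforeHash : beforeHash.slice(0, qIdx);
  const query = qIdx === -1 ? null : beforeHash.slice(qIdx + 1);
  return { base, query, fragment };
}

// Parse "k=v&k2=v2" into [{key, value}] without decoding, so the rebuilt
// string is exactly what IE produced apart from the one flag we change.
function parseQuery(query) {
  if (query === null || query === '') return [];
  return query.split('&').map((pair) => {
    const eq = pair.indexOf('=');
    return eq === -1
      ? { key: pair, value: null }
      : { key: pair.slice(0, eq), value: pair.slice(eq + 1) };
  });
}

function buildQuery(params) {
  return params.map((p) => (p.value === null ? p.key : `${p.key}=${p.value}`)).join('&');
}

const FLAG = 'preventignorecerterrors';
const IEFRAME_PAGE = /^res:\/\/ieframe\.dll\//i;

// True when this is an ieframe.dll error page whose URI carries
// PreventIgnoreCertErrors=1, i.e. the GPO has suppressed the continue link.
function isContinueSuppressed(uri) {
  const { base, query } = splitResUri(uri);
  if (!IEFRAME_PAGE.test(base)) return false;
  return parseQuery(query).some(
    (p) => p.key.toLowerCase() === FLAG && p.value === '1'
  );
}

// Return the URI with PreventIgnoreCertErrors set to 0. A URI without the flag
// (policy not enabled) or one that is not an ieframe.dll page is returned unchanged.
function restoreContinueLink(uri) {
  const { base, query, fragment } = splitResUri(uri);
  if (!IEFRAME_PAGE.test(base)) return uri;
  const params = parseQuery(query);
  if (!params.some((p) => p.key.toLowerCase() === FLAG)) return uri;
  const rewritten = params.map((p) =>
    p.key.toLowerCase() === FLAG ? { key: p.key, value: '0' } : p
  );
  let out = base + '?' + buildQuery(rewritten);
  if (fragment !== null) out += '#' + fragment;
  return out;
}

// Constructed sample (assumed layout): what the address bar holds on a
// policy-locked client after IE refuses a self-signed certificate.
const SAMPLE_LOCKED =
  'res://ieframe.dll/invalidcert.htm?ErrorStatus=0x800B0109&PreventIgnoreCertErrors=1#https://selfsigned.example.test/login?next=/admin';

console.log(isContinueSuppressed(SAMPLE_LOCKED)); // true
console.log(restoreContinueLink(SAMPLE_LOCKED));
```

The point of cutting the fragment before the query is that the original target address is carried whole after the `#`, and that address can contain its own query string; a naive search-and-replace on `PreventIgnoreCertErrors=1` would work on the simple case but a parser that respects the structure is what you want if you are going to script this against many pages.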

IE: NO WAI!!!! Me: Ya... Wai.

Voila! Now you can test with your self-signed Burp certificates, or bypass yet another security control (one that is actually fairly wise to have) on your network. Worth noting for anyone relying on it: the policy only hides a link on a page that is rendered locally from the DLL; it does not stop the navigation itself, and since the flag travels in a URI the user can edit, it is a speed bump rather than a control.

1 thought on “NFAL – Episode Three: Testing websites while on locked down clients”

  1. Incidentally the website featured in the screenshots is not a client of mine. It’s the first hit in google when you search for “testing self-signed ssl certificates” and given as an example link.
