Smart Tokens

This has been tested with SafeNet tokens.

Install

Arch

In order to make them work on Arch, install the following packages:

  • opensc - Smart card tools and libraries
  • openct - Driver implementations for smart cards
  • sac-core - SafeNet Authentication Client for Aladdin eToken core package

yay -S opensc openct sac-core

On Mint, and probably other Ubuntu-based distros:

  • pcscd
  • opensc

apt install opensc pcscd

Usage

Start the service

sudo systemctl start pcscd.service

You could obviously enable the service if you’re going to use it regularly.

With this you should be able to detect the token. Plug it in and run the following command:

opensc-tool -l

Hopefully you’ll see something like this:

# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             [eToken name]

Setting up in Firefox

The token needs to be inserted before starting Firefox, otherwise it will crash.

  1. Open the Firefox preferences dialog
  2. Choose “Privacy and Security” > “Certificates” > “Security Devices”
  3. Choose “Load”
  4. Enter a name for the security module, such as “Local PKCS#11”
  5. Choose “Browse…” and load “/usr/lib/libeTPkcs11.so”

Note that the libeTPkcs11.so file is provided by sac-core.
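A pre-flight check for the steps above, as an added example that is not part of the original page: it confirms the PKCS#11 module is readable and that `opensc-tool -l` reports a card in a reader before Firefox (or Burp) is started. The names `token_present`, `preflight`, `PKCS11_MODULE` and the `--launch` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check the token setup before launching a PKCS#11 client.
# PKCS11_MODULE defaults to the library path given on this page.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/libeTPkcs11.so}"

# token_present: read `opensc-tool -l` output on stdin and return 0 only
# if at least one reader row has "Yes" in the Card column, e.g.
#   Nr.  Card  Features  Name
#   0    Yes             [eToken name]
token_present() {
    awk '
        /^Nr\./ { in_table = 1; next }          # header of the reader table
        in_table && $1 ~ /^[0-9]+$/ && $2 == "Yes" { found = 1 }
        END { exit !found }
    '
}

# preflight: 0 = ready, 2 = module missing, 3 = no token detected.
preflight() {
    if [ ! -r "$PKCS11_MODULE" ]; then
        echo "PKCS#11 module not readable: $PKCS11_MODULE (provided by sac-core)" >&2
        return 2
    fi
    if ! opensc-tool -l 2>/dev/null | token_present; then
        if ! systemctl is-active --quiet pcscd.service; then
            echo "pcscd is not running: sudo systemctl start pcscd.service" >&2
        else
            echo "no token detected; insert it before starting Firefox" >&2
        fi
        return 3
    fi
}

# Hypothetical usage: ./token-preflight.sh --launch firefox
if [ "${1:-}" = "--launch" ]; then
    shift
    preflight && exec "$@"
fi
```
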

Setting up in Burp

  1. Go to “Project Options” -> TLS
  2. Add a new Client certificate
  3. Select Hardware token and a host name if possible
  4. Choose “Manually select library” and load “/usr/lib/libeTPkcs11.so”
  5. Enter the password and click refresh
  6. Add the necessary cert

If there are different certs for different domains, I haven’t found a better way of working out which cert should be used than using Firefox and making a note of the one it asks you to use.

Useful resources:

  • https://www.adaltas.com/en/2019/07/12/mount-aladdin-etoken-in-firefox-on-archlinux/
  • https://medium.com/adaltas/mount-aladdin-etoken-in-firefox-on-archlinux-a78d4313664a
  • https://isea.utoronto.ca/configuring-firefox-use-etoken/
