
SNI problem? #573

Open
drwetter opened this issue Nov 15, 2018 · 8 comments

@drwetter (Contributor)

Hello there,

When I scan my own host, where I set up a default IP, the banner and ports of the scan end up not at the virtual host I was aiming at. Examples:

```
./nikto.pl    -host https://<FQDN>:443  -T x469 -Display E4
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          <IP of FQDN>
+ Target Hostname:    <FQDN>
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=SH/ST= /O=Schlingel\xC3\x83\xC2\xB6l/CN=default.name
                   Ciphers:  ECDHE-ECDSA-AES256-GCM-SHA384
                   Issuer:   /C=OO/ST=Somewhere/L=Over/O=><script>alert(Hi)/CN=The Rainbow
+ Start Time:         2018-11-15 10:28:00 (GMT1)
---------------------------------------------------------------------------
+ Server: Never trust a banner
```

This is the default certificate on the IP address I configured. The certificate of the hostname is different. This must have been introduced somewhat recently.

During the scan I also see, in the log file for the default IP, scans for variations of `$hostname\.(sql|tar.gz|jks|war|lzma|tar|pem|cer)` etc., which may be ending up here on purpose?

What about those:

```

AAA.BBB.CCC.DDD - - [15/Nov/2018:09:47:47 +0100] "PROPFIND / HTTP/1.1" 400 857 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:47:47 +0100] "TRACE / HTTP/1.0" 405 1452 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:47:47 +0100] "TRACK / HTTP/1.0" 405 1454 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:34 +0100] "GET /cgi.cgi/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:34 +0100] "GET /webcgi/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 859 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:34 +0100] "GET /cgi-914/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:34 +0100] "GET /cgi-915/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:34 +0100] "GET /bin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:34 +0100] "GET /cgi/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 859 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:34 +0100] "GET /mpcgi/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /cgi-bin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /ows-bin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /cgi-sys/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /cgi-local/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /htbin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /cgibin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 859 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /cgis/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /scripts/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:35 +0100] "GET /cgi-win/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:36 +0100] "GET /fcgi-bin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:36 +0100] "GET /cgi-exe/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:36 +0100] "GET /cgi-home/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:36 +0100] "GET /cgi-perl/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 857 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:36 +0100] "GET /scgi-bin/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:36 +0100] "GET /cgi-bin-sdb/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 858 "-" "-"
AAA.BBB.CCC.DDD - - [15/Nov/2018:09:48:36 +0100] "GET /cgi-mod/excite;IFS=\\\"$\\\";/bin/cat /etc/passwd" 400 859 "-" "-"
```

(the FF user-agent is the one I supplied here)

Is that deliberately scanned on the IP and not on the FQDN?

@sullo (Owner)

sullo commented Nov 19, 2018

The `$hostname` ones are from the 'hostfiles' plugin, which does scan by IP intentionally. This plugin came about because I found a site which had a tgz of the site available via the IP but not via the name. My SOP is to run against both if I have time (which I don't always).

You should be able to disable this (to verify) by doing:

```
-Plugins "@@DEFAULT;-sitefiles"
```

@sullo (Owner)

sullo commented Nov 19, 2018

@drwetter I'm not sure about the other situation. It is possibly due to SNI, if you are using that, but I am unable to confirm, as I do not have an SNI site handy.

I've dug into the code of LW and the SSL modules and didn't come back with a clear understanding of where/how SNI support may be lacking. So, if this is a public site that I can test against please email me and maybe we can do some testing.

@drwetter (Contributor, Author)

> The `$hostname` ones are from the 'hostfiles' plugin, which does scan by IP intentionally.

Thanks. That part sounds reasonable to me. I was thinking more of the CGI paths (15/Nov/2018:09:48:34 --> 15/Nov/2018:09:48:36), especially if those end up on the default host and not on the hostname provided. That could lead to false negatives.

@drwetter (Contributor, Author)

drwetter commented Jan 8, 2019

> @drwetter I'm not sure about the other situation--it is possibly due to SNI if you are using that, as I am unable to confirm but I do not have an SNI site handy.
>
> I've dug into the code of LW and the SSL modules and didn't come back with a clear understanding of where/how SNI support may be lacking. So, if this is a public site that I can test against please email me and maybe we can do some testing.

Currently I have a spare machine, so I set up a host for you: zzabcde.testssl.sh (SSL Info shows the certificate on the IP address, not the one on the virtual host):

```
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          81.169.199.25
+ Target Hostname:    zzabcde.testssl.sh
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=SH/ST= /O=Schlingel\xC3\x83\xC2\xB6l/CN=default.name
                   Ciphers:  ECDHE-ECDSA-AES256-GCM-SHA384
                   Issuer:   /C=OO/ST=Somewhere/L=Over/O=><script>alert(Hi)/CN=The Rainbow
+ Start Time:         2019-01-08 11:31:13 (GMT1)
---------------------------------------------------------------------------
```

Let me know when you're done. By Saturday I need to shut it down.

@sullo (Owner)

sullo commented Jan 8, 2019

So I see the proper response for zzabcde.testssl.sh in the debug output when requesting /, and the proper 404 response that matches. The base without the hostname does not appear; however, the base without the hostname's 404 message is the same as with it, so that could be a challenge.

I am letting a rather large debug output file be created now. More analysis to come but so far it seems working ok--need to dive into that CGI business specifically.

Thanks for setting this up!

@drwetter (Contributor, Author)

drwetter commented Jan 9, 2019

If I switch off the default IP, the SSL Info looks like this:

```
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          81.169.199.25
+ Target Hostname:    zzabcde.testssl.sh
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=zzabcde.testssl.sh
                   Altnames: zzabcde.testssl.sh
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ Start Time:         2019-01-09 09:33:53 (GMT1)
---------------------------------------------------------------------------
```

Params: `./nikto.pl -host https://zzabcde.testssl.sh:443`
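Two checks for the symptom discussed in this thread, added here as example code (not Nikto's own code): `scanned_default_vhost` parses Nikto's `+ SSL Info:` block to see whether the reported certificate names the target host at all, and `sni_required` connects with and without SNI to tell whether the server would hand a non-SNI client the default vhost's certificate instead. Function names and the shortened sample block are assumptions of this example.

```python
import re
import socket
import ssl

# Sample taken from the "+ SSL Info:" block quoted above (Subject shortened).
SAMPLE_DEFAULT = """+ SSL Info:        Subject:  /C=SH/ST= /O=Schlingel/CN=default.name
                   Ciphers:  ECDHE-ECDSA-AES256-GCM-SHA384
"""
_SUBJECT = re.compile(r"Subject:\s+(\S.*)")
_ALTNAMES = re.compile(r"Altnames:\s+(\S.*)")

def cert_names_from_nikto(output):
    """Collect the CN and any Altnames from Nikto's '+ SSL Info:' block."""
    names = set()
    m = _SUBJECT.search(output)
    if m:
        cn = re.search(r"/CN=([^/\n]+)", m.group(1))
        if cn:
            names.add(cn.group(1).strip())
    m = _ALTNAMES.search(output)
    if m:
        names.update(n.strip() for n in m.group(1).split(","))
    return names

def _name_matches(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*.") and "." in hostname:  # single-label wildcard
        return hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def scanned_default_vhost(output, hostname):
    """True when no name in the certificate Nikto reports covers the target."""
    return not any(_name_matches(n, hostname) for n in cert_names_from_nikto(output))

def fetch_cert_der(host, port=443, sni=True, timeout=5.0):
    """DER leaf cert the server presents; sni=False behaves like a legacy client."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare what is served, we do not validate it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return tls.getpeercert(binary_form=True)

def sni_required(host, port=443):
    """True if the leaf cert differs with and without SNI: a scanner that omits
    SNI would then be probing the default vhost (the false-negative risk above)."""
    return fetch_cert_der(host, port, True) != fetch_cert_der(host, port, False)

if __name__ == "__main__":
    print(scanned_default_vhost(SAMPLE_DEFAULT, "zzabcde.testssl.sh"))  # True
```

If `sni_required` returns True for a host and the scanner's SSL Info shows the default certificate, the scan was served by the default vhost rather than the name you passed.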

@drwetter (Contributor, Author)

I don't know whether you're done? Just wanted to remind you that tomorrow I will need to decommission the machine.

@sullo (Owner)

sullo commented Jan 11, 2019 via email
