
How to run Metasploit wmap against a site that requires SNI

Apologies if this is an obvious question; the documentation seems to be a bit thin on the ground. I am trying to scan (with permission) a site that redirects to its HTTPS version and requires SNI to access. WMAP converts the FQDN to an IP address and seems to throw away the hostname. This appears to cause the scan to fail. Redacted transcript below.

msf > db_status 
[*] postgresql connected to msf
msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_sites -a http://example.com/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host           Vhost          Port  Proto  # Pages  # Forms
     --  ----           -----          ----  -----  -------  -------
     0   1.2.3.4  1.2.3.4  443   https  0        0


[*] Available sites
===============

     Id  Host           Vhost          Port  Proto  # Pages  # Forms
     --  ----           -----          ----  -----  -------  -------
     0   1.2.3.4  1.2.3.4  443   https  0        0


msf > wmap_targets -t https://1.2.3.4/login
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 1.2.3.4 (1.2.3.4)
[*]     Port: 443 SSL: true
============================================================
[*] Testing started. 2018-10-15 18:42:22 +0200
[*] 
=[ SSL testing ]=
============================================================
[*] Module auxiliary/scanner/http/cert
[*] Module auxiliary/scanner/http/ssl

[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/open_proxy
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/admin/http/tomcat_administration
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 1.2.3.4:443
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/frontpage_login
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/host_header_injection
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/options
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/robots_txt
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/scraper
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/svn_scanner
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/trace
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/vhost_scanner
[*]  >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/webdav_website_content
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 1.2.3.4: Error: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[-] 1.2.3.4: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] Auxiliary failed: NameError uninitialized constant Errno::E877PIPE
[-] Call stack:
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb:113:in `rescue in run_host'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb:55:in `run_host'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:135:in `block (2 levels) in run'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 10.537943124771118 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.

Have I missed something obvious, or is this a limitation of Metasploit? If it makes a difference, I am running the latest nightly build of the open source version of Metasploit on Ubuntu 18.04. Thanks in advance for any advice.

EDIT: Just to clarify, I am unable to add the target via its domain name. This results in an error:

msf > wmap_targets -t http://example.com/login
[-] Error while running command wmap_targets: PG::InvalidTextRepresentation: ERROR:  invalid input syntax for type inet: "example.com"
: SELECT  "hosts".* FROM "hosts" WHERE "hosts"."workspace_id" = $1 AND "hosts"."address" = $2 LIMIT 1

It only adds it as a target if I pass the IP address, as shown by wmap_sites -l, to wmap_targets instead of the domain.

5
Kitserve

I just looked into the same problem; the syntax for adding sites/targets with vhosts (SNI) is as follows:

Add a site:

wmap_sites -a example.com,http://192.168.1.1

Add the target:

wmap_targets -t example.com,http://192.168.1.1
1
Mike Gaertner