Incorrect SSL info in scan #638
Comments
|
Are you using a single certificate with multiple names in the SAN?
I've just tested it against my box which has that, and Nikto shows the CN
for the certificate which is my primary site but not the SAN list which
includes the second site I scanned.
If this isn't the issue, I'm still going to put in a feature request, show
the SAN values as well as the CN in the SSL Info section.
…On Thu, 21 Nov 2019 at 08:31, Sumit Gupta ***@***.***> wrote:
I run nikto -h https://www.example.com it shows SSL info for some other
site on server [which is apparently the first Virtual host on server]. But
it is not showing the SSL info of URL I shared. We are using Let's encrypt
SSL for all sites. If I change order in my Virtual Host file and make scan
site as first it shows correct. But why Nikto is scanning SSL separately
probably based on IP address. Is there any option we can mark for shared
hosting?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#638?email_source=notifications&email_token=AAA4SWJFY34OIRLLVZQZYODQUZBOPA5CNFSM4JP6WT7KYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4H3A2RSA>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA4SWPJUWQYGKE6FHRB42DQUZBOPANCNFSM4JP6WT7A>
.
|
|
No, we create Virtual Host in Apache, and then when we run When we run site on browsers they all shows different certificate [different issue date etc] |
|
Reminds me on #573 |
|
I've not got a box with multiple certs on to test against, but I've just
watched some traffic, and all the TLS client hello messages contain the
correct SNI field so it looks like it is requesting the correct certificate
based on the host name.
This is going way overboard in debugging, but if you fancy having a look in
Wireshark to see what is going on, this is a Client Hello message which
should have the SNI field correctly set to the hostname you are requesting.
[image: image.png]
And then this is the cert that is returned. In my case, the CN isn't what
was requested as the host is in a SAN.
[image: image.png]
Check these out to see if the right certificate is requested and then
returned.
…On Thu, 21 Nov 2019 at 09:20, Sumit Gupta ***@***.***> wrote:
No, we create Virtual Host in Apache, and then when we run Certbot it ask
to choose site and whenever we put new site we get new SSL, which has
different dates for that Domain (or it's alias) so each virtual host get
its own certificate.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#638?email_source=notifications&email_token=AAA4SWMX5FUD5TG67EAPI53QUZHE7A5CNFSM4JP6WT7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEEZQYDI#issuecomment-556993549>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA4SWIQHH4RALVA7ZJV3S3QUZHE7ANCNFSM4JP6WT7A>
.
|
|
@digininja your images didn't come through. I am no expert and didn't exactly know how to run Wireshark. I am running WSL Kali with nikto form my win 10 machine to scan site. We have to provide security report to our customer and hence we are scanning site on live server. I cannot share server details to let anyone scan it. The CN We are getting in nikto output is for different domain, [first in list] |
|
I just see |
|
Here are the images.
Fire up Wireshark, get it sniffing on the main network interface Filter it to just show the IP that you are scanning with a filter of Start the scan and then stop it as soon as the SSL info is shown. Scroll up to the top of the capture and look for a Client Hello message. Expand that out and you should see something like the first screenshot. Look down a few packets and you should then see a Certificate packet. Expand that out and you'll see the second screenshot. The two packets marked in black in this screenshot are the two you want to look for.
|
|
Okay, I got wireshark running and capture for |
|
That will be the problem then. Without an SNI field, the web server doesn't know which site the connection is for so will return the default vhost. Make sure the Kali box is fully up to date and pull the latest Nikto from Github and try that. My guess is an old version of OpenSSL, or some other library which doesn't support SNI, is being used somewhere. |
|
I put in a couple of SNI patches to libwhisker about a year ago. Bearing in mind how poor Kali's patching is, I strongly suspect that they haven't been rolled upstream. I seriously don't recommend using Kali's packaged tools. |
|
Thanks for information, the problem is understood and I need to prepare other machine to test it out, so it might be a while for me to test. Thanks for information. |
|
Just try with the latest version from here, the changes @tautology0 put in place may be the ones you need. |
|
First, I was able to run with correct SSL info been displayed. Now, few things I notice (probably other thread should be created but anyways:)
Thanks for @digininja for your encouragement and clear guidance. |
|
Glad you got it working.
…On Thu, 21 Nov 2019, 12:28 Sumit Gupta, ***@***.***> wrote:
Closed #638 <#638>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#638?email_source=notifications&email_token=AAA4SWKBSL65WXMAEI5ORWTQUZ5FHA5CNFSM4JP6WT7KYY3PNVWWK3TUL52HS4DFWZEXG43VMVCXMZLOORHG65DJMZUWGYLUNFXW5KTDN5WW2ZLOORPWSZGOVAGXFLA#event-2819453612>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA4SWJINL3FW5B5KWVSA5TQUZ5FHANCNFSM4JP6WT7A>
.
|
|
I’m not sure why it would do that by default—I’ll have to look. In the meantime try -Vhost to see of that helps to work as expected.
…Sent from my iPhone
On Nov 21, 2019, at 3:31 AM, Sumit Gupta ***@***.***> wrote:
I run nikto -h https://www.example.com it shows SSL info for some other site on server [which is apparently the first Virtual host on server]. But it is not showing the SSL info of URL I shared. We are using Let's encrypt SSL for all sites. If I change order in my Virtual Host file and make scan site as first it shows correct. But why Nikto is scanning SSL separately probably based on IP address. Is there any option we can mark for shared hosting?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
Or ignore me since I’m late to this party.
…Sent from my iPhone
On Nov 21, 2019, at 3:31 AM, Sumit Gupta ***@***.***> wrote:
I run nikto -h https://www.example.com it shows SSL info for some other site on server [which is apparently the first Virtual host on server]. But it is not showing the SSL info of URL I shared. We are using Let's encrypt SSL for all sites. If I change order in my Virtual Host file and make scan site as first it shows correct. But why Nikto is scanning SSL separately probably based on IP address. Is there any option we can mark for shared hosting?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
@sullo I already tried vhost option and it doesn't work, and your reply on close thread does means a lot as you been the author. I can now trust more on Nikto :). |
I run
nikto -h https://www.example.comit shows SSL info for some other site on server [which is apparently the first Virtual host on server]. But it is not showing the SSL info of URL I shared. We are using Let's encrypt SSL for all sites. If I change order in my Virtual Host file and make scan site as first it shows correct. But why Nikto is scanning SSL separately probably based on IP address. Is there any option we can mark for shared hosting?The text was updated successfully, but these errors were encountered: