about disable ssl cert check / accept low strength certificate encryption #676

Open
c2xusnpq6 opened this issue Dec 19, 2020 · 53 comments
Labels: enhancement (New feature or request), in review (Should this be accepted?), Priority: Low

@c2xusnpq6

[image]
TLS 1.0: --tlsv1.0 or -1?

$ curl -h | sed -ne '/--tlsv/p'
 -1, --tlsv1 Use TLSv1.0 or greater
     --tlsv1.0 Use TLSv1.0
     --tlsv1.1 Use TLSv1.1
     --tlsv1.2 Use TLSv1.2
     --tlsv1.3 Use TLSv1.3 
@shelld3v
Collaborator

I think dirsearch disabled certificate check by default

@c2xusnpq6
Author

> I think dirsearch disabled certificate check by default

or... how do i force the use of tls v1.0?

@shelld3v
Collaborator

Well, it's not important, we can request without cert check, so tls v1.0 or no cert has no impact

@c2xusnpq6
Author

c2xusnpq6 commented Dec 23, 2020

> Well, it's not important, we can request without cert check, so tls v1.0 or no cert has no impact

but... i can't do the test... with this
[image]

@c2xusnpq6
Author

firefox: SEC_ERROR_UNKNOWN_ISSUER @shelld3v @maurosoria

@c2xusnpq6
Author

c2xusnpq6 commented Dec 23, 2020

curl:

# curl -v "https://xx.xx.xx.xx/" -H "Host: xxxx.xx" -k
*   Trying xx.xx.xx.xx:443...
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

@shelld3v @maurosoria

@c2xusnpq6
Author

c2xusnpq6 commented Dec 23, 2020

curl with -1:

curl -v "https://xx.xx.xx.xx/" -H "Host: hidden.hidden" -k -1
*   Trying xx.xx.xx.xx:443...
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Oct  6 06:08:00 2020 GMT
*  expire date: Oct  3 06:08:00 2035 GMT
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: hidden.hidden
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/7.hidden
< X-AspNet-Version: 2.0.hidden
< X-Powered-By: ASP.NET
< Date: Wed, 23 Dec 2020 07:55:33 GMT
< Content-Length: 2363
<

...

@shelld3v @maurosoria

@shelld3v
Collaborator

I don't know what you are testing?

@c2xusnpq6
Author

c2xusnpq6 commented Dec 29, 2020

@shelld3v I need something like -1 and -k ^^''

 -1, --tlsv1         Use TLSv1.0 or greater
     --tlsv1.0       Use TLSv1.0 or greater
     --tlsv1.1       Use TLSv1.1 or greater
     --tlsv1.2       Use TLSv1.2 or greater
     --tlsv1.3       Use TLSv1.3 or greater

 -k, --insecure      Allow insecure server connections when using SSL

@shelld3v
Collaborator

shelld3v commented Dec 29, 2020

-k is available by default!

@shelld3v
Collaborator

And I think -1 is not important

@c2xusnpq6
Author

c2xusnpq6 commented Dec 29, 2020

I can't start the test, if I don't get -1
(Of course I tried before submitting here...)

@shelld3v
Collaborator

I can't understand what you tried to say. If you select a low strength encryption certificate website and try brute-forcing it with dirsearch, you will see that it works fluently!!

@c2xusnpq6
Author

Of course I tried before submitting here...

@c2xusnpq6
Author

It needed to be TLS1.0...

@c2xusnpq6
Author

And I can't scan that old website with dirsearch...

@shelld3v
Collaborator

> And I can't scan that old website with dirsearch...

What is the error traceback?

@c2xusnpq6
Author

c2xusnpq6 commented Dec 30, 2020

@shelld3v

sudo python3 dirsearch.py --max-retries 3 --random-user-agent --full-url -e hidden --timeout 10 -w "hidden" -r -R 10 -t 10 -u "https://xx.xx.xx.xx/"

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: hidden | HTTP method: GET | Threads: 10 | Wordlist size: 278071

Error Log: /root/dirsearch/logs/errors-hidden.log

Target: https://xx.xx.xx.xx/

There was a problem in the request to: https://xx.xx.xx.xx:443/

Task Completed

@shelld3v
Collaborator

Were you able to visit https://xx.xx.xx.xx:443/ from your browser?

@c2xusnpq6
Author

c2xusnpq6 commented Dec 31, 2020

> Were you able to visit https://xx.xx.xx.xx:443/ from your browser?

I told u before bro.... ^^'' it's ok, but you need to click the ~ignore button

Firefox:
[image]
SEC_ERROR_UNKNOWN_ISSUER

@c2xusnpq6
Author

c2xusnpq6 commented Dec 31, 2020

It needs -1 I pretty sure that…

@c2xusnpq6
Author

@shelld3v

@shelld3v
Collaborator

shelld3v commented Jan 7, 2021

I have no idea why I should do this! People haven't seen any problem with SSL in dirsearch for years, so I don't know why you are facing this. I don't even know whether it is an SSL problem or not, or how to fix this (I disabled cert check, what else is there to do?)! I may need to investigate more!!

@c2xusnpq6
Author

c2xusnpq6 commented Jan 14, 2021

With and without -1:
#676 (comment)
#676 (comment)

with -1: it works
without -1: it doesn't

@shelld3v

@shelld3v
Collaborator

Hi, sorry for being so late! I am trying to find a way to fix this.

@shelld3v
Collaborator

Hi, can you give me any website that has a low strength certificate? So I can do more tests for my fix!!

@c2xusnpq6
Author

> Hi, can you give me any website that has a low strength certificate? So I can do more tests for my fix!!

send me ur email addr then~ thx ^^

@oldlazycat

Is the problem solved, and how? I have the same problem here, macOS Big Sur, version 0.4.1, example:
python dirsearch.py -u https://xx.x.x.x:8081/

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 11793

Error Log: XXX/dirsearch-0.4.1-alpha/logs/errors-21-01-21_15-30-04.log

Target: https://xx.xx.xx.xx:8081/

There was a problem in the request to: https://xx.xx.xx.xx:8081

Task Completed

@shelld3v
Collaborator

Hey @oldlazycat, I don't think port 8081 is served for HTTPS service! Try http://xx.xx.xx.xx:8081

@oldlazycat

> Hey @oldlazycat, I don't think port 8081 is served for HTTPS service! Try http://xx.xx.xx.xx:8081

It doesn't have to be port 443, you can specify any port, and it is https://xx.xx.xx.xx:8081

@shelld3v
Collaborator

> It doesn't have to be port 443, you can specify any port, and it is https://xx.xx.xx.xx:8081

Try opening https://xx.xx.xx.xx:8081 in your browser and you will know whether it is HTTP or HTTPS

@oldlazycat

[image]

@c2xusnpq6
Author

bruh....

@shelld3v
Collaborator

Hi, sorry, but I haven't found a fix that can fit all the requirements yet (this may need a lot of updates), and I am in my break, so I can't fix it now. I hope I can get back soon!! Meanwhile, you can hack other things, right ;)

Happy Lunar New Year! (not yet, but will be soon)

@c2xusnpq6
Author

it's fine~ thx ^^

@maurosoria
Owner

Hello folks,

If you can give me at least one host with the same issue, I'd probably be able to fix it.

You can write me via email or twitter.

Regards,
Mauro

@maurosoria maurosoria added bug Something isn't working enhancement New feature or request labels Jan 27, 2021
@c2xusnpq6
Author

> Hello folks,
>
> If you can give me at least one host with the same issue, I'd probably be able to fix it.
>
> You can write me via email or twitter.
>
> Regards,
> Mauro

Can I get your email address? THX

@c2xusnpq6
Author

ping? @maurosoria

@maurosoria
Owner

You should be able to see it in my profile

maurosoria at protonmail dot com

@c2xusnpq6
Author

@shelld3v
Collaborator

https://stackoverflow.com/questions/62306296/how-to-use-tls-1-0-with-python-3-8

From that link, you can fix this with pip install urllib3[secure]

@c2xusnpq6
Author

I'll take a look later, THX!

@c2xusnpq6
Author

c2xusnpq6 commented Apr 21, 2021

# sudo python3 -m pip install urllib3[secure]
Requirement already satisfied: urllib3[secure] in /usr/local/lib/python3.9/dist-packages (1.24.3)
Requirement already satisfied: certifi in /usr/local/lib/python3.9/dist-packages (from urllib3[secure]) (2020.12.5)
Requirement already satisfied: ipaddress in /usr/local/lib/python3.9/dist-packages (from urllib3[secure]) (1.0.23)
Requirement already satisfied: idna>=2.0.0 in /usr/local/lib/python3.9/dist-packages (from urllib3[secure]) (2.8)
Requirement already satisfied: cryptography>=1.3.4 in /usr/local/lib/python3.9/dist-packages (from urllib3[secure]) (3.3.1)
Requirement already satisfied: pyOpenSSL>=0.14 in /usr/local/lib/python3.9/dist-packages (from urllib3[secure]) (20.0.1)
Requirement already satisfied: six>=1.4.1 in /usr/local/lib/python3.9/dist-packages (from cryptography>=1.3.4->urllib3[secure]) (1.15.0)
Requirement already satisfied: cffi>=1.12 in /usr/local/lib/python3.9/dist-packages (from cryptography>=1.3.4->urllib3[secure]) (1.14.4)
Requirement already satisfied: pycparser in /usr/local/lib/python3.9/dist-packages (from cffi>=1.12->cryptography>=1.3.4->urllib3[secure]) (2.20)

🤔

@shelld3v
Collaborator

Hi @c2xusnpq6, sorry for the late response.

Look at this: https://stackoverflow.com/a/38502727/12238982

I'm suspecting that the issue you are facing does not relate to SSL/TLS. @c2xusnpq6 @oldlazycat If one of you can give me the target, I will be happy to try my best to solve your problems.

Thanks

@shelld3v
Collaborator

Hi @c2xusnpq6, I have delayed for so long, so I made a fix locally. But I need to test this fix first; can you give me a target that uses TLSv1?

@shelld3v shelld3v added in review Should this be accepted? and removed bug Something isn't working labels May 17, 2021
@c2xusnpq6
Author

I'm sorry, I forgot the target IP... maybe next time... you can close this issue😅thx

@shelld3v
Collaborator

No problem, I will keep this issue open until you find that IP

@adfoster-r7

I ran into this issue against an older IIS server; you can replicate the issue locally by setting up a TLS 1.0-only server:

# Create certs:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

# Create a tls1 only server with openssl:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1

Verify curl works with the explicit tls1 flag:

curl -v https://localhost:44330/ -k --tlsv1

Example of the dirsearch error when scanning the tls1 server:

Target: https://localhost:44330/

SSL Error connecting to server. Try the -b flag to connect by hostname

Task Completed

Work around patch I applied locally to make it work (on a slightly older dirsearch version):

diff --git a/lib/connection/Requester.py b/lib/connection/Requester.py
index c3b2068..de08517 100755
--- a/lib/connection/Requester.py
+++ b/lib/connection/Requester.py
@@ -26,9 +26,21 @@ import urllib.parse
 import urllib.request
 
 import thirdparty.requests as requests
+from requests.adapters import HTTPAdapter
+from requests.packages.urllib3.poolmanager import PoolManager
 from .RequestException import *
 from .Response import *
+import ssl
 
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+class MyAdapter(HTTPAdapter):
+    def init_poolmanager(self, connections, maxsize, block=False):
+        self.poolmanager = PoolManager(num_pools=connections,
+                                       maxsize=maxsize,
+                                       block=block,
+                                       ssl_version=ssl.PROTOCOL_TLSv1)
 
 class Requester(object):
     headers = {
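Review bot: `ssl_version=ssl.PROTOCOL_TLSv1` in `MyAdapter.init_poolmanager` pins every HTTPS pool to TLS 1.0 only (`PROTOCOL_TLSv1` is a fixed-version constant, not a floor), so targets that have disabled TLS 1.0, which is most of them, would fail with this patch the same way the TLS 1.0-only target fails today. Use a negotiating context instead: an `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` with `minimum_version = ssl.TLSVersion.TLSv1`, passed to `PoolManager` as `ssl_context=` rather than the deprecated `ssl_version=`, and only when the user asks for legacy TLS. Two smaller points in the same hunk: `HTTPAdapter`, `PoolManager` and `urllib3` are imported from the system copies while the session comes from `thirdparty.requests`, so the adapter subclasses and the warning filter target a different copy of the library than the one the session uses (import from `thirdparty.requests.adapters` and its packaged urllib3 for consistency), and the override drops the `**pool_kwargs` that upstream `HTTPAdapter.init_poolmanager` accepts, so any pool options requests passes through are silently lost.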
@@ -111,6 +123,7 @@ class Requester(object):
         self.randomAgents = None
         self.requestByHostname = requestByHostname
         self.session = requests.Session()
+        self.session.mount('https://', MyAdapter())
 
     def setHeader(self, header, content):
         self.headers[header] = content
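Review bot: `self.session.mount('https://', MyAdapter())` applies the adapter unconditionally to every HTTPS scan, so the protocol change from the first hunk is not opt-in and there is no way to get the previous negotiation back. Gate the mount behind a new option (the ask in this thread is a curl `-1`/`--tlsv1` style flag), mount only when it is set, and document the option; nothing in this hunk touches certificate verification, which the thread says is already disabled elsewhere in the requester.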

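The two curl switches the thread keeps circling, `-k` (no certificate check) and `-1` (TLS 1.0 or greater), expressed as a client-side TLS context for a scanner. This is an added example, not dirsearch's code and not the patch above: it builds a negotiating context with a TLS 1.0 floor instead of pinning the version, and optionally mounts it on a `requests.Session` via `ssl_context=`. The helper names `legacy_client_context`, `context_summary` and `mount_legacy_tls` are my own; it assumes Python 3.7+ on OpenSSL 1.1.0 or newer (the `@SECLEVEL=0` cipher string is what lets OpenSSL 1.1.1/3.x negotiate pre-1.2 protocols at all), and the `requests` part is only exercised if that library is installed.

```python
"""Client-side TLS settings equivalent to `curl -k --tlsv1` for a scanner.

Added example (not dirsearch's code). Assumes Python >= 3.7 with OpenSSL >= 1.1.0;
the requests/urllib3 part is optional and only used if `requests` is installed.
"""
import ssl


def legacy_client_context(min_version=ssl.TLSVersion.TLSv1, verify=False):
    """Return an SSLContext that negotiates min_version..latest, like curl -1.

    verify=False reproduces curl -k: no chain or hostname validation, which is
    the usual default for a brute-forcer but means a MITM can read the scan.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT defaults to a TLS 1.2 floor on Python >= 3.10;
    # lowering minimum_version is the documented way to re-enable 1.0/1.1
    # (it raises ValueError on builds compiled without those protocols).
    ctx.minimum_version = min_version
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    if verify:
        ctx.load_default_certs()  # system CA bundle; hostname check stays on
    else:
        # Order matters: check_hostname must be off before verify_mode=CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if min_version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 1.1.1/3.x refuse TLS 1.0/1.1 handshakes at the default
        # security level (1); SECLEVEL=0 is required for them to negotiate.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # LibreSSL and older builds do not parse @SECLEVEL; nothing to lower
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that matter, for logging or tests."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def mount_legacy_tls(session, ctx):
    """Route session's https:// traffic through ctx (requests >= 2.4 with urllib3).

    Passing ssl_context= keeps urllib3 negotiating; the deprecated ssl_version=
    kwarg with a fixed PROTOCOL_TLSv1 would instead pin the pool to TLS 1.0 only.
    """
    from requests.adapters import HTTPAdapter

    class LegacyTLSAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx
            return super().init_poolmanager(*args, **kwargs)

    session.mount("https://", LegacyTLSAdapter())
    return session


if __name__ == "__main__":
    # Usage against the openssl s_server -tls1 target from this thread (hypothetical URL):
    #   s = requests.Session(); mount_legacy_tls(s, legacy_client_context())
    #   s.get("https://localhost:44330/")
    print(context_summary(legacy_client_context()))
    print(context_summary(legacy_client_context(verify=True)))
```

The floor is a parameter rather than a constant so the scanner can keep the secure default (TLS 1.2) and lower it only when a flag like curl's `-1` is given; `context_summary` exists so the chosen settings can be printed in the scan header, which is what a reader of the "There was a problem in the request" error above would need to see.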
@shelld3v
Collaborator

@adfoster-r7 Thanks for your effort, I have actually made the same fix locally already but haven't pushed it to the code yet because I didn't have any target to test, now I can:)

@shelld3v shelld3v added this to the v0.4.4 milestone Sep 19, 2022
@shelld3v
Collaborator

shelld3v commented Oct 2, 2022

@adfoster-r7 Do you know how to host a TLSv1.2-only server?

@adfoster-r7

Should be the same as the steps above but just with the -tls1_2 flag:

# Create certs:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

# Create a TLS 1.2-only server with openssl:
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1_2

Verifying:

$ curl -v https://127.0.0.1:44330 -k

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
...

Or with sslscan:

➜  ~ sslscan 192.168.123.1:44330
Version: 2.0.12-static
OpenSSL 1.1.1n-dev  xx XXX xxxx

Connected to 192.168.123.1

Testing SSL server 192.168.123.1 on port 44330 using SNI name 192.168.123.1

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled    <---
TLSv1.3   disabled

@shelld3v
Collaborator

shelld3v commented Oct 8, 2022

@adfoster-r7 Can you check if the issue is still reproducible with dirsearch v0.4.3?

@shelld3v
Collaborator

shelld3v commented Nov 3, 2022

@adfoster-r7 I can't reproduce the issue now, can you check if the issue is still there in the latest version of dirsearch (v0.4.3)?

@shelld3v shelld3v removed this from the v0.4.4 milestone Oct 13, 2024
6 participants
@maurosoria @oldlazycat @shelld3v @adfoster-r7 @c2xusnpq6 and others