6

Apologies if this is an obvious question, documentation seems to be a bit thin on the ground. I'm attempting to scan (with permission) a site that redirects to its https version, and requires SNI to access. WMAP converts the FQDN to an IP address and seems to throw away the hostname. This appears to cause the scan to fail. Redacted transcript below.

```
msf > db_status 
[*] postgresql connected to msf
msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_sites -a http://example.com/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host           Vhost          Port  Proto  # Pages  # Forms
     --  ----           -----          ----  -----  -------  -------
     0   1.2.3.4  1.2.3.4  443   https  0        0


[*] Available sites
===============

     Id  Host           Vhost          Port  Proto  # Pages  # Forms
     --  ----           -----          ----  -----  -------  -------
     0   1.2.3.4  1.2.3.4  443   https  0        0


msf > wmap_targets -t https://1.2.3.4/login
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 1.2.3.4 (1.2.3.4)
[*]     Port: 443 SSL: true
============================================================
[*] Testing started. 2018-10-15 18:42:22 +0200
[*] 
=[ SSL testing ]=
============================================================
[*] Module auxiliary/scanner/http/cert
[*] Module auxiliary/scanner/http/ssl

[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/open_proxy
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/admin/http/tomcat_administration
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 1.2.3.4:443
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/frontpage_login
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/host_header_injection
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/options
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/robots_txt
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/scraper
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/svn_scanner
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/trace
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/vhost_scanner
[*]  >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/webdav_website_content
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 1.2.3.4: Error: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[-] 1.2.3.4: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] Auxiliary failed: NameError uninitialized constant Errno::E877PIPE
[-] Call stack:
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb:113:in `rescue in run_host'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb:55:in `run_host'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:135:in `block (2 levels) in run'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 10.537943124771118 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.
```

Have I missed something obvious, or is this a limitation of Metasploit? In case it makes a difference, I'm running the latest nightly build of the open source release of Metasploit on Ubuntu 18.04. Thanks in advance for any advice.

EDIT: Just to clarify, I am unable to add the target via its domain name. Doing so results in an error:

```
msf > wmap_targets -t http://example.com/login
[-] Error while running command wmap_targets: PG::InvalidTextRepresentation: ERROR:  invalid input syntax for type inet: "example.com"
: SELECT  "hosts".* FROM "hosts" WHERE "hosts"."workspace_id" = $1 AND "hosts"."address" = $2 LIMIT 1
```

It only successfully adds it as a target if I pass the IP address, as listed by wmap_sites -l, to wmap_targets instead of the domain.

Kitserve
  • Seems you're setting the target URL with an IP. `wmap_targets -t https://1.2.3.4/login`. Were you using a domain? When you post examples, use example.com for domains. It's a reserved domain to be used in examples. – Daisetsu Oct 15 '18 at 23:14
  • Thanks for your response. As I thought I'd explained in my question (maybe not clearly enough), I add the site using the domain, not the IP address: `wmap_sites -a http://example.com/`. However, WMAP seems to translate that into an IP address, as demonstrated by the output of `wmap_sites -l`. When I try to add a target, I **have** to add it via an IP address, i.e. `wmap_targets -t 1.2.3.4/login`. I'll update the question to reflect this. – Kitserve Oct 16 '18 at 08:41

1 Answer

3

Just researched the same issue; the syntax for adding sites/targets with vhosts (SNI) is:

Add site:

```
wmap_sites -a example.com,http://192.168.1.1
```

Add target:

```
wmap_targets -t example.com,http://192.168.1.1
```
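
An added example, not part of the original answer and not Metasploit code: a stand-alone Ruby check that handshakes with the same IP once without SNI and once with the vhost name, to confirm that a missing hostname is what produces the `SSLError` before re-running the scan. The names `tls_handshake` and `diagnose` and the verdict symbols are invented for this illustration.

```ruby
require 'socket'
require 'openssl'
require 'timeout'

# One TLS handshake to ip:port, optionally sending `sni` as the server_name
# extension. Certificate validation is off on purpose: this only checks
# whether the handshake completes and which certificate comes back.
def tls_handshake(ip, port, sni: nil, timeout: 5)
  tcp = Socket.tcp(ip, port, connect_timeout: timeout)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname = sni if sni # without this line no SNI is sent
  Timeout.timeout(timeout) { ssl.connect }
  { ok: true, subject: ssl.peer_cert&.subject.to_s }
rescue OpenSSL::SSL::SSLError, SystemCallError, SocketError, Timeout::Error => e
  { ok: false, error: "#{e.class}: #{e.message}" }
ensure
  begin
    (ssl || tcp)&.close
  rescue StandardError
    nil
  end
end

# Interpret the no-SNI and with-SNI results for the same IP and port.
def diagnose(no_sni, with_sni)
  return :fails_even_with_sni unless with_sni[:ok]
  return :sni_required unless no_sni[:ok]
  # Both handshakes worked; a different certificate means the bare IP lands
  # on a default vhost, so a scan by IP would test the wrong site.
  no_sni[:subject] == with_sni[:subject] ? :sni_optional : :default_vhost_differs
end

# Usage: ruby sni_check.rb <ip> <port> <vhost>
if ARGV.length == 3
  ip, port, host = ARGV[0], ARGV[1].to_i, ARGV[2]
  bare  = tls_handshake(ip, port)
  named = tls_handshake(ip, port, sni: host)
  puts "no SNI:   #{bare}", "with SNI: #{named}", "verdict:  #{diagnose(bare, named)}"
end
```

A verdict of `:sni_required` or `:default_vhost_differs` means the site and target need to be added in the `vhost,url` form shown above rather than by bare IP.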