
How to run Metasploit WMAP against a site that requires SNI

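Sorry if this is an obvious question, but the documentation really seems a little thin. I am trying to scan (with permission) a site that redirects to its https version and requires SNI for access. WMAP seems to convert the FQDN to an IP address and discard the hostname, which appears to make the scan fail. Redacted transcript below.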

msf > db_status 
[*] postgresql connected to msf
msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
msf > wmap_sites -a http://example.com/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

     Id  Host           Vhost          Port  Proto  # Pages  # Forms
     --  ----           -----          ----  -----  -------  -------
     0   1.2.3.4  1.2.3.4  443   https  0        0


[*] Available sites
===============

     Id  Host           Vhost          Port  Proto  # Pages  # Forms
     --  ----           -----          ----  -----  -------  -------
     0   1.2.3.4  1.2.3.4  443   https  0        0


msf > wmap_targets -t https://1.2.3.4/login
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 1.2.3.4 (1.2.3.4)
[*]     Port: 443 SSL: true
============================================================
[*] Testing started. 2018-10-15 18:42:22 +0200
[*] 
=[ SSL testing ]=
============================================================
[*] Module auxiliary/scanner/http/cert
[*] Module auxiliary/scanner/http/ssl

[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] 
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/open_proxy
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/admin/http/tomcat_administration
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Attempting to connect to 1.2.3.4:443
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/frontpage_login
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/host_header_injection
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/options
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/robots_txt
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/scraper
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/svn_scanner
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/trace
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/vhost_scanner
[*]  >> Exception during launch from auxiliary/scanner/http/vhost_scanner: The following options failed to validate: DOMAIN.
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/webdav_website_content
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] 
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/dir_scanner
[*] Path: /
[*] Detecting error code
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/files_dir
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/http_put
[*] Path: /
[-] 1.2.3.4: Error: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[-] 1.2.3.4: File doesn't seem to exist. The upload probably failed
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Path: /
[-] Auxiliary failed: NameError uninitialized constant Errno::E877PIPE
[-] Call stack:
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb:113:in `rescue in run_host'
[-]   /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb:55:in `run_host'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:135:in `block (2 levels) in run'
[-]   /opt/metasploit-framework/embedded/framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Path: /
[-] Blank or default PATH set.
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Path: /
[*] Starting scan with 0ms delay between requests
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/trace_axd
[*] Path: /
[*] Error: 1.2.3.4: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert internal error
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*] 
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*] 
=[ Query testing ]=
============================================================
[*] 
=[ General testing ]=
============================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Launch completed in 10.537943124771118 seconds.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[*] Done.

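Have I missed something obvious, or is this a limitation of Metasploit? In case it makes a difference, I am running the latest nightly build of the open-source release of Metasploit on Ubuntu 18.04. Thanks in advance for any advice.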

Edit: To clarify, I cannot add the target using the domain name. Doing so produces an error:

msf > wmap_targets -t http://example.com/login
[-] Error while running command wmap_targets: PG::InvalidTextRepresentation: ERROR:  invalid input syntax for type inet: "example.com"
: SELECT  "hosts".* FROM "hosts" WHERE "hosts"."workspace_id" = $1 AND "hosts"."address" = $2 LIMIT 1

The target is only added successfully if I pass wmap_targets the IP address listed by wmap_sites -l rather than the domain.

5
Kitserve

I have just investigated the same issue. The syntax for adding a site/target with vhosts (SNI) is as follows:

Add the site:

wmap_sites -a example.com,http://192.168.1.1

Add the target:

wmap_targets -t example.com,http://192.168.1.1
1
Mike Gaertner
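
The difference between the two forms can be checked outside Metasploit. The following Ruby sketch is an added example, not part of the original posts and not Metasploit code: it starts a throwaway TLS server on loopback and reports which server_name the server received when the client connects to an IP address with and without a hostname set. The helper names `self_signed_ctx` and `sni_seen_by_server`, the certificate and the loopback server are all constructed for this illustration.

```ruby
require 'openssl'
require 'socket'

# Constructed throwaway certificate for the loopback test server.
def self_signed_ctx(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx
end

# Connects to 127.0.0.1 (an IP address, as in the failing transcript) and
# returns the server_name the server saw in the ClientHello, or nil if the
# client sent none.
def sni_seen_by_server(sni_name)
  seen = nil
  ctx = self_signed_ctx('example.com')
  # Ruby only invokes this callback when the client actually sent SNI.
  ctx.servername_cb = proc { |_ssl, name| seen = name; nil }
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  acceptor = Thread.new { server.accept.close }
  sock = TCPSocket.new('127.0.0.1', tcp.addr[1])
  client = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new)
  client.hostname = sni_name if sni_name # this is what adds the SNI extension
  client.connect
  client.close
  acceptor.join
  seen
ensure
  sock&.close
  tcp&.close
end

if __FILE__ == $PROGRAM_NAME
  puts "IP only:       #{sni_seen_by_server(nil).inspect}"
  puts "IP + hostname: #{sni_seen_by_server('example.com').inspect}"
end
```

A server that selects its certificate or virtual host from server_name has nothing to select on in the first case, which is consistent with the handshake alerts in the transcript above.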