Merge pull request #2328 from drwetter/w4ntun-merge
fixed DNS via Proxy
f95d0dd09a
|
@ -88,7 +88,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able
|
|||
.P
|
||||
\fB\-\-mx <domain|host>\fR tests all MX records (STARTTLS on port 25) from high to low priority, one after the other\.
|
||||
.P
|
||||
\fB\-\-ip <ip>\fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB<URI>\fR\. IPv6 addresses need to be supplied in square brackets\. \fB\-\-ip=one\fR means: just test the first A record DNS returns (useful for multiple IPs)\. If \fB\-6\fR and \fB\-\-ip=one\fR was supplied an AAAA record will be picked if available\. The \fB\-\-ip\fR option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\.
|
||||
\fB\-\-ip <ip>\fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB<URI>\fR\. IPv6 addresses need to be supplied in square brackets\. \fB\-\-ip=one\fR means: just test the first A record DNS returns (useful for multiple IPs)\. If \fB\-6\fR and \fB\-\-ip=one\fR was supplied an AAAA record will be picked if available\. The \fB\-\-ip\fR option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\. \fB\-\-ip=proxy\fR plus \fB\-\-nodns=min\fR is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records\.
|
||||
.P
|
||||
\fB\-\-proxy <host>:<port>\fR does ANY check via the specified proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. The hostname supplied will be resolved to the first A record\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. OCSP revocation checking (\fB\-S \-\-phone\-out\fR) is not supported by OpenSSL via proxy\. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed\. However if \fBIGN_OCSP_PROXY=true\fR has been supplied it will be tried directly\. Authentication to the proxy is not supported\. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported\.
|
||||
.P
|
||||
|
@ -102,7 +102,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able
|
|||
.P
|
||||
\fB\-\-assuming\-http\fR testssl\.sh normally does upfront an application protocol detection\. In cases where HTTP cannot be automatically detected you may want to use this option\. It enforces testssl\.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation\. Please note that sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
|
||||
.P
|
||||
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in \fB/etc/hosts\fR\. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentests\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the environment variable for this\.
|
||||
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in \fB/etc/hosts\fR\. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentests\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the environment variable for this\. \fB\-\-nodns=min\fR plus \fB\-\-ip=proxy\fR is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records\.
|
||||
.P
|
||||
\fB\-\-sneaky\fR For HTTP header checks testssl\.sh uses normally the server friendly HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn't hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
|
||||
.P
|
||||
|
|
|
@ -200,7 +200,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
|
|||
|
||||
<p><code>--mx <domain|host></code> tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.</p>
|
||||
|
||||
<p><code>--ip <ip></code> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <code><URI></code>. IPv6 addresses need to be supplied in square brackets. <code>--ip=one</code> means: just test the first A record DNS returns (useful for multiple IPs). If <code>-6</code> and <code>--ip=one</code> was supplied an AAAA record will be picked if available. The <code>--ip</code> option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit <code>/etc/hosts</code> or <code>/c/Windows/System32/drivers/etc/hosts</code>. <code>--ip=proxy</code> tries a DNS resolution via proxy.</p>
|
||||
<p><code>--ip <ip></code> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <code><URI></code>. IPv6 addresses need to be supplied in square brackets. <code>--ip=one</code> means: just test the first A record DNS returns (useful for multiple IPs). If <code>-6</code> and <code>--ip=one</code> was supplied an AAAA record will be picked if available. The <code>--ip</code> option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit <code>/etc/hosts</code> or <code>/c/Windows/System32/drivers/etc/hosts</code>. <code>--ip=proxy</code> tries a DNS resolution via proxy. <code>--ip=proxy</code> tries a DNS resolution via proxy. </code>--ip=proxy</code> plus <code>--nodns=min</code> is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.</p>
|
||||
|
||||
<p><code>--proxy <host>:<port></code> does ANY check via the specified proxy. <code>--proxy=auto</code> inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition if you want lookups via proxy you can specify <code>DNS_VIA_PROXY=true</code>. OCSP revocation checking (<code>-S --phone-out</code>) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if <code>IGN_OCSP_PROXY=true</code> has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported.</p>
|
||||
|
||||
|
@ -217,7 +217,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
|
|||
<p><code>--assuming-http</code> testssl.sh normally does upfront an application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It enforces testssl.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
|
||||
|
||||
<p><code>-n, --nodns <min|none></code> tells testssl.sh which DNS lookups should be performed. <code>min</code> uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. <code>none</code> performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use <code>--ip</code> or have the IP address
|
||||
in <code>/etc/hosts</code>. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the environment variable for this.</p>
|
||||
in <code>/etc/hosts</code>. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the environment variable for this. <code>--nodns=min</code> plus <code>--ip=proxy</code> is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.</p>
|
||||
|
||||
<p><code>--sneaky</code> For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>
|
||||
|
||||
|
|
|
@ -122,7 +122,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
|
|||
|
||||
`--mx <domain|host>` tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.
|
||||
|
||||
`--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy.
|
||||
`--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. `--ip=proxy` plus `--nodns=min` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.
|
||||
|
||||
`--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported.
|
||||
|
||||
|
@ -139,8 +139,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
|
|||
|
||||
`--assuming-http` testssl.sh normally does upfront an application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It enforces testssl.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
|
||||
|
||||
`-n, --nodns <min|none>` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address
|
||||
in `/etc/hosts`. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the environment variable for this.
|
||||
`-n, --nodns <min|none>` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address in `/etc/hosts`. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the environment variable for this. `--nodns=min` plus `--ip=proxy` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.
|
||||
|
||||
`--sneaky` For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).
|
||||
|
||||
|
|
69
testssl.sh
69
testssl.sh
|
@ -196,7 +196,7 @@ TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it
|
|||
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
|
||||
EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
|
||||
PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
|
||||
DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=proxy reverses this
|
||||
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this
|
||||
IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out
|
||||
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
|
||||
MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
|
||||
|
@ -8857,7 +8857,7 @@ certificate_info() {
|
|||
local cn_finding trustfinding trustfinding_nosni
|
||||
local cnok="OK"
|
||||
local expfinding expok="OK"
|
||||
local -i ret=0
|
||||
local -i ret=0 tmp=0
|
||||
local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate
|
||||
local jsonID="" # string to place at beginning of JSON IDs
|
||||
local json_rating json_msg
|
||||
|
@ -9715,6 +9715,8 @@ certificate_info() {
|
|||
caa=""
|
||||
while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do
|
||||
caa="$(get_caa_rr_record $caa_node)"
|
||||
tmp=${PIPESTATUS[@]}
|
||||
[[ $DEBUG -ge 4 ]] && echo "get_caa_rr_record: $tmp"
|
||||
[[ $caa_node =~ '.'$ ]] || caa_node+="."
|
||||
caa_node=${caa_node#*.}
|
||||
done
|
||||
|
@ -9736,6 +9738,9 @@ certificate_info() {
|
|||
elif [[ -n "$NODNS" ]]; then
|
||||
out "(instructed to minimize DNS queries)"
|
||||
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed"
|
||||
elif "$DNS_VIA_PROXY"; then
|
||||
out "(instructed to use the proxy for DNS only)"
|
||||
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed (proxy)"
|
||||
else
|
||||
pr_svrty_low "not offered"
|
||||
fileout "${jsonID}${json_postfix}" "LOW" "--"
|
||||
|
@ -20015,7 +20020,7 @@ find_openssl_binary() {
|
|||
HAS_ZLIB=false
|
||||
HAS_UDS=false
|
||||
HAS_UDS2=false
|
||||
TRUSTED1ST=""
|
||||
TRUSTED1ST=""
|
||||
HAS_ENABLE_PHA=false
|
||||
|
||||
$OPENSSL ciphers -s 2>&1 | grep -aiq "unknown option" || OSSL_CIPHERS_S="-s"
|
||||
|
@ -20337,7 +20342,8 @@ tuning / connect options (most also can be preset via environment variables):
|
|||
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy)
|
||||
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
|
||||
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
|
||||
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
|
||||
b) "one" means: just test the first DNS returns (useful for multiple IPs)
|
||||
c) "proxy" means: dns resolution via proxy. Needed when host has no DNS.
|
||||
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
|
||||
--sneaky leave less traces in target logs: user agent, referer
|
||||
--user-agent <user agent> set a custom user agent instead of the standard user agent
|
||||
|
@ -21055,7 +21061,8 @@ get_caa_rr_record() {
|
|||
|
||||
"$HAS_DIG_NOIDNOUT" && noidnout="+noidnout"
|
||||
|
||||
[[ -n "$NODNS" ]] && return 0 # if minimum DNS lookup was instructed, leave here
|
||||
[[ -n "$NODNS" ]] && return 2 # if minimum DNS lookup was instructed, leave here
|
||||
|
||||
# if there's a type257 record there are two output formats here, mostly depending on age of distribution
|
||||
# roughly that's the difference between text and binary format
|
||||
# 1) 'google.com has CAA record 0 issue "symantec.com"'
|
||||
|
@ -22069,12 +22076,19 @@ display_rdns_etc() {
|
|||
|
||||
datebanner() {
|
||||
local scan_time_f=""
|
||||
local node_banner=""
|
||||
|
||||
if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then
|
||||
node_banner="$NODE:$PORT"
|
||||
else
|
||||
node_banner="$NODEIP:$PORT ($NODE)"
|
||||
fi
|
||||
|
||||
if [[ "$1" =~ Done ]] ; then
|
||||
scan_time_f="$(printf "%04ss" "$SCAN_TIME")" # 4 digits because of windows
|
||||
pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $NODEIP:$PORT ($NODE) <<--"
|
||||
pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $node_banner <<--"
|
||||
else
|
||||
pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--"
|
||||
pr_reverse "$1 $(date +%F) $(date +%T) -->> $node_banner <<--"
|
||||
fi
|
||||
outln "\n"
|
||||
[[ "$1" =~ Start ]] && display_rdns_etc
|
||||
|
@ -23790,7 +23804,6 @@ lets_roll() {
|
|||
fi
|
||||
stopwatch initialized
|
||||
|
||||
[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" $ERR_DNSLOOKUP
|
||||
nodeip_to_proper_ip6
|
||||
reset_hostdepended_vars
|
||||
determine_rdns # Returns always zero or has already exited if fatal error occurred
|
||||
|
@ -23993,26 +24006,30 @@ lets_roll() {
|
|||
[[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs and IP46ADDR is set now
|
||||
prepare_logging
|
||||
|
||||
if ! determine_ip_addresses; then
|
||||
fatal "No IP address could be determined" $ERR_DNSLOOKUP
|
||||
fi
|
||||
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
|
||||
MULTIPLE_CHECKS=true
|
||||
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
||||
for ip in $IPADDRs; do
|
||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||
outln
|
||||
NODEIP="$ip"
|
||||
lets_roll "${STARTTLS_PROTOCOL}"
|
||||
RET=$((RET + $?)) # RET value per IP address
|
||||
done
|
||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||
outln
|
||||
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
||||
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
|
||||
NODEIP="$IPADDRs"
|
||||
if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then
|
||||
NODEIP="$NODE"
|
||||
lets_roll "${STARTTLS_PROTOCOL}"
|
||||
RET=$?
|
||||
else
|
||||
determine_ip_addresses
|
||||
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
|
||||
MULTIPLE_CHECKS=true
|
||||
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
||||
for ip in $IPADDRs; do
|
||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||
outln
|
||||
NODEIP="$ip"
|
||||
lets_roll "${STARTTLS_PROTOCOL}"
|
||||
RET=$((RET + $?)) # RET value per IP address
|
||||
done
|
||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||
outln
|
||||
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
||||
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
|
||||
NODEIP="$IPADDRs"
|
||||
lets_roll "${STARTTLS_PROTOCOL}"
|
||||
RET=$?
|
||||
fi
|
||||
fi
|
||||
|
||||
exit $RET
|
||||
|
|
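Review bot: The new banner test in datebanner() compares the literal string `"PROXY"` rather than the variable, so `[[ -n "PROXY" ]]` is always true and the hostname-only banner is selected by `$DNS_VIA_PROXY` alone (masked in practice because that now defaults to false, but wrong as soon as the env var is set without `--proxy`); it should read `if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY"; then`, matching the identical test the caller uses in lets_roll. Separately, the caller hunk replaces `if ! determine_ip_addresses; then fatal ...; fi` with a bare `determine_ip_addresses` and the lets_roll hunk drops `[[ -z "$NODEIP" ]] && fatal`, so unless determine_ip_addresses aborts on its own a failed lookup now proceeds into lets_roll with an empty NODEIP; wrapping the bare call in the else branch as `determine_ip_addresses || fatal "No IP address could be determined" $ERR_DNSLOOKUP` would keep that guard. datebanner() and lets_roll() both continue outside their hunks.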