Merge pull request #2328 from drwetter/w4ntun-merge

fixed DNS via Proxy
This commit is contained in:
Dirk Wetter 2023-03-23 14:31:17 +01:00 committed by GitHub
commit f95d0dd09a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 49 additions and 33 deletions

View File

@ -88,7 +88,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able
.P
\fB\-\-mx <domain|host>\fR tests all MX records (STARTTLS on port 25) from high to low priority, one after the other\.
.P
\fB\-\-ip <ip>\fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB<URI>\fR\. IPv6 addresses need to be supplied in square brackets\. \fB\-\-ip=one\fR means: just test the first A record DNS returns (useful for multiple IPs)\. If \fB\-6\fR and \fB\-\-ip=one\fR was supplied an AAAA record will be picked if available\. The \fB\-\-ip\fR option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\.
\fB\-\-ip <ip>\fR tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in \fB<URI>\fR\. IPv6 addresses need to be supplied in square brackets\. \fB\-\-ip=one\fR means: just test the first A record DNS returns (useful for multiple IPs)\. If \fB\-6\fR and \fB\-\-ip=one\fR was supplied an AAAA record will be picked if available\. The \fB\-\-ip\fR option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit \fB/etc/hosts\fR or \fB/c/Windows/System32/drivers/etc/hosts\fR\. \fB\-\-ip=proxy\fR tries a DNS resolution via proxy\. \fB\-\-ip=proxy\fR plus \fB\-\-nodns=min\fR is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records\.
.P
\fB\-\-proxy <host>:<port>\fR does ANY check via the specified proxy\. \fB\-\-proxy=auto\fR inherits the proxy setting from the environment\. The hostname supplied will be resolved to the first A record\. In addition if you want lookups via proxy you can specify \fBDNS_VIA_PROXY=true\fR\. OCSP revocation checking (\fB\-S \-\-phone\-out\fR) is not supported by OpenSSL via proxy\. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed\. However if \fBIGN_OCSP_PROXY=true\fR has been supplied it will be tried directly\. Authentication to the proxy is not supported\. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported\.
.P
@ -102,7 +102,7 @@ A typical internal conversion to testssl\.sh file format from nmap's grep(p)able
.P
\fB\-\-assuming\-http\fR testssl\.sh normally does upfront an application protocol detection\. In cases where HTTP cannot be automatically detected you may want to use this option\. It enforces testssl\.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation\. Please note that sometimes also the severity depends on the application protocol, e\.g\. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server\.
.P
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in \fB/etc/hosts\fR\. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentests\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the environment variable for this\.
\fB\-n, \-\-nodns <min|none>\fR tells testssl\.sh which DNS lookups should be performed\. \fBmin\fR uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name\. \fBnone\fR performs no DNS lookups at all\. For the latter you either have to supply the IP address as a target, to use \fB\-\-ip\fR or have the IP address in \fB/etc/hosts\fR\. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups\. The latter can apply e\.g\. to some pentests\. In general this option could e\.g\. help you to avoid timeouts by DNS lookups\. \fBNODNS\fR is the environment variable for this\. \fB\-\-nodns=min\fR plus \fB\-\-ip=proxy\fR is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records\.
.P
\fB\-\-sneaky\fR For HTTP header checks testssl\.sh uses normally the server friendly HTTP user agent \fBTLS tester from ${URL}\fR\. With this option your traces are less verbose and a Firefox user agent is being used\. Be aware that it doesn't hide your activities\. That is just not possible (environment preset via \fBSNEAKY=true\fR)\.
.P

View File

@ -200,7 +200,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
<p><code>--mx &lt;domain|host&gt;</code> tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.</p>
<p><code>--ip &lt;ip&gt;</code> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <code>&lt;URI&gt;</code>. IPv6 addresses need to be supplied in square brackets. <code>--ip=one</code> means: just test the first A record DNS returns (useful for multiple IPs). If <code>-6</code> and <code>--ip=one</code> was supplied an AAAA record will be picked if available. The <code>--ip</code> option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit <code>/etc/hosts</code> or <code>/c/Windows/System32/drivers/etc/hosts</code>. <code>--ip=proxy</code> tries a DNS resolution via proxy.</p>
<p><code>--ip &lt;ip&gt;</code> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <code>&lt;URI&gt;</code>. IPv6 addresses need to be supplied in square brackets. <code>--ip=one</code> means: just test the first A record DNS returns (useful for multiple IPs). If <code>-6</code> and <code>--ip=one</code> was supplied an AAAA record will be picked if available. The <code>--ip</code> option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit <code>/etc/hosts</code> or <code>/c/Windows/System32/drivers/etc/hosts</code>. <code>--ip=proxy</code> tries a DNS resolution via proxy. <code>--ip=proxy</code> tries a DNS resolution via proxy. </code>--ip=proxy</code> plus <code>--nodns=min</code> is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.</p>
<p><code>--proxy &lt;host&gt;:&lt;port&gt;</code> does ANY check via the specified proxy. <code>--proxy=auto</code> inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition if you want lookups via proxy you can specify <code>DNS_VIA_PROXY=true</code>. OCSP revocation checking (<code>-S --phone-out</code>) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if <code>IGN_OCSP_PROXY=true</code> has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported.</p>
@ -217,7 +217,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
<p><code>--assuming-http</code> testssl.sh normally does upfront an application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It enforces testssl.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.</p>
<p><code>-n, --nodns &lt;min|none&gt;</code> tells testssl.sh which DNS lookups should be performed. <code>min</code> uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. <code>none</code> performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use <code>--ip</code> or have the IP address
in <code>/etc/hosts</code>. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the environment variable for this.</p>
in <code>/etc/hosts</code>. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. <code>NODNS</code> is the environment variable for this. <code>--nodns=min</code> plus <code>--ip=proxy</code> is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.</p>
<p><code>--sneaky</code> For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent <code>TLS tester from ${URL}</code>. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via <code>SNEAKY=true</code>).</p>

View File

@ -122,7 +122,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--mx <domain|host>` tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.
`--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy.
`--ip <ip>` tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in `<URI>`. IPv6 addresses need to be supplied in square brackets. `--ip=one` means: just test the first A record DNS returns (useful for multiple IPs). If `-6` and `--ip=one` was supplied an AAAA record will be picked if available. The ``--ip`` option might be also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit `/etc/hosts` or `/c/Windows/System32/drivers/etc/hosts`. `--ip=proxy` tries a DNS resolution via proxy. `--ip=proxy` plus `--nodns=min` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.
`--proxy <host>:<port>` does ANY check via the specified proxy. `--proxy=auto` inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition if you want lookups via proxy you can specify `DNS_VIA_PROXY=true`. OCSP revocation checking (`-S --phone-out`) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for port 80 and 443 outgoing being blocked in your network an OCSP revocation check won't be performed. However if `IGN_OCSP_PROXY=true` has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported.
@ -139,8 +139,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--assuming-http` testssl.sh normally does upfront an application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It enforces testssl.sh not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.
`-n, --nodns <min|none>` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address
in `/etc/hosts`. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the environment variable for this.
`-n, --nodns <min|none>` tells testssl.sh which DNS lookups should be performed. `min` uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. `none` performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, to use `--ip` or have the IP address in `/etc/hosts`. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. `NODNS` is the environment variable for this. `--nodns=min` plus `--ip=proxy` is useful for situations with no local DNS as there'll be no DNS timeouts when trying to resolve CAA, TXT and MX records.
`--sneaky` For HTTP header checks testssl.sh uses normally the server friendly HTTP user agent `TLS tester from ${URL}`. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via `SNEAKY=true`).

View File

@ -196,7 +196,7 @@ TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your CA stores some place else
EXPERIMENTAL=${EXPERIMENTAL:-false} # a development hook which allows us to disable code
PROXY_WAIT=${PROXY_WAIT:-20} # waiting at max 20 seconds for socket reply through proxy
DNS_VIA_PROXY=${DNS_VIA_PROXY:-true} # do DNS lookups via proxy. --ip=proxy reverses this
DNS_VIA_PROXY=${DNS_VIA_PROXY:-false} # do DNS lookups via proxy. --ip=proxy reverses this
IGN_OCSP_PROXY=${IGN_OCSP_PROXY:-false} # Also when --proxy is supplied it is ignored when testing for revocation via OCSP via --phone-out
HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-5} # we wait this long before killing the process to retrieve a service banner / http header
MAX_SOCKET_FAIL=${MAX_SOCKET_FAIL:-2} # If this many failures for TCP socket connects are reached we terminate
@ -8857,7 +8857,7 @@ certificate_info() {
local cn_finding trustfinding trustfinding_nosni
local cnok="OK"
local expfinding expok="OK"
local -i ret=0
local -i ret=0 tmp=0
local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate
local jsonID="" # string to place at beginning of JSON IDs
local json_rating json_msg
@ -9715,6 +9715,8 @@ certificate_info() {
caa=""
while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do
caa="$(get_caa_rr_record $caa_node)"
tmp=${PIPESTATUS[@]}
[[ $DEBUG -ge 4 ]] && echo "get_caa_rr_record: $tmp"
[[ $caa_node =~ '.'$ ]] || caa_node+="."
caa_node=${caa_node#*.}
done
@ -9736,6 +9738,9 @@ certificate_info() {
elif [[ -n "$NODNS" ]]; then
out "(instructed to minimize DNS queries)"
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed"
elif "$DNS_VIA_PROXY"; then
out "(instructed to use the proxy for DNS only)"
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed (proxy)"
else
pr_svrty_low "not offered"
fileout "${jsonID}${json_postfix}" "LOW" "--"
@ -20015,7 +20020,7 @@ find_openssl_binary() {
HAS_ZLIB=false
HAS_UDS=false
HAS_UDS2=false
TRUSTED1ST=""
TRUSTED1ST=""
HAS_ENABLE_PHA=false
$OPENSSL ciphers -s 2>&1 | grep -aiq "unknown option" || OSSL_CIPHERS_S="-s"
@ -20337,7 +20342,8 @@ tuning / connect options (most also can be preset via environment variables):
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy)
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
b) "one" means: just test the first DNS returns (useful for multiple IPs)
c) "proxy" means: dns resolution via proxy. Needed when host has no DNS.
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
--sneaky leave less traces in target logs: user agent, referer
--user-agent <user agent> set a custom user agent instead of the standard user agent
@ -21055,7 +21061,8 @@ get_caa_rr_record() {
"$HAS_DIG_NOIDNOUT" && noidnout="+noidnout"
[[ -n "$NODNS" ]] && return 0 # if minimum DNS lookup was instructed, leave here
[[ -n "$NODNS" ]] && return 2 # if minimum DNS lookup was instructed, leave here
# if there's a type257 record there are two output formats here, mostly depending on age of distribution
# roughly that's the difference between text and binary format
# 1) 'google.com has CAA record 0 issue "symantec.com"'
@ -22069,12 +22076,19 @@ display_rdns_etc() {
datebanner() {
local scan_time_f=""
local node_banner=""
if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then
node_banner="$NODE:$PORT"
else
node_banner="$NODEIP:$PORT ($NODE)"
fi
if [[ "$1" =~ Done ]] ; then
scan_time_f="$(printf "%04ss" "$SCAN_TIME")" # 4 digits because of windows
pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $NODEIP:$PORT ($NODE) <<--"
pr_reverse "$1 $(date +%F) $(date +%T) [$scan_time_f] -->> $node_banner <<--"
else
pr_reverse "$1 $(date +%F) $(date +%T) -->> $NODEIP:$PORT ($NODE) <<--"
pr_reverse "$1 $(date +%F) $(date +%T) -->> $node_banner <<--"
fi
outln "\n"
[[ "$1" =~ Start ]] && display_rdns_etc
@ -23790,7 +23804,6 @@ lets_roll() {
fi
stopwatch initialized
[[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" $ERR_DNSLOOKUP
nodeip_to_proper_ip6
reset_hostdepended_vars
determine_rdns # Returns always zero or has already exited if fatal error occurred
@ -23993,26 +24006,30 @@ lets_roll() {
[[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDRs and IP46ADDR is set now
prepare_logging
if ! determine_ip_addresses; then
fatal "No IP address could be determined" $ERR_DNSLOOKUP
fi
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
MULTIPLE_CHECKS=true
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
for ip in $IPADDRs; do
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
NODEIP="$ip"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$((RET + $?)) # RET value per IP address
done
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
NODEIP="$IPADDRs"
if [[ -n "$PROXY" ]] && $DNS_VIA_PROXY; then
NODEIP="$NODE"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$?
else
determine_ip_addresses
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
MULTIPLE_CHECKS=true
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
for ip in $IPADDRs; do
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
NODEIP="$ip"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$((RET + $?)) # RET value per IP address
done
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
NODEIP="$IPADDRs"
lets_roll "${STARTTLS_PROTOCOL}"
RET=$?
fi
fi
exit $RET