Tib3rius / AutoRecon

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.


Prevent scanning of https when no site exists

Cyb3rC3lt opened this issue · comments

Hi Tib3rius,

I noticed also today that AutoRecon seems to scan port 443 and, although the port has no site, it continues to do a full feroxbuster on it and weirdly even returns 200 codes on many non-existent webpages.

200 332l 569w 10051c https://10.11.1.115/manual/index

Then when you visit them in a browser they don't exist as per the screenshot. Maybe a little check could be included here similar to WinRM to avoid long running directory busting.

Thanks a lot


That doesn't mean the site doesn't exist, it means your browser can't set up an SSL connection. It's likely using SSLv2 or something really old, or it's trying to use a cipher that your browser doesn't like. Can you share the sslscan output from AutoRecon for that port, because that should tell me more info.

If Nmap identified it as HTTP, it likely managed to connect and get a response from an HTTP request, but Nmap is more forgiving with SSL connections.

Ah yes, you could be right. Maybe it is a non-issue and these old OSCP lab machines aren't relevant nowadays.

Anyway here are my scans of that box and feel free to close if this issue is not needed.

Thanks

NMAP output:

443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.0.40 ((Red Hat Linux))
| ssl-cert: Subject: commonName=redhat/organizationName=ACME LOCAL LTD/stateOrProvinceName=Berkshire/countryName=GB/emailAddress=bob@acme.com/organizationalUnitName=MARKETING/localityName=Newbury
| Issuer: commonName=redhat/organizationName=ACME LOCAL LTD/stateOrProvinceName=Berkshire/countryName=GB/emailAddress=bob@acme.com/organizationalUnitName=MARKETING/localityName=Newbury
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2007-01-16T14:54:43
| Not valid after: 2008-01-16T14:54:43
| MD5: e900 ada0 dfea 0408 06cd ddee 15fd 7d8b
| SHA-1: 3b9a 70e7 870e 11b8 a221 5af7 bae9 dd03 ce90 3cbc
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_ssl-date: 2022-07-29T08:03:24+00:00; +6s from scanner time.
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
|_http-server-header: Apache/2.0.40 (Red Hat Linux)
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5

SSL Scan:

Version: 2.0.11-static
OpenSSL 1.1.1n-dev  xx XXX xxxx

Connected to 10.11.1.115

Testing SSL server 10.11.1.115 on port 443 using SNI name 10.11.1.115

  SSL/TLS Protocols:
SSLv2     enabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Insecure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.0  256 bits  DHE-RSA-AES256-SHA                     DHE 1024 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA                     DHE 1024 bits
Accepted  TLSv1.0  112 bits  DHE-RSA-DES-CBC3-SHA                   DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  RC4-SHA
Accepted  TLSv1.0  128 bits  RC4-MD5
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  40 bits   TLS_RSA_EXPORT_WITH_RC4_40_MD5
Accepted  TLSv1.0  40 bits   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
Accepted  TLSv1.0  40 bits   TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
Accepted  TLSv1.0  56 bits   TLS_RSA_WITH_DES_CBC_SHA
Accepted  TLSv1.0  40 bits   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Accepted  TLSv1.0  56 bits   TLS_DHE_RSA_WITH_DES_CBC_SHA

  SSL Certificate:
Version: 2
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=GB/ST=Berkshire/L=Newbury/O=ACME LOCAL LTD/OU=MARKETING/CN=redhat/emailAddress=bob@acme.com
Not valid before: Jan 16 14:54:43 2007 GMT
Not valid after: Jan 16 14:54:43 2008 GMT
Subject: /C=GB/ST=Berkshire/L=Newbury/O=ACME LOCAL LTD/OU=MARKETING/CN=redhat/emailAddress=bob@acme.com
Public Key Algorithm: NULL
RSA Public Key: (1024 bit)
RSA Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Subject Key Identifier: 68:A3:57:B1:F9:19:5F:88:97:DB:86:79:F8:EF:8D:30:D2:C5:CE:09
X509v3 Authority Key Identifier:
  keyid:68:A3:57:B1:F9:19:5F:88:97:DB:86:79:F8:EF:8D:30:D2:C5:CE:09
  DirName:/C=GB/ST=Berkshire/L=Newbury/O=ACME LOCAL LTD/OU=MARKETING/CN=redhat/emailAddress=bob@acme.com
  serial:00
X509v3 Basic Constraints: CA:TRUE
Verify Certificate: self signed certificate

  SSL Certificate:
Signature Algorithm: md5WithRSAEncryption
RSA Key Strength: 1024
Subject: redhat
Issuer: redhat
Not valid before: Jan 16 14:54:43 2007 GMT
Not valid after: Jan 16 14:54:43 2008 GMT

Yeah it looks like I was right in my suspicions. Based on the SSL Scan:

SSL/TLS Protocols:
SSLv2 enabled
SSLv3 enabled
TLSv1.0 enabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled

So only browsers that support TLSv1.0 and below will be able to connect to the site. Most modern browsers disabled TLSv1.0 and lower support in 2020 because it's over 20 years old now: https://www.zdnet.com/article/chrome-edge-ie-firefox-and-safari-to-disable-tls-1-0-and-tls-1-1-in-2020/

You can of course re-enable the protocol in most browsers if you really need it (which you probably want to do here so you can solve the box).

Also just for future reference, if Nmap is able to grab the HTTP banner (i.e. Apache httpd 2.0.40) and even the title of the page:

|_http-title: Test Page for the Apache Web Server on Red Hat Linux

It means it's definitely a web server. Nmap just doesn't care about older SSL/TLS protocols because people aren't using it to browse sites. If you try to connect to a non-HTTP port using a browser, you'll get some other kind of error, possibly a connection timeout or reset.
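The check discussed in this thread, as an added example that is not part of AutoRecon or this issue: it parses the "SSL/TLS Protocols" block of sslscan's text output and reports whether a service is "legacy-only" (reachable only over SSLv2/SSLv3/TLSv1.0/TLSv1.1, so a default browser profile refuses the handshake although the site exists) rather than skipping enumeration. The sslscan output format is assumed to match what was pasted above; the sample input is constructed.

```python
import re

# Constructed sample, mirroring the protocol block sslscan printed in this issue.
SAMPLE_SSLSCAN = """\
Testing SSL server 10.11.1.115 on port 443 using SNI name 10.11.1.115

  SSL/TLS Protocols:
SSLv2     enabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV
"""

# Versions that mainstream browsers stopped negotiating by default in 2020.
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")
# One sslscan protocol line: name, whitespace, enabled/disabled (assumed format).
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3])\s+(enabled|disabled)\s*$", re.M)


def enabled_protocols(sslscan_output: str) -> list:
    """Return the protocol versions sslscan reported as enabled, in output order."""
    return [name for name, state in PROTO_RE.findall(sslscan_output) if state == "enabled"]


def browser_reachability(sslscan_output: str) -> dict:
    """Classify the endpoint: 'modern' if TLSv1.2/1.3 is offered, 'legacy-only'
    if only SSLv2/SSLv3/TLSv1.0/TLSv1.1 are offered (site is up, browser will
    refuse it), 'none' if sslscan saw no enabled protocol at all."""
    enabled = enabled_protocols(sslscan_output)
    if not enabled:
        verdict = "none"
    elif all(proto in LEGACY_PROTOCOLS for proto in enabled):
        verdict = "legacy-only"
    else:
        verdict = "modern"
    return {"enabled": enabled, "verdict": verdict}


if __name__ == "__main__":
    result = browser_reachability(SAMPLE_SSLSCAN)
    print(result)
    if result["verdict"] == "legacy-only":
        print("Web server is up; re-enable TLSv1.0 or lower in the browser to view it.")
```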