-
-
Notifications
You must be signed in to change notification settings - Fork 510
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE REQUEST] DNS SAN collection or scope creep? #572
Comments
Also, regarding your previous note- you can reach me at |
haha, agreed. at least for feroxbuster, i don't like the idea of wandering off the specified path.
appreciate that! Overall, I like the idea of grabbing this information and using it to alter the wordlist. I'm working on some (long-term) stuff where this would be better suited, so would like to pin the issue, but don't plan on taking action on it in the near future. As to the info that (likely) wouldn't be useful for strictly content discovery, I'm not sure the current underlying client even supports gathering that kind of thing. Tbh, it may not even support getting cert/san info. Once the newer stuff is closer to being ready, this idea is likely to have a home (same client issue may or may not exist, that's a separate beast, lol) |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
forgot to actually pin the issue |
I'm thinking that it really doesn't make much sense to investigate this any further as a function of feroxbuster You can keep it open if you really want to look into it, but I'm convinced it's not the right place to do this at all Only took me 2 years to come to that conclusion 😂 Will defer to you on closure, but I personally probably won't get enough use out of it to justify the effort |
Is your feature request related to a problem? Please describe.
Right now, with respect to SSL/TLS,
feroxbuster
supports what is necessary to do its job- the ability to either continue when a cert (is expired|has name mismatch|...) which is all that's typically included (or needed) in directory enumeration toolsIn other words, this isn't a problem
Describe the solution you'd like
I was considering today that it might be useful in some cases to capture the DNS SAN values from the certificate, and either:
1 - Using DNS SAN to enhance the wordlist dynamically
In many cases, using the FQDN (as specified at runtime as part of the URL) to enhance the wordlist is effective enough already. This is especially true if there is only one DNS SAN entry, the SAN value matches the FQDN , and the FQDN (as opposed to the IP address) was specified as the target. In this case it offers practically no benefits to users
In other cases, there is a bit to gain from grabbing the DNS SAN values and using some values derived from them as URL paths. One example that is somewhat common for me- enumerating on a host using the IP address instead of the DNS name, as part of a very large batch of endpoints- especially when the certificate has a large amount of DNS SAN values, and various substrings of those names are present as directories- usually because one of the DNS SAN values contains a substring that is the name of an API/application, very contrived example, "lolapi.whatever.com", where /api/lol might exist on the server as an endpoint
2- Logging certificate information as an line in the output file
This is more of a convenience than anything else. It's the sort of thing that I think would be worthwhile to implement only if it's very simple and non-invasive. It can be useful sometimes to see what other (likely) virtual hosts are present in the context of enumeration findings.
Describe alternatives you've considered
There are many tools intended to gather and parse SSL/TLS protocol and certificate info already. If you have a list of URLs, you should have no problem feeding them to these tools
For example,
zgrab2
not only grabs the cert information but it parses it and breaks out all of the standard values and many of the more common extensions into a structured format. It also captures protocol handshake info, even down to the post-handshake negotiated master session keyTools like
testssl.sh
can also do quite a bit in this area. And of course, there's alwaysopenssl s_client -connect ... | openssl x509 -text
which is enough to get all of the fields for a certificate. If you do some ugly parsing you can even get some protocol info (-msg -debug -state ...
Point being there are plenty of ways to get all sorts of SSL/TLS protocol and certificate data. Capturing this data is not a groundbreaking capability, but it would be "nice" to have
Additional context
I think it may be a slippery slope to go deeply into the SSL/TLS protocol info or the certificate info. I do, however, think that there may be an opportunity to grab some basic info, since it should be available via some interface (maybe, I don't know how abstracted the SSL/TLS interface that you're using is)
If you wanted to consider this at all, I would imagine the following as potentially of interest for the purposes of logging to the output file:
To be clear, I'll say this is in my "what do you think about this?" category of issues, not the "this would be a game-changing feature" category- so please don't feel you need to put too much consideration into it, especially if your gut says you don't want to go down this road at all
Implementation-wise, I imagine for simplicity you would have a separate connection done at the start of the the session, dedicated to getting this data. You could piggyback on the first of the enumeration requests, but that might add a little complexity or uglyness. I'll leave that to you
The text was updated successfully, but these errors were encountered: