scan over p12 cert only website
hi All,
i'm trying to use arachni scan on a p12 cert only domain ,
via web browser and also using owasp zap the system work properly
and i scannable .
the problem with arachni:
i migrated the p12 cert to pem (seem supported from the
documentation) the pem file contain private and public key with
passprhrase (i tried with and without)
here the command :
arachni --http-ssl-key /home/fnigi/domain/cert.pem
--http-ssl-key-password PASSWORD --http-ssl-key-type pem --checks=*
--scope-auto-redundant --audit-forms --audit-cookies-extensively
--audit-headers --audit-json --audit-ui-forms
--audit-with-extra-parameter --audit-include-vector --audit-links
--report-save-path /home/fnigi/ https://WEBSITE.TLD/
--output-verbose
the system don't want to go further and it fail on ssl where is
the error?
i used openssl pkcs12 -in cert.p12 -out cert.pem to convert
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Tasos Laskos on 03 Jun, 2016 02:57 PM
Hello,
Can you try specifying the certs and keys individually with each option with files that only include them rather than combine them?
Also, what error are you seeing with your current configuration?
You can try using
--output-debug=5
to get more information about what's going on.On a different note, the
--audit-include-vector
option requires an argument and is used to whitelist input vectors by name, i.e. only input vectors whose names match the given pattern will be checked.Cheers
2 Posted by fabio nigi on 03 Jun, 2016 03:40 PM
hi Tasos,
i tried to split the cert
and modify the url in this way:
arachni https://website.com/ --authorized-by [email blocked] --http-ssl-certificate /home/fnigi/vfwfsdata/publiccert.pem --http-ssl-certificate-type pem --http-ssl-key /home/fnigi/vfwfsdata/privatekey.pem --http-ssl-key-type pem http-ssl-key-password PASSWORD --checks=* --scope-auto-redundant --audit-forms --audit-cookies-extensively --audit-headers --audit-json --audit-ui-forms --audit-with-extra-parameter --audit-links --report-save-path /home/fnigi/ --output-verbose --output-debug=5
i used this openssl pkcs12 -in myP12File.p12 -nocerts -out privateKey.pem
and openssl pkcs12 -in myP12File.p12 -clcerts -nokeys -out publicCert.pem
to generate the key (the key work properly in browser)
the log with debug=5:
it's going ok till header's check but it fail here
[!!!!] [http/client#global_on_complete:586] Client: Performer: # [!!!!] [http/client#global_on_complete:587] Client: Status: 0 [!!!!] [http/client#global_on_complete:588] Client: Code: ssl_connect_error [!!!!] [http/client#global_on_complete:589] Client: Message: SSL connect error [!!!!] [http/client#global_on_complete:590] Client: URL: https://THESITE.COM/ [!!!!] [http/client#global_on_complete:591] Client: Headers:
[!!!!] [http/client#global_on_complete:592] Client: Parsed headers: {} [!!!!] [http/client#global_on_complete:600] Client: ------------ [-] Retrying for: https://THESITE.COM/ [SSL connect error] [!!!!] [http/client#global_on_complete:584] Client: ------------ [!!!!] [http/client#global_on_complete:585] Client: Got response for request ID#: 9
[!!!!] [http/client#global_on_complete:586] Client: Performer: #
Support Staff 3 Posted by Tasos Laskos on 03 Jun, 2016 03:42 PM
http-ssl-key-password
needs to be--http-ssl-key-password
.4 Posted by fabio nigi on 03 Jun, 2016 03:56 PM
sorry Tasos a simple typo it's still failing
[!!!!] [http/client#global_on_complete:592] Client: Parsed headers: {} [!!!!] [http/client#global_on_complete:600] Client: ------------ [-] [framework/parts/data#pop_page_from_url_queue:147] Giving up trying to audit: https://WEBSITE.COM/ [-] [framework/parts/data#pop_page_from_url_queue:148] Couldn't get a response after 5 tries: SSL connect error. [!!!!] [http/client#global_on_complete:584] Client: ------------ [!!!!] [http/client#global_on_complete:585] Client: Got response for request ID#: 11
[!!!!] [http/client#global_on_complete:586] Client: Performer: # [!!!!] [http/client#global_on_complete:587] Client: Status: 0 [!!!!] [http/client#global_on_complete:588] Client: Code: ssl_connect_error [!!!!] [http/client#global_on_complete:589] Client: Message: SSL connect error [!!!!] [http/client#global_on_complete:590] Client: URL: https://WEBSITE.COM/ [!!!!] [http/client#global_on_complete:591] Client: Headers:
[!!!!] [http/client#global_on_complete:592] Client: Parsed headers: {} [!!!!] [http/client#global_on_complete:600] Client: ------------ [!!] [http/proxy_server#shutdown:68] ProxyServer: Shutting down.. [!!!] [http/proxy_server/connection#on_close:178] Connection: Closed because: [NilClass] [!!] [http/proxy_server#shutdown:73] ProxyServer: Shutdown. [!!] [http/proxy_server#shutdown:68] ProxyServer: Shutting down.. [!!!] [http/proxy_server/connection#on_close:178] Connection: Closed because: [NilClass] [!!] [http/proxy_server#shutdown:73] ProxyServer: Shutdown. [!!] [http/proxy_server#shutdown:68] ProxyServer: Shutting down.. [!!!] [http/proxy_server/connection#on_close:178] Connection: Closed because: [NilClass] [!!] [http/proxy_server#shutdown:73] ProxyServer: Shutdown. [!!] [http/proxy_server#shutdown:68] ProxyServer: Shutting down.. [!!!] [http/proxy_server/connection#on_close:178] Connection: Closed because: [NilClass] [!!] [http/proxy_server#shutdown:73] ProxyServer: Shutdown. [!!] [http/proxy_server#shutdown:68] ProxyServer: Shutting down.. [!!!] [http/proxy_server/connection#on_close:178] Connection: Closed because: [NilClass] [!!] [http/proxy_server#shutdown:73] ProxyServer: Shutdown. [!!] [http/proxy_server#shutdown:68] ProxyServer: Shutting down.. [!!!] [http/proxy_server/connection#on_close:178] Connection: Closed because: [NilClass] [!!] [http/proxy_server#shutdown:73] ProxyServer: Shutdown. [!] [plugin/manager#block:161] [!] [plugin/manager#block:162] Waiting on 4 plugins to finish: [!] [plugin/manager#block:163] healthmap, timing_attacks, discovery, uniformity [!] [plugin/manager#block:164]
Support Staff 5 Posted by Tasos Laskos on 04 Jun, 2016 12:09 PM
Can you try connecting to the site via
curl
with the same certs and keys that you used for Arachni?6 Posted by fabio nigi on 05 Jun, 2016 06:38 AM
Hi Tasos,
thanks for the tip! i checked with curl and i was missing the CA i added to the command --http-ssl-ca ./ca.pem and now is properly scanning!
thanks
Fabio
Support Staff 7 Posted by Tasos Laskos on 05 Jun, 2016 06:41 AM
Glad you got it working. :)
Tasos Laskos closed this discussion on 05 Jun, 2016 06:41 AM.