I found it amusing that one of the major changes in the new PCI DSS 2.0 standard is the requirement that any vulnerability with a CVSS score > 4 must be remediated (6.2). It is amusing because what good does it do to require companies to perform vulnerability scanning if remediation is not enforced, which was the case with the previous version of PCI DSS (11.2).
I digress. Often I am required to confirm an identified vulnerability or validate a fix on a web server, for example checking whether TRACK/TRACE is enabled or disabled, or whether the HOST header is set for name-based virtual hosts. These checks are easy to perform against a non-SSL web server (HTTP) using Telnet, but plain Telnet cannot be used against an SSL-enabled web server (HTTPS).
# telnet ssl.somehost.com 443
Trying 10.10.3.93...
Connected to ssl.somehost.com.
Escape character is '^]'.
GET / HTTP/1.1
Connection closed by foreign host.
Telnet-SSL
The connection is closed because telnet sends plain text to a port that expects a TLS handshake; the stock telnet binary has no SSL support at all. You can verify this on Linux with the 'ldd' tool, which lists the shared libraries a binary links against: no libssl or libcrypto appears below.
# ldd /usr/bin/telnet
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb76c8000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb75da000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb75b3000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb75a4000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb744a000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7446000)
/lib/ld-linux.so.2 (0xb7711000)
The good news is that there is an SSL-enabled version of telnet, called telnet-ssl (package netkit-telnet-ssl). In the following examples I am using the BackTrack 4 distribution.
# apt-get install telnet-ssl
# ldd /usr/bin/telnet
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb76cb000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7684000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7537000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7449000)
[snip]
# ls -l `which telnet`
lrwxrwxrwx 1 root root 24 Dec 1 10:48 /usr/bin/telnet -> /etc/alternatives/telnet
# ls -l /etc/alternatives/telnet
lrwxrwxrwx 1 root root 19 Dec 1 10:48 /etc/alternatives/telnet -> /usr/bin/telnet-ssl
# telnet -z ssl ssl.somehost.com 443
Trying 10.10.3.93...
Connected to ssl.somehost.com.
Escape character is '^]'.
GET / HTTP/1.1
HOST: ssl.somehost.com
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Thu, 11 Nov 2010 15:08:59 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/7.5
Date: Wed, 01 Dec 2010 17:07:40 GMT
Content-Length: 519
[snip]
Metasploit
An alternative to installing netkit-telnet-ssl is to use Metasploit itself, whose console can open a raw SSL connection with the connect command. Of course Metasploit is overkill if all you want to do is perform simple tests like the one above, but on the BackTrack 4 distribution it comes installed by default.
msf > connect -s ssl.somehost.com 443
[*] Connected to ssl.somehost.com:443
GET / HTTP/1.1
HOST: ssl.somehost.com
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Thu, 11 Nov 2010 15:08:59 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/7.5
Date: Wed, 01 Dec 2010 17:07:40 GMT
Content-Length: 519
[snip]
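As an added example (my own code, not part of the original post), the same raw-request check over TLS in a few lines of Python 3 standard library: it opens a verified TLS connection, sends a single HTTP/1.1 request with the Host header, and reports whether the server honours TRACE. The function names are my own, the target host is taken from the command line, and the certificate is verified as it would be in production (a lab host with a self-signed certificate would need an adjusted context).

```python
import socket
import ssl

def build_request(method: str, host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request: CRLF line endings and the Host header HTTP/1.1 requires."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if not head:  # server closed without answering (common when TRACE is blocked)
        return 0, {}, body
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body

def trace_enabled(status_code: int, headers: dict) -> bool:
    """A server that honours TRACE answers 200 and echoes the request as message/http; a hardened one returns 405/403 or drops the connection."""
    return status_code == 200 and headers.get("content-type", "").startswith("message/http")

def https_request(host: str, port: int, method: str, path: str = "/", timeout: float = 10.0) -> bytes:
    """Send one raw request over TLS (certificate verified, SNI set) and return the whole response."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_request(method, host, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:  # "Connection: close" makes the server end the stream
                    break
                chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # e.g. python3 raw_https_check.py ssl.somehost.com
    status, hdrs, _ = parse_response(https_request(target, 443, "TRACE"))
    verdict = "ENABLED" if trace_enabled(status, hdrs) else "disabled/blocked"
    print(f"{target}: TRACE {verdict} (HTTP {status}, Server: {hdrs.get('server', '?')})")
```

Swap "TRACE" for "GET" (or leave out the Host header in build_request) to reproduce the virtual-host checks from the telnet session above.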
If you know of any standard tools on Linux or Windows, or any 3rd-party tools for Windows, that can do the same, please leave a comment.
Cheers,
VVK