tlsx
Issue with tls connection
$ echo 172.67.210.144 | tlsx -v
_____ _ _____ __
|_ _| | / __\ \/ /
| | | |__\__ \> <
|_| |____|___/_/\_\ v1.0.9
projectdiscovery.io
[INF] Current tlsx version v1.0.9 (latest)
[INF] Processing input 172.67.210.144:443
[WRN] Could not connect input 172.67.210.144:443: [auto:RUNTIME] [ctls:RUNTIME] remote error: tls: handshake failure <- could not do handshake; [ztls:RUNTIME] remote error: handshake failure <- could not do tls handshake; [LibreSSL3.3.6,LibreSSL3.3.6:RUNTIME] failed to response from openssl <- Command: /usr/bin/openssl s_client -connect 172.67.210.144:443 -servername 172.67.210.144 -tls1_2 <- failed to parse openssl response. original response is:
{/usr/bin/openssl s_client -connect 172.67.210.144:443 -servername 172.67.210.144 -tls1_2 CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 224 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1686140786
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
8666559168:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/9e200cfa-7d96-11ed-886f-a23c4f261b56/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
} <- no server certificates found <- could not connect to host
Anything else?
SSL data from shodan - https://www.shodan.io/host/172.67.210.144#443
Curl:
curl -vv https://172.67.210.144:443
* Trying 172.67.210.144:443...
* Connected to 172.67.210.144 (172.67.210.144) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
Netcat:
$ nc -v 172.67.210.144 443
Connection to 172.67.210.144 port 443 [tcp/https] succeeded!
related - https://github.com/projectdiscovery/tlsx/issues/51
You can use my website for testing
$ ping 51pwn.com
64 bytes from 172.67.210.144: icmp_seq=0 ttl=47 time=236.726 ms
$ openssl s_client -connect 172.67.210.144:443 | openssl x509 -pubkey -noout
140704302261056:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1563:SSL alert number 40
unable to load certificate
140704302261056:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
@hktalent This is because of the missing SNI value.
This works:
echo 51pwn.com | tlsx -silent
51pwn.com:443
This doesn't:
echo 172.67.210.144 | tlsx -silent
This works:
echo 172.67.210.144 | tlsx -silent -sni 51pwn.com
172.67.210.144:443 [51pwn.com]
The same goes for the host from Shodan as well.
cc @RamanaReddy0M
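The missing-SNI behaviour described in the comment above, reproduced offline as an added example (not code from tlsx or from this thread). A loopback `httptest` server stands in for a host that selects its certificate by SNI; `startSNIOnlyServer`, `probe` and the virtual host name `example.com` are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http/httptest"
)

// startSNIOnlyServer starts a loopback TLS server that, like the host in this
// thread, aborts any handshake whose ClientHello does not name vhost.
func startSNIOnlyServer(vhost string) *httptest.Server {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		if h.ServerName != vhost { // empty when the client dialed a bare IP
			return nil, fmt.Errorf("no virtual host for SNI %q", h.ServerName)
		}
		return nil, nil // nil config: continue with the server's default certificate
	}}
	srv.StartTLS()
	return srv
}

// probe dials addr (IP:port) and returns the DNS names in the leaf certificate.
// With sni == "" and an IP target, Go sends no server_name extension, which is
// the same ClientHello an IP-only scan produces.
func probe(addr, sni string) ([]string, error) {
	// Verification is disabled: the probe only collects the certificate, and
	// httptest's built-in test certificate is not issued by a trusted CA.
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames, nil
}

func main() {
	srv := startSNIOnlyServer("example.com")
	defer srv.Close()
	addr := srv.Listener.Addr().String() // 127.0.0.1:<port>, no hostname involved
	for _, sni := range []string{"", "example.com"} {
		names, err := probe(addr, sni)
		fmt.Printf("sni=%q names=%v err=%v\n", sni, names, err)
	}
}
```

The first probe fails during the handshake and the second returns the certificate, which mirrors the difference between `tlsx` with and without `-sni` shown above.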
@ehsandeep I know, but in practical situations, many times we only have an IP address and no domain name.
Thank you very much. Looking forward to you reopening this issue.
Until we can solve the problem of losing important information during SSL 1.3 based IP scanning,
any security scanning tool (tlsx, nuclei, etc.) will face such issues:
unable to scan directly through IP.
Before scanning, it is necessary to accurately convert the IP address into a domain name, and then install a secure scanning facility
in order to achieve the final desired result.
At the same time, another question arises: whether there are other domains and subdomains using the same IP, and whether the current scanning task is completed for these "other domain names" facilities.