Skip to content

/ nmap

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ncat: no way to specify/override SSL hostname #1927

Open
hlein opened this issue Feb 17, 2020 · 0 comments · May be fixed by #1928
Open

Ncat: no way to specify/override SSL hostname #1927

hlein opened this issue Feb 17, 2020 · 0 comments · May be fixed by #1928

Comments

@hlein
Copy link

@hlein hlein commented Feb 17, 2020

If you are connecting to a webserver by IP, you may want to specify the hostname in the TLS negotiation, especially if it has multiple vhosts using the same certificate with Subject Alternate Names and behaving differently depending on which name is supplied during TLS negotiation (before the submitted Host: header is read).

Since 5.50 or so, nmap has had a knob to specify the hostname to request during TLS/SNI negotiation, first called nsi_set_hostname and now called nsock_iod_set_hostname. This is accessible from NSE code, but not, I think, from ncat.

For example:

$ ncat --version
Ncat: Version 7.80 ( https://nmap.org/ncat )
$ echo -n -e 'GET / HTTP/1.0\r\nHost: servername\r\n\r\n' |
    ncat -n -v --ssl 10.1.2.3 443
HTTP/1.1 421 Misdirected Request
...
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>

I have an old patch for this, will update and submit a PR.
hlein added a commit to hlein/nmap that referenced this issue Feb 17, 2020
@hlein
ncat: Added --ssl-servername option to specify hostname to request
Verified
This commit was signed with a verified signature.
hlein
GPG key ID: 6200F6E3781E3DD7 Learn about signing commits
93a95dd 
nsock_iod_set_hostname is accessible in nse code, but I could not find a
knob to use it with ncat.  This patch adds --ssl-servername to ncat.

With this patch, using the example from issue nmap#1927:

```
  $ echo -n -e 'GET / HTTP/1.0\r\nHost: servername\r\n\r\n' | \
      ncat -n -v --ssl --ssl-servername servername 10.1.2.3 443
  HTTP/1.1 200 OK
```

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: nmap#1927
@hlein hlein linked a pull request that will close this issue Feb 17, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

ncat: Added --ssl-servername option to specify hostname to request
1 participant
@hlein
You can’t perform that action at this time.