Ncat: no way to specify/override SSL hostname #1927

Closed
hlein opened this issue Feb 17, 2020 · 0 comments
hlein commented Feb 17, 2020

If you are connecting to a webserver by IP, you may want to specify the hostname in the TLS negotiation, especially if it has multiple vhosts using the same certificate with Subject Alternate Names and behaving differently depending on which name is supplied during TLS negotiation (before the submitted Host: header is read).

Since 5.50 or so, nmap has had a knob to specify the hostname to request during TLS/SNI negotiation, first called nsi_set_hostname and now called nsock_iod_set_hostname. This is accessible from NSE code, but not, I think, from ncat.

For example:

```
$ ncat --version
Ncat: Version 7.80 ( https://nmap.org/ncat )
$ echo -n -e 'GET / HTTP/1.0\r\nHost: servername\r\n\r\n' |
    ncat -n -v --ssl 10.1.2.3 443
HTTP/1.1 421 Misdirected Request
...
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>
```

I have an old patch for this, will update and submit a PR.

hlein added a commit to hlein/nmap that referenced this issue Feb 17, 2020
nsock_iod_set_hostname is accessible in nse code, but I could not find a
knob to use it with ncat.  This patch adds --ssl-servername to ncat.

With this patch, using the example from issue nmap#1927:

```
  $ echo -n -e 'GET / HTTP/1.0\r\nHost: servername\r\n\r\n' | \
      ncat -n -v --ssl --ssl-servername servername 10.1.2.3 443
  HTTP/1.1 200 OK
```

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: nmap#1927
@nnposter nnposter self-assigned this Jul 20, 2020
@nmap-bot nmap-bot closed this in 7d6cf3a Aug 22, 2020