From 13e9e9d822686b846428fa01470425095bc59194 Mon Sep 17 00:00:00 2001 From: Tarun Koyalwar Date: Tue, 6 Dec 2022 00:49:01 +0530 Subject: [PATCH 1/2] bug fix resolvedIP and others --- pkg/tlsx/clients/clients.go | 13 +++++--- pkg/tlsx/openssl/openssl.go | 10 ++---- pkg/tlsx/tls/tls.go | 10 ++---- pkg/tlsx/tlsx.go | 8 +++++ pkg/tlsx/tlsx_test.go | 63 +++++++++++++++++++++++++++++++++++++ pkg/tlsx/ztls/ztls.go | 10 ++---- 6 files changed, 88 insertions(+), 26 deletions(-) create mode 100644 pkg/tlsx/tlsx_test.go diff --git a/pkg/tlsx/clients/clients.go b/pkg/tlsx/clients/clients.go index ba54b36f..7db9d4cd 100644 --- a/pkg/tlsx/clients/clients.go +++ b/pkg/tlsx/clients/clients.go @@ -21,9 +21,8 @@ import ( "github.com/projectdiscovery/fastdialer/fastdialer" "github.com/projectdiscovery/goflags" - ztls "github.com/zmap/zcrypto/tls" stringsutil "github.com/projectdiscovery/utils/strings" - + ztls "github.com/zmap/zcrypto/tls" ) // Implementation is an interface implemented by TLSX client @@ -313,10 +312,14 @@ func IsMisMatchedCert(host string, alternativeNames []string) bool { return true } -// IsTLSRevoked returns true if the certificate has been revoked +// IsTLSRevoked returns true if the certificate has been revoked or failed to parse func IsTLSRevoked(cert *x509.Certificate) bool { - zcert, _ := zx509.ParseCertificate(cert.Raw) - return IsZTLSRevoked(zcert) + zcert, err := zx509.ParseCertificate(cert.Raw) + if err != nil { + return true + } else { + return IsZTLSRevoked(zcert) + } } // IsZTLSRevoked returns true if the certificate has been revoked diff --git a/pkg/tlsx/openssl/openssl.go b/pkg/tlsx/openssl/openssl.go index 22334695..ea1af51f 100644 --- a/pkg/tlsx/openssl/openssl.go +++ b/pkg/tlsx/openssl/openssl.go 
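Review bot: In IsTLSRevoked, a certificate that zcrypto fails to parse is now reported as revoked, which folds a parser incompatibility and a real revocation into the same boolean in the scan output; the doc comment says so, but consumers of the result cannot tell the two apart. If the signature has to stay `bool`, record the parse error where it happens (for example through the project's logger) so a false "revoked" can be traced back. The `else` after `return true` is redundant: `if err != nil { return true }` followed by `return IsZTLSRevoked(zcert)` reads more directly. `cert` is dereferenced without a nil check; whether callers can pass nil is not visible in this hunk.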
@@ -92,13 +92,9 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C } defer rawConn.Close() - var resolvedIP string - if ip != "" { - resolvedIP = ip - } else if iputil.IsIP(hostname) { - resolvedIP = hostname - } else { - resolvedIP = c.dialer.GetDialedIP(hostname) + resolvedIP, _, err := net.SplitHostPort(rawConn.RemoteAddr().String()) + if err != nil { + return nil, err } conn, err := openssl.Client(rawConn, opensslCtx) diff --git a/pkg/tlsx/tls/tls.go b/pkg/tlsx/tls/tls.go index 837b5228..a33c59c9 100644 --- a/pkg/tlsx/tls/tls.go +++ b/pkg/tlsx/tls/tls.go @@ -118,13 +118,9 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C return nil, fmt.Errorf("could not connect to %s", address) } - var resolvedIP string - if ip != "" { - resolvedIP = ip - } else if iputil.IsIP(hostname) { - resolvedIP = hostname - } else { - resolvedIP = c.dialer.GetDialedIP(hostname) + resolvedIP, _, err := net.SplitHostPort(rawConn.RemoteAddr().String()) + if err != nil { + return nil, err } config := c.tlsConfig diff --git a/pkg/tlsx/tlsx.go b/pkg/tlsx/tlsx.go index 2530ab0e..80c058d3 100644 --- a/pkg/tlsx/tlsx.go +++ b/pkg/tlsx/tlsx.go @@ -4,6 +4,7 @@ import ( "strconv" "github.com/pkg/errors" + "github.com/projectdiscovery/fastdialer/fastdialer" "github.com/projectdiscovery/tlsx/pkg/tlsx/auto" "github.com/projectdiscovery/tlsx/pkg/tlsx/clients" "github.com/projectdiscovery/tlsx/pkg/tlsx/jarm" @@ -24,6 +25,13 @@ func New(options *clients.Options) (*Service, error) { service := &Service{ options: options, } + if options.Fastdialer == nil { + var err error + options.Fastdialer, err = fastdialer.NewDialer(fastdialer.DefaultOptions) + if err != nil { + return nil, err + } + } var err error switch options.ScanMode { case "ztls": diff --git a/pkg/tlsx/tlsx_test.go b/pkg/tlsx/tlsx_test.go new file mode 100644 index 00000000..027bc71a --- /dev/null +++ b/pkg/tlsx/tlsx_test.go 
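Review bot: The new `resolvedIP` in ConnectWithOptions is whatever peer the socket reports, so if the dialer is ever routed through a proxy the result would record the proxy's address rather than the scanned host, and a link-local IPv6 peer would carry its `%zone` suffix. A comment such as `// resolvedIP is the socket peer address; behind a proxy this is the proxy, not the target` would make that explicit. The same lines are added in the tls.go hunk below and in ztls.go, where the early `return nil, err` has no visible Close on the connection (openssl.go has `defer rawConn.Close()` just above), so consider closing the connection before returning there. The bare error could also be wrapped as `fmt.Errorf("could not parse remote address: %w", err)`. All three function bodies continue outside their hunks, so a deferred Close may exist out of view.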
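Review bot: New now writes a freshly created dialer into the caller's `options.Fastdialer` when that field is nil, and nothing visible in this hunk closes it, so each such call may leave a dialer and its resolver state alive for the life of the process. A doc line on New such as `// New creates a default fastdialer when options.Fastdialer is nil and stores it in options; the caller owns it.` would state the side effect and the ownership. The error could also carry context through the package this file already imports: `return nil, errors.Wrap(err, "could not create dialer")`. New's body continues outside the hunk.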
@@ -0,0 +1,63 @@ +package tlsx_test + +import ( + "errors" + "testing" + + "github.com/projectdiscovery/fastdialer/fastdialer" + "github.com/projectdiscovery/tlsx/pkg/tlsx" + "github.com/projectdiscovery/tlsx/pkg/tlsx/clients" + "github.com/projectdiscovery/tlsx/pkg/tlsx/openssl" + iputil "github.com/projectdiscovery/utils/ip" +) + +func TestResolvedIP(t *testing.T) { + + allmodes := []string{"ctls", "ztls", "openssl", "auto"} + targethostname := "projectdiscovery.io" + targets, err := getDNSdata(targethostname) + if err != nil { + t.Fatalf("failed to get dns data: %v", err) + } + + for _, mode := range allmodes { + client, err := tlsx.New(&clients.Options{ + ScanMode: mode, + Retries: 3, + }) + if errors.Is(err, openssl.ErrNotSupported) { + t.Logf("openssl not available skipping..") + continue + } + if err != nil { + t.Fatalf("failed to create new client for %v mode: %v", mode, err) + } + for _, target := range targets { + resp, err := client.ConnectWithOptions(targethostname, target, "443", clients.ConnectOptions{}) + if err != nil { + t.Fatalf("failed to get response from tlsx client: %v", err) + } + if !iputil.IsIP(resp.IP) { + t.Fatalf("expected ip address for %v but got %v for mode %v", target, resp.IP, mode) + } + } + } + +} + +func getDNSdata(hostname string) ([]string, error) { + targets := []string{} + fd, err := fastdialer.NewDialer(fastdialer.DefaultOptions) + if err != nil { + return targets, err + } + dnsData, err := fd.GetDNSData(hostname) + if err != nil { + return targets, err + } + targets = append(targets, hostname) + targets = append(targets, dnsData.A...) + targets = append(targets, dnsData.AAAA...) + + return targets, nil +} diff --git a/pkg/tlsx/ztls/ztls.go b/pkg/tlsx/ztls/ztls.go index 92c8c3be..1d0d2f15 100644 --- a/pkg/tlsx/ztls/ztls.go +++ b/pkg/tlsx/ztls/ztls.go 
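Review bot: TestResolvedIP only asserts `iputil.IsIP(resp.IP)`, so it would still pass if a client returned an address other than the one it was told to dial. For targets that are themselves IPs, check the value as well, e.g. `if iputil.IsIP(target) && resp.IP != target { t.Fatalf("dialed %v but got %v for mode %v", target, resp.IP, mode) }` (IPv6 textual forms may need normalising before the comparison). The test also needs live DNS and outbound port 443 to a public host, so a `testing.Short()` skip at the top would keep offline runs green. In getDNSdata the dialer `fd` is never closed.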
@@ -139,13 +139,9 @@ func (c *Client) ConnectWithOptions(hostname, ip, port string, options clients.C return nil, fmt.Errorf("could not connect to %s", address) } - var resolvedIP string - if ip != "" { - resolvedIP = ip - } else if iputil.IsIP(hostname) { - resolvedIP = hostname - } else { - resolvedIP = c.dialer.GetDialedIP(hostname) + resolvedIP, _, err := net.SplitHostPort(conn.RemoteAddr().String()) + if err != nil { + return nil, err } config := c.tlsConfig From a4a8c5a3c23e21d85a44111eaec3eccdcfe19291 Mon Sep 17 00:00:00 2001 From: mzack Date: Thu, 8 Dec 2022 01:35:05 +0100 Subject: [PATCH 2/2] fixing target + making ipv6 optional (not supported in gh) --- pkg/tlsx/tlsx_test.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkg/tlsx/tlsx_test.go b/pkg/tlsx/tlsx_test.go index 027bc71a..b30127d5 100644 --- a/pkg/tlsx/tlsx_test.go +++ b/pkg/tlsx/tlsx_test.go @@ -12,9 +12,8 @@ import ( ) func TestResolvedIP(t *testing.T) { - allmodes := []string{"ctls", "ztls", "openssl", "auto"} - targethostname := "projectdiscovery.io" + targethostname := "scanme.sh" targets, err := getDNSdata(targethostname) if err != nil { t.Fatalf("failed to get dns data: %v", err) @@ -35,6 +34,10 @@ func TestResolvedIP(t *testing.T) { for _, target := range targets { resp, err := client.ConnectWithOptions(targethostname, target, "443", clients.ConnectOptions{}) if err != nil { + if iputil.IsIPv6(target) { + t.Logf("ipv6 potentially not supported skipping..") + continue + } t.Fatalf("failed to get response from tlsx client: %v", err) } if !iputil.IsIP(resp.IP) {
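Review bot: The IPv6 branch added in patch 2/2 skips on any error from ConnectWithOptions, not only on a missing IPv6 route. A genuine regression on the IPv6 path (for instance in the remote-address parsing added in patch 1/2) would then be logged as "not supported" and the test would still pass. Include the error in the log line, `t.Logf("ipv6 potentially not supported, skipping %v: %v", target, err)`, and consider narrowing the skip to network-unreachable errors or to an environment switch set in CI.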