wpscan SSL Connect Error #1380

Closed
aarandomhacker opened this issue Aug 20, 2019 · 21 comments

@aarandomhacker

Before submitting an issue, please make sure you fully read any potential error messages output and did some research on your own.

Subject of the issue

wpscan SSL Connect Error

Your environment

  • Version of WPScan: 3.6.3
  • Version of Ruby: 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux-gnu]
  • Operating System (OS): Linux kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-6kali (2019-07-22) x86_64 GNU/Linux
  • Server Accepts: TLS 1.0 && TLS1.1 && TLS1.2

Steps to reproduce

wpscan -v --disable-tls-checks --url
wpscan -v --url

Expected behavior

Site should scan with wpscan

Actual behavior


    __          _______   _____
    \ \        / /  __ \ / ____|
     \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
      \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
       \  /\  /  | |     ____) | (__| (_| | | | |
        \/  \/   |_|    |_____/ \___|\__,_|_| |_|

    WordPress Security Scanner by the WPScan Team
                   Version 3.6.3
      Sponsored by Sucuri - https://sucuri.net
  @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

Scan Aborted: The url supplied 'target site' seems to be down (SSL connect error)
Trace: /usr/share/rubygems-integration/all/gems/cms_scanner-0.5.7/app/controllers/core.rb:42:in `check_target_availability'
/usr/share/rubygems-integration/all/gems/wpscan-3.6.3/app/controllers/core.rb:59:in `before_scan'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.5.7/lib/cms_scanner/controllers.rb:44:in `each'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.5.7/lib/cms_scanner/controllers.rb:44:in `block in run'
/usr/lib/ruby/2.5.0/timeout.rb:76:in `timeout'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.5.7/lib/cms_scanner/controllers.rb:43:in `run'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.5.7/lib/cms_scanner/scan.rb:24:in `run'
/usr/share/rubygems-integration/all/gems/wpscan-3.6.3/bin/wpscan:16:in `block in <top (required)>'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.5.7/lib/cms_scanner/scan.rb:15:in `initialize'
/usr/share/rubygems-integration/all/gems/wpscan-3.6.3/bin/wpscan:6:in `new'
/usr/share/rubygems-integration/all/gems/wpscan-3.6.3/bin/wpscan:6:in `<top (required)>'
/usr/bin/wpscan:23:in `load'
/usr/bin/wpscan:23:in `<main>'

What have you already tried

Tell us what you have already tried to do to fix the issue you are having.

Things you have tried (where relevant):

  • Update WPScan to the latest version [Yes ]
  • Update Ruby to the latest version [ Yes]
  • Ensure you can reach the target site using cURL [Y ]
  • Proxied WPScan through a HTTP proxy to view the raw traffic [N ]
  • Ensure you are using a supported Operating System (Linux and macOS) [Y ]

@erwanlr
Member

erwanlr commented Aug 24, 2019

Are you using a proxy along with wpscan?

@aarandomhacker
Author

No

@cnotin

cnotin commented Aug 28, 2019

Same here, and no proxy :)
It seems to be a matter of missing TLS 1.0 support in my case

@cnotin

cnotin commented Aug 28, 2019

I think the issue is more on the side of https://github.com/wpscanteam/CMSScanner

FYI I fixed it by commenting the following in /etc/ssl/openssl.cnf on my Kali:

#[system_default_sect]
#MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2
#CipherString = DEFAULT

@cnotin

cnotin commented Aug 28, 2019

Or CMSscanner could ask Typhoeus to ask Openssl to TLS < 1.2. Whatever you think is better...

@aarandomhacker
Author

Fix above worked! By commenting out the MinProtocol & CipherString lines as suggested, I have gotten it to work.

Thanks to @cnotin for the suggestion

@erwanlr
Member

erwanlr commented Aug 28, 2019

So it's clearly an issue of your system and the remote server not having a common protocol (such as TLS >= 1.2 local and TLS 1.0 only remote), nothing we can do about it, sorry.

@ethicalhack3r
Contributor

ethicalhack3r commented Aug 28, 2019 via email

@cnotin

cnotin commented Aug 28, 2019

Technically wpscan could ask to bypass the default and allow a lower version.
It could be done when "--disable-tls-checks" is selected, as the user doesn't care about TLS security level anymore. And it doesn't negatively impact other users.

Your call :)

@aarandomhacker
Author

aarandomhacker commented Aug 28, 2019

I did try the --disable-tls-checks. I also tried it on three separate installations of Kali Linux

@cnotin

cnotin commented Aug 28, 2019

I mean "--disable-tls-checks" doesn't enable TLS 1.0 yet, but it could be changed to do it.

@cnotin

cnotin commented Aug 28, 2019

FYI, here is the related Kali bug:
https://bugs.kali.org/view.php?id=5158

@erwanlr
Member

erwanlr commented Aug 28, 2019

Could any of you run the script below from your system (with the OpenSSL config back to its original) against the blog you had issues with, please?

# connect_check.rb

require 'typhoeus'

# Request the URL with the given Typhoeus options and print the final URL,
# the HTTP status code and libcurl's return message.
def check_target(url, params = {})
  res = Typhoeus.get(url, params.merge(connecttimeout: 10))

  puts "#{res.effective_url} - #{res.code} #{res.return_message}"
end

target = ARGV[0]

# Default options: certificate verification on, TLS version left to libcurl/OpenSSL
puts 'Not disabled:'
check_target(target)

puts
# Peer and host certificate verification off, sslversion set to :tlsv1
puts 'Disabled:'
check_target(target, ssl_verifypeer: false, ssl_verifyhost: 0, sslversion: :tlsv1)

To run it: ruby connect_check.rb BLOG_URL (the BLOG_URL needs to have the protocol, i.e. http/https)

@cnotin

cnotin commented Aug 28, 2019

Here you go, with both:

  • Kali default config

# tail -n 3 /etc/ssl/openssl.cnf
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

# ruby test.rb https://redacted
Not disabled:
https://redacted - 0 SSL connect error

Disabled:
https://redacted - 0 SSL connect error

  • Edited config

# tail -n 3 /etc/ssl/openssl.cnf
#[system_default_sect]
#MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2

# ruby test.rb https://redacted
Not disabled:
https://redacted - 0 SSL peer certificate or SSH remote key was not OK

Disabled:
https://redacted - 200 No error
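
As an added example (not part of the thread and not WPScan or CMSScanner code), the Ruby below reads the `[system_default_sect]` settings as they appear in the two `openssl.cnf` listings above and reports the resulting system-wide protocol floor and which server versions remain usable. The helper names and embedded sample configs are constructed for illustration, and it assumes the section keeps the name `system_default_sect`.

```ruby
# Added example (not WPScan/CMSScanner code). The sample configs are
# constructed from the two openssl.cnf listings quoted in this thread.
TLS_ORDER = %w[TLSv1 TLSv1.1 TLSv1.2 TLSv1.3].freeze

# Return the active key/value pairs of one openssl.cnf section.
# '#' starts a comment, so a commented-out header means no such section.
def section_settings(cnf_text, section = 'system_default_sect')
  current = nil
  settings = {}
  cnf_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if (m = line.match(/\A\[\s*(.+?)\s*\]\z/))
      current = m[1]
    elsif current == section && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      settings[m[1]] = m[2]
    end
  end
  settings
end

# Summarise the floor OpenSSL applies to every client on the system.
def tls_floor(cnf_text)
  s = section_settings(cnf_text)
  level = s['CipherString'].to_s[/@SECLEVEL=(\d+)/, 1]
  { min_protocol: s['MinProtocol'], seclevel: level&.to_i }
end

# Which of the server's protocol versions survive the client's MinProtocol?
def common_versions(cnf_text, server_versions)
  min = tls_floor(cnf_text)[:min_protocol]
  return server_versions & TLS_ORDER if min.nil?
  floor = TLS_ORDER.index(min) || raise(ArgumentError, "unknown MinProtocol #{min}")
  server_versions.select { |v| (i = TLS_ORDER.index(v)) && i >= floor }
end

KALI_DEFAULT = <<~CNF
  [system_default_sect]
  MinProtocol = TLSv1.2
  CipherString = DEFAULT@SECLEVEL=2
CNF

EDITED = <<~CNF
  #[system_default_sect]
  #MinProtocol = TLSv1.2
  #CipherString = DEFAULT@SECLEVEL=2
CNF

[KALI_DEFAULT, EDITED].each { |c| p tls_floor(c), common_versions(c, %w[TLSv1]) }
```

A non-empty overlap does not by itself guarantee a handshake, because `@SECLEVEL=2` also rejects short keys and weak cipher suites. Running `tls_floor` against the real file after a scan confirms the floor has been restored, since the edit applies to every OpenSSL client on the machine.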

@cnotin

cnotin commented Aug 28, 2019

Looks like Typhoeus/curl cannot force the usage of TLS 1.0?
Same with:

curl -k --tlsv1 https://...
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Versions:

# openssl version
OpenSSL 1.1.1c  28 May 2019
# curl -V
curl 7.65.3 (x86_64-pc-linux-gnu) libcurl/7.65.3 OpenSSL/1.1.1c zlib/1.2.11 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-07-19
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

@cnotin

cnotin commented Aug 28, 2019

It seems related to this:
curl/curl#4097

@cnotin

cnotin commented Aug 28, 2019

I tested something in:
curl/curl#4097 (comment)
I forced the support of TLS 1.0 in OpenSSL using the correct function.

And with it, it works nice:

#  LD_LIBRARY_PATH=/root/curl/curl/lib/.libs/ wpscan --url https://tls-v1-0.badssl.com:1010/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

Scan Aborted: The remote website is up, but does not seem to be running WordPress.

Compared with the normal library:

# wpscan --url https://tls-v1-0.badssl.com:1010/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

Scan Aborted: The url supplied 'https://tls-v1-0.badssl.com:1010/' seems to be down (SSL connect error)

@erwanlr
Member

erwanlr commented Aug 29, 2019

Great, so this is a bug in curl, isn't it?

@cnotin

cnotin commented Aug 29, 2019

There's indeed a bug in libcurl that prevents enabling TLSv1 support.
However, wpscan doesn't take advantage of this feature yet.

@erwanlr
Member

erwanlr commented Aug 29, 2019

This will be once the issue has been resolved in libcurl and it's been tracked there: wpscanteam/CMSScanner#108

Thank you very much for your investigation on this one and hopefully this will be fixed in curl!

@cnotin

cnotin commented Sep 11, 2019

For tracking: fixed in wpscanteam/CMSScanner#108
