search

F5-Labs / cryptonice

CryptoNice is both a command line tool and library which provides the ability to scan and report on the configuration of SSL/TLS for your internet or internal facing web services. Built using the sslyze API and ssl, http-client and dns libraries, cryptonice collects data on a given domain and performs a series of tests to check TLS configuration and supporting protocols such as HTTP2 and DNS.
https://www.f5.com/labs/cryptonice
GNU General Public License v3.0
101 stars 25 forks source link

DNS resolution issues #44

Closed warburtr0n closed 3 years ago

warburtr0n commented 3 years ago

We’re checking to see if the given value is an IP or a name, and since it’s a name passing it to the get_dns function to look it up. This returns, but it returns an empty value in a list, because the name is not resolvable (dns_data.get('records').get('A')[0] # get first IP in list) and so we get the index error.

We should add a check somewhere to handle cases where the DNS name handed in is not resolvable.

===============

facebook.net

Traceback (most recent call last):
  File "/opt/python/lib/python3.7/site-packages/cryptonice-1.3.7.1-py3.7.egg/cryptonice/scanner.py", line 374, in scanner_driver
    ipaddress.ip_address(hostname)
  File "/var/lang/lib/python3.7/ipaddress.py", line 54, in ip_address
    address)
ValueError: 'facebook.net' does not appear to be an IPv4 or IPv6 address

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
   File "/opt/python/lib/python3.7/site-packages/cryptonice-1.3.7.1-py3.7.egg/cryptonice/scanner.py", line 386, in scanner_driver
    ip_address = dns_data.get('records').get('A')[0]  # get first IP in list
IndexError: list index out of range
warburtr0n commented 3 years ago

Okay. problem here is that we're not correctly dealing with CNAMEs since we expect an A record

warburtr0n commented 3 years ago

Upcoming code release implements a new goodToGo variable which, based on its boolean value (determined by the existing of a valid IP or successful DNS lookup), will determine whether any scans should be performed.