MTLS not working - Githubissues

OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go

Apache License 2.0

9.66k stars 1.18k forks source link

MTLS not working #443

Closed gl4nce closed 1 year ago

gl4nce commented 1 year ago

Unfortunately, MTLS is not working for me. I'm getting Error: error on parsing arguments: could not load P12: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1.

I did little research and looks like it has something to do with go/security? I'm using version 3.6.0-0kali1.

gobuster dir -u "https://web.site" -w /usr/share/wordlists/dirb/big.txt --client-cert-p12 ./mtls.p12 --client-cert-p12-password "password123"
Error: error on parsing arguments: could not load P12: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1

gl4nce commented 1 year ago

I found a workaround. Converting p12 to pem format with openssl works fine.

# converting
openssl pkcs12 -in mtls.p12 -out mtls.crt.pem -clcerts -nokeys
openssl pkcs12 -in mtls.p12 -out mtls.key.pem -nocerts -nodes

# gobuster
gobuster dir -u "https://web.site" -w /usr/share/wordlists/dirb/big.txt --client-cert-pem ./mtls.crt.pem --client-cert-pem-key ./mtls.key.pem

firefart commented 1 year ago

Jeah looks like this is a problem with gos implementation of pkcs12. There is already an open issue for this: https://github.com/golang/go/issues/62375

firefart commented 1 year ago

Looks like hashicorp switched to another library because of this problem: https://github.com/hashicorp/go-azure-sdk/pull/328 will have a look if the other library works too

firefart commented 1 year ago

@gl4nce can you please try out the dev branch and see if that works for your p12? go install github.com/OJ/gobuster/v3@dev

Thanks!

gl4nce commented 1 year ago

That was incredibly fast. :)

Tested and working fine for me. Thanks a lot!

$ ./gobuster dir -u "https://web.site" -w /usr/share/wordlists/dirb/big.txt --client-cert-p12 ../mtls.p12 --client-cert-p12-password "password" 
===============================================================
Gobuster v3.7
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://web.site
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.7
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 199]
/.htpasswd            (Status: 403) [Size: 199]
[...]

firefart commented 1 year ago

Awesome thanks for testing :)