sensepost / gowitness

🔍 gowitness - a golang, web screenshot utility using Chrome Headless
GNU General Public License v3.0

Grab and browse vhosts from SANs in TLS certificate/nmap file #28

Closed ravenium closed 3 years ago

ravenium commented 4 years ago

I'm currently running some rather ugly regex to get a list of vhosts out of the subject alternative name (SAN) list in a host's certificate file by way of nmap (using their default plugin set, one of which is ssl-certs). I then feed these into gowitness for screenshotting.

I noticed gowitness acknowledges DNS names from this list, but instead of browsing each one, it simply groups them under one IP. It would be nice to be able to instruct gowitness to screenshot every vhost/dns name it encounters for a given host in an nmap file as they may very well be entirely different websites.

leonjza commented 4 years ago

> it simply groups them under one IP.

I am not sure I am following here. Could you elaborate a little?

> screenshot every vhost/dns name it encounters

Nice suggestion! Yes we can definitely add this. Extract non-wildcards from a cert, and screenshot those!

ravenium commented 4 years ago

@leonjza Certainly! So let's say I scan 1.2.3.4 (which let's say is a website hosting www.somehost.com, www.someotherhost.com, and admin.somehost.com on tcp/443 with appropriate certificate SANs and vhosts) with nmap and then direct gowitness to read the resulting xml.

The report.html shows only the screenshot for https://1.2.3.4 and lists all the DNS names it saw in the certificate (www.somehost.com, etc) beside that host in the report, rather than attempting to browse any of the additional DNS names.

I think we're on the same page though - by attempting to follow/browse all the SANs listed in the cert (non-wildcard, as you said) you'd pick up some additional information.

Right now I do a slightly clunky process where I parse out the SAN list and associated port number for each https host/cert, then write them all to a file of urls, which gowitness then reads. It works, albeit with some issues.
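The SAN-to-URL step described in the comment above, as an added example (not code from gowitness or from the commenter): it parses nmap `-oX` output, assuming the ssl-cert script's element layout shown in the constructed sample, keeps only non-wildcard DNS SANs, and prints one URL per line in the form `gowitness file -f` reads.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragment with an ssl-cert script result, cut down to the
# elements this parser reads (element layout assumed to match nmap's ssl-cert
# XML output; not from a real scan).
SAMPLE_NMAP_XML = """<nmaprun><host>
  <address addr="1.2.3.4" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="443"><state state="open"/>
    <script id="ssl-cert" output="...">
      <table key="extensions"><table>
        <elem key="name">X509v3 Subject Alternative Name</elem>
        <elem key="value">DNS:www.somehost.com, DNS:www.someotherhost.com, DNS:admin.somehost.com, DNS:*.somehost.com, IP Address:1.2.3.4</elem>
      </table></table>
    </script>
  </port></ports>
</host></nmaprun>"""

def san_dns_names(script):
    """Yield the DNS: entries from the SAN extension of one ssl-cert <script>."""
    for ext in script.iterfind("table[@key='extensions']/table"):
        if "Subject Alternative Name" not in ext.findtext("elem[@key='name']", ""):
            continue
        for entry in ext.findtext("elem[@key='value']", "").split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                yield entry[len("DNS:"):]

def vhost_urls(nmap_xml):
    """One https URL per non-wildcard SAN on each open port, in scan order, no duplicates.
    Port 443 stays implicit; other ports are appended so the right listener is hit."""
    urls = []
    root = ET.fromstring(nmap_xml)
    for port in root.iterfind("host/ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        portid = port.get("portid")
        for script in port.iterfind("script[@id='ssl-cert']"):
            for host in san_dns_names(script):
                if host.startswith("*"):  # wildcard names cannot be browsed as-is
                    continue
                url = f"https://{host}" + ("" if portid == "443" else f":{portid}")
                if url not in urls:
                    urls.append(url)
    return urls

if __name__ == "__main__":
    # One URL per line: the file format gowitness reads with `file -f`.
    print("\n".join(vhost_urls(SAMPLE_NMAP_XML)))
```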

leonjza commented 3 years ago

Have decided to keep the scope for gowitness to only take screenshots, and do that well. It is possible to feed other tool output that will do a much better job at enumerating than gowitness would into gowitness with something like `sometool | gowitness file -f -`