sullo / nikto

Nikto web server scanner

failed to resolve hostname problem #460

Closed digininja closed 7 years ago

digininja commented 7 years ago

I've had this a couple of times now:

+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request over HTTP/1.0. The value is "10.22.5.246".
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't resolve hostname
+ Scan terminated:  20 error(s) and 6 item(s) reported on remote host
+ End Time:           2017-03-21 11:08:13 (GMT0) (6 seconds)

The hostname is hardcoded in the hosts file and can be resolved through DNS. From memory, the last time this happened there was also an internal IP disclosure so I'm wondering if that check is somehow overwriting the hostname variable and so breaking everything.

ss23 commented 7 years ago

I'm also receiving this error, though there is nothing related to an internal IP address. Here is an excerpt as it looks slightly different for me (have removed some information):

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:
+ Start Time:         2017-03-22 16:12:22 (GMT13)
---------------------------------------------------------------------------
+ Server: nginx
+ Retrieved x-powered-by header: web2py
+ Uncommon header 'web2py_error' found, with contents: invalid path
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't resolve hostname
+ Scan terminated:  20 error(s) and 24 item(s) reported on remote host
+ End Time:           2017-03-22 16:12:30 (GMT13) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

ss23 commented 7 years ago

git bisect indicates that 1525fddd279af422c304dc7a9c180b232a56856a is the commit causing this on my end, though I have no idea how this is possible...

tautology0 commented 7 years ago

That commit causing the problem does indeed make no sense. Any chance of the results of a -D d for the affected call so we can see what the address is being overwritten by? (Or even the results of a -Save.)

The fact you're getting multiple HSTS messages tells me that the hostname keeps on getting changed with each request.

ss23 commented 7 years ago

I can see that the hostname has changed from "x.com" to "admin.x.com", which is an internal only domain. I'm going to continue investigating though.

digininja commented 7 years ago

Looks like it is doing subdomain enumeration at the end of the scan, I may have missed it but I don't remember Nikto doing that before.

This is the debug from my run.

nikto_debug.txt

tautology0 commented 7 years ago

Ah that would make total sense. One of the lines removed was to ensure that the mutate plugins, including subdomain enumeration would not be run, which means that subdomain is being run (and it's obviously not working that well).

A quick solution would be to put these two lines back into nikto.conf:

@@MUTATE=dictionary;subdomain
@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)

tautology0 commented 7 years ago

I'll try and patch it properly, but I'm onsite at the moment with poor Internet access, so I may have to leave this 'til next week.

digininja commented 7 years ago

That fixed it, thanks.

sullo commented 7 years ago

Hmm, seemed like a good idea at the time--crap.

So we should have: @@DEFAULT=@@ALL;-subdomain;-dictionary;tests(report:500)

Correct, @tautology0 ?

digininja commented 7 years ago

But if it stays in and broken, then if someone enables it the issue will come back. Wouldn't it be better to fix it or remove it completely?


tautology0 commented 7 years ago

There's two problems here:

1) The definition for which plugins are meant to be run was broken by the patch to remove MUTATE. This can be easily fixed with something like (where @@EXTRA should contain the names of any plugins that we don't want to be run by default):

@@EXTRA=subdomain;dictionary
@@DEFAULT=@@ALL;-@@EXTRA;tests(report:500)

2) The subdomain plugin is broken. I favour removing this one totally as there are much better programs to do this around.

The reason why we haven't had a problem with the dictionary plugin is that it has a required parameter or it doesn't do anything, whereas subdomain will do things.
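
To make the plugin-selection semantics discussed above concrete, here is an added example (written for this page, not Nikto's own code) that re-implements, as an approximation, how the @@NAME macros in nikto.conf are expanded into a plugin list: @@ALL selects every plugin, @@NONE none, a "-" prefix removes what a macro or plugin name selects, and "tests(report:500)" is the tests plugin with arguments. The PLUGINS inventory is constructed for the example, and BROKEN_CONF is a hypothetical reconstruction of a config that still subtracts @@MUTATE after that macro's definition was removed; the point it demonstrates is that nothing subtracts subdomain, so the plugin runs by default, whereas the @@EXTRA form from the comment above takes it back out.

```python
"""Expand Nikto-style plugin macros from nikto.conf (added example).

This is an approximation of Nikto's macro handling written for this
page, not Nikto's own code.  PLUGINS is a constructed inventory and
BROKEN_CONF is a hypothetical reconstruction of the broken config.
"""
import re

# Constructed plugin inventory for the example (a subset of real names).
PLUGINS = ["apacheusers", "dictionary", "headers", "subdomain", "tests"]

# Hypothetical: @@MUTATE was removed but @@DEFAULT still subtracts it.
BROKEN_CONF = """
# @@MUTATE line deleted by the offending commit (assumption)
@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)
"""

# The fix proposed in the thread: an @@EXTRA macro of non-default plugins.
FIXED_CONF = """
@@EXTRA=subdomain;dictionary
@@DEFAULT=@@ALL;-@@EXTRA;tests(report:500)
"""


def parse_conf(text):
    """Return {MACRO: definition} for every '@@NAME=value' line."""
    macros = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"@@([A-Z]+)=(.*)$", line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(definition, macros, plugins, _depth=0):
    """Expand a ';'-separated selector into an ordered list of plugin names.

    Items: '@@ALL', '@@NONE', '@@NAME' (another macro), 'plugin',
    'plugin(args)', and '-item' to remove whatever 'item' selects.
    A reference to an undefined macro expands to nothing, which is the
    silent failure mode that let 'subdomain' back into the default run.
    """
    if _depth > 10:
        raise ValueError("macro recursion too deep")
    selected = []
    for raw in definition.split(";"):
        item = raw.strip()
        if not item:
            continue
        negate = item.startswith("-")
        if negate:
            item = item[1:]
        if item == "@@ALL":
            names = list(plugins)
        elif item == "@@NONE":
            names = []
        elif item.startswith("@@"):
            names = expand(macros.get(item[2:], ""), macros, plugins, _depth + 1)
        else:
            names = [item.split("(", 1)[0]]  # 'tests(report:500)' -> 'tests'
        for n in names:
            if negate:
                selected = [s for s in selected if s != n]
            elif n not in selected:
                selected.append(n)
    return selected


def default_plugins(conf_text):
    """Plugins that would run with no -Plugins override for this config."""
    macros = parse_conf(conf_text)
    return expand(macros.get("DEFAULT", ""), macros, PLUGINS)


if __name__ == "__main__":
    print("broken:", default_plugins(BROKEN_CONF))
    print("fixed: ", default_plugins(FIXED_CONF))
```

Running it shows subdomain (and dictionary) in the broken default set and absent from the fixed one; the same check is what you would want after any edit to the @@DEFAULT line, since a typo in a macro name fails silently rather than loudly.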

digininja commented 7 years ago

I'd agree with removing it. I use dnsrecon for all my DNS stuff as it is a dedicated tool.


tautology0 commented 7 years ago

Fixed as discussed above. Also removed subdomain plugin (maybe I could've deprecated it, but I don't think anyone actually uses it).

Moved a few plugins into the EXTRAS list which may improve running time in some cases.

sullo commented 7 years ago

@opt9 has been adding to the subdomain DB, so someone uses it at least.

I'd generally prefer to keep big changes like this for a full release like 2.2, but it doesn't seem like that's going to happen for another 5 years! :) Someone needs to get motivated around here and finish that up (/me looks in mirror).

Thanks @tautology0

digininja commented 7 years ago

I'll certainly buy you a few drinks or dinner if we ever bump into each other at a con, how's that?


tautology0 commented 7 years ago

@digininja you could persuade him to give a talk at Steelcon. If not, I'll take beer on his behalf...

digininja commented 7 years ago

Free bar at SteelCon, all welcome.


sullo commented 7 years ago

@digininja come on over to rvasec--beer on me!

digininja commented 7 years ago

Would love to get over there. Really need to find a rich patron to send me round the world.
