error connecting to site on non-standard port when using proxy

[digininja]

I've just tried to scan a site which was listening on port 4567 through my proxy and got the error:

+ ERROR: Proxy error: opening stream: proxy couldn't make connection

I've set up a similar scenario on my site and it fails on there as well. I've opened port 81 to HTTP traffic:

$ ./nikto.pl -host http://digi.ninja:81 -useproxy http://proxy:3128 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: Proxy error: opening stream: proxy couldn't make connection

$ curl --proxy http://proxy:3128 http://digi.ninja:81
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://digi.ninja/">here</a>.</p>
</body></html>

If I specify port 80 rather than 81, that works, so it isn't just specifying a port number, it is the fact it isn't 80 or 443 that seems to be causing the problem.

Watching my Squid logs, I see these two corresponding entries:

1552477574.948      0 10.5.1.1 TCP_DENIED/403 3347 CONNECT digi.ninja:81 - HIER_NONE/- text/html
1552477571.418      1 10.5.1.1 TCP_MISS/301 598 GET http://digi.ninja:81/ - HIER_DIRECT/5.196.105.14 text/html

The reason for the deny is this line in the Squid config as 81 isn't in my SSL_ports list:

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

I don't know why they do this, is it wrong to do a CONNECT to a HTTP port?

Looking at the traffic if I stick with port 80, you don't send a CONNECT.

So, I think there is a bug in your proxy code that is trying to do a CONNECT over HTTP when a port number other than 80 is specified.

Don't I find the fun stuff!

[sullo]

Clearly you are using too many weird ports. I blame you.

I don't understand why Squid does that. That's... odd. I've not heard any specific reason to avoid a CONNECT to a non-80 port, unless they're just out of the box protecting people from making mistakes or being insecure?

This may be a simple fix. Since you have the setup can you change this line in nikto_core.plugin?

Line 2226
$request{'whisker'}->{'method'} = "GET";

to be a CONNECT and retry? A cursory look at the libwhisker code shows that it should properly use CONNECT for proxies.

Thanks

[digininja]

I specialise in weird!

Will give it a try when back from lunch.

On Wed, 13 Mar 2019, 12:46 sullo, notifications@github.com wrote:

Clearly you are using too many weird ports. I blame you.

I don't understand why Squid does that. That's... odd. I've not heard any specific reason to avoid a CONNECT to a non-80 port, unless they're just out of the box protecting people from making mistakes or being insecure?

This may be a simple fix. Since you have the setup can you change this line in nikto_core.plugin?

Line 2226 $request{'whisker'}->{'method'} = "GET";

to be a CONNECT and retry? A cursory look at the libwhisker code shows that it should properly use CONNECT for proxies.

Thanks

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/sullo/nikto/issues/593#issuecomment-472407382, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHJWRNJzArwDoqqRcXiXHt2KRkio2tcks5vWPMsgaJpZM4btC01 .

[digininja]

No, changing that line doesn't change anything. port 80 still works, 81 doesn't and I still get the initial CONNECT in the log

I've put some debug in and confirmed that it is the request straight after that that causes the problem so you are in the right area for the fix. Why would changing a GET to CONNECT help? The proxy is rejecting the request because it is currently a CONNECT.

[sullo]

can you scrub and post as a snippet/gist the two req/resp pairs (the connect that works and the one "after that" that fails)?

Now in some limited testing with burp, one thing to note is ports < 1200 may be restricted (i.e., is your port 81 actually opening/bind on your OS)?

Second thing is that when using burp as a proxy I'm getting incorrect requests to cirt.net

Connection: close
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Proxy Check)
Host: cirt.net

That's the outgoing from burp. (i get a 404 back which I think is my apache config, NOT nikto/proxy. it works fine on other sites).

I'm curious if your proxy config or target config are interfering (like my target is)?

[digininja]

Port 81 is open on my box and on the target I was initially testing, you can check my box http://digi.ninja:81

I'm going through squid in a fairly default setup, all I've done is allow port 81 in the list of acceptable ports.

Curl works with the proxy and directly so both proxy and the site are working.

I'll send over some logs in a bit.

On Fri, 15 Mar 2019, 19:42 sullo, notifications@github.com wrote:

can you scrub and post as a snippet/gist the two req/resp pairs (the connect that works and the one "after that" that fails)?

Now in some limited testing with burp, one thing to note is ports < 1200 may be restricted (i.e., is your port 81 actually opening/bind on your OS)?

Second thing is that when using burp as a proxy I'm getting incorrect requests to cirt.net

Connection: close User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Proxy Check) Host: cirt.net```

That's the outgoing from burp. (i get a 404 back which I think is my apache config, NOT nikto/proxy. it works fine on other sites).

I'm curious if your proxy config or target config are interfering (like my target is)?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/sullo/nikto/issues/593#issuecomment-473417772, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHJWVxDAP9hzANWtZpn99q5QG5B1sEJks5vW_fCgaJpZM4btC01 .

[digininja]

Going direct

$ curl http://digi.ninja:81
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://digi.ninja/">here</a>.</p>
</body></html>

Curl through the proxy:

$ curl http://digi.ninja:81 --proxy proxy.digi.lab:3128
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://digi.ninja/">here</a>.</p>
</body></html>

Proxy log

1552679833.199      2 10.5.1.1 TCP_MISS/301 598 GET http://digi.ninja:81/ - HIER_DIRECT/5.196.105.14 text/html

Nikto direct:

$ ./nikto.pl -url http://digi.ninja:81
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          5.196.105.14
+ Target Hostname:    digi.ninja
+ Target Port:        81
+ Start Time:         2019-03-15 19:58:39 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache

Nikto through the proxy:

$ ./nikto.pl -url http://digi.ninja:81 -useproxy proxy.digi.lab:3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: Proxy error: opening stream: proxy couldn't make connection

Proxy message:

1552679966.342      0 10.5.1.1 TCP_DENIED/403 3347 CONNECT digi.ninja:81 - HIER_NONE/- text/html

[corrigac]

looks like some protocol confusion on your port 81 - Redirect looks to be to https://digi.ninja:81/ but your running http on port 81

[digininja]

That's because I've been messing with it for something else. It is back working on HTTP on 81 and it is still broken.

1553794801.157      0 10.5.1.1 TCP_DENIED/403 3347 CONNECT digi.ninja:81 -
HIER_NONE/- text/html

$ ./nikto.pl -url http://digi.ninja:81 -useproxy proxy:3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: Proxy error: opening stream: proxy couldn't make connection

curl -s http://digi.ninja:81 --proxy proxy:3128 | grep "<title"
        <title>DigiNinja - DigiNinja</title>

On Thu, 28 Mar 2019 at 17:31, corrigac notifications@github.com wrote:

looks like some protocol confusion on your port 81 - Redirect looks to be to https://digi.ninja:81/ but your running http on port 81

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/sullo/nikto/issues/593#issuecomment-477696648, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHJWe0DqFyJpMGvy6b4xepFGkAMmhAYks5vbPx3gaJpZM4btC01 .

[tautology0]

Could you retry and see whether the proxy fixes and using Net::SSLeay fix this in 2.5.0?

[digininja]

I'm getting a silent failure through Burp.

I put dvwa on port 81 and scanned through Burp. Watching the proxy, I've got 8k of requests but haven't had a response to any of them, Nikto hasn't noticed.

But while writing this I just noticed that the requests are going to https not http even though I didn't specify a protocol. I just tried again with http://dvwa.test:81 and the requests were still made to https not http.

Testing against a real https site on a different port I've had the same thing, loads of requests, no responses. If you want to try yourself, feel free to use this URL

https://177c3c33.poison.digi.ninja:2443/basic.php

Checking with Repeater, this is a request that doesn't work:

But when I strip the full domain out of the GET, it does work:

Running through Squid, it does seem to work as I can see the traffic hitting the server.

[stappersg]

@digininja in case this issue dropped from your priority list, please close it.

[digininja]

No, still something I'd like to see working.

On Tue, 21 Jun 2022, 17:41 Geert Stappers, @.***> wrote:

@digininja https://github.com/digininja in case this issue dropped from your priority list, please close it.

— Reply to this email directly, view it on GitHub https://github.com/sullo/nikto/issues/593#issuecomment-1161998701, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA4SWJ4BFUGDJUFG67FNFTVQHWCHANCNFSM4G5UFU2Q . You are receiving this because you were mentioned.Message ID: @.***>

[sullo]

@digininja Can you try this again? I just did some testing against port 81 using Burp as a proxy, and it seems to be working to me. 2.5 branch.

I suspect a fairly recent change to the HTTP/HTTPS checking logic actually fixed this as well. Please confirm.

[digininja]

That does seem to be working now.

$ ./program/nikto.pl --url   https://b423f5d6.poison.digi.ninja:2443 --useproxy proxy.digi.lab:3128
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          (proxied)
+ Target Hostname:    b423f5d6.poison.digi.ninja
+ Target Port:        2443
+ Proxy:              proxy.digi.lab:3128
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=*.poison.digi.ninja
                   Altnames: *.poison.digi.ninja, poison.digi.ninja
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2022-07-06 16:19:49 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved via header: 1.1 varnish (Varnish/6.5).

[sullo]

Awesome! Thanks for confirming.