
v1.2.0 support --servername option for pentesting

AJ ONeal 3 months ago
parent
commit
312a5de977
3 changed files with 27 additions and 6 deletions
  1. 11
    0
      README.md
  2. 7
    4
      cmd/sclient/main.go
  3. 9
    2
      sclient.go

+ 11
- 0
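--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ sclient [flags] <remote> <local>
 
 * flags
   * -k, --insecure ignore invalid TLS (SSL/HTTPS) certificates
+  * --servername <string> spoof SNI (to disable use IP as &lt;remote&gt; and do not use this option)
 * remote
   * must have servername (i.e. example.com)
   * port is optional (default is 443)
@@ -112,3 +113,13 @@ Piping
 ```bash
 printf "GET / HTTP/1.1\r\nHost: telebit.cloud\r\n\r\n" | sclient telebit.cloud:443
 ```
+
+Testing for security vulnerabilities on the remote:
+
+```bash
+sclient -servername "Robert'); DROP TABLE Students;" example.com localhost:3000
+```
+
+```bash
+sclient -servername "../../../.hidden/private.txt" example.com localhost:3000
+```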

+ 7
- 4
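--- a/cmd/sclient/main.go
+++ b/cmd/sclient/main.go
@@ -25,6 +25,7 @@ func usage() {
 func main() {
 	flag.Usage = usage
 	insecure := flag.Bool("k", false, "ignore bad TLS/SSL/HTTPS certificates")
+	servername := flag.String("servername", "", "specify a servername different from <remote> (to disable SNI use an IP as <remote> and do use this option)")
 	flag.BoolVar(insecure, "insecure", false, "ignore bad TLS/SSL/HTTPS certificates")
 	flag.Parse()
 	remotestr := flag.Arg(0)
@@ -41,10 +42,12 @@ func main() {
 		}
 	}
 
-	opts := &sclient.PipeOpts{}
-	opts.RemotePort = 443
-	opts.LocalAddress = "localhost"
-	opts.InsecureSkipVerify = *insecure
+	opts := &sclient.PipeOpts{
+		RemotePort:         443,
+		LocalAddress:       "localhost",
+		InsecureSkipVerify: *insecure,
+		ServerName:         *servername,
+	}
 
 	remote := strings.Split(remotestr, ":")
 	//remoteAddr, remotePort, err := net.SplitHostPort(remotestr)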
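Review bot: The help text added for the `servername` flag in the first hunk contradicts the README entry in this same commit — it says "to disable SNI use an IP as <remote> and do use this option" where the README says "do not use this option", and "not" is the reading that matches the code, because any non-empty value is handed to the TLS dial. Since the value is copied straight into `tls.Config.ServerName` in sclient.go, it is also the name the remote certificate is verified against whenever `-k` is not given, so a user who overrides it without `-k` should expect a verification failure unless the remote's certificate happens to cover the override; the help should say so. Suggested line: `servername := flag.String("servername", "", "specify a servername different from <remote> (to disable SNI use an IP as <remote> and do not use this option); without -k the remote certificate is verified against this name")`. main's body continues past both hunks of this section.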

+ 9
- 2
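--- a/sclient.go
+++ b/sclient.go
@@ -46,6 +46,7 @@ type PipeOpts struct {
 	LocalAddress       string
 	LocalPort          int
 	InsecureSkipVerify bool
+	ServerName         string
 }
 
 type Tun struct{}
@@ -88,7 +89,10 @@ func pipe(r Rwc, w Rwc, t string) {
 
 func handleConnection(remote string, conn Rwc, opts *PipeOpts) {
 	sclient, err := tls.Dial("tcp", remote,
-		&tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
+		&tls.Config{
+			ServerName:         opts.ServerName,
+			InsecureSkipVerify: opts.InsecureSkipVerify,
+		})
 
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[error] (remote) %s\n", err)
@@ -111,7 +115,10 @@ func handleConnection(remote string, conn Rwc, opts *PipeOpts) {
 func (*Tun) DialAndListen(opts *PipeOpts) error {
 	remote := opts.RemoteAddress + ":" + strconv.Itoa(opts.RemotePort)
 	conn, err := tls.Dial("tcp", remote,
-		&tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
+		&tls.Config{
+			ServerName:         opts.ServerName,
+			InsecureSkipVerify: opts.InsecureSkipVerify,
+		})
 
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[warn] '%s' may not be accepting connections: %s\n", remote, err)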
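Review bot: Setting `ServerName` on the `tls.Config` in `handleConnection` changes what the handshake verifies, not only what it sends: crypto/tls uses `Config.ServerName` both as the SNI value and, unless `InsecureSkipVerify` is set, as the hostname the remote certificate must match, so with a non-empty `opts.ServerName` and `-k` absent the certificate presented by `remote` is checked against the override rather than the dialed host. The `DialAndListen` hunk below has the same behaviour. The new exported field in the first hunk is undocumented; a comment such as `// ServerName, when non-empty, is sent as TLS SNI and, unless InsecureSkipVerify is set, is also the name the remote certificate is verified against; empty means tls.Dial derives it from remote.` would make that trade-off visible to callers of PipeOpts. It would also help to print a `[warn]` line on stderr, alongside the existing error paths, when ServerName is non-empty and InsecureSkipVerify is false, so a verification failure caused by the override is distinguishable from a genuinely bad remote certificate. handleConnection's body continues past its hunk.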