--- TRACE running on WebServer
Very low risk here, and at times even informational, but useful to report, especially when you have very few findings to report ;) . Basically, while establishing an HTTPS connection an SSL handshake happens; think of it as a 3-way handshake for SSL. Once this completes it's all normal HTTP traffic. The key here is to somehow re-create that SSL connection before you start running your HTTP commands like GET, TRACE, OPTIONS etc. So effectively what we did is create an SSL tunnel to port 443 of the destination webserver, as follows, using a third-party tool called stunnel. Here's the command that you run:
Once you install stunnel there's a script which you can use to run stunnel against any remote host from within it, using a predefined script found in /usr/local/share/doc/stunnel/examples/script.sh by default. So when you make a connection to 192.168.2.249 you'll need to edit the REMOTE_HOST variable in script.sh to your IP so it reads:
Run the script to establish an SSL tunnel to 192.168.2.249. Run tcpdump in another window if you're as interested as I am in getting a packet-level view of the situation. Once the tunnel is established you can type HTTP commands as you normally do. Here's the sequence of commands to find out if TRACE is enabled on the remote server:
--------------------
[root@pal-lin-arvind Setups]# /usr/local/share/doc/stunnel/examples/script.sh
client script connecting 192.168.2.249:443
OPTIONS * HTTP/1.1
Host: 192.168.2.249
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 0
Server: Microsoft-IIS/6.0
Public: OPTIONS, TRACE, GET, HEAD, POST
Date: Fri, 12 Oct 2007 16:36:47 GMT
--------------------
The only open connection, obviously, is the SSL tunnel, as can be seen here:
[arvind@pal-lin-arvind ~]$ netstat -na | grep -v unix | grep 443
tcp 0 0 192.168.2.92:47032 192.168.2.249:443 ESTABLISHED
[arvind@pal-lin-arvind ~]$
Friday, October 12, 2007
1 comment:
Hi Arvind,
Nice post. Sometimes the OPTIONS command incorrectly states that Trace is enabled whereas it is actually disabled.
The way to confirm if it is disabled is by sending a Trace request to the web server. If you get HTTP/1.1 Error 501 - Not Implemented, then Trace is disabled.
This link has more details
Thanks,
Roshen
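Here's a small added example (my own, not from the post or the stunnel project) that does what the post does with stunnel, but with Python's ssl module, and also does what Roshen suggests: it sends OPTIONS, then an actual TRACE, and treats the TRACE status as the real answer. The sample responses at the top are constructed to look like the IIS 6.0 output above; the host, port and the `verify=False` switch (only for a lab box with a self-signed certificate) are assumptions.

```python
import socket
import ssl

# Constructed sample responses (shaped like the IIS 6.0 output in the post).
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
                  b"Server: Microsoft-IIS/6.0\r\nPublic: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")
SAMPLE_TRACE_ENABLED = b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\n"
SAMPLE_TRACE_DISABLED = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"

def parse_response(raw):
    """Return (status_code, {lower-cased header: value}) from a raw HTTP response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in
               (line.split(":", 1) for line in lines[1:] if ":" in line)}
    return int(lines[0].split(" ", 2)[1]), headers

def advertised_methods(headers):
    """Methods named in the Allow (and IIS's Public) header of an OPTIONS reply."""
    listed = headers.get("allow", "") + "," + headers.get("public", "")
    return {m.strip().upper() for m in listed.split(",") if m.strip()}

def trace_verdict(options_raw, trace_raw):
    """OPTIONS can misreport, so the real TRACE reply decides: 200 means enabled."""
    _, opt_headers = parse_response(options_raw)
    trace_status, _ = parse_response(trace_raw)
    return {"advertised": "TRACE" in advertised_methods(opt_headers),
            "trace_status": trace_status, "enabled": trace_status == 200}

def send_raw(host, port, request, verify=True):
    # Open a TLS session (the job stunnel did in the post) and send one raw request.
    ctx = ssl.create_default_context()
    if not verify:                      # assumed lab box with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(request)
        chunks = []
        while (data := tls.recv(4096)):  # "Connection: close" makes the server hang up
            chunks.append(data)
    return b"".join(chunks)

def check_trace(host, port=443, verify=True):
    """Send OPTIONS then TRACE over TLS to the assumed host and combine the answers."""
    req = "{} {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\r\n"
    options = send_raw(host, port, req.format("OPTIONS", "*", host).encode(), verify)
    trace = send_raw(host, port, req.format("TRACE", "/", host).encode(), verify)
    return trace_verdict(options, trace)
```

Run `check_trace("192.168.2.249", verify=False)` against the lab server from the post; a verdict with `advertised` True but `enabled` False is exactly the false positive Roshen describes.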