documentation/modules/auxiliary/scanner/http/http_hsts.md
This module checks to see whether or not the scanned systems return the HSTS header to enforce HSTS.
sudo apt-get install apache2
sudo service apache2 start
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Once this is done place the following content into /etc/apache2/conf-available/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Then execute the following:
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
Place the following in /etc/apache2/sites-available/default-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
Place the following in /etc/apache2/sites-available/000-default.conf:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Finally, execute the following commands:
sudo service apache2 stop
sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl
sudo a2enconf ssl-params
sudo apache2ctl configtest
sudo service apache2 restart
use auxiliary/scanner/http/http_hstsset RHOSTS [IP]set RPORT [PORT]runInstall using following instructions for Ubuntu listed above.
msf > use auxiliary/scanner/http/http_hsts
msf auxiliary(scanner/http/http_hsts) > set RHOSTS 192.168.90.91
RHOSTS => 192.168.90.91
msf auxiliary(scanner/http/http_hsts) > run
[+] 192.168.90.91:443 - Strict-Transport-Security:max-age=63072000; includeSubdomains
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/http_hsts) >
tekwizz123@DESKTOP-VF1AJQB:~$ nmap 192.168.90.91 -p 443 --script http-security-headers
Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-31 00:30 CDT
Nmap scan report for 192.168.90.91
Host is up (0.0034s latency).
PORT STATE SERVICE
443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
| Header: Strict-Transport-Security: max-age=63072000; includeSubdomains
| X_Frame_Options:
| Header: X-Frame-Options: DENY
| Description: The browser must not display this content in any frame.
| X_Content_Type_Options:
| Header: X-Content-Type-Options: nosniff
|_ Description: Will prevent the browser from MIME-sniffing a response away from the declared content-type.
Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds