Nmap Development mailing list archives
Re: Proposed SSL version detection probe changes
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Mon, 09 Feb 2009 22:33:44 +0100
On Sun, Feb 8, 2009 at 7:06 PM, <doug () hcsw org> wrote:
Nice. You may have already read this but version detection handles SSL specially: http://nmap.org/book/vscan-post-processors.html#vscan-ssl-postprocess The idea is that if with probing we detect that a port is SSL, then we open up a real SSL connection with OpenSSL and run version detection through that. Any improvements to the SSL probes would be great. I'm just now processing a bunch of fingerprints and there are always a few SSL ones that don't get properly recognized.
Hi Doug, All,

I had a deeper look at the SSL version probing, and would like to suggest the following:

Instead of trying to fingerprint the SSL response, I think it is more robust to simply *recognize* SSL, and then reconnect with an SSL probe to get more information on the application behind SSL. This can be done as follows:

1. Add/rewrite the SSL version probes to reliably detect *all* SSL-enabled services in a generic way, as well as the specific SSL version supported (this information is needed to connect with the correct SSL version later on).

2. Rewrite the SSL connection engine to take the exact SSL version detected by the probes (e.g. "sslv2", "sslv3" or "tlsv1"), and create the correct SSL connection (that is, SSLv2-compatible (SSLv23), TLSv1-only or SSLv3-only). An additional requirement for this step is that the extended SSL connection support can also be integrated with Ncat, of course (as this is how it all started, see http://seclists.org/nmap-dev/2009/q1/0319.html ;))

Any thoughts on this approach?

The first step is the easiest, which I already implemented myself, based on the probes I listed earlier. See attached "nmap-services.probes.patch", a patch against the "nmap-service-probes" file that comes with Nmap 4.76. In summary, I commented out the original SSLv3SessionReq probe, and instead defined the following two SSL probes:

- SSLv23SessionReq, which will send out an SSLv2-compatible ClientHello. This will match all SSL servers, apart from an SSLv3-only and TLSv1-only server, and reliably detect the SSL version used ("sslv2", "sslv3" or "tlsv1").

- TLSv1SessionReq probe, which will send out a TLSv1 ClientHello. This will match an SSLv3-only or TLSv1-only server, again reliably detecting the SSL version used ("sslv3" or "tlsv1"). This Probe does not come with any matches, but will instead "fall back" on the matches in SSLv23SessionReq.

I based the matches on OpenSSL testing, but I tried to make the match lines as generic as possible; I believe that they will correctly match all possible (RFC compatible) SSL implementations.

For now this Probe detection process returns "sslv2", "sslv3" or "tlsv1" (instead of the generic "ssl"). It is possible to differentiate even further between e.g. "sslv3-only" and "sslv3", if people would be interested in that.

Note that I also added the port 4433 to these new probes, as this is the default port of "openssl s_server".

The second step is a bit more work, and before undertaking such an effort, I'd like to get your feedback on this approach first. Additionally, if anyone with some sound Nmap coding (possibly SSL related) or just plain enthusiasm is willing to team up with me on this one, please let me know!

Note that this is quite a major change, which will most likely break with all existing SSL fingerprints. However, I believe it will ultimately make the detection of SSL-enabled services a lot more reliable. If you have a good idea to stay backward-compatible with the existing fingerprints, let me know.

One good use of the existing SSL fingerprints (or SSL fingerprints in general) I still see, is in case Nmap is compiled without OpenSSL support. In these cases it will not be able to SSL-connect to the service, and the information collected by the probe is all we can act on. Nevertheless, even in this case, I believe the new probes will trigger more useful (extensive) SSL fingerprints. However, I do not immediately see how this non-OpenSSL-compatibility can easily be implemented. Maybe we can provide a different nmap-service-probes file, depending on whether OpenSSL support is enabled or not?

I welcome all comments.

Thanks,
Kristof
--- nmap-service-probes.orig 2009-02-09 18:21:09.000000000 +0100 +++ nmap-service-probes 2009-02-09 18:17:10.000000000 +0100 
@@ -6048,67 +6048,105 @@ match webster m/^DICTIONARY server protocol:\r\n\r\nContact name is/ p/Webster dictionary server/ ##############################NEXT PROBE############################## -Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0| +#SSLv2-compatible ClientHello, 39 ciphers offered +#Will sollicit a ServerHello from most SSL implementations, apart from the ones that are TLSv1-only or SSLv3-only +Probe TCP SSLv23SessionReq q|\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98| -rarity 3 -ports 443,444,548,636,993,1241,1311,2000,4444,5550,7210,7272,8009,8194,9001 +rarity 3 +ports 443,444,548,636,993,1241,1311,2000,4433,4444,5550,7210,7272,8009,8194,9001 fallback GetRequest +# SSLv2 ServerHello +match sslv2 m|^..\x04\0.\0\x02| + +# TLSv1 ServerHello: +match tlsv1 m|^\x16\x03\x01..\x02...\x03\x01| + +# SSLv3 ServerHello: +match sslv3 m|^\x16\x03\0..\x02...\x03\0| + + +##############################NEXT PROBE############################## +#TLSv1 ClientHello. 
Will sollicit a response from both SSLv3-only and TLSv1-only servers; that is, the servers that are not covered by the SSLv23SessionReq Probe +Probe TCP TLSv1SessionReq q|\x16\x03\x01\x00j\x01\x00\x00f\x03\x01I\x8f\x16)\xa0_\xe2\xac\xe6\xfa\xea}$\xd4iH-\xa1^\x9ah\xa28}\xf5\x96\xe8\xc8\xde\x95T\x98\x00\x008\x00:\x009\x008\x005\x004\x003\x002\x00/\x00\x1b\x00\x1a\x00\x19\x00\x18\x00\x17\x00\x16\x00\x15\x00\x14\x00\x13\x00\x12\x00\x11\x00\n\x00\t\x00\x08\x00\x06\x00\x05\x00\x04\x00\x03\x00\x02\x00\x01\x02\x01\x00\x00\x04\x00#\x00\x00| + +rarity 3 +ports 443,444,548,636,993,1241,1311,2000,4433,4444,5550,7210,7272,8009,8194,9001 +fallback SSLv23SessionReq + +#By default no matches, as we will fall back to the general matches in SSLv23SessionReq +#match TLSv1 ServerHello: +#match tlsv1 m|^\x16\x03\x01..\x02...\x03\x01| + +##############################NEXT PROBE############################## +#This probe is redundant, as a SSLv3-only server will respond to the TLSv1 probe above as well +#Note that a TLSv1-only client will not accept a SSLv3 Server Hello, and break the connection upon receiving the SSLv3 Server Hello, but this is irrelevant for our purpose +#Probe TCP SSLv3SessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0| + +#rarity 3 +#ports 443,444,548,636,993,1241,1311,2000,4433,4444,5550,7210,7272,8009,8194,9001 +#fallback SSLv23SessionReq + +#By default no matches, as we will fall back to the general matches in SSLv23SessionReq +# Very generic; match SSLv3 Server Hello: +#match sslv3 m|^\x16\x03\0..\x02...\x03\0 + # Apple Filing Protocol (AFP) over TCP on Mac OS X -match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0\x01.\0\0\0\0\0.\0.\0.\0.\x80\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x05\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple 
AFP/ i/name: $1; protocol 2.2; Mac OS X 10.1.*/ -match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0..\0\0\0\0\0.\0.\0.\0.\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.2.*/ -match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0..\0\0\0\0\0.\0.\0.\0.\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.3.*/ -match afp m|^\x01\x03\0\0....\0\0..\0\0\0\0\0.\0.\0.\0..\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i|name: $1; protocol 3.2; Max OS X 10.4/10.5| -match afp m|^\x01\x03\0\0....\0\0..\0\0\0\0\0.\0...\0..\xfa.([^\0\x01]+)[\0\x01].*\tMacintosh\x01\x06AFP3\.1.\tDHCAST128|s p/Apple Airport Extreme AFP/ i/name: $1; protocol 3.1/ d/WAP/ -match afp m|^\x01\x03\0\0....\0\0..\0\0\0\0\0.\0...\0..\xfb.([^\0\x01]+)[\0\x01].*AirPort.*AFP3\.2|s p|Apple Airport Extreme/Time Capsule AFP| i/name: $1; protocol 3.2 WAP/ +#match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0\x01.\0\0\0\0\0.\0.\0.\0.\x80\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x05\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 2.2; Mac OS X 10.1.*/ +#match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0..\0\0\0\0\0.\0.\0.\0.\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.2.*/ +#match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0..\0\0\0\0\0.\0.\0.\0.\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.3.*/ +#match afp 
m|^\x01\x03\0\0....\0\0..\0\0\0\0\0.\0.\0.\0..\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i|name: $1; protocol 3.2; Max OS X 10.4/10.5| +#match afp m|^\x01\x03\0\0....\0\0..\0\0\0\0\0.\0...\0..\xfa.([^\0\x01]+)[\0\x01].*\tMacintosh\x01\x06AFP3\.1.\tDHCAST128|s p/Apple Airport Extreme AFP/ i/name: $1; protocol 3.1/ d/WAP/ +#match afp m|^\x01\x03\0\0....\0\0..\0\0\0\0\0.\0...\0..\xfb.([^\0\x01]+)[\0\x01].*AirPort.*AFP3\.2|s p|Apple Airport Extreme/Time Capsule AFP| i/name: $1; protocol 3.2 WAP/ -match login m|^\0\r\nlogin: \^W\^@\^@\^@\^| p/VxWorks logind/ o/VxWorks/ +#match login m|^\0\r\nlogin: \^W\^@\^@\^@\^| p/VxWorks logind/ o/VxWorks/ -match maxdb m|^.Rejected bad connect packet\0$|s p/SAP MaxDB/ +#match maxdb m|^.Rejected bad connect packet\0$|s p/SAP MaxDB/ # OpenSSL/0.9.7aa -match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0| p/OpenSSL/ +#match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0| p/OpenSSL/ # Don't think these 2 are correct: #match ssl m|^\x16\x03\0\x04#\x02\0\0F\x03\0| p/Apache Tomcat SSL/ #match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0| p/Apache mod_ssl/ # Microsoft-IIS/5.0 - note that OpenSSL must go above this one because this is more general -match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s p/Microsoft IIS SSL/ o/Windows/ +#match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s p/Microsoft IIS SSL/ o/Windows/ # Novell Netware 6 Enterprise Web server 5.1 https # Novell Netware Ldap over SSL or enterprise web server 5.1 over SSL -match ssl m|^\x16\x03\0\0:\x02\0\x006\x03\0| p/Novell Netware SSL/ o/NetWare/ -# Very generic: -match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0| +#match ssl m|^\x16\x03\0\0:\x02\0\x006\x03\0| p/Novell Netware SSL/ o/NetWare/ +# Very generic; +#match sslv3 m|^\x16\x03\0\0\*\x02\0\0&\x03\0| # Cisco IDS 4.1 Appliance -match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\xd10:\xbd\\\x8e\xe3\x15\x1c\x0fZ\xe4\x04\x87\x07\xc0\x82\xa9\xd4\x0e\x9c1LXk\xd1\xd2\x0b\x1a\xc6/p\0\0\n\0\x16\x03\0\x026\x0b\0\x022\0| 
p/Cisco IDS SSL/ d/firewall/ +#match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\xd10:\xbd\\\x8e\xe3\x15\x1c\x0fZ\xe4\x04\x87\x07\xc0\x82\xa9\xd4\x0e\x9c1LXk\xd1\xd2\x0b\x1a\xc6/p\0\0\n\0\x16\x03\0\x026\x0b\0\x022\0| p/Cisco IDS SSL/ d/firewall/ # These Nessus match lines might be problematic: -match ssl m|^\x15\x03\0\0\x02\x02\($| p/Nessus security scanner/ -match ssl m|^\x16\x03\x01\0J\x02\0\0F\x03\x01| p/Nessus security scanner/ +#A reply starting with 15 indicates an alert, in this stage most probably a handshake failure +#match ssl m|^\x15\x03\0\0\x02\x02\($| p/Nessus security scanner/ +#match ssl m|^\x16\x03\x01\0J\x02\0\0F\x03\x01| p/Nessus security scanner/ # PGP Corporation Keyserver Web Console 7.0 - custom Apache 1.3 # PGP LDAPS Keyserver 8.X -match ssl m|^\x16\x03\0\0\+\x02\0\0'\x03\0...\?|s p/PGP Corporation product SSL/ +#match ssl m|^\x16\x03\0\0\+\x02\0\0'\x03\0...\?|s p/PGP Corporation product SSL/ # Unreal IRCd SSL # RemotelyAnywhere -match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\?| +#match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\?| # Tumbleweed SecureTransport 4.1.1 Transaction Manager Secure Port on Solaris # Dell Openmanage -match ssl m|^\x15\x03[\x01\x00]\0\x02\x01\0$| p/multi-vendor SSL/ +#match ssl m|^\x15\x03[\x01\x00]\0\x02\x01\0$| p/multi-vendor SSL/ # Probably Oracle https? 
-match ssl m|^}\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Oracle https/ -match ssl m|^\x15\x03\0\0\x02\x02\(31666:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr\.c:881:\n| p/Webmin SSL Control Panel/ -match ssl m|^20928:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr\.c:565:\n| p/qmail-pop3d behind stunnel/ +#match ssl m|^}\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Oracle https/ +#match ssl m|^\x15\x03\0\0\x02\x02\(31666:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr\.c:881:\n| p/Webmin SSL Control Panel/ +#match ssl m|^20928:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr\.c:565:\n| p/qmail-pop3d behind stunnel/ -match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0B| p/Tor over SSL/ -match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*IOS-Self-Signed-Certificate|s p/Cisco IOS ssl/ d/router/ +#match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0B| p/Tor over SSL/ +#match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*IOS-Self-Signed-Certificate|s p/Cisco IOS ssl/ d/router/ -match xtel m|^\x15Annuaire \xe9lectronique| p/xteld/ i/French/ +#match xtel m|^\x15Annuaire \xe9lectronique| p/xteld/ i/French/ -match tor m|^\x16\x03\0\0\*\x02\0\0&\x03\0.*T[oO][rR]1.*[\x00-\x20]([-\w_.]+) <identity>|s p/Tor node/ i/Node name: $1/ +#match tor m|^\x16\x03\0\0\*\x02\0\0&\x03\0.*T[oO][rR]1.*[\x00-\x20]([-\w_.]+) <identity>|s p/Tor node/ i/Node name: $1/ # Sophos Message Router -match ssl/sophos m|^\x16\x03\0.*Router\$([a-zA-Z0-9_-]+).*Sophos EM Certification Manager|s p/Sophos Message Router/ h/$1/ -match ssl/sophos m|^\x16\x03\0.*Sophos EM Certification Manager|s p/Sophos Message Router/ +#match ssl/sophos m|^\x16\x03\0.*Router\$([a-zA-Z0-9_-]+).*Sophos EM Certification Manager|s p/Sophos Message Router/ h/$1/ +#match ssl/sophos m|^\x16\x03\0.*Sophos EM Certification Manager|s p/Sophos Message Router/ # SMB Negotiate Protocol
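Review bot: the three new generic match lines under SSLv23SessionReq ("match sslv2 m|^..\x04\0.\0\x02|", "match tlsv1 m|^\x16\x03\x01..\x02...\x03\x01|" and "match sslv3 m|^\x16\x03\0..\x02...\x03\0|") use "." as a wildcard for the record and handshake length bytes but omit the "s" modifier, so any reply whose length byte happens to be 0x0a (a newline) will not match; append "|s" as the commented-out Microsoft IIS line in the same hunk already does ("m|^\x16\x03\0..\x02\0\0F\x03\0|s"), and likewise on the copies of these patterns kept in the commented-out TLSv1SessionReq and SSLv3SessionReq sections. A second concern: the hunk also comments out match lines that have nothing to do with the SSL version (the afp, login, maxdb, xtel, tor and ssl/sophos lines); those services are still probed on the same port list by the new ClientHello, so their responses should be re-verified against the new probe and the lines kept (or moved to the probe they now answer) rather than silently dropped. Minor: "sollicit" in both probe comments should read "solicit".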
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
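As an added illustration, not code from this thread or from Nmap itself: a Python port of the three generic ServerHello match lines from the proposed SSLv23SessionReq probe, plus the alert case mentioned in the patch comments, run over constructed sample replies. It also emulates Nmap's "s" match option to show why it matters when "." stands in for a length byte.

```python
import re

# Bytes regexes equivalent to the three generic match lines of the proposed
# SSLv23SessionReq probe. re.DOTALL plays the role of Nmap's "s" modifier so
# that "." also matches a 0x0a byte (a record length byte can easily be 0x0a).
SERVERHELLO_PATTERNS = (
    # SSLv2 ServerHello: 2-byte record header, msg type 4, session-id-hit,
    # certificate type, then server version 0x0002
    ("sslv2", re.compile(rb"^..\x04\x00.\x00\x02", re.DOTALL)),
    # TLSv1 ServerHello: record type 0x16, version 3.1, 2-byte length,
    # handshake type 2, 3-byte length, version 3.1 again
    ("tlsv1", re.compile(rb"^\x16\x03\x01..\x02...\x03\x01", re.DOTALL)),
    # SSLv3 ServerHello: same layout with version 3.0 in both places
    ("sslv3", re.compile(rb"^\x16\x03\x00..\x02...\x03\x00", re.DOTALL)),
)
# Record type 0x15 is an alert; this early in the handshake that is almost
# always a handshake failure (e.g. no shared cipher), as the patch comment notes.
ALERT_PATTERN = re.compile(rb"^\x15\x03[\x00\x01]", re.DOTALL)


def classify_ssl_response(data: bytes) -> "str | None":
    """Return 'sslv2', 'sslv3', 'tlsv1', 'alert', or None for a non-SSL reply."""
    for name, pattern in SERVERHELLO_PATTERNS:
        if pattern.match(data):
            return name
    if ALERT_PATTERN.match(data):
        return "alert"
    return None


def nmap_style_match(pattern: bytes, data: bytes, s_modifier: bool) -> bool:
    """Emulate one Nmap match line: only with the 's' option does '.' match a newline byte."""
    return re.match(pattern, data, re.DOTALL if s_modifier else 0) is not None


# Constructed sample replies (not captured from any real server).
SAMPLES = {
    # TLSv1 ServerHello whose record and handshake lengths are both 0x0a:
    # the length bytes are newline bytes, which is exactly where "s" matters.
    "tlsv1": b"\x16\x03\x01\x00\x0a\x02\x00\x00\x0a\x03\x01" + b"\x00" * 8,
    "sslv3": b"\x16\x03\x00\x00\x4a\x02\x00\x00\x46\x03\x00" + b"\x00" * 8,
    "sslv2": b"\x80\x4e\x04\x00\x01\x00\x02" + b"\x00" * 8,
    "alert": b"\x15\x03\x01\x00\x02\x02\x28",
    "http": b"HTTP/1.0 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:6s} -> {classify_ssl_response(reply)}")
```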
Current thread:
- Proposed SSL version detection probe changes Kristof Boeynaems (Feb 08)
- Re: Proposed SSL version detection probe changes doug (Feb 08)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 09)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 09)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 10)
- Re: Proposed SSL version detection probe changes Fyodor (Feb 16)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 09)
- Re: Proposed SSL version detection probe changes Fyodor (Feb 16)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 17)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 18)
- Re: Proposed SSL version detection probe changes doug (Feb 08)