Nmap Development mailing list archives
Re: [PATCH] Extended SSL support in Nmap, review
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Tue, 31 Mar 2009 13:09:47 +0200
On Mon, Mar 30, 2009 at 10:09 PM, David Fifield <david () bamsoftware com> wrote:
On Sun, Mar 22, 2009 at 04:26:50PM +0100, Kristof Boeynaems wrote:Here are the results of that slightly more extensive test. Note that this was still done with nmap-4.85BETA3. Command: nmap -T4 -v -n -PN -sV -p443,465,636,990,995,993 -iL <list of about 700 random SSL servers collected earlier via an iR scan> -d -oA <filename> Results: # nmap-4.85BETA3 - scanned in 1866.96 seconds - Total number of hosts with at least one port open: 611 - Total number of SSL hosts (hosts with at least one ' ssl/' result): 541 - Total of open SSL ports detected (' ssl/'): 781, - Number of open SSL ports detected and successfully investigated (' ssl/something'): 709 - Number of open SSL ports detected and not successfully investigated (' ssl/unknown'): 72 # nmap-4.85BETA3 with two extra general SSL lines in nmap-service-probes file (see below) - scanned in 1832.99 seconds - Total number of hosts with at least one port open: 615 - Total number of SSL hosts (hosts with at least one ' ssl/' result): 593 - Total of open SSL ports detected (' ssl/'): 888, - Number of open SSL ports detected and successfully investigated (' ssl/something'): 801 - Number of open SSL ports detected and not successfully investigated (' ssl/unknown'): 87These results are impressive. I have just a few questions before integrating your nmap-service-probes patch. The TLSv1 handshake error match line is identical to a match line that already existed: # These Nessus match lines might be problematic: match ssl m|^\x15\x03\0\0\x02\x02\($| p/Nessus security scanner/ # Generic: TLSv1 Handshake error: match ssl m|^\x15\x03\0\0\x02\x02\($| p/TLSv1/ So the increase in the number of detected servers must have been completely because of the new SSLv3 ServerHello line: # Generic: SSLv3 ServerHello: match ssl m|^\x16\x03\0..\x02...\x03\0| p/SSLv3/ Is it reasonable that all the change is due to this match line?
The TLS match line will only be triggered in case of a TLSv1-only host. Most SSL hosts out there, though, are SSLv3-compatible, and will reply with SSLv3 to the SSLv3 ClientHello. (Note that the current SSLSessionReq probe is actually an SSLv3 ClientHello probe; in my patch I also added a comment clarifying this in front of the probe.) So a match of the TLSv1 match line is really rare. You are right though, that this line is identical to the Nessus match line. In an earlier patch (see http://seclists.org/nmap-dev/2009/q1/0357.html), I commented out the lines that were "too generic" (in my opinion), but I did not do that in this patch, as I wanted to interfere as little as possible with existing match lines. I copied these other "too generic" match lines again below for your information: #Too generic#match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0| p/OpenSSL/ #Too generic#match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s p/Microsoft IIS SSL/ o/Windows/ #Too generic#match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0| #Too generic#match ssl m|^\x16\x03\x01\0J\x02\0\0F\x03\x01| p/Nessus security scanner/ Compare this too the new generic SSLv3 ServerHello match line: match ssl m|^\x16\x03\0..\x02...\x03\0| p/SSLv3/ As you can see, the only "application-dependent" information in this part of the SSLv3 ServerHello are the two length fields, which are denoted by points ('.') in the generic match line (to make it generic). I am not convinced that depending on these length fields is a reliable way of fingerprinting the SSL application, but it might make sense in some isolated cases. For the above examples, though, I believe it would be better to get rid of the match lines, and to let "probing-over-SSL" take care of the further fingerprinting, after having matched the generic SSLv3 match line.
Should we just get rid of the Nessus line if we adopt this patch?
So yes, I would recommend getting rid of the Nessus match line, as well as these other "too generic" match lines, because they really only match a generic SSLv3 ServerHello/TLSv1 handshake error. Cheers, Kristof PS: By the way, by looking up thread http://seclists.org/nmap-dev/2009/q1/0357.html again, I realized that I should have posted this patch there instead; sorry about the mix up, I am having too many different SSL threads going on :) _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: [PATCH] Extended SSL support in Nmap, (continued)
- Re: [PATCH] Extended SSL support in Nmap Brandon Enright (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap Kristof Boeynaems (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap Brandon Enright (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap Kristof Boeynaems (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap doug (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap Kristof Boeynaems (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap, review David Fifield (Mar 02)
- Re: [PATCH] Extended SSL support in Nmap, review Kristof Boeynaems (Mar 03)
- Re: [PATCH] Extended SSL support in Nmap, review David Fifield (Mar 03)
- Re: [PATCH] Extended SSL support in Nmap, review Kristof Boeynaems (Mar 22)
- Re: [PATCH] Extended SSL support in Nmap, review David Fifield (Mar 30)
- Re: [PATCH] Extended SSL support in Nmap, review Kristof Boeynaems (Mar 31)
- Re: [PATCH] Extended SSL support in Nmap, review David Fifield (Mar 31)
- Re: [PATCH] Extended SSL support in Nmap, review Kristof Boeynaems (Mar 03)
- Re: [PATCH] Extended SSL support in Nmap Brandon Enright (Feb 21)