Nmap Development mailing list archives
Floating a bit of an idea - identifying web server/host OS based on SSL handshake results?
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Wed, 12 May 2010 13:40:52 -0500
Folks:

We know how the SSL handshake works, cipher/compression algorithm wise - the client establishes a connection to the server, lists the cryptographic capabilities of the client in order of preference, and the server replies w/ the cipher suite/compression algorithm chosen.

Idea (which needs testing ;)) - for heavily firewalled/obfuscated web servers, an NSE script could establish X SSL connections, each one with a different set of ciphers (permutations on a given set or mutually exclusive sets), and check which one is chosen by the server. My (untested, unproven) theory is that the server-side preference for one algorithm over another is hard coded/defaults never changed, and may allow sorting out not only between Apache/IIS/JSSE-based servers, but maybe between revisions of the same server.

Anyone interested in giving it a shot? I would love to - if I had a bit of extra time ;)

Thanks,
Dario

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
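The probing logic Dario sketches above, written out as an added Python example (not part of the original post, and not an Nmap/NSE script): offer the server every pair of suites from a probe set in both orders, treat "same answer regardless of our order" as evidence that the server imposes its own preference, and turn the pairwise results into a ranking that can be compared against a fingerprint table. The `live_choose` function performs real handshakes with Python's `ssl` module; the simulated server, the probe set and the fingerprint table are constructed for the example and carry no measured data about any real server stack. It also handles the two edge cases the idea runs into in practice: a suite the server simply does not support (which must not be mistaken for a preference) and a server that honours client order (which yields no ranking at all).

```python
"""Infer a TLS server's cipher-suite preference from a series of handshakes."""
import itertools
import socket
import ssl

# Constructed probe set (OpenSSL cipher names), offered pairwise in both orders.
PROBE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
]

# Constructed fingerprint table: hypothetical stacks and the order they are
# assumed to prefer. A real table would be built from measured servers.
FINGERPRINTS = {
    "hypothetical-stack-A": [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "AES128-SHA",
        "DES-CBC3-SHA",
    ],
    "hypothetical-stack-B": [
        "AES128-SHA",
        "DES-CBC3-SHA",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
    ],
}


def live_choose(host, port, timeout=5.0):
    """Return a chooser that does one real TLS handshake per call, offering only
    the given suites in that order, and reports the suite the server selected
    (None if the handshake fails). Certificate checks are off because this is a
    fingerprinting probe, not a client that needs to trust the peer. The probe
    is pinned to TLS 1.2: set_ciphers() does not cover TLS 1.3 suites."""
    def choose(offered):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(":".join(offered))  # keeps our offer order
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return tls.cipher()[0]
        except (OSError, ssl.SSLError):
            return None
    return choose


def simulated_choose(preference, honor_client_order=False):
    """Constructed stand-in for a server: `preference` lists the suites it
    supports in its own order; with honor_client_order it instead takes the
    first mutually supported suite in the client's order."""
    def choose(offered):
        if honor_client_order:
            return next((s for s in offered if s in preference), None)
        return next((s for s in preference if s in offered), None)
    return choose


def infer_preference(choose, suites=PROBE_SUITES):
    """Probe a server and return ("server", ranked) when it imposes its own
    order, or ("client", supported) when it follows the client's order.
    Suites the server rejects when offered alone are excluded first, so an
    unsupported suite is never read as a preference."""
    supported = [s for s in suites if choose([s]) == s]
    wins = {s: 0 for s in supported}
    server_order_seen = False
    for a, b in itertools.combinations(supported, 2):
        forward, reverse = choose([a, b]), choose([b, a])
        if forward == reverse and forward in wins:
            server_order_seen = True  # same pick in both orders: server decided
            wins[forward] += 1
        # otherwise the server echoed our order: no preference information
    if not server_order_seen:
        return "client", supported
    # With a consistent total order every suite has a distinct win count.
    ranked = sorted(supported, key=lambda s: wins[s], reverse=True)
    return "server", ranked


def match_fingerprints(ranked, table=FINGERPRINTS):
    """Names of stacks whose preference, restricted to the suites we could
    actually rank, equals the observed ranking."""
    return [name for name, pref in table.items()
            if [s for s in pref if s in ranked] == ranked]


if __name__ == "__main__":
    mode, ranked = infer_preference(simulated_choose(FINGERPRINTS["hypothetical-stack-A"]))
    print(mode, ranked, match_fingerprints(ranked))
```

Against a real host you would pass `live_choose(host, 443)` to `infer_preference` in place of the simulated chooser. Note that a pairwise sweep costs n(n-1) handshakes plus n single-suite probes, so the probe set should stay small; and the same machinery tells a defender whether their own server's cipher ordering is distinctive enough to be worth fingerprinting.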