Nmap Development mailing list archives

Re: Supporting SNI throughout NSE

From: David Fifield <david () bamsoftware com>
Date: Mon, 16 Aug 2010 11:47:07 -0600

On Fri, Aug 13, 2010 at 04:11:12PM -0700, Fyodor wrote:

On Fri, Aug 13, 2010 at 04:35:41PM -0600, David Fifield wrote:


What I propose is extending socket:connect to allow passing host and
port tables as an alternative to a string and a number, like we do
in lots of other places. If we get a table, we'll use
host.targetname for SNI. If we get a host name, we'll resolve it and
use it as the SNI.

How does this sound? It won't break backward compatibility, but all code
will have to be updated in order to support SNI.


It sounds good to me!  I can think of many cases where we might want
to use SNI against servers other than the listed targets (like for
following redirects, or prerule scripts where we don't have a host
structure), so I'd suggest that we just note the required table
members (and note that the normal host/ports tables meet the
requirements) rather than simply asking people to pass the host/port
tables.  Also, even if someone passes a table for the host (to enable
SNI), I think they should still be allowed to pass a plain port
number.


I have committed this change to nmap.connect, and so far I've update
http.lua and comm.lua to use the host and port tables. Now this is the
output:

$ nmap --script='html-title' -Pn -n xn--j4h.ws xn--k4h.ws -p443           
Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-16 11:43 MDT
Nmap scan report for xn--j4h.ws (173.45.234.167)
Host is up (0.060s latency).
PORT    STATE SERVICE
443/tcp open  https
|_html-title: &#9762;

Nmap scan report for xn--k4h.ws (173.45.234.167)
Host is up (0.059s latency).
PORT    STATE SERVICE
443/tcp open  https
|_html-title: &#9763;

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.80 seconds

The things to notice are that both domains resolve to the same IP
address, both are HTTPS, and they return different HTML titles
("&#9762;" versus "&#9763;").

I've documented what the necessary table format is, but I think that
specially crafted host tables won't be used much, because if you just
supply a string to nmap.connect, it will use that string as the SNI
name.

I'll now go and update other code that is still using host.ip and
port.number.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Supporting SNI throughout NSE David Fifield (Aug 13)
- Re: Supporting SNI throughout NSE Fyodor (Aug 13)
  - Re: Supporting SNI throughout NSE David Fifield (Aug 16)
    - Re: Supporting SNI throughout NSE David Fifield (Aug 16)