Nmap Development mailing list archives
Re: Supporting SNI throughout NSE
From: David Fifield <david () bamsoftware com>
Date: Mon, 16 Aug 2010 11:47:07 -0600
On Fri, Aug 13, 2010 at 04:11:12PM -0700, Fyodor wrote:
On Fri, Aug 13, 2010 at 04:35:41PM -0600, David Fifield wrote:What I propose is extending socket:connect to allow passing host and port tables as an alternative to a string and a number, like we do in lots of other places. If we get a table, we'll use host.targetname for SNI. If we get a host name, we'll resolve it and use it as the SNI. How does this sound? It won't break backward compatibility, but all code will have to be updated in order to support SNI.It sounds good to me! I can think of many cases where we might want to use SNI against servers other than the listed targets (like for following redirects, or prerule scripts where we don't have a host structure), so I'd suggest that we just note the required table members (and note that the normal host/ports tables meet the requirements) rather than simply asking people to pass the host/port tables. Also, even if someone passes a table for the host (to enable SNI), I think they should still be allowed to pass a plain port number.
I have committed this change to nmap.connect, and so far I've update http.lua and comm.lua to use the host and port tables. Now this is the output: $ nmap --script='html-title' -Pn -n xn--j4h.ws xn--k4h.ws -p443 Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-16 11:43 MDT Nmap scan report for xn--j4h.ws (173.45.234.167) Host is up (0.060s latency). PORT STATE SERVICE 443/tcp open https |_html-title: ☢ Nmap scan report for xn--k4h.ws (173.45.234.167) Host is up (0.059s latency). PORT STATE SERVICE 443/tcp open https |_html-title: ☣ Nmap done: 2 IP addresses (2 hosts up) scanned in 0.80 seconds The things to notice are that both domains resolve to the same IP address, both are HTTPS, and they return different HTML titles ("☢" versus "☣"). I've documented what the necessary table format is, but I think that specially crafted host tables won't be used much, because if you just supply a string to nmap.connect, it will use that string as the SNI name. I'll now go and update other code that is still using host.ip and port.number. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Supporting SNI throughout NSE David Fifield (Aug 13)
- Re: Supporting SNI throughout NSE Fyodor (Aug 13)
- Re: Supporting SNI throughout NSE David Fifield (Aug 16)
- Re: Supporting SNI throughout NSE David Fifield (Aug 16)
- Re: Supporting SNI throughout NSE David Fifield (Aug 16)
- Re: Supporting SNI throughout NSE Fyodor (Aug 13)