Nmap Development mailing list archives

Re: some ssl version scanning not working


From: Matt Selsky <selsky () columbia edu>
Date: Sun, 23 Jan 2011 12:26:56 -0500

Quoting David Fifield <david () bamsoftware com>:

> On Mon, Jan 03, 2011 at 01:31:28PM -0500, Matt Selsky wrote:
>
>> On Jan 1, 2011, at 8:20 PM, David Fifield wrote:
>>
>>> On Fri, Dec 31, 2010 at 03:14:13AM -0500, Matt Selsky wrote:
>>>> I'm having trouble scanning some SSL services (Oracle Enterprise Manager
>>>> agents in this case) that used to work.  I'm running svn trunk...
>>>>
>>>> $ ./nmap --datadir . -sV -p3872 -d angelica
>>>>
>>>> Starting Nmap 5.36TEST3 ( http://nmap.org ) at 2010-12-31 02:58 EST
>>>> --------------- Timing report ---------------
>>>>  hostgroups: min 1, max 100000
>>>>  rtt-timeouts: init 1000, min 100, max 10000
>>>>  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>>>>  parallelism: min 0, max 0
>>>>  max-retries: 10, host-timeout: 0
>>>>  min-rate: 0, max-rate: 0
>>>> ---------------------------------------------
>>>> NSE: Loaded 8 scripts for scanning.
>>>> Initiating Ping Scan at 02:58
>>>> Scanning angelica (10.59.213.70) [2 ports]
>>>> Completed Ping Scan at 02:58, 0.00s elapsed (1 total hosts)
>>>> Overall sending rates: 2980.63 packets / s.
>>>> mass_rdns: Using DNS server 10.59.59.70
>>>> mass_rdns: Using DNS server 10.59.62.10
>>>> Initiating Parallel DNS resolution of 1 host. at 02:58
>>>> mass_rdns: 0.01s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
>>>> Completed Parallel DNS resolution of 1 host. at 02:58, 0.01s elapsed
>>>> DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
>>>> Initiating Connect Scan at 02:58
>>>> Scanning angelica (10.59.213.70) [1 port]
>>>> Discovered open port 3872/tcp on 128.59.213.70
>>>> Completed Connect Scan at 02:58, 0.00s elapsed (1 total ports)
>>>> Overall sending rates: 1396.65 packets / s.
>>>> Initiating Service scan at 02:58
>>>> Scanning 1 service on angelica (10.59.213.70)
>>>> Got nsock CONNECT response with status ERROR - aborting this service
>>>
>>> Do you think this is the same error you were getting with ssl-cert.nse?
>>> http://seclists.org/nmap-dev/2010/q4/71
>>>
>>> It would be a big help if you can identify a revision when this started
>>> happening.
>>
>> r19801 broke things for the Google Search appliance scan.
>>
>> "Let nmap.connect take a host table and port table in place of a string
>> and an integer. This is going to be used to easily support Server Name
>> Indication for SSL connections."
>>
>> I'm still working out what commit broke the OEM agent probe.
>
> Good work. I'll check it out.

Update, latest version of svn trunk has the following debug output:

$ ./nmap --datadir=. -sV -p3872 -dd marionberry

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-01-23 12:16 EST
[...]
Initiating Service scan at 12:16
Scanning 1 service on marionberry (128.59.213.94)
Starting probes against new service: 128.59.213.94:3872 (tcp)
Service scan sending probe NULL to 128.59.213.94:3872 (tcp)
Service scan sending probe GetRequest to 128.59.213.94:3872 (tcp)
Service scan match (Probe GetRequest matched with GetRequest): 128.59.213.94:3872 is ssl. Version: |TLS|1.0||
Got nsock CONNECT response with status ERROR - aborting this service
Completed Service scan at 12:16, 6.01s elapsed (1 service on 1 host)
[...]
NSE: Script scanning 128.59.213.94.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for marionberry (128.59.213.94)
Host is up, received conn-refused (0.0010s latency).
rDNS record for 128.59.213.94: marionberry.cc.columbia.edu
Scanned at 2011-01-23 12:16:31 EST for 6s
PORT     STATE SERVICE        REASON  VERSION
3872/tcp open  ssl/oem-agent? syn-ack
[...]

SSL is detected as TLS 1.0.

This doesn't match openssl's s_client. For that application, I need to explicitly disable TLSv1 via -no_tls1, or I need to specify SSLv3 only via -ssl3. s_client cannot connect when it tries the default SSLv2/v3 behavior.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
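The disagreement above (nmap reports TLS 1.0, s_client only connects with -ssl3 or -no_tls1) is the kind of thing a per-version handshake probe settles. The following is an added example, not code from the thread or from Nmap: it builds a minimal SSLv3 or TLS 1.0 ClientHello, sends it, and classifies the first record the server returns (ServerHello with its negotiated version, or an Alert). Host, port and the cipher suites offered are assumptions.

```python
import socket
import struct

# Record-layer / handshake version codes for the two protocols the thread compares.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1)}

def build_client_hello(major, minor):
    """Build a minimal ClientHello (two cipher suites, no extensions) inside one TLS record."""
    body = struct.pack(">BB", major, minor)            # client_version
    body += b"\x00" * 32                               # random (constructed, all zero)
    body += b"\x00"                                    # session_id length 0
    # Offer TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) and TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    body += struct.pack(">H", 4) + b"\x00\x0a\x00\x2f"
    body += b"\x01\x00"                                # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    # ContentType handshake(22), record version, record length
    return b"\x16" + struct.pack(">BBH", major, minor, len(hs)) + hs

def parse_server_response(data):
    """Classify the first record: ('ServerHello', (major, minor)), ('Alert', description) or ('Unknown', None)."""
    if len(data) < 5:
        return ("Unknown", None)
    ctype, _rmaj, _rmin, rlen = struct.unpack(">BBBH", data[:5])
    payload = data[5:5 + rlen]
    if ctype == 21 and len(payload) >= 2:              # alert: level, description
        return ("Alert", payload[1])
    if ctype == 22 and len(payload) >= 6 and payload[0] == 2:  # handshake, server_hello(2)
        return ("ServerHello", (payload[4], payload[5]))       # server_version follows 4-byte header
    return ("Unknown", None)

def probe_version(host, port, name, timeout=5.0):
    """Send a ClientHello for one protocol version and report how the server answers."""
    major, minor = VERSIONS[name]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(major, minor))
        return parse_server_response(s.recv(4096))

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])          # e.g. a host and port 3872
    for name in VERSIONS:
        print(name, probe_version(host, port, name))
```

A server that answers the TLSv1.0 hello with a ServerHello but the SSLv3 hello with a handshake_failure alert (description 40) explains the s_client behaviour described above.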
