Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

sslstrip -sV false positives

From: Jacek Wielemborek <d33tah () gmail com>
Date: Mon, 24 Mar 2014 16:18:33 +0100
Hi,

Today _ynk on IRC reported that the Nmap 6.40 recognized his home router's 
HTTP port as sslstrip. Bonsaiviking pointed out that the patterns for sslstrip 
is quite likely to produce false positives. Here's what the patterns look 
like:

match http-proxy m|^HTTP/1\.1 400 Bad Request\r\n\r\n$| p/sslstrip/
match http-proxy m|^HTTP/1\.0 200 OK\r\n\r\n$| p/sslstrip/

Perhaps we should change the product name to 'sslstrip?' to suggest that it's 
not exactly reliable? I couldn't get a fingerprint, but here's debug log of the 
probing:

Starting probes against new service: 192.168.1.10:80 (tcp)
Service scan sending probe NULL to 192.168.1.10:80 (tcp)
Service scan sending probe GetRequest to 192.168.1.10:80 (tcp)
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Service scan sending probe HTTPOptions to 192.168.1.10:80 (tcp)
Service scan sending probe RTSPRequest to 192.168.1.10:80 (tcp)
Service scan sending probe X11Probe to 192.168.1.10:80 (tcp)
Service scan sending probe FourOhFourRequest to 192.168.1.10:80 (tcp)
Service scan sending probe GenericLines to 192.168.1.10:80 (tcp)
Service scan match (Probe GenericLines matched with GenericLines line 4615): 
192.168.1.10:80 is http-proxy.  Version: |sslstrip|||
Completed Service scan at 17:01, 24.26s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.1.10.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting 'skypev2-version' (thread: 0x1bffac0) against 192.168.1.10:80.
Initiating NSE at 17:01
NSE: TCP 192.168.1.15:40556 > 192.168.1.10:80 | CONNECT
NSE: TCP 192.168.1.15:40556 > 192.168.1.10:80 | 00000000: 47 45 54 20 2f 20 48 
54 54 50 2f 31 2e 30 0d 0a GET / HTTP/1.0  
00000010: 0d 0a                                             

NSE: TCP 192.168.1.15:40556 > 192.168.1.10:80 | SEND
NSE: TCP 192.168.1.15:40556 < 192.168.1.10:80 | 00000000: 48 54 54 50 2f 31 2e 
31 20 34 30 30 20 42 61 64 HTTP/1.1 400 Bad
00000010: 20 52 65 71 75 65 73 74 0d 0a 0d 0a              Request    

NSE: TCP 192.168.1.15:40556 > 192.168.1.10:80 | CLOSE
NSE: Finished 'skypev2-version' (thread: 0x1bffac0) against 192.168.1.10:80.
Completed NSE at 17:01, 0.01s elapsed

Yours,
Jacek Wielemborek

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: