Nmap Development mailing list archives

[NSE] nselib / sslcert.lua - breaking when used w/ version detection


From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 25 Oct 2014 06:28:23 -0500

There is a problem with ssl-enum-ciphers.nse when run with version detection
against certain services.  The root cause is in sslcert.lua where functions
'getPrepareTLSWithoutReconnect' and 'isPortSupported' perform a lookup against
a port or service name to determine if STARTTLS should be used against a
given port to negotiate SSL/TLS. No issues occur if provided a port number.

The problem arises when version detection is used against a service that
is in the lookup table, such as ldap or smtp, and that service is already
wrapped in SSL/TLS. The functions will still return a function that the
scripts will then use to try to use STARTTLS, resulting in invalid data and
a dropped connection.

For example, the functions' logic works fine against non-TLS LDAP on port
389/tcp but will fail against LDAP/S on port 636/tcp.  Similar results
can be seen on SMTP on port 25 vs SMTPS on port 465/tcp.

I have experienced this against LDAP/S (636/tcp), SMTPS (465/tcp), POP3S
(995/tcp) and IMAP/S (993/tcp).

Example:

Does not work, simply returns version detection information

  nmap -sSV --script=ssl-enum-ciphers -p465  <mail_server_w/_TLS>

  PORT    STATE SERVICE  VERSION
  465/tcp open  ssl/smtp BigName smtp


No version detection, works as expected and returns ciphers

  nmap -sS --script=ssl-enum-ciphers -p465 <mail_server_w/_TLS>


  PORT    STATE SERVICE  VERSION
  465/tcp open  ssl/smtp BigName smtp
  | ssl-enum-ciphers:
  |   SSLv3:
  |     ciphers:
  |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
  |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
  |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
  |       TLS_RSA_WITH_RC4_128_SHA - strong
  |       TLS_RSA_WITH_RC4_128_MD5 - strong
  |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
  <snip>


This problem will also affect the ssl-ccs-injection, ssl-date, ssl-heartbleed,
and ssl-poodle scripts.  To fix this I have attached a patch that adds checks
to these two functions that determine if the specified port is already
wrapped with TLS and return nil if so.


Thanks much,

Tom Sellers

Attachment: sslcert_tls_detect.patch

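As an added illustration (not Nmap's sslcert.lua and not the attached patch), here is a standalone Lua sketch of the port/service lookup the message describes, with the "already wrapped in TLS" guard beside the original behaviour. It assumes the guard reads NSE's port.version.service_tunnel field (set to "ssl" by version detection); the port tables and STARTTLS stand-ins are constructed for the demo.

```lua
-- Stand-ins for the STARTTLS negotiators that sslcert.lua hands back to scripts.
local function starttls_smtp(host, port) return "EHLO/STARTTLS on " .. port.number end
local function starttls_ldap(host, port) return "LDAP StartTLS on " .. port.number end

-- Lookup keyed by port number and by service name, as in the original functions.
local SPECIALIZED = {
  [25]  = starttls_smtp, smtp = starttls_smtp,
  [389] = starttls_ldap, ldap = starttls_ldap,
}

-- Original behaviour: a service-name match wins even when -sV has already
-- established that the socket is SSL/TLS-wrapped (ssl/smtp, ssl/ldap, ...).
local function get_prepare_tls_old(port)
  return SPECIALIZED[port.number] or SPECIALIZED[port.service]
end

-- Guarded behaviour: refuse to return a STARTTLS helper for a TLS-wrapped port,
-- so the caller falls through to a direct TLS handshake instead.
-- Assumption: version detection records the wrapping in port.version.service_tunnel.
local function is_tls_wrapped(port)
  return port.version ~= nil and port.version.service_tunnel == "ssl"
end

local function get_prepare_tls_new(port)
  if is_tls_wrapped(port) then return nil end
  return SPECIALIZED[port.number] or SPECIALIZED[port.service]
end

-- Constructed port tables standing in for scan results described in the message.
-- The last row is the -sS view of 465/tcp: service name from nmap-services, no -sV.
local ports = {
  { number = 25,  service = "smtp",  version = { service_tunnel = "none" } },
  { number = 465, service = "smtp",  version = { service_tunnel = "ssl"  } },
  { number = 389, service = "ldap",  version = { service_tunnel = "none" } },
  { number = 636, service = "ldap",  version = { service_tunnel = "ssl"  } },
  { number = 465, service = "smtps", version = { service_tunnel = "none" } },
}

for _, p in ipairs(ports) do
  local old = get_prepare_tls_old(p)
  local new = get_prepare_tls_new(p)
  print(string.format("%d/%-6s old: %-9s new: %s", p.number, p.service,
    old and "STARTTLS" or "nil", new and "STARTTLS" or "nil (direct TLS)"))
end
```

Rows 465/smtp and 636/ldap are the failing cases from the message: the old lookup returns a STARTTLS helper for them, the guarded version returns nil so the script negotiates TLS directly.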
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
