Nmap Development mailing list archives
[NSE] nselib / sslcert.lua - breaking when used w/ version detection
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 25 Oct 2014 06:28:23 -0500
There is a problem with ssl-enum-ciphers.nse when run with version detection against certain services. The root cause is in sslcert.lua where functions 'getPrepareTLSWithoutReconnect' and 'isPortSupported' perform a lookup against a port or service name to determine if STARTTLS should be used against a given port to negotiate SSL/TLS. No issues occur if provided a port number. The problem arises when version detection is used against a service that is in the lookup table, such as ldap or smtp, and that service is already wrapped in SSL/TLS. The functions will still return a function that the scripts will then use to try to use STARTTLS, resulting in invalid data and a dropped connection.

For example, the functions' logic works fine against non-TLS LDAP on port 389/tcp but will fail against LDAP/S on port 636/tcp. Similar results can be seen on SMTP on port 25 vs SMTPS on port 465/tcp. I have experienced this against LDAP/S (636/tcp), SMTPS (465/tcp), POP3S (995/tcp) and IMAP/S (993/tcp).

Example:

Does not work, simply returns version detection information:

    nmap -sSV --script=ssl-enum-ciphers -p465 <mail_server_w/_TLS>

    PORT    STATE SERVICE  VERSION
    465/tcp open  ssl/smtp BigName smtp

No version detection, works as expected and returns ciphers:

    nmap -sS --script=ssl-enum-ciphers -p465 <mail_server_w/_TLS>

    PORT    STATE SERVICE  VERSION
    465/tcp open  ssl/smtp BigName smtp
    | ssl-enum-ciphers:
    |   SSLv3:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    <snip>

This problem will also affect the ssl-ccs-injection, ssl-date, ssl-heartbleed, and ssl-poodle scripts.

To fix this I have attached a patch that adds checks to these two functions that determine if the specified port is already wrapped with TLS and return nil if so.

Thanks much,

Tom Sellers
Attachment: sslcert_tls_detect.patch
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
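An added illustration of the check the post describes, written for this page and not taken from the attached patch or from sslcert.lua: a stand-alone Lua sketch of the port/service lookup with the extra "already wrapped in TLS" test in front of it. The lookup table contents and the starttls_* helpers are placeholders, and the port tables are constructed to mimic the NSE port table, including the port.version.service_tunnel field that version detection sets to "ssl" for a service found behind TLS.

```lua
-- Added illustration (not the attached patch): a self-contained sketch of the
-- lookup the post describes, with the "already wrapped in TLS" check in front.
-- starttls_* are placeholders standing in for the per-protocol STARTTLS
-- helpers; the port tables below are constructed to mimic the NSE port table
-- (port.number, port.service, port.version.service_tunnel).

local function starttls_smtp(host, port) return "smtp STARTTLS" end
local function starttls_ldap(host, port) return "ldap STARTTLS" end

-- Keyed both by port number and by service name, as the post describes.
local SPECIALIZED_PREPARE_TLS = {
  ldap = starttls_ldap, [389] = starttls_ldap,
  smtp = starttls_smtp, [25]  = starttls_smtp, [587] = starttls_smtp,
}

-- Returns the STARTTLS helper for a port, or nil when the connection should
-- simply be wrapped in TLS directly.
local function getPrepareTLSWithoutReconnect(port)
  -- The check the post proposes: version detection marks a service that is
  -- already inside SSL/TLS with service_tunnel == "ssl" (e.g. ssl/smtp on
  -- 465/tcp). Such a port needs no STARTTLS, so bail out before the name
  -- lookup below can match "smtp" or "ldap".
  if port.version and port.version.service_tunnel == "ssl" then
    return nil
  end
  return SPECIALIZED_PREPARE_TLS[port.number]
      or SPECIALIZED_PREPARE_TLS[port.service]
end

local function isPortSupported(port)
  return getPrepareTLSWithoutReconnect(port) ~= nil
end

-- Constructed samples: plain SMTP on 25/tcp, plus the SMTPS-on-465 and
-- LDAP/S-on-636 cases from the post as version detection reports them
-- (service name "smtp"/"ldap", tunnel "ssl").
local smtp_25   = { number = 25,  service = "smtp", version = { service_tunnel = "none" } }
local smtps_465 = { number = 465, service = "smtp", version = { service_tunnel = "ssl" } }
local ldaps_636 = { number = 636, service = "ldap", version = { service_tunnel = "ssl" } }

assert(isPortSupported(smtp_25))        -- STARTTLS helper returned, as before
-- Without the tunnel check, the "smtp"/"ldap" name lookup would match these
-- two and a STARTTLS exchange would be attempted inside an existing TLS session.
assert(not isPortSupported(smtps_465))
assert(not isPortSupported(ldaps_636))
print("ok")
```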
Current thread:
- [NSE] nselib / sslcert.lua - breaking when used w/ version detection Tom Sellers (Oct 25)
- Re: [NSE] nselib / sslcert.lua - breaking when used w/ version detection Daniel Miller (Oct 25)
- Re: [NSE] nselib / sslcert.lua - breaking when used w/ version detection Tom Sellers (Oct 25)
- Re: [NSE] nselib / sslcert.lua - breaking when used w/ version detection Daniel Miller (Oct 25)