Nmap Development mailing list archives
Re: ssl-enum-ciphers with just hostname fails
From: Kent Fritz <kfritz () wolfman devio us>
Date: Sat, 25 Oct 2014 17:17:27 -0400
I couldn't get top-of-tree to build in my environment, and the latest script wouldn't run on 6.47, but the patch did apply on the 6.47 version. But it didn't fix the problem. I'll send you the capture I mentioned off-list.

On Fri, Oct 24, 2014 at 09:23:54PM -0500, Daniel Miller wrote:
Kent,

Would you mind trying the attached patch to see if it works for you? It checks for a fatal unrecognized_name alert and retries after removing the SNI extension entirely.

Dan

On Fri, Oct 24, 2014 at 4:11 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

Kent,

Thanks for noticing the problem. It makes sense that we're not handling this properly: we try to do the server name extension with the best info we have, but don't try to fall back to just IP (no SNI extension) if there's a failure. It would certainly help to have your pcap file, though I'd guess I could replicate it by setting a bogus /etc/hosts entry for a server that supports SNI and scanning with that name.

Dan

On Fri, Oct 24, 2014 at 4:04 PM, Kent Fritz <kfritz () wolfman devio us> wrote:

I was scanning some servers on my network, and found that ssl-enum-ciphers seems to skip TLSv1 and above if you just use the hostname rather than the FQDN or IP address. The first TLS record from the server is a warning about the name, and it appears the code tries to handle it, but it just doesn't work. I have -d output and a pcap I can send off-list if anyone wants to look.

Thanks,
Kent.

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse index e8b8592..5554503 100644 --- a/scripts/ssl-enum-ciphers.nse +++ b/scripts/ssl-enum-ciphers.nse @@ -340,8 +340,8 @@ local function find_ciphers_group(host, port, protocol, group) ["protocol"] = protocol, ["extensions"] = tcopy(base_extensions), } - if host.targetname then - t["extensions"]["server_name"] = tls.EXTENSION_HELPERS["server_name"](host.targetname) + if host.registry.ssl_sni then + t["extensions"]["server_name"] = tls.EXTENSION_HELPERS["server_name"](host.registry.ssl_sni) end -- This is a hacky sort of tristate variable. There are three conditions: @@ -354,6 +354,13 @@ local function find_ciphers_group(host, port, protocol, group) record = try_params(host, port, t) + if record and record.protocol == protocol and record.type == "alert" and record.body[1].description == "unrecognized_name" then + ctx_log(1, protocol, "Server rejected SNI name. Retrying.") + host.registry.ssl_sni = false + t.extensions.server_name = nil + record = try_params(host, port, t) + end + if record == nil then if protocol_worked then ctx_log(2, protocol, "%d ciphers rejected. (No handshake)", #group) @@ -733,6 +740,13 @@ action = function(host, port) local condvar = nmap.condvar(results) local threads = {} + -- nil => not set + -- false => targetname doesn't work + -- string => use this value + if host.registry.ssl_sni == nil then + host.registry.ssl_sni = host.targetname + end + for name, _ in pairs(tls.PROTOCOLS) do stdnse.debug1("Trying protocol %s.", name) local co = stdnse.new_thread(try_protocol, host, port, name, results)
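Review bot: in the first hunk (the `if host.targetname then` replacement at line 340), `host.registry.ssl_sni` is an unprefixed key in the per-host registry that every script run against this host shares, so any other SSL script that picks the same name would silently switch SNI on or off for find_ciphers_group; a script-specific key such as `ssl_enum_ciphers_sni` avoids the collision. The function now also depends on action having seeded that key: `if host.registry.ssl_sni then` treats nil ("not set") exactly like false ("don't send SNI"), so a caller that skipped the seeding gets a hello without server_name and no log line saying why. A one-line comment here pointing at the tristate in action, or a debug message on the nil case, would make that visible.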
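Review bot: in the retry hunk (after `record = try_params(host, port, t)` at line 354), the condition checks `record.body[1].description == "unrecognized_name"` but never looks at `record.body[1].level`, so the patch does not do what the mail says ("a fatal unrecognized_name alert"): a warning-level alert takes the same branch. That matters because RFC 6066 section 3 lets a server send unrecognized_name as a warning and then continue the handshake, which is what Kent describes in his capture ("a warning about the name"); on that path the ServerHello is already on the wire, and the right move is to keep reading records on the same connection rather than tear down SNI and resend. Suggest branching on the level: fatal drops SNI and retries as here, warning reads the next record. Two smaller points in the same condition: `record.body[1]` is indexed without checking that the alert body is non-empty, and `record.protocol == protocol` will skip the retry when the server stamps its alert with a different record-layer version than the one being probed, which servers commonly do for alerts sent before version negotiation completes. Finally, try_protocol runs one thread per protocol, so each thread can take this retry path once before the shared flag flips; that is harmless but worth noting in the comment so the repeated "Server rejected SNI name. Retrying." lines in -d output are not read as a bug.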
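Review bot: in the action hunk (the `host.registry.ssl_sni == nil` seeding at line 740), the tristate comment is incomplete: when the target was given as an IP address `host.targetname` is nil, so the assignment leaves the key nil, the "not set" state is indistinguishable from "no name available", and the `== nil` guard re-runs on every invocation. Either document that nil also covers "no targetname" or seed with `host.targetname or false` so the three states in the comment are the three states the code can actually hold. The fallback itself should also be mentioned in the script's NSEDoc description, since a user who sees TLSv1+ results for a bare hostname would otherwise have no hint that the SNI extension was dropped on the way to them.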
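The exchange the thread is debugging, as an added example that is not part of the thread or of Nmap's scripts: a ClientHello with a server_name extension, the server's unrecognized_name alert, and the fallback of resending without SNI. It is written in Python rather than NSE Lua, the "server" is a constructed in-memory stub (`make_server`) and not a real TLS peer, and the function and variable names (`negotiate`, `read_record`, `sni_from_client_hello`, the `registry` dict standing in for `host.registry`) are the example's own. It goes one step beyond the patch and handles both alert levels allowed by RFC 6066: a fatal alert triggers the retry without SNI, a warning-level alert is followed by the server's own ServerHello and is simply read past.

```python
import struct

# Constants from RFC 5246 (record layer, alerts) and RFC 6066 (server_name, unrecognized_name).
CT_ALERT, CT_HANDSHAKE = 21, 22
ALERT_WARNING, ALERT_FATAL = 1, 2
UNRECOGNIZED_NAME = 112
EXT_SERVER_NAME = 0
TLS10 = 0x0301


def sni_extension(hostname):
    """server_name extension with one host_name entry (RFC 6066 section 3)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst


def client_hello(version, cipher_suites, sni=None):
    """Minimal ClientHello record; the SNI extension is added only when sni is a string."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                           # compression_methods: null only
    if sni:
        ext = sni_extension(sni)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # client_hello(1), 24-bit length
    return struct.pack("!BHH", CT_HANDSHAKE, version, len(hs)) + hs


def read_record(data):
    """Split the first TLS record off data: (content_type, version, body, remaining)."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("truncated TLS record")
    return ctype, version, data[5:5 + length], data[5 + length:]


def sni_from_client_hello(record):
    """host_name carried by a ClientHello record, or None when it has no SNI extension."""
    _, _, hs, _ = read_record(record)
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p >= len(hs):
        return None
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        if etype == EXT_SERVER_NAME:                 # skip list length(2) and name_type(1)
            nlen = struct.unpack("!H", hs[p + 7:p + 9])[0]
            return hs[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None


def make_server(known_name, fatal):
    """Constructed stand-in for the TLS peer (not a real server). It answers a ClientHello
    naming a host it does not serve with unrecognized_name: a fatal server stops there, a
    warning server (the RFC 6066 behaviour) sends the warning and then its ServerHello anyway."""
    server_hello = struct.pack("!BHH", CT_HANDSHAKE, TLS10, 4) + b"\x02\x00\x00\x00"  # stub ServerHello

    def respond(hello):
        name = sni_from_client_hello(hello)
        if name is None or name == known_name:
            return server_hello
        level = ALERT_FATAL if fatal else ALERT_WARNING
        alert = struct.pack("!BHH", CT_ALERT, TLS10, 2) + bytes([level, UNRECOGNIZED_NAME])
        return alert if fatal else alert + server_hello
    return respond


def negotiate(server, hostname, version=TLS10, cipher_suites=(0x002F, 0x0035)):
    """Offer the suites with SNI set to hostname and apply the patch's fallback: on a fatal
    unrecognized_name drop SNI (registry value False) and resend; on a warning keep reading,
    because the server continues the handshake. Returns (outcome, sni_actually_used)."""
    registry = {"ssl_sni": hostname}                 # same string / False tristate as the patch
    for _ in range(2):
        sni = registry["ssl_sni"] or None
        ctype, _, body, rest = read_record(server(client_hello(version, cipher_suites, sni)))
        if ctype == CT_ALERT and body[1] == UNRECOGNIZED_NAME:
            if body[0] == ALERT_WARNING and rest:
                ctype, _, body, rest = read_record(rest)   # handshake went on after the warning
            else:
                registry["ssl_sni"] = False
                continue
        return ("handshake" if ctype == CT_HANDSHAKE and body[0] == 2 else "failed"), sni
    return "failed", None


if __name__ == "__main__":
    for fatal in (True, False):
        srv = make_server("www.example.com", fatal)
        print("fatal" if fatal else "warning", negotiate(srv, "webserver"), negotiate(srv, "www.example.com"))
```

Running it shows the two outcomes the thread is about: against the fatal stub the short name "webserver" only completes after SNI is dropped, so the second element of the result is None, while against the warning stub the same name completes on the first connection with SNI still set, which is the case the patch's level-blind check would needlessly retry.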
Current thread:
- ssl-enum-ciphers with just hostname fails Kent Fritz (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Kent Fritz (Oct 25)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 25)
- Re: ssl-enum-ciphers with just hostname fails Kent Fritz (Oct 26)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)
- Re: ssl-enum-ciphers with just hostname fails Daniel Miller (Oct 24)