Re: ssl-enum-ciphers with just hostname fails

[Kent Fritz <kfritz () wolfman devio us>]

I couldn't get top-of-tree to build in my environment, and the latest script
wouldn't run on 6.47, but the patch did apply on the 6.47 version.  But 
it didn't fix the problem.  I'll send you the capture I mentioned off-list.

On Fri, Oct 24, 2014 at 09:23:54PM -0500, Daniel Miller wrote:
> Kent,
>
> Would you mind trying the attached patch to see if it works for you?
> It checks for a fatal unrecognized_name alert and retries after
> removing the SNI extension entirely.
>
> Dan
>
> On Fri, Oct 24, 2014 at 4:11 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
> > Kent,
> >
> > Thanks for noticing the problem. It makes sense that we're not
> > handling this properly: we try to do the server name extension with
> > the best info we have, but don't try to fall back to just IP (no SNI
> > extension) if there's a failure. It would certainly help to have your
> > pcap file, though I'd guess I could replicate it by setting a bogus
> > /etc/hosts entry for a server that supports SNI and scanning with that
> > name.
> >
> > Dan
> >
> > On Fri, Oct 24, 2014 at 4:04 PM, Kent Fritz <kfritz () wolfman devio us> wrote:
> > > I was scanning some servers on my network, and found that ssl-enum-ciphers
> > > seems to skip TLSv1 and above if you just use the hostname rather than
> > > the FQDN or IP address.  The first TLS record from the server is a warning
> > > about the name, and it appears the code tries to  handle it, but it just
> > > doesn't work.
> > >
> > > I have -d output and a pcap I can send off-list if anyone wants to look.
> > >
> > > Thanks,
> > >
> > > Kent.
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > http://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/

> diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
> index e8b8592..5554503 100644
> --- a/scripts/ssl-enum-ciphers.nse
> +++ b/scripts/ssl-enum-ciphers.nse
> @@ -340,8 +340,8 @@ local function find_ciphers_group(host, port, protocol, group)
>      ["protocol"] = protocol,
>      ["extensions"] = tcopy(base_extensions),
>    }
> -  if host.targetname then
> -    t["extensions"]["server_name"] = tls.EXTENSION_HELPERS["server_name"](host.targetname)
> +  if host.registry.ssl_sni then
> +    t["extensions"]["server_name"] = tls.EXTENSION_HELPERS["server_name"](host.registry.ssl_sni)
>    end
>  
>    -- This is a hacky sort of tristate variable. There are three conditions:
> @@ -354,6 +354,13 @@ local function find_ciphers_group(host, port, protocol, group)
>  
>      record = try_params(host, port, t)
>  
> +    if record and record.protocol == protocol and record.type == "alert" and record.body[1].description == 
> "unrecognized_name" then
> +      ctx_log(1, protocol, "Server rejected SNI name. Retrying.")
> +      host.registry.ssl_sni = false
> +      t.extensions.server_name = nil
> +      record = try_params(host, port, t)
> +    end
> +
>      if record == nil then
>        if protocol_worked then
>          ctx_log(2, protocol, "%d ciphers rejected. (No handshake)", #group)
> @@ -733,6 +740,13 @@ action = function(host, port)
>    local condvar = nmap.condvar(results)
>    local threads = {}
>  
> +  -- nil => not set
> +  -- false => targetname doesn't work
> +  -- string => use this value
> +  if host.registry.ssl_sni == nil then
> +    host.registry.ssl_sni = host.targetname
> +  end
> +
>    for name, _ in pairs(tls.PROTOCOLS) do
>      stdnse.debug1("Trying protocol %s.", name)
>      local co = stdnse.new_thread(try_protocol, host, port, name, results)

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/