Nmap Development mailing list archives
Re: Superfish support for ssl-known-key?
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 19 Feb 2015 12:59:31 -0600
On Thu, Feb 19, 2015 at 11:27 AM, David Fifield <david () bamsoftware com> wrote:
> There's this story about how lots of computers have a trusted root CA with a known private key.
> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
>
> It seems like the kind of thing we should detect in ssl-known-key.nse.
> http://nmap.org/nsedoc/scripts/ssl-known-key
>
> However, if I understand correctly, we have to change ssl-known-key a bit for it to work. Superfish will be the issuer certificate, not a leaf certificate. It means we want to check every certificate in the chain, not only the leaf.
>
> Robert Graham says this is the key:
> http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
> https://github.com/robertdavidgraham/pemcrack/blob/master/test.pem
>
> If so, then this is its fingerprint:
>
> $ openssl x509 -noout -fingerprint -in test.pem
> SHA1 Fingerprint=C8:64:48:48:69:D4:1D:2B:0D:32:31:9C:5A:62:F9:31:5A:AF:2C:BD
>
> David Fifield
But how do we report it? It's not something one would expect to find on a server, since it's used to MITM a client. If Nmap finds certs signed with this root cert, I can see a few possibilities:

1. Nmap's traffic is being MITM'd by Superfish on the same machine. Not sure if this is possible, since I don't know how it's actually modifying the traffic.

2. Nmap's traffic is being MITM'd by someone on the LAN. This is a real attack to watch for, since the certificate and key are now public, and it can be assumed there are hundreds or thousands of Lenovo laptops which will trust it.

3. The server actually has a Superfish-signed cert on the service. This seems like the least-likely scenario, but it is the most-likely way that someone would interpret the output of ssl-known-key, since Nmap isn't normally used for detecting MITM.

Dan
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
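The change David describes (fingerprint every certificate in the chain, not only the leaf) together with the reporting question Dan raises (a hit on an issuer certificate points at interception rather than at the server) is sketched below as an added example. This is not code from the Nmap project or from ssl-known-key.nse, and it is Python rather than NSE Lua; it assumes the chain arrives as a PEM bundle with the leaf first, the order a TLS server sends it. The only fingerprint in KNOWN_KEYS is the one David computed with openssl in the thread; the sample "certificates" are constructed bytes, not real DER, because the check only needs SHA-1 over the raw encoding.

```python
"""Check every certificate in a PEM chain against known (compromised)
fingerprints and report where in the chain the match sits.

Added example for the ssl-known-key discussion; not Nmap's own code."""
import base64
import hashlib
import re

# Fingerprint of the Superfish root CA, as computed in the thread with
# `openssl x509 -noout -fingerprint -in test.pem`.
KNOWN_KEYS = {
    "C8:64:48:48:69:D4:1D:2B:0D:32:31:9C:5A:62:F9:31:5A:AF:2C:BD":
        "Superfish root CA",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file
    order (leaf first, then its issuers, as a server sends them)."""
    return [base64.b64decode("".join(b64.split()))
            for b64 in _PEM_RE.findall(pem_text)]


def sha1_fingerprint(der):
    """OpenSSL-style colon-separated uppercase SHA-1 fingerprint."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def check_chain(pem_text, known_keys=KNOWN_KEYS):
    """Fingerprint every certificate in the chain, not only the leaf, and
    return one match record per hit, with its position so the report can
    say whether the known key is the leaf or an issuer."""
    ders = pem_chain_to_der(pem_text)
    matches = []
    for position, der in enumerate(ders):
        fp = sha1_fingerprint(der)
        if fp in known_keys:
            matches.append({
                "position": position,
                "role": "leaf" if position == 0 else "issuer",
                "fingerprint": fp,
                "name": known_keys[fp],
            })
    return matches


def describe(match):
    """Turn a match into a report line. An issuer hit is worded as a likely
    interception, since a server would not normally present a cert chained
    to a client-side MITM root (the point Dan raises in the thread)."""
    if match["role"] == "leaf":
        return (f"leaf certificate matches known key {match['name']} "
                f"({match['fingerprint']})")
    return (f"issuer at chain position {match['position']} matches known "
            f"key {match['name']} ({match['fingerprint']}); the server is "
            "unlikely to hold this key itself, so suspect a MITM of the "
            "connection (on the scanning host or on the LAN)")


def _pem(der):
    """Wrap raw bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample chain: arbitrary bytes standing in for DER, leaf first.
SAMPLE_CHAIN = (_pem(b"constructed leaf certificate, not real DER")
                + _pem(b"constructed issuer certificate, not real DER"))

if __name__ == "__main__":
    hits = check_chain(SAMPLE_CHAIN)
    if not hits:
        print("no known keys in chain")
    # Demonstrate an issuer-position hit by treating the constructed issuer
    # as a known key; a real run would use KNOWN_KEYS against a captured chain.
    issuer_fp = sha1_fingerprint(pem_chain_to_der(SAMPLE_CHAIN)[1])
    for m in check_chain(SAMPLE_CHAIN, {issuer_fp: "constructed issuer"}):
        print(describe(m))
```

Run against a real capture by saving the server's chain with `openssl s_client -showcerts` and feeding the file contents to `check_chain`; a leaf-only check would miss the Superfish case entirely, because the compromised key signs the chain rather than appearing in the leaf.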
Current thread:
- Superfish support for ssl-known-key? David Fifield (Feb 19)
- Re: Superfish support for ssl-known-key? Daniel Miller (Feb 19)
- Re: Superfish support for ssl-known-key? David Fifield (Feb 19)
- Re: Superfish support for ssl-known-key? Daniel Miller (Feb 19)
- Re: Superfish support for ssl-known-key? David Fifield (Feb 19)
- Re: Superfish support for ssl-known-key? Daniel Miller (Feb 19)