Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert

[Daniel Miller <bonsaiviking () gmail com>]

Would both of you post the output of "nmap --version" please? I
specifically need the version of OpenSSL that you are linking with. The
output Venky sent contains this line:

> NSOCK INFO [11.6640s] handle_connect_result(): EID 233 error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure

This means that the server rejected Nmap's connection attempt. It could be
a result of protocol mismatch between Nmap's OpenSSL and whatever the snmpd
is using.

Suhail is correct, the output of ssl-enum-ciphers would be helpful, too, or
a packet capture of just nmap -sV --version-light -p 10161

Dan



On Mon, Sep 21, 2015 at 9:38 AM, suhail sullad <suhail.sullad () gmail com>
wrote:

> Venky,
> Just to make sure run the snmp sv on port 161 and also include
> ssl-enum-ciphers script
> So that it will be helpful for fixing the issue
> On Sep 21, 2015 8:04 PM, "knare k" <knarelinux () gmail com> wrote:
>
> > Yes, it does't work even with 6.49beta4. Here is the partial output of
> > nmap with -d2 --script-trace.
> >
> > Service scan sending probe SSLSessionReq to 127.0.0.1:10161 (tcp)
> >
> > NSOCK INFO [11.6600s] nsock_read(): Read request from IOD #9
> > [127.0.0.1:10161] (timeout: 5000ms) EID 226
> > NSOCK INFO [11.6600s] nsock_trace_handler_callback(): Callback: WRITE
> > SUCCESS for EID 219 [127.0.0.1:10161]
> > NSOCK INFO [11.6610s] nsock_trace_handler_callback(): Callback: READ
> > SUCCESS for EID 226 [127.0.0.1:10161] (7 bytes): ......(
> > Service scan hard match (Probe SSLSessionReq matched with
> > SSLSessionReq line 11688): 127.0.0.1:10161 is ssl
> > NSOCK INFO [11.6610s] nsi_delete(): nsi_delete (IOD #9)
> > NSOCK INFO [11.6610s] nsi_new2(): nsi_new (IOD #10)
> > NSOCK INFO [11.6610s] nsock_connect_ssl(): SSL connection requested to
> > 127.0.0.1:10161/tcp (IOD #10) EID 233
> > NSOCK INFO [11.6620s] handle_connect_result(): EID 233 reconnecting
> > with SSL_OP_NO_SSLv2
> > NSOCK INFO [11.6640s] handle_connect_result(): EID 233
> > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> > failure
> > NSOCK INFO [11.6640s] nsock_trace_handler_callback(): Callback:
> > SSL-CONNECT ERROR [Input/output error (5)] for EID 233
> > [127.0.0.1:10161]
> > Got nsock CONNECT response with status ERROR - aborting this service
> > NSOCK INFO [11.6640s] nsi_delete(): nsi_delete (IOD #10)
> > Completed Service scan at 19:57, 11.01s elapsed (1 service on 1 host)
> > NSE: Script scanning 127.0.0.1.
> > NSE: Starting runlevel 1 (of 1) scan.
> > Initiating NSE at 19:57
> > Fetchfile found
> > /home/venky/Downloads/nmap-6.49BETA4/nselib/data/enterprise_numbers.txt
> > NSE: Starting rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
> > Fetchfile found /home/venky/Downloads/nmap-6.49BETA4/nmap-rpc
> > NSOCK INFO [11.6640s] nsi_new2(): nsi_new (IOD #1)
> > NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to
> > 127.0.0.1:10161 (IOD #1) EID 8
> > NSE: Starting ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
> > NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #2)
> > NSOCK INFO [11.8010s] nsock_connect_ssl(): SSL connection requested to
> > 127.0.0.1:10161/tcp (IOD #2) EID 17
> > NSE: Starting skypev2-version M:23fbff0 against localhost (
> > 127.0.0.1:10161).
> > NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #3)
> > NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to
> > 127.0.0.1:10161 (IOD #3) EID 24
> > NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback:
> > CONNECT SUCCESS for EID 8 [127.0.0.1:10161]
> > NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CONNECT
> > NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback:
> > CONNECT SUCCESS for EID 24 [127.0.0.1:10161]
> > NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CONNECT
> > NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | 00000000: 80 00 00 28 11
> > d3 fc 0c 00 00 00 00 00 00 00 02    (
> > 00000010: 00 01 86 a0 00 00 00 02 00 00 00 00 00 00 00 00
> > 00000020: 00 00 00 00 00 00 00 00 00 00 00 00
> >
> > NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | 00000000: 47 45 54 20 2f
> > 20 48 54 54 50 2f 31 2e 30 0d 0a GET / HTTP/1.0
> > 00000010: 0d 0a
> >
> > NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE
> > SUCCESS for EID 35 [127.0.0.1:10161]
> > NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | SEND
> > NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE
> > SUCCESS for EID 43 [127.0.0.1:10161]
> > NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | SEND
> > NSOCK INFO [11.8530s] handle_connect_result(): EID 17 reconnecting
> > with SSL_OP_NO_SSLv2
> > NSOCK INFO [11.8540s] handle_connect_result(): EID 17
> > error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> > failure
> > NSOCK INFO [11.8540s] nsock_trace_handler_callback(): Callback:
> > SSL-CONNECT ERROR [Input/output error (5)] for EID 17
> > [127.0.0.1:10161]
> > NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CONNECT
> > NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 4 bytes from
> > IOD #1 [127.0.0.1:10161] EID 50
> > NSE: Finished ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
> > NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 26 bytes
> > from IOD #3 [127.0.0.1:10161] EID 58
> > NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CLOSE
> > NSOCK INFO [11.8540s] nsi_delete(): nsi_delete (IOD #2)
> > NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ
> > EOF for EID 50 [127.0.0.1:10161]
> > NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ
> > EOF for EID 58 [127.0.0.1:10161]
> > NSE: [rpc-grind M:23fade0 127.0.0.1:10161] isRPC didn't receive response.
> > NSE: [rpc-grind M:23fade0 127.0.0.1:10161] Target port 10161 is not a
> > RPC port.
> > NSE: Finished rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
> > NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CLOSE
> > NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #3)
> > NSE: Finished skypev2-version M:23fbff0 against localhost (
> > 127.0.0.1:10161).
> > NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CLOSE
> > NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #1)
> > Completed NSE at 19:57, 0.19s elapsed
> > Nmap scan report for localhost (127.0.0.1)
> > Host is up, received syn-ack (0.00018s latency).
> > Scanned at 2015-09-21 19:57:22 IST for 12s
> > PORT      STATE SERVICE     REASON  VERSION
> > 10161/tcp open  ssl/unknown syn-ack
> > Final times for host: srtt: 179 rttvar: 3773  to: 100000
> >
> > NSE: Script Post-scanning.
> > NSE: Starting runlevel 1 (of 1) scan.
> > Initiating NSE at 19:57
> > Completed NSE at 19:57, 0.00s elapsed
> > Read from /home/venky/Downloads/nmap-6.49BETA4: nmap-payloads
> > nmap-service-probes nmap-services.
> > Service detection performed. Please report any incorrect results at
> > https://nmap.org/submit/ .
> > Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
> >
> > Thanks
> > Venky
> >
> > On Sun, Sep 20, 2015 at 11:16 PM, suhail sullad <suhail.sullad () gmail com>
> > wrote:
> > > I am using 6.49beta4. The sslcert.lua script is failing in
> > getCertificate
> > > function due to socket connection error.
> > >
> > > On Sep 20, 2015 11:11 PM, "Daniel Miller" <bonsaiviking () gmail com>
> > wrote:
> > > > Thanks for chiming in. What version of Nmap are you using, suhail?
> > > >
> > > > Venky, it looks like you're using an older version of Nmap. The
> > > > ssl-enum-ciphers script has undergone a lot of changes since 6.40. Can
> > you
> > > > try with Nmap 6.49BETA4 or at worst 6.47 and tell us if you still
> > experience
> > > > a problem? See https://nmap.org/download.html
> > > >
> > > > If you still experience a problem, please include output of your
> > command
> > > > with -d2 --script-trace options. I will try to reproduce here if I
> > don't
> > > > hear back soon.
> > > >
> > > > Dan
> > > >
> > > > On Sun, Sep 20, 2015 at 2:47 AM, suhail sullad <
> > suhail.sullad () gmail com>
> > > > wrote:
> > > > > Observed the same issue. Suspecting a cipher issue.
> > > > >
> > > > > On Sep 19, 2015 6:48 PM, "knare k" <knarelinux () gmail com> wrote:
> > > > > > Thanks Dan.
> > > > > >
> > > > > > I configured a local snmp server on an Ubuntu machine with tls
> > support.
> > > > > > # snmpd dtlsudp:10161 tlstcp:10161
> > > > > >
> > > > > > Created a Self-Signed certificate and used it.
> > > > > >
> > > > > > And the output from the command: "openssl s_client -connect
> > > > > > localhost:10161"
> > > > > >
> > > > > > # openssl s_client -connect localhost:10161
> > > > > > CONNECTED(00000003)
> > > > > > depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky,
> > > > > > emailAddress = venky@localhost
> > > > > > verify error:num=18:self signed certificate
> > > > > > verify return:1
> > > > > > depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky,
> > > > > > emailAddress = venky@localhost
> > > > > > verify return:1
> > > > > > 140536960857760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> > > > > > alert handshake failure:s3_pkt.c:1262:SSL alert number 40
> > > > > > 140536960857760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> > > > > > failure:s23_lib.c:177:
> > > > > > ---
> > > > > > Certificate chain
> > > > > >  0
> > s:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
> > > > > >
> > i:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
> > > > > > ---
> > > > > > Server certificate
> > > > > > -----BEGIN CERTIFICATE-----
> > > > > > MIICaTCCAdICCQCqllznqB/5gjANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJJ
> > > > > > TjELMAkGA1UECAwCQVAxDDAKBgNVBAcMA0hZRDEMMAoGA1UECgwDeHl6MREwDwYD
> > > > > > VQQLDAhlbWJlZGRlZDEOMAwGA1UEAwwFdmVua3kxHjAcBgkqhkiG9w0BCQEWD3Zl
> > > > > > bmt5QGxvY2FsaG9zdDAeFw0xNTA5MTkwOTI1MDhaFw0xNjA5MTgwOTI1MDhaMHkx
> > > > > > CzAJBgNVBAYTAklOMQswCQYDVQQIDAJBUDEMMAoGA1UEBwwDSFlEMQwwCgYDVQQK
> > > > > > DAN4eXoxETAPBgNVBAsMCGVtYmVkZGVkMQ4wDAYDVQQDDAV2ZW5reTEeMBwGCSqG
> > > > > > SIb3DQEJARYPdmVua3lAbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
> > > > > > iQKBgQDA0+Aiqpx9fk/wH9Hg8wQLhEOs9ysC7ASemmv+0u+axru6nsxZTpM7OnMf
> > > > > > vFgGjAataERxenNVkt2IuRAWIO4p+A6J/H7WrnW3AqEFqovJoWVucAOkqzZfzIuD
> > > > > > bnVdrksyjJoz2KNdamT/C4PLvUp4ksM1cjEHCE5e9EuNe++uQQIDAQABMA0GCSqG
> > > > > > SIb3DQEBCwUAA4GBAFFx8mA0mJSr79n1hKlX8SpWYKfZ415Rt/Od3Pa9HFyb4sjl
> > > > > > pqZHiF82KlAZNJBhdNcp8rnO+bsjJHd1KK/ECFO3ZFL4apKKaQ+6R4rNTTltLCVe
> > > > > > OuHUEptj0ARghnJdSzy4huurwrMurzooZOk6oJ9px4O4MKW9UThGtxr684FZ
> > > > > > -----END CERTIFICATE-----
> > subject=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
> > > > > >
> > issuer=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
> > > > > > ---
> > > > > > No client certificate CA names sent
> > > > > > ---
> > > > > > SSL handshake has read 725 bytes and written 210 bytes
> > > > > > ---
> > > > > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > > > > Server public key is 1024 bit
> > > > > > Secure Renegotiation IS supported
> > > > > > Compression: NONE
> > > > > > Expansion: NONE
> > > > > > SSL-Session:
> > > > > >     Protocol  : TLSv1
> > > > > >     Cipher    : AES256-SHA
> > > > > >     Session-ID:
> > > > > >     Session-ID-ctx:
> > > > > >     Master-Key:
> > AA5C362000AE942C8584A8AD153F4D2592AAD5172A2D4D5FE3457FDB5331982AE0739130A72DB3D86CDC1AAAFB30A13B
> > > > > >     Key-Arg   : None
> > > > > >     PSK identity: None
> > > > > >     PSK identity hint: None
> > > > > >     SRP username: None
> > > > > >     Start Time: 1442654860
> > > > > >     Timeout   : 300 (sec)
> > > > > >     Verify return code: 18 (self signed certificate)
> > > > > > ---
> > > > > >
> > > > > >
> > > > > >
> > > > > > And the output from the command: "nmap -sV -p <snmpport>
> > > > > > --script=+ssl-cert <host>"
> > > > > >
> > > > > > # nmap -sV -p 10161 --script=+ssl-cert localhost
> > > > > >
> > > > > > Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-19 14:59 IST
> > > > > > Nmap scan report for localhost (127.0.0.1)
> > > > > > Host is up (0.00014s latency).
> > > > > > PORT      STATE SERVICE     VERSION
> > > > > > 10161/tcp open  ssl/unknown
> > > > > >
> > > > > > Service detection performed. Please report any incorrect results at
> > > > > > http://nmap.org/submit/ .
> > > > > > Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
> > > > > >
> > > > > >
> > > > > > Thanks
> > > > > > Venky
> > > > > >
> > > > > > On Sat, Sep 19, 2015 at 4:41 AM, Daniel Miller <
> > bonsaiviking () gmail com>
> > > > > > wrote:
> > > > > > > Venky,
> > > > > > >
> > > > > > > Can you confirm that the SNMP service is actually running SSL? This
> > > > > > > would be
> > > > > > > a highly unusual configuration, but you could test with an
> > independent
> > > > > > > tool.
> > > > > > > What is the output of this command?
> > > > > > >
> > > > > > > openssl s_client -connect <host>:<snmpport>
> > > > > > >
> > > > > > > Instead of SSL do you perhaps have SNMPv3 with encryption enabled?
> > > > > > >
> > > > > > > Dan
> > > > > > >
> > > > > > > On Fri, Sep 18, 2015 at 8:25 AM, knare k <knarelinux () gmail com>
> > wrote:
> > > > > > > > Hi Ulrik,
> > > > > > > >
> > > > > > > > Thanks for your response. We tried with the '+' option, but no
> > luck.
> > > > > > > > We have set up  snmp server locally on our ubuntu machine and
> > tried
> > > > > > > > it. Checking if we configured the snmp server properly, I will let
> > > > > > > > you
> > > > > > > > know if it works.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Venky.
> > > > > > > >
> > > > > > > >
> > > > > > > > ---------- Forwarded message ----------
> > > > > > > > From: Ulrik Haugen <qha () lysator liu se>
> > > > > > > > Date: Mon, Sep 14, 2015 at 9:56 PM
> > > > > > > > Subject: Re: Unable to get SSL Certificate info for SNMP seriver
> > with
> > > > > > > > nmap ssl-cert
> > > > > > > > To: knare k <knarelinux () gmail com>
> > > > > > > >
> > > > > > > >
> > > > > > > > knare k <knarelinux () gmail com> wrote:
> > > > > > > > > I am not able to get SSL certificate for snmp using ssl-cert
> > script
> > > > > > > > > of
> > > > > > > > > nmap, able to get for all others. I tried the following command
> > > > > > > > > with
> > > > > > > > > the snmp port.
> > > > > > > > >
> > > > > > > > > # nmap  -sU -Pn -p <snmpport> <host> --script=ssl-cert
> > > > > > > >
> > > > > > > > You might have more luck with:
> > > > > > > >
> > > > > > > > # nmap -sU -Pn -p <snmpport> --script=+ssl-cert <host>
> > > > > > > >
> > > > > > > > The "+" before the script name makes it run even though the
> > portrule
> > > > > > > > doesn't fire. Unfortunately i can't find the documentation for it
> > > > > > > > right
> > > > > > > > now so i can't show how you should have discovered it.
> > > > > > > >
> > > > > > > > Please report if this works, i have some scripts that need tuning
> > if
> > > > > > > > it
> > > > > > > > does!
> > > > > > > >
> > > > > > > > Best regards
> > > > > > > > /Ulrik Haugen
> > > > > > > > _______________________________________________
> > > > > > > > Sent through the dev mailing list
> > > > > > > > https://nmap.org/mailman/listinfo/dev
> > > > > > > > Archived at http://seclists.org/nmap-dev/
> > > > > > _______________________________________________
> > > > > > Sent through the dev mailing list
> > > > > > https://nmap.org/mailman/listinfo/dev
> > > > > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/