Nmap Development mailing list archives
Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 21 Sep 2015 14:40:48 -0500
Would both of you post the output of "nmap --version" please? I specifically need the version of OpenSSL that you are linking with. The output Venky sent contains this line:

NSOCK INFO [11.6640s] handle_connect_result(): EID 233 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

This means that the server rejected Nmap's connection attempt. It could be a result of protocol mismatch between Nmap's OpenSSL and whatever the snmpd is using. Suhail is correct, the output of ssl-enum-ciphers would be helpful, too, or a packet capture of just

nmap -sV --version-light -p 10161

Dan

On Mon, Sep 21, 2015 at 9:38 AM, suhail sullad <suhail.sullad () gmail com> wrote:
Venky,

Just to make sure run the snmp sv on port 161 and also include ssl-enum-ciphers script so that it will be helpful for fixing the issue

On Sep 21, 2015 8:04 PM, "knare k" <knarelinux () gmail com> wrote:

Yes, it doesn't work even with 6.49beta4. Here is the partial output of nmap with -d2 --script-trace.

Service scan sending probe SSLSessionReq to 127.0.0.1:10161 (tcp)
NSOCK INFO [11.6600s] nsock_read(): Read request from IOD #9 [127.0.0.1:10161] (timeout: 5000ms) EID 226
NSOCK INFO [11.6600s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 219 [127.0.0.1:10161]
NSOCK INFO [11.6610s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 226 [127.0.0.1:10161] (7 bytes): ......(
Service scan hard match (Probe SSLSessionReq matched with SSLSessionReq line 11688): 127.0.0.1:10161 is ssl
NSOCK INFO [11.6610s] nsi_delete(): nsi_delete (IOD #9)
NSOCK INFO [11.6610s] nsi_new2(): nsi_new (IOD #10)
NSOCK INFO [11.6610s] nsock_connect_ssl(): SSL connection requested to 127.0.0.1:10161/tcp (IOD #10) EID 233
NSOCK INFO [11.6620s] handle_connect_result(): EID 233 reconnecting with SSL_OP_NO_SSLv2
NSOCK INFO [11.6640s] handle_connect_result(): EID 233 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
NSOCK INFO [11.6640s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 233 [127.0.0.1:10161]
Got nsock CONNECT response with status ERROR - aborting this service
NSOCK INFO [11.6640s] nsi_delete(): nsi_delete (IOD #10)
Completed Service scan at 19:57, 11.01s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 19:57
Fetchfile found /home/venky/Downloads/nmap-6.49BETA4/nselib/data/enterprise_numbers.txt
NSE: Starting rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
Fetchfile found /home/venky/Downloads/nmap-6.49BETA4/nmap-rpc
NSOCK INFO [11.6640s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:10161 (IOD #1) EID 8
NSE: Starting ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #2)
NSOCK INFO [11.8010s] nsock_connect_ssl(): SSL connection requested to 127.0.0.1:10161/tcp (IOD #2) EID 17
NSE: Starting skypev2-version M:23fbff0 against localhost (127.0.0.1:10161).
NSOCK INFO [11.8010s] nsi_new2(): nsi_new (IOD #3)
NSOCK INFO [11.8010s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:10161 (IOD #3) EID 24
NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CONNECT
NSOCK INFO [11.8010s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CONNECT
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | 00000000: 80 00 00 28 11 d3 fc 0c 00 00 00 00 00 00 00 02 (
00000010: 00 01 86 a0 00 00 00 02 00 00 00 00 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00
NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | 00000000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a GET / HTTP/1.0
00000010: 0d 0a
NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | SEND
NSOCK INFO [11.8510s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | SEND
NSOCK INFO [11.8530s] handle_connect_result(): EID 17 reconnecting with SSL_OP_NO_SSLv2
NSOCK INFO [11.8540s] handle_connect_result(): EID 17 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
NSOCK INFO [11.8540s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 17 [127.0.0.1:10161]
NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CONNECT
NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 4 bytes from IOD #1 [127.0.0.1:10161] EID 50
NSE: Finished ssl-cert M:23fe410 against localhost (127.0.0.1:10161).
NSOCK INFO [11.8540s] nsock_readbytes(): Read request for 26 bytes from IOD #3 [127.0.0.1:10161] EID 58
NSE: TCP 127.0.0.1:47352 > 127.0.0.1:10161 | CLOSE
NSOCK INFO [11.8540s] nsi_delete(): nsi_delete (IOD #2)
NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ EOF for EID 50 [127.0.0.1:10161]
NSOCK INFO [11.8550s] nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [127.0.0.1:10161]
NSE: [rpc-grind M:23fade0 127.0.0.1:10161] isRPC didn't receive response.
NSE: [rpc-grind M:23fade0 127.0.0.1:10161] Target port 10161 is not a RPC port.
NSE: Finished rpc-grind M:23fade0 against localhost (127.0.0.1:10161).
NSE: TCP 127.0.0.1:47351 > 127.0.0.1:10161 | CLOSE
NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #3)
NSE: Finished skypev2-version M:23fbff0 against localhost (127.0.0.1:10161).
NSE: TCP 127.0.0.1:47349 > 127.0.0.1:10161 | CLOSE
NSOCK INFO [11.8550s] nsi_delete(): nsi_delete (IOD #1)
Completed NSE at 19:57, 0.19s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up, received syn-ack (0.00018s latency).
Scanned at 2015-09-21 19:57:22 IST for 12s
PORT STATE SERVICE REASON VERSION
10161/tcp open ssl/unknown syn-ack
Final times for host: srtt: 179 rttvar: 3773 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 19:57
Completed NSE at 19:57, 0.00s elapsed
Read from /home/venky/Downloads/nmap-6.49BETA4: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds

Thanks
Venky

On Sun, Sep 20, 2015 at 11:16 PM, suhail sullad <suhail.sullad () gmail com> wrote:

I am using 6.49beta4.
The sslcert.lua script is failing in getCertificate function due to socket connection error.

On Sep 20, 2015 11:11 PM, "Daniel Miller" <bonsaiviking () gmail com> wrote:

Thanks for chiming in. What version of Nmap are you using, suhail?

Venky, it looks like you're using an older version of Nmap. The ssl-enum-ciphers script has undergone a lot of changes since 6.40. Can you try with Nmap 6.49BETA4 or at worst 6.47 and tell us if you still experience a problem? See https://nmap.org/download.html

If you still experience a problem, please include output of your command with -d2 --script-trace options. I will try to reproduce here if I don't hear back soon.

Dan

On Sun, Sep 20, 2015 at 2:47 AM, suhail sullad <suhail.sullad () gmail com> wrote:

Observed the same issue. Suspecting a cipher issue.

On Sep 19, 2015 6:48 PM, "knare k" <knarelinux () gmail com> wrote:

Thanks Dan.

I configured a local snmp server on an Ubuntu machine with tls support.

# snmpd dtlsudp:10161 tlstcp:10161

Created a Self-Signed certificate and used it.
And the output from the command: "openssl s_client -connect localhost:10161"

# openssl s_client -connect localhost:10161
CONNECTED(00000003)
depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky, emailAddress = venky@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = AP, L = HYD, O = xyz, OU = embedded, CN = venky, emailAddress = venky@localhost
verify return:1
140536960857760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140536960857760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
   i:/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
---
Server certificate
subject=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
issuer=/C=IN/ST=AP/L=HYD/O=xyz/OU=embedded/CN=venky/emailAddress=venky@localhost
---
No client certificate CA names sent
---
SSL handshake has read 725 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: AA5C362000AE942C8584A8AD153F4D2592AAD5172A2D4D5FE3457FDB5331982AE0739130A72DB3D86CDC1AAAFB30A13B
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1442654860
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

And the output from the command: "nmap -sV -p <snmpport> --script=+ssl-cert <host>"

# nmap -sV -p 10161 --script=+ssl-cert localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-19 14:59 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
PORT STATE SERVICE VERSION
10161/tcp open ssl/unknown
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

Thanks
Venky

On Sat, Sep 19, 2015 at 4:41 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

Venky,

Can you confirm that the SNMP service is actually running SSL? This would be a highly unusual configuration, but you could test with an independent tool. What is the output of this command?

openssl s_client -connect <host>:<snmpport>

Instead of SSL do you perhaps have SNMPv3 with encryption enabled?

Dan

On Fri, Sep 18, 2015 at 8:25 AM, knare k <knarelinux () gmail com> wrote:

Hi Ulrik,

Thanks for your response. We tried with the '+' option, but no luck. We have set up snmp server locally on our ubuntu machine and tried it. Checking if we configured the snmp server properly, I will let you know if it works.

Thanks
Venky.
---------- Forwarded message ----------
From: Ulrik Haugen <qha () lysator liu se>
Date: Mon, Sep 14, 2015 at 9:56 PM
Subject: Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert
To: knare k <knarelinux () gmail com>

knare k <knarelinux () gmail com> wrote:

I am not able to get SSL certificate for snmp using ssl-cert script of nmap, able to get for all others. I tried the following command with the snmp port.

# nmap -sU -Pn -p <snmpport> <host> --script=ssl-cert

You might have more luck with:

# nmap -sU -Pn -p <snmpport> --script=+ssl-cert <host>

The "+" before the script name makes it run even though the portrule doesn't fire. Unfortunately i can't find the documentation for it right now so i can't show how you should have discovered it.

Please report if this works, i have some scripts that need tuning if it does!

Best regards
/Ulrik Haugen

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
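Added example, not part of the thread and not Nmap or OpenSSL code: a small triage script that pulls the OpenSSL error codes out of nsock debug output like the trace quoted above and unpacks them, showing that error:14094410 carries the same alert number 40 that openssl s_client printed. It assumes the pre-3.0 OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason); the names decode_openssl_error and triage are introduced here, and the sample lines are copied from the output in the thread.

```python
import re

# Sample input: three lines copied from the -d2 --script-trace output in the thread.
SAMPLE_LOG = """\
NSOCK INFO [11.6620s] handle_connect_result(): EID 233 reconnecting with SSL_OP_NO_SSLv2
NSOCK INFO [11.6640s] handle_connect_result(): EID 233 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
NSOCK INFO [11.8540s] handle_connect_result(): EID 17 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
"""

# TLS alert descriptions (RFC 5246, section 7.2); subset useful for handshake triage.
TLS_ALERTS = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
              42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}

SSL_AD_REASON_OFFSET = 1000  # OpenSSL adds this to a received alert number to form the reason
ERR_LIB_SSL = 20             # library number of "SSL routines"

ERR_RE = re.compile(r"EID (\d+) error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def decode_openssl_error(code_hex):
    """Unpack a pre-3.0 OpenSSL error code into library, function and reason numbers."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    # An SSL-library reason above the offset means the peer sent a TLS alert.
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": TLS_ALERTS.get(alert) if alert is not None else None}

def triage(log_text):
    """Return one record per failed SSL connect event found in nsock debug output."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        rec = decode_openssl_error(m.group(2))
        rec.update(eid=int(m.group(1)), text=m.group(5).strip())
        findings.append(rec)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        origin = "alert sent by peer" if f["alert"] is not None else "local error"
        print(f"EID {f['eid']}: {f['text']} ({origin}, alert={f['alert']} {f['alert_name']})")
```

A record with an alert number means the remote end aborted the handshake; a record without one (such as 140790E5 from the s_client output) was raised locally by the client library.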
Current thread:
- Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert knare k (Sep 14)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert Ulrik Haugen (Sep 14)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert Daniel Miller (Sep 14)
- Message not available
- Fwd: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert knare k (Sep 18)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert Daniel Miller (Sep 18)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert knare k (Sep 19)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert suhail sullad (Sep 20)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert Daniel Miller (Sep 20)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert suhail sullad (Sep 20)
- Message not available
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert suhail sullad (Sep 21)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert Daniel Miller (Sep 21)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert suhail sullad (Sep 21)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert suhail sullad (Sep 23)
- Re: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert Daniel Miller (Sep 23)
- Fwd: Unable to get SSL Certificate info for SNMP seriver with nmap ssl-cert knare k (Sep 18)