Nmap Development mailing list archives

Re: Proposed SSL version detection probe changes


From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Wed, 18 Feb 2009 19:43:56 +0100

Brandon Enright wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 17 Feb 2009 22:02:19 +0000
Brandon Enright <bmenrigh () ucsd edu> wrote:

I was surveying 443, 465, 636, 990, 993 and 995.  If I get a moment to
breath today I'll do a survey of those ports across campus and report
the number of non-v2 services.


That would be great. Note that a survey for "non-SSLv2" services is, strictly speaking, not sufficient. You really want to check for TLSv1-only and SSLv3-only servers that do not use the backward compatible SSLv2 ClientHello; let's call these servers "non-SSLv2-compatible". Nmap does not have problems with TLSv1 and SSLv3 servers that do support the backward compatible SSLv2 ClientHello but not SSLv2; let's call these "SSLv2-compatible".

In OpenSSL language:

- non-SSLv2-compatible: openssl s_server -no_ssl2
- SSLv2 compatible: openssl s_server -tls1, openssl s_server -ssl3

You can use the attached custom nmap-services-probe file that I created yesterday for this distinction, or simply detect the Nsock failures.

<snip>

As with a lot of things on my "wish list", it would be best if I just
wrote a patch. Code speaks a lot louder than words.

I agree. I might have a try at this in the weekend.

Cheers,

Kristof

# Nmap service detection probe list 
# Customized for SSL/TLS detection by Kristof Boeynaems <kristof.boeynaems () gmail com>
# 
# Will output "sslv3-only" or "tlsv1-only" in case the server does not support 
# the backward compatible SSLv2 ClientHello that the SSLv23 method in Nsock uses.
# Hence, these servers cannot be connected to using Nmap/Ncat.
#
#


# Obligatory Null Probe, make it time out as fast as possible
Probe TCP NULL q||
totalwaitms 100

##############################NEXT PROBE##############################
#SSLv2-compatible ClientHello, 39 ciphers offered.
#Will solicit a ServerHello from most SSL implementations, apart from the ones that are TLSv1-only or SSLv3-only
#(that are not SSLv2 compatible).
Probe TCP SSLv23SessionReq q|\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98|

rarity 3
ports 443,444,548,636,993,1241,1311,2000,4444,5550,7210,7272,8009,8194,9001

# SSLv2 ServerHello
match sslv2 m|^..\x04\0.\0\x02|

# TLSv1 ServerHello:
match tlsv1 m|^\x16\x03\x01..\x02...\x03\x01|

# SSLv3 ServerHello:
match sslv3 m|^\x16\x03\0..\x02...\x03\0|

##############################NEXT PROBE##############################
#SSLv3 ClientHello probe. Will detect both TLSv1 and SSLv3 servers.
#Note that it will detect TLSv1 servers based on a failed handshake alert.
Probe TCP SSLv3SessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|

rarity 3
ports 443,444,548,636,993,1241,1311,2000,4444,5550,7210,7272,8009,8194,9001
fallback CatchAll

# Generic: TLSv1 Handshake error:
match tlsv1-only m|^\x15\x03\0\0\x02\x02\($|

# Generic: SSLv3 ServerHello:
match sslv3-only m|^\x16\x03\0..\x02...\x03\0|

# A catch all probe
Probe TCP CatchAll q|\x16|

rarity 9
totalwaitms 100

match none m|.*| p/Catch all/ 

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
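The two probes in the attached file and the "SSLv2-compatible" versus "non-SSLv2-compatible" split they are meant to expose, as an added example that is not part of the thread or of Nmap. The script builds the SSLv2-framed CLIENT-HELLO (the one OpenSSL's SSLv23 method and hence Nsock sends first) and the native SSLv3 ClientHello with the same cipher lists as the probe file, and classifies replies with the same byte patterns as the match lines. The sample replies are constructed, not captures, so it runs offline; probe_tcp() and survey() are the only parts that touch the network and are provided for reproducing the campus-style survey. One assumption beyond the probe file: any fatal alert to the SSLv3 hello (not only the SSLv3-version handshake_failure the file matches) is treated as "TLSv1-only", since later stacks answer with protocol_version instead.

```python
"""SSL/TLS version probes and reply classification (added example, not Nmap code)."""
import re
import socket
import struct

# The 39 three-byte SSLv2-style cipher specs of the SSLv23SessionReq probe, in order.
SSLV2_COMPAT_CIPHERS = [
    0x000066, 0x000065, 0x000064, 0x000063, 0x000062, 0x00003a, 0x000039,
    0x000038, 0x000035, 0x000034, 0x000033, 0x000032, 0x00002f, 0x00001b,
    0x00001a, 0x000019, 0x000018, 0x000017, 0x000016, 0x000015, 0x000014,
    0x000013, 0x000012, 0x000011, 0x00000a, 0x000009, 0x000008, 0x000006,
    0x000005, 0x000004, 0x000003, 0x0700c0, 0x060040, 0x040080, 0x030080,
    0x020080, 0x010080, 0x000002, 0x000001,
]
# The 20 two-byte cipher suites of the SSLv3SessionReq probe, in order.
SSLV3_SUITES = [0x0016, 0x0013, 0x000a, 0x0066, 0x0005, 0x0004, 0x0065,
                0x0064, 0x0063, 0x0062, 0x0061, 0x0060, 0x0015, 0x0012,
                0x0009, 0x0014, 0x0011, 0x0008, 0x0006, 0x0003]


def sslv2_compat_client_hello(version=(3, 1), ciphers=SSLV2_COMPAT_CIPHERS,
                              challenge=bytes(32)):
    """SSLv2-framed CLIENT-HELLO advertising `version` ((3, 1) = TLSv1).

    Servers that reject SSLv2 framing outright are the thread's
    'non-SSLv2-compatible' ones; the challenge is a fixed placeholder here."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    body = (b"\x01" + bytes(version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec/session/challenge lengths
            + specs + challenge)
    # Two-byte SSLv2 record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body


def sslv3_client_hello(version=(3, 0), suites=SSLV3_SUITES, random=bytes(32)):
    """Native SSLv3 record-layer ClientHello (no SSLv2 framing).

    An SSLv3 server answers with a ServerHello; a TLSv1-only server cannot
    negotiate anything from it and answers with a fatal alert."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    hello = (bytes(version) + random + b"\x00"          # version, random, empty session id
             + struct.pack(">H", len(suite_bytes)) + suite_bytes
             + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


# The probe file's match patterns as byte regexes (DOTALL so '.' also matches 0x0a),
# plus a generic alert pattern instead of the file's fixed handshake_failure one.
MATCHES = [
    ("sslv2", re.compile(rb"^..\x04\x00.\x00\x02", re.DOTALL)),
    ("tlsv1", re.compile(rb"^\x16\x03\x01..\x02...\x03\x01", re.DOTALL)),
    ("sslv3", re.compile(rb"^\x16\x03\x00..\x02...\x03\x00", re.DOTALL)),
]
ALERT = re.compile(rb"^\x15\x03.\x00\x02(.)(.)$", re.DOTALL)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def classify_reply(reply):
    """Map a raw server reply onto the labels the probe file uses."""
    for label, rx in MATCHES:
        if rx.match(reply):
            return label
    m = ALERT.match(reply)
    if m:
        level, desc = m.group(1)[0], m.group(2)[0]
        return "alert:%s:%s" % ("fatal" if level == 2 else "warning",
                                ALERT_NAMES.get(desc, str(desc)))
    return "unknown" if reply else "no-reply"


def classify_server(reply_to_sslv23, reply_to_sslv3):
    """Same decision order as the probe file: the SSLv3 probe only matters
    when the SSLv2-compatible hello drew no ServerHello."""
    first = classify_reply(reply_to_sslv23)
    if first == "sslv2":
        return "sslv2"
    if first in ("sslv3", "tlsv1"):
        return first + " (SSLv2-compatible)"
    second = classify_reply(reply_to_sslv3)
    if second == "sslv3":
        return "sslv3-only (non-SSLv2-compatible)"
    if second.startswith("alert:fatal"):
        return "tlsv1-only (non-SSLv2-compatible)"
    return "not-ssl"


def probe_tcp(host, port, payload, timeout=5.0):
    """Send one probe; return the first bytes of the reply (b'' on reset, close or timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            buf = b""
            while len(buf) < 11:                     # enough for every prefix pattern above
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf
    except OSError:
        return b""


def survey(host, port):
    """Live check, e.g. against 'openssl s_server -no_ssl2' vs '-tls1'."""
    return classify_server(probe_tcp(host, port, sslv2_compat_client_hello()),
                           probe_tcp(host, port, sslv3_client_hello()))


# Constructed sample replies (not captures): leading bytes of an SSLv2 SERVER-HELLO,
# a TLSv1 ServerHello, an SSLv3 ServerHello, and the fatal SSLv3-version
# handshake_failure alert that the probe file's tlsv1-only line matches.
SAMPLE_SSLV2_HELLO = b"\x02\x4a\x04\x00\x01\x00\x02" + bytes(8)
SAMPLE_TLSV1_HELLO = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01" + bytes(32)
SAMPLE_SSLV3_HELLO = b"\x16\x03\x00\x00\x4a\x02\x00\x00\x46\x03\x00" + bytes(32)
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"
```

With two local OpenSSL instances, `survey("127.0.0.1", 4433)` reports "tlsv1 (SSLv2-compatible)" for `openssl s_server -tls1` and "tlsv1-only (non-SSLv2-compatible)" for `openssl s_server -no_ssl2` on a TLSv1-only build, which is exactly the distinction the service-probe file draws; the first eleven bytes of `sslv2_compat_client_hello()` reproduce the `\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 ` header of the SSLv23SessionReq probe.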
