Nmap Development mailing list archives
Re: Proposed SSL version detection probe changes
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Wed, 18 Feb 2009 19:43:56 +0100
Brandon Enright wrote:
> On Tue, 17 Feb 2009 22:02:19 +0000 Brandon Enright <bmenrigh () ucsd edu> wrote:
> > I was surveying 443, 465, 636, 990, 993 and 995.
>
> If I get a moment to breathe today I'll do a survey of those ports across campus and report the number of non-v2 services.
That would be great. Note that a survey for "non-SSLv2" services is, strictly speaking, not sufficient. You really want to check for TLSv1-only and SSLv3-only servers that do not accept the backward compatible SSLv2 ClientHello; let's call these servers "non-SSLv2-compatible". Nmap does not have problems with TLSv1 and SSLv3 servers that do support the backward compatible SSLv2 ClientHello but not SSLv2 itself; let's call these "SSLv2-compatible".
In OpenSSL language:
- non-SSLv2-compatible: openssl s_server -no_ssl2
- SSLv2-compatible: openssl s_server -tls1, openssl s_server -ssl3

You can use the attached custom nmap-service-probes file that I created yesterday for this distinction, or simply detect the Nsock failures.
<snip>

> As with a lot of things on my "wish list", it would be best if I just wrote a patch. Code speaks a lot louder than words.
I agree. I might have a try at this over the weekend.

Cheers,
Kristof
# Nmap service detection probe list
# Customized for SSL/TLS detection by Kristof Boeynaems <kristof.boeynaems () gmail com>
#
# Will output "sslv3-only" or "tlsv1-only" in case the server does not support
# the backward compatible SSLv2 ClientHello that the SSLv23 method in Nsock uses.
# Hence, these servers cannot be connected to using Nmap/Ncat.
#
#
# Obligatory Null Probe, make it time out as fast as possible
Probe TCP NULL q||
totalwaitms 100

##############################NEXT PROBE##############################
# SSLv2-compatible ClientHello, 39 ciphers offered.
# Will solicit a ServerHello from most SSL implementations, apart from the ones
# that are TLSv1-only or SSLv3-only (that are not SSLv2 compatible).
Probe TCP SSLv23SessionReq q|\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98|
rarity 3
ports 443,444,548,636,993,1241,1311,2000,4444,5550,7210,7272,8009,8194,9001

# SSLv2 ServerHello
match sslv2 m|^..\x04\0.\0\x02|
# TLSv1 ServerHello:
match tlsv1 m|^\x16\x03\x01..\x02...\x03\x01|
# SSLv3 ServerHello:
match sslv3 m|^\x16\x03\0..\x02...\x03\0|

##############################NEXT PROBE##############################
# SSLv3 ClientHello probe. Will detect both TLSv1 and SSLv3 servers.
# Note that it will detect TLSv1 servers based on a failed handshake alert.
Probe TCP SSLv3SessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
rarity 3
ports 443,444,548,636,993,1241,1311,2000,4444,5550,7210,7272,8009,8194,9001
fallback CatchAll

# Generic: TLSv1 Handshake error (fatal handshake_failure alert in an SSLv3 record):
match tlsv1-only m|^\x15\x03\0\0\x02\x02\($|
# Generic: SSLv3 ServerHello:
match sslv3-only m|^\x16\x03\0..\x02...\x03\0|

# A catch all probe
Probe TCP CatchAll q|\x16|
rarity 9
totalwaitms 100
match none m|.*| p/Catch all/
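The Python below is an added example, not Kristof's attachment or Nmap/Nsock code. It embeds the SSLv23SessionReq payload from the file above as a bytes literal, parses it to check what the comment claims (a TLS 1.0 version advertised inside an SSLv2-format record, 39 cipher kinds, a 32-byte challenge), rebuilds it byte-for-byte, builds the native SSLv3/TLS ClientHello shape the SSLv3SessionReq probe uses, and labels a server's first reply with the same categories as the file's match lines. The sample replies are constructed, not captured traffic, and the probe() helper is an assumed convenience for trying the two hello shapes against a real host; it is not exercised offline.

```python
"""Added example: the two ClientHello shapes the thread contrasts, plus a
classifier for the server's first reply (labels follow the posted probe file)."""
import socket
import struct

# Exact payload of the SSLv23SessionReq probe from the posted file. The q|...|
# escapes used by nmap-service-probes are also valid Python bytes escapes.
NMAP_SSLV23_PROBE = (
    b"\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c"
    b"\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002"
    b"\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17"
    b"\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11"
    b"\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04"
    b"\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80"
    b"\x01\x00\x80\x00\x00\x02\x00\x00\x01"
    b"\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0"
    b"\xb6\xb0\xb2\x1f\xf9)\xe8\x98"
)

ALERT_DESCRIPTIONS = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
                      47: "illegal_parameter", 70: "protocol_version", 80: "internal_error"}


def parse_v2_client_hello(rec):
    """Decode an SSLv2-format CLIENT-HELLO with a 2-byte record header and return the
    fields the probe comments make claims about. 3-byte cipher kinds of the form
    0x0000XX are SSLv3/TLS suites carried in the SSLv2 envelope."""
    if len(rec) < 11 or not rec[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    declared = ((rec[0] & 0x7F) << 8) | rec[1]
    body = rec[2:]
    if body[0] != 0x01:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    spec_len, sid_len, chal_len = struct.unpack(">HHH", body[3:9])
    specs = body[9:9 + spec_len]
    chal_start = 9 + spec_len + sid_len
    return {
        "version": (body[1], body[2]),
        "cipher_kinds": [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)],
        "challenge": body[chal_start:chal_start + chal_len],
        "length_ok": declared == len(body) == chal_start + chal_len,
    }


def build_v2_compat_client_hello(version, cipher_kinds, challenge):
    """The 'backward compatible SSLv2 ClientHello': an SSLv2 record whose CLIENT-HELLO
    advertises an SSLv3/TLS version. This is what OpenSSL's SSLv23 method (and Nsock)
    opens with; an 'SSLv2-compatible' server accepts it even with SSLv2 itself off."""
    specs = b"".join(k.to_bytes(3, "big") for k in cipher_kinds)
    body = (b"\x01" + bytes(version) + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_v3_client_hello(version, suites, random32):
    """Native SSLv3/TLS ClientHello (the shape of the SSLv3SessionReq probe): a handshake
    record, version (3,0) for SSLv3 or (3,1) for TLSv1, empty session id, null compression.
    A 'non-SSLv2-compatible' server only answers this form."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    hello = (bytes(version) + random32 + b"\x00" + struct.pack(">H", len(suite_bytes))
             + suite_bytes + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def classify_reply(data):
    """Label the first bytes a server sends back, mirroring the file's match lines:
    'sslv2'/'sslv3'/'tlsv1' for a ServerHello (version taken from the ServerHello body,
    bytes 9-10, exactly where m|^\\x16\\x03\\x01..\\x02...\\x03\\x01| looks), 'alert:...' for
    an alert record (the tlsv1-only match is a fatal handshake_failure in an SSLv3 record)."""
    if not data:
        return "none"
    if data[0] & 0x80 and len(data) >= 7 and data[2] == 0x04 and data[5:7] == b"\x00\x02":
        return "sslv2"                                  # SSLv2 SERVER-HELLO, version 0x0002
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02 and data[9] == 3:
        minor = data[10]
        return "sslv3" if minor == 0 else "tlsv1" if minor == 1 else "tlsv1.%d" % (minor - 1)
    if data[0] == 0x15 and len(data) >= 7:
        level = "fatal" if data[5] == 2 else "warning"
        return "alert:%s:%s" % (level, ALERT_DESCRIPTIONS.get(data[6], str(data[6])))
    return "unknown"


def probe(host, port, hello, timeout=5.0):
    """Assumed helper (not from the thread): send one hello, classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hello)
        try:
            return classify_reply(s.recv(64))
        except (socket.timeout, ConnectionResetError):
            return "none"


# Constructed sample replies (not captured traffic) in the shapes the match lines expect.
SAMPLE_REPLIES = {
    "SSLv2 ServerHello": b"\x80\x40\x04\x00\x01\x00\x02\x00\x00",
    "SSLv3 ServerHello": b"\x16\x03\x00\x00\x4a\x02\x00\x00\x46\x03\x00" + b"\x00" * 32,
    "TLSv1 ServerHello": b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01" + b"\x00" * 32,
    "TLSv1-only server answering an SSLv3 hello": b"\x15\x03\x00\x00\x02\x02\x28",
}

if __name__ == "__main__":
    info = parse_v2_client_hello(NMAP_SSLV23_PROBE)
    print("SSLv23SessionReq advertises %d.%d, %d cipher kinds, %d-byte challenge, length ok: %s"
          % (info["version"] + (len(info["cipher_kinds"]), len(info["challenge"]), info["length_ok"])))
    for name, reply in SAMPLE_REPLIES.items():
        print("%-45s -> %s" % (name, classify_reply(reply)))
```

Sending build_v3_client_hello((3, 0), ...) and build_v2_compat_client_hello((3, 1), ...) to the same port and comparing the two labels gives the distinction the message asks for: a host that answers the native hello with "sslv3" or "tlsv1" but gives "none" or an alert to the SSLv2-format hello is one of the "non-SSLv2-compatible" servers Nsock cannot talk to.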
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Current thread:
- Re: Proposed SSL version detection probe changes, (continued)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 09)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 09)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 10)
- Re: Proposed SSL version detection probe changes Fyodor (Feb 16)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 09)
- Re: Proposed SSL version detection probe changes Fyodor (Feb 16)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 17)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Brandon Enright (Feb 17)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 18)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Feb 21)
- Re: Proposed SSL version detection probe changes Kristof Boeynaems (Mar 21)