Nmap Development mailing list archives
Re: [PATCH] Extended SSL support in Nmap
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 21 Feb 2009 21:12:12 +0000
On Sat, 21 Feb 2009 20:01:33 +0100 or thereabouts Kristof Boeynaems <kristof.boeynaems () gmail com> wrote:

...snip...
> Based on these results, it seems that the patched version is more performant (faster, and generating fewer packets), while also giving much more information (fewer 'ssl/unknown's). Also the quality of the information seems better. Note that the difference in detected ssl ports is due to the fact that 1. and 2. detect a certain service as "ssl/unknown", while 3. detects this same service as "imaps?". Not sure why this happens.
The 'imaps?' detection happens because the scan was probing port 993 and couldn't get any response out of it. Nmap would have tried the SSL (v23) probe but not gotten a response and then moved on to other probes in the file. When all the probes Nmap tries don't match, it just lists the service from the name in nmap-services and slaps a '?' onto the end. With your patch though one of the other SSL probes would have elicited a response that would allow Nmap to find the service inside of the tunnel.

Failed service matching is very time consuming. Probes have to be tried in sequence and some of them have semi-long timeouts. By succeeding on the first few probes a lot of wasted effort was prevented.
> Of course a lot more performance (and functional) testing is necessary; I am executing some more extensive tests (more hosts) myself.
I think this is actually going to be pretty hard to test. Starting a new SSL session is already a very slow, very CPU-intensive task. When I was doing an SSL survey of the Internet I had to keep the --max-hostgroup to 16 because if it was any higher Nmap would try to version-probe too many SSL services at once and I wouldn't have enough CPU to handle all of the session instantiation. Jah mentioned seeing this here:

http://seclists.org/nmap-dev/2008/q2/0332.html

I don't think I'm going to have time this weekend to test things but I'll add it to my TODO wish-list.

Brandon