Nmap Development mailing list archives

Re: [PATCH] Extended SSL support in Nmap

From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 21 Feb 2009 21:12:12 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sat, 21 Feb 2009 20:01:33 +0100 or thereabouts Kristof Boeynaems
<kristof.boeynaems () gmail com> wrote:
...snip...

Based on these results, it seems that the patches version is more 
performant (faster, and generating less packets), while also giving
much more information (less 'ssl/unknown's). Also the quality of the 
information seems better. Note that the difference in detected ssl
ports is due to the fact that 1. and 2. detect a certain services as 
"ssl/unknown", while 3. detects this same service as "imaps?". Not
sure why this happens.


The 'imaps?' detection happens because the scan was probing port 993
and couldn't get any response out of it.  Nmap would have tried the SSL
(v23) probe but not gotten a response and then moved on to other probes
in the file.  When all the probes probes Nmap tries don't match it just
lists the service from the name in nmap-services and slaps a '?' onto
the end.

With your patch though one of the other SSL probes would have elicited
a response that would allow Nmap to find the service inside of the
tunnel.

Failed service matching is a very time consuming.  Probes have to be
tried in sequence and some of them have semi-long timeouts.  By
succeeding on the first few probes a lot of wasted effort was prevented.

Of course a lot more performance (and functional) testing is
necessary; I am executing some more extensive tests (more hosts)
myself.


I think this is actually going to be pretty hard to test.  Starting a
new SSL session is already a very slow, very CPU-intensive task.  When
I was doing a SSL survey of the Internet I had to keep the
- --max-hostgroup to 16 because if it was any higher Nmap would try to
version-probe too many SSL services at once and I wouldn't have enough
CPU to handle all of the session instantiation.

Jah mentioned seeing this here:

http://seclists.org/nmap-dev/2008/q2/0332.html

I don't think I'm going to have time this weekend to test things but
I'll add it to my TODO wish-list.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmgbjYACgkQqaGPzAsl94JNWwCdEhung1oxfY/8lM3CciweLaAF
/DcAoKi1jg6muIpw60m/+qhqVZC81o/C
=8gDg
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

[PATCH] Extended SSL support in Nmap Kristof Boeynaems (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap Kristof Boeynaems (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap Brandon Enright (Feb 21)
  - Re: [PATCH] Extended SSL support in Nmap Kristof Boeynaems (Feb 21)
    - Re: [PATCH] Extended SSL support in Nmap Brandon Enright (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap doug (Feb 21)
  - Re: [PATCH] Extended SSL support in Nmap Kristof Boeynaems (Feb 21)
- Re: [PATCH] Extended SSL support in Nmap, review David Fifield (Mar 02)
  - Re: [PATCH] Extended SSL support in Nmap, review Kristof Boeynaems (Mar 03)
    - Re: [PATCH] Extended SSL support in Nmap, review David Fifield (Mar 03)
    - Re: [PATCH] Extended SSL support in Nmap, review Kristof Boeynaems (Mar 22)
    - Re: [PATCH] Extended SSL support in Nmap, review David Fifield (Mar 30)
    - Re: [PATCH] Extended SSL support in Nmap, review Kristof Boeynaems (Mar 31)

(Thread continues...)