Nmap Development mailing list archives
Re: [PATCH] Always list SSL in case any SSL connection succeeded
From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Tue, 24 Feb 2009 22:09:35 +0100
David Fifield wrote:
On Sun, Feb 22, 2009 at 12:04:53AM +0100, Kristof Boeynaems wrote:

A quick patch for the 'bug' described in http://seclists.org/nmap-dev/2009/q1/0484.html.

"There is still a 'bug', where all detected SSL information will be thrown away in case the SSL server does not respond at all, beyond the SSL handshake. However, because the SSL connections succeeded, Nmap should list these situations as 'ssl/unknown'.

This bug can very easily be reproduced by setting up your own OpenSSL server as follows:

openssl s_server -cert /usr/share/doc/libssl-dev/demos/sign/cert.pem -key /usr/share/doc/libssl-dev/demos/sign/key.pem

This OpenSSL server will listen at 4433 by default, and will not return anything beyond an SSL connection."

<snip>

I think the bug could be fixed in a better way, though. The code already passes (*svc)->tunnel in the case of no match, so the fact that SSL was detected is already recorded. I think you should rather patch getNmapServiceName in output.cc. That's the function that builds up a name from the service info.
Thanks for looking into this.

In fact, trying to adapt getNmapServiceName() was the first thing I tried, but that does not work, as apparently that function never gets called in the case described above. It seems that Nmap gives up on the ssl tunnel completely, even before that function.
I followed the code a bit further, and it turns out that the tunnel that getNmapServiceName() ultimately receives is set by getServiceProbeProbeResults() in portlist.cc. This function in turn gets it from 'serviceprobe_tunnel', which is initialized with the value of SERVICE_TUNNEL_NONE. It seems that the only way that 'serviceprobe_tunnel' (and hence ultimately the tunnel description in getNmapServiceName()) can be changed, is through a call to setServiceProbeResults(). This function is called from nse_nmaplib.cc, and from service_scan.cc. But, this function is *never* called in the test case of above. Thus the tunnel in these cases defaults to SERVICE_TUNNEL_NONE.
As far as I can see, processResults() in service_scan.cc is the best place to solve this, by calling setServiceProbeResults() there, even in the test case above. It is in that place that the other calls to setServiceProbeResults() happen, so it seemed logical to add it there.
Nevertheless, if you have other suggestions, I am willing to try them as well.
One more thing: In the test you described, the output should be "ssl/unknown?", not "ssl/unknown". Leaving off the question mark makes it look as if the port was positively identified. It's confusing in this case because the port is named "unknown", but that name comes from the nmap-services file. If you repeat the s_server experiment with port 80 you'll see what I mean. The output should be "ssl/http?", not "ssl/http" or "http?".
Good point. I'll look into that once we have agreed on where we should make the change :)
Thanks,
Kristof

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
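The two decisions argued over in this thread (whether processResults() records the tunnel when no probe matched, and how getNmapServiceName() should turn tunnel plus service name into "ssl/unknown?" versus "ssl/http") can be modelled in a few lines. The block below is an added illustration written for this archive page; it is not Nmap's code, and process_results(), service_display_name(), name_for() and the PortResult struct are simplified stand-ins for the functions named above, with the scenarios in main() constructed rather than taken from real scan output. The record_tunnel_on_nomatch flag switches between the behaviour Kristof reports (tunnel only stored on a probe match) and the proposed change.

```cpp
#include <iostream>
#include <string>

// Mirrors the two tunnel states discussed in the thread (SERVICE_TUNNEL_NONE / SSL).
enum class Tunnel { None, Ssl };

// What the model records for one port after version scanning.
struct PortResult {
    Tunnel tunnel = Tunnel::None;   // defaults to "no tunnel", like serviceprobe_tunnel
    std::string matched;            // service name from a matched probe; empty if none matched
    std::string fallback;           // name from nmap-services for this port number
};

// Stand-in for the decision made in processResults(): what gets stored on the port.
// record_tunnel_on_nomatch=false models the behaviour reported in the thread (the
// tunnel is only stored when a probe matched); true models the proposed change of
// storing the tunnel whenever the SSL handshake succeeded.
PortResult process_results(bool ssl_handshake_ok, const std::string& matched,
                           const std::string& fallback, bool record_tunnel_on_nomatch) {
    PortResult r;
    r.fallback = fallback;
    if (!matched.empty()) {
        r.matched = matched;
        r.tunnel = ssl_handshake_ok ? Tunnel::Ssl : Tunnel::None;
    } else if (record_tunnel_on_nomatch && ssl_handshake_ok) {
        r.tunnel = Tunnel::Ssl;
    }
    return r;
}

// Stand-in for getNmapServiceName(): build the display name. A name that only comes
// from nmap-services is a guess, so it gets a trailing "?"; a detected tunnel always
// adds the "ssl/" prefix, independent of whether the service itself was identified.
std::string service_display_name(const PortResult& r) {
    std::string name = r.matched;
    if (name.empty())
        name = (r.fallback.empty() ? std::string("unknown") : r.fallback) + "?";
    if (r.tunnel == Tunnel::Ssl)
        name = "ssl/" + name;
    return name;
}

// Convenience wrapper: run both steps for one scenario.
std::string name_for(bool ssl_ok, const std::string& matched,
                     const std::string& fallback, bool fixed) {
    return service_display_name(process_results(ssl_ok, matched, fallback, fixed));
}

int main() {
    // Constructed scenarios, not real scan output.
    std::cout << "s_server on 4433, before: " << name_for(true, "", "unknown", false) << "\n";
    std::cout << "s_server on 4433, after:  " << name_for(true, "", "unknown", true) << "\n";
    std::cout << "s_server on 80, after:    " << name_for(true, "", "http", true) << "\n";
    std::cout << "real https, probe matched: " << name_for(true, "http", "http", true) << "\n";
    std::cout << "plain port 80, no match:  " << name_for(false, "", "http", true) << "\n";
    return 0;
}
```

With the flag off, the 4433 case loses the tunnel entirely and prints "unknown?"; with it on, the same input prints "ssl/unknown?", and the port-80 variant prints "ssl/http?" rather than "ssl/http", which is the distinction David asks for.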
Current thread:
- [PATCH] Always list SSL in case any SSL connection succeeded Kristof Boeynaems (Feb 21)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded Kristof Boeynaems (Feb 21)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded David Fifield (Feb 23)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded Kristof Boeynaems (Feb 24)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded Kristof Boeynaems (Feb 24)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded David Fifield (Mar 02)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded Fyodor (Mar 02)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded David Fifield (Mar 02)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded Fyodor (Mar 02)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded David Fifield (Mar 03)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded Kristof Boeynaems (Feb 24)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded David Fifield (Mar 02)
- Re: [PATCH] Always list SSL in case any SSL connection succeeded Kristof Boeynaems (Mar 02)