Nmap Development mailing list archives

Re: [PATCH] Extended SSL support in Nmap, review


From: Kristof Boeynaems <kristof.boeynaems () gmail com>
Date: Sun, 22 Mar 2009 16:26:50 +0100

Kristof Boeynaems wrote:
On Tue, Mar 3, 2009 at 6:34 AM, David Fifield <david () bamsoftware com> wrote:
I especially want to thank you for these test results. They are an
indication of intellectual honesty and rigor as a developer. The results
(with the typo correction in http://seclists.org/nmap-dev/2009/q1/0485.html),
show that this SSL fix, while not urgent, is worthwhile.

Thanks again. By the way, I still owe the list the results of my (slightly) more extensive scanning; I'll post them later on, when I again have access to the data.


Here are the results of that slightly more extensive test. Note that this was still done with nmap-4.85BETA3.

Command: nmap -T4 -v -n -PN -sV -p443,465,636,990,995,993 -iL <list of about 700 random SSL servers collected earlier via an iR scan> -d -oA <filename>

Results:
# nmap-4.85BETA3 - scanned in 1866.96 seconds
- Total number of hosts with at least one port open: 611
- Total number of SSL hosts (hosts with at least one ' ssl/' result): 541
- Total of open SSL ports detected (' ssl/'): 781
- Number of open SSL ports detected and successfully investigated (' ssl/something'): 709
- Number of open SSL ports detected and not successfully investigated (' ssl/unknown'): 72

#  nmap-4.85BETA3 with two extra general SSL lines in nmap-service-probes file (see below)
- scanned in 1832.99 seconds
- Total number of hosts with at least one port open: 615
- Total number of SSL hosts (hosts with at least one ' ssl/' result): 593
- Total of open SSL ports detected (' ssl/'): 888
- Number of open SSL ports detected and successfully investigated (' ssl/something'): 801
- Number of open SSL ports detected and not successfully investigated (' ssl/unknown'): 87

# nmap-4.85BETA3 with full SSL patch
- scanned in 1837.90 seconds
- Total number of hosts with at least one port open: 617
- Total number of SSL hosts (hosts with at least one ' ssl/' result): 606
- Total of open SSL ports detected (' ssl/'): 910
- Number of open SSL ports detected and successfully investigated (' ssl/something'): 821
- Number of open SSL ports detected and not successfully investigated (' ssl/unknown'): 89

It is a bit difficult to interpret the results, as the same number of open ports/hosts is not always found. I should really do some bigger testing.
However, I think two conclusions can already be drawn from these results:
1. Simply adding those two extra SSL match lines in nmap-service-probes makes quite a difference in reliably detecting SSL services.
2. Performance of the patched SSL version is very comparable to the unpatched version.

Also note that this batch contains some SSLv3-only and TLSv1-only hosts, which can only be reliably probed by the patched SSL version.


While a full SSL patch needs a lot more rework/testing, I would suggest already tuning the SSL section in nmap-service-probes based on the above results. To be really complete, we could add a probe that will detect SSLv2-only versions as well, but with a high rarity value, as these hosts seem very rare (see http://seclists.org/nmap-dev/2009/q1/0783.html); thus we don't want to slow down the default version scan with an extra probe.
See the attached patch for a full patch against the latest nmap-service-probes file, including these two proposed changes.


I also noticed that the version information recorded by the SSL probe seems to be actually thrown away at the moment the probing is repeated with SSL. I think this is a pity, as it often contains valuable information (as can be seen from all the version info in the SSL section of nmap-service-probes). I might look into resolving this later.


Cheers,

Kristof



--- nmap-service-probes.orig    2009-03-22 11:15:21.000000000 +0100
+++ nmap-service-probes 2009-03-22 16:11:50.000000000 +0100
@@ -6485,6 +6485,7 @@
 match webster m/^DICTIONARY server protocol:\r\n\r\nContact name is/ p/Webster dictionary server/
 
 ##############################NEXT PROBE##############################
+#SSLv3 ClientHello probe. Will be able to reliably identify the SSL version used, unless the server is running SSLv2 
only. Note that it will also detect TLSv1 servers, based on a failed handshake alert.
 Probe TCP SSLSessionReq 
q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
 
 rarity 3
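Review bot: the new comment on the SSLSessionReq probe has been wrapped by the mail client, so its continuation ("only. Note that it will also detect TLSv1 servers ...") carries neither the '+' prefix nor a leading '#', and the hunk will not apply as pasted; rejoin it onto a single '# ...' line (or send the file as an attachment). It would also help to say in that comment which response the TLSv1 detection depends on, namely a server answering the SSLv3 ClientHello with a fatal handshake_failure alert, since that is exactly what the generic alert match added in the next hunk keys on.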
@@ -6549,6 +6550,30 @@
 match ssl/sophos m|^\x16\x03\0.*Router\$([a-zA-Z0-9_-]+).*Sophos EM Certification Manager|s p/Sophos Message Router/ 
h/$1/
 match ssl/sophos m|^\x16\x03\0.*Sophos EM Certification Manager|s p/Sophos Message Router/
 
+# Generic: TLSv1 Handshake error:
+match ssl m|^\x15\x03\0\0\x02\x02\($| p/TLSv1/
+
+# Generic: SSLv3 ServerHello:
+match ssl m|^\x16\x03\0..\x02...\x03\0| p/SSLv3/
+
+##############################NEXT PROBE##############################
+#SSLv2-compatible ClientHello, 39 ciphers offered.
+#Will sollicit a ServerHello from most SSL implementations, apart from the ones that are TLSv1-only or SSLv3-only. As 
it comes after the SSLv3 probe, its only added value is the detection of SSLv2-only servers
+Probe TCP SSLv23SessionReq q|\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 
\x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M
 \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98|
+
+rarity 8
+ports 443,444,548,636,993,1241,1311,2000,4444,5550,7210,7272,8009,8194,9001
+fallback GetRequest
+
+# SSLv2 ServerHello
+match ssl m|^..\x04\0.\0\x02| p/SSLv2/
+
+# TLSv1 ServerHello, compatible with SSLv2:
+match ss1 m|^\x16\x03\x01..\x02...\x03\x01| p/TLSv1/
+
+# SSLv3 ServerHello, compatible with SSLv2:
+match ssl m|^\x16\x03\0..\x02...\x03\0| p/SSLv3/
+
 
 # SMB Negotiate Protocol
 ##############################NEXT PROBE##############################
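Review bot: the TLSv1 ServerHello rule under the new SSLv23SessionReq probe reads "match ss1" (digit one rather than letter l), so a TLSv1 server negotiated through this probe would be reported as service "ss1" instead of "ssl"; it should read `match ssl m|^\x16\x03\x01..\x02...\x03\x01| p/TLSv1/`. The generic rule `match ssl m|^\x15\x03\0\0\x02\x02\($| p/TLSv1/` labels any fatal handshake_failure alert (description 0x28) at record version 3.0 as TLSv1, but an SSLv3 server that shares no cipher with the probe answers with the same alert, so the product string is an inference rather than an observed version and the comment should say so. The SSLv23SessionReq probe string has also been wrapped across three lines by the mail client (the continuation lines lack the '+' prefix), and the whitespace at the wrap points matters: the SSLv2 record header \x80\x9e announces 158 bytes, which after the fixed fields and 39 three-byte cipher specs (\x00u = 117) leaves exactly 32 challenge bytes, so whoever applies this should check that the rejoined string still totals 158 bytes. Minor: "sollicit" in the probe comment should be "solicit".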

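As an added example (not part of Kristof's patch or of Nmap itself), the match lines from the patch transcribed into Python and run against constructed server replies; the helper names are assumptions. It also shows why the handshake_failure rule's p/TLSv1/ is only an inference: an SSLv3 server with no cipher in common with the probe sends the same alert.

```python
"""Classify the first bytes of an SSL/TLS server reply with the same match
rules as the nmap-service-probes patch above (added example, not Nmap code).
Sample responses are constructed here, not captured from real servers."""
import re

# Match lines transcribed from the patch, grouped per probe.  Nmap's m|...|
# syntax maps directly onto Python bytes regexes; '\(' in the alert rule is 0x28.
SSL_SESSION_REQ = [          # replies to the SSLv3 ClientHello probe
    (rb"^\x15\x03\x00\x00\x02\x02\x28$", "TLSv1"),   # fatal handshake_failure alert
    (rb"^\x16\x03\x00..\x02...\x03\x00", "SSLv3"),   # SSLv3 ServerHello
]
SSLV23_SESSION_REQ = [       # replies to the SSLv2-compatible ClientHello probe
    (rb"^..\x04\x00.\x00\x02", "SSLv2"),             # SSLv2 SERVER-HELLO
    (rb"^\x16\x03\x01..\x02...\x03\x01", "TLSv1"),   # TLSv1 ServerHello
    (rb"^\x16\x03\x00..\x02...\x03\x00", "SSLv3"),   # SSLv3 ServerHello
]

def classify(response: bytes, rules) -> str:
    """Return the product label of the first matching rule, else 'unknown'
    (what Nmap prints as ssl/unknown).  DOTALL lets '.' match 0x0a, which a
    length byte may legitimately be."""
    for pattern, label in rules:
        if re.match(pattern, response, re.DOTALL):
            return label
    return "unknown"

def server_hello_v3(version: bytes) -> bytes:
    """Constructed SSLv3/TLSv1 ServerHello record (version b'\\x03\\x00' or
    b'\\x03\\x01'); the 32-byte server random is all zero, session id empty."""
    body = version + b"\x00" * 32 + b"\x00" + b"\x00\x04" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake

def server_hello_v2() -> bytes:
    """Constructed SSLv2 SERVER-HELLO: type 4, no session hit, X.509 cert type,
    version 0x0002, empty certificate/cipher-spec/connection-id fields."""
    body = b"\x04\x00\x01\x00\x02" + b"\x00\x00" * 3
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

# Fatal (2) handshake_failure (40) alert at record version 3.0.  Both a TLSv1-only
# server rejecting SSLv3 and an SSLv3 server with no common cipher send this, so
# classify(HANDSHAKE_FAILURE, SSL_SESSION_REQ) == "TLSv1" is a heuristic.
HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"
```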
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
