Nmap Development mailing list archives

Floating a bit of an idea - identifying web server/host OS based on SSL handshake results?

From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Wed, 12 May 2010 13:40:52 -0500

Folks:

        We know how the SSL handshake works, cipher/compression
algorithm wise - client establishes connection to server, lists the
cryptographic capabilities of the client in order of preference, server
replies w/ cipher suite/compression algorithm chosen.

        Idea (which needs from testing ;)) - for heavily
firewalled/obfuscated web servers, an NSE script could establish X SSL
connections, each one with a different set of ciphers (permutations on a
given set or mutually exclusive sets), check which one is chosen by the
server.

        My (untested, unproven) theory is that the server-side
preference for one algorithm over another is hard coded/defaults never
changed, and may allow to sort out not only between
Apache/IIS/JSSE-based servers, but maybe between same server revisions.

        Anyone interested in giving it a shot ? I would love to - if I
had a bit of extra time ;)

        Thanks, 
        Dario
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Floating a bit of an idea - identifying web server/host OS based on SSL handshake results? Dario Ciccarone (dciccaro) (May 12)
- Re: Floating a bit of an idea - identifying web server/host OS based on SSL handshake results? David Fifield (May 14)