Nmap Development mailing list archives

Re: ssl-cert.nse error


From: Matt Selsky <selsky () columbia edu>
Date: Sat, 16 Oct 2010 23:03:22 -0400 (EDT)

On Fri, 15 Oct 2010, David Fifield wrote:

Is it just ssl-cert, or does it also happen with version detection?

--version-trace shows:

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-10-16 21:59 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 7 scripts for scanning.
setrlimit RLIMIT_NOFILE failed: Invalid argument
Overall sending rates: 19.73 packets / s.
mass_rdns: Using DNS server 209.18.47.61
mass_rdns: Using DNS server 209.18.47.62
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
mass_rdns: 0.22s 0/1 [#: 4, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
DNS resolution of 1 IPs took 0.22s. Mode: Async [#: 4, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Overall sending rates: 29.64 packets / s.
NSOCK (10.7030s) TCP connection requested to 10.59.59.26:443 (IOD #1) EID 8
NSOCK (10.7880s) Callback: CONNECT SUCCESS for EID 8 [10.59.59.26:443]
Service scan sending probe NULL to 10.59.59.26:443 (tcp)
NSOCK (10.7880s) Read request from IOD #1 [10.59.59.26:443] (timeout: 6000ms) EID 18
NSOCK (16.8200s) Callback: READ TIMEOUT for EID 18 [10.59.59.26:443]
Service scan sending probe HTTPOptions to 10.59.59.26:443 (tcp)
NSOCK (16.8200s) Write request for 22 bytes to IOD #1 EID 27 [10.59.59.26:443]: OPTIONS / HTTP/1.0....
NSOCK (16.8200s) Read request from IOD #1 [10.59.59.26:443] (timeout: 5000ms) EID 34
NSOCK (16.8220s) Callback: WRITE SUCCESS for EID 27 [10.59.59.26:443]
NSOCK (16.8740s) Callback READ SUCCESS for EID 34 (peer unspecified) (7 bytes): .......
NSOCK (16.8740s) Read request from IOD #1 (peer unspecified) (timeout: 4859ms) EID 42
NSOCK (16.8740s) Callback: READ EOF for EID 42 (peer unspecified)
NSOCK (16.9620s) TCP connection requested to 10.59.59.26:443 (IOD #2) EID 48
NSOCK (17.0420s) Callback: CONNECT SUCCESS for EID 48 [10.59.59.26:443]
Service scan sending probe SSLSessionReq to 10.59.59.26:443 (tcp)
NSOCK (17.0420s) Write request for 88 bytes to IOD #2 EID 59 [10.59.59.26:443]
NSOCK (17.0420s) Read request from IOD #2 [10.59.59.26:443] (timeout: 5000ms) EID 66
NSOCK (17.0420s) Callback: WRITE SUCCESS for EID 59 [10.59.59.26:443]
NSOCK (17.0910s) Callback READ SUCCESS for EID 66 (peer unspecified) (1296 bytes)
Service scan match (Probe SSLSessionReq matched with SSLSessionReq): 10.59.59.26:443 is ssl.  Version: |Microsoft IIS SSL|||
NSOCK (17.0920s) SSL connection requested to 10.59.59.26:443/tcp (IOD #3) EID 73
NSOCK (17.1760s) EID 73 reconnecting with SSL_OP_NO_SSLv2
NSOCK (17.2420s) EID 73 error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
NSOCK (17.2420s) Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 73 [10.59.59.26:443]
Got nsock CONNECT response with status ERROR - aborting this service
Starting RPC scan against google-search0 (10.59.59.26)
NSE: Script scanning 10.59.59.26.
NSE: Starting runlevel 1 (of 1) scan.
NSE: NSE Script Threads (1) running:
NSE: Starting skypev2-version against 10.59.59.26:443.
NSE: Finished skypev2-version against 10.59.59.26:443.
Nmap scan report for google-search0 (10.59.59.26)
Host is up (0.092s latency).
rDNS record for 10.59.59.26: google-search0
Scanned at 2010-10-16 21:59:19 EDT for 11s
PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
Final times for host: srtt: 92363 rttvar: 73497  to: 386351

Read from .: nmap-payloads nmap-rpc nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.96 seconds

Run "openssl s_client -debug" and see if there is any interesting
output, particularly the section that looks like

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 4CBA5940CB52E9DADC9605458E1AF56B2E583DA7A05FA8663BAE0E6458D0C931
    Session-ID-ctx:
    Master-Key: 240C8B83B9AADD915FFF9273918B567B667D958C3EF65051685D90A70C2BBEF0D4984FC46977EACA753F7910FE06CACF
    Key-Arg   : None
    Start Time: 1287280960
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

The line

NSOCK (0.4540s) EID 9 reconnecting with SSL_OP_NO_SSLv2

indicates that connecting in SSLv2-compatible mode didn't work, so it
fell back to SSLv3-only mode. That seems to be failing too.

The server is only supposed to support SSLv3. The openssl debug output when I force sslv3 seems odd.

$  openssl s_client -connect google-search0:443 -debug -ssl3
CONNECTED(00000003)
write to 0x1001190f0 [0x100815e00] (99 bytes => 99 (0x63))
0000 - 16 03 00 00 5e 01 00 00-5a 03 00 4c ba 66 74 7c   ....^...Z..L.ft|
0010 - b7 d2 9f 4e e5 e4 82 cd-a2 e9 89 2b b6 20 14 0f   ...N.......+. ..
0020 - bb a2 79 e4 cf 2e 68 a0-b3 48 72 00 00 2c 00 39   ..y...h..Hr..,.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 02 01 00 00 04 00   ................
0060 - 23                                                #
0063 - <SPACES/NULS>
read from 0x1001190f0 [0x100811400] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02                                    .....
write to 0x1001190f0 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
3218:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s3_pkt.c:284:

What else can I try?


--
Matt
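
Added example, not part of the original message: a small decoder for the 5-byte SSL/TLS record headers in the `s_client -debug -ssl3` dump above. It shows that the ClientHello went out with record version 3.0 while the server's reply header carries 3.1, and it decodes the alert the client then wrote. The function names and the partial alert table are assumptions made for this example.

```python
import struct

# Record-layer constants (subset, enough for the bytes in this thread).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
            (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}

# Bytes copied from the hex dump in the message above.
CLIENT_HELLO_START = bytes.fromhex("16 03 00 00 5e 01 00 00 5a 03 00")
SERVER_REPLY = bytes.fromhex("15 03 01 00 02")        # only the header was read
CLIENT_ALERT = bytes.fromhex("15 03 01 00 02 02 28")

def parse_record_header(data):
    """Decode content type, protocol version and length from a record header."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "length": length,
    }

def parse_alert(record):
    """Decode (level, description) from a complete plaintext alert record."""
    hdr = parse_record_header(record)
    if hdr["type"] != "alert" or hdr["length"] != 2 or len(record) < 7:
        raise ValueError("not a complete plaintext alert record")
    level, desc = record[5], record[6]
    return (ALERT_LEVELS.get(level, "unknown(%d)" % level),
            ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc))

def version_mismatch(sent, received):
    """True when the peer's record version differs from the one that was sent."""
    return (parse_record_header(sent)["version"]
            != parse_record_header(received)["version"])

if __name__ == "__main__":
    for name, blob in [("client hello", CLIENT_HELLO_START),
                       ("server reply", SERVER_REPLY),
                       ("client alert", CLIENT_ALERT)]:
        print(name, parse_record_header(blob))
    print("alert written by client:", parse_alert(CLIENT_ALERT))
    print("version mismatch:", version_mismatch(CLIENT_HELLO_START, SERVER_REPLY))
```

The server's alert body was never read in the dump, so only its header can be decoded; the decoded alert is the one `s_client` wrote back.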