Nmap Development mailing list archives
Re: ssl-cert.nse error
From: Matt Selsky <selsky () columbia edu>
Date: Sat, 16 Oct 2010 23:03:22 -0400 (EDT)
On Fri, 15 Oct 2010, David Fifield wrote:
> Is it just ssl-cert, or does it also happen with version detection?

--version-trace shows:

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-10-16 21:59 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 7 scripts for scanning.
setrlimit RLIMIT_NOFILE failed: Invalid argument
Overall sending rates: 19.73 packets / s.
mass_rdns: Using DNS server 209.18.47.61
mass_rdns: Using DNS server 209.18.47.62
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
mass_rdns: 0.22s 0/1 [#: 4, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
DNS resolution of 1 IPs took 0.22s. Mode: Async [#: 4, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Overall sending rates: 29.64 packets / s.
NSOCK (10.7030s) TCP connection requested to 10.59.59.26:443 (IOD #1) EID 8
NSOCK (10.7880s) Callback: CONNECT SUCCESS for EID 8 [10.59.59.26:443]
Service scan sending probe NULL to 10.59.59.26:443 (tcp)
NSOCK (10.7880s) Read request from IOD #1 [10.59.59.26:443] (timeout: 6000ms) EID 18
NSOCK (16.8200s) Callback: READ TIMEOUT for EID 18 [10.59.59.26:443]
Service scan sending probe HTTPOptions to 10.59.59.26:443 (tcp)
NSOCK (16.8200s) Write request for 22 bytes to IOD #1 EID 27 [10.59.59.26:443]: OPTIONS / HTTP/1.0....
NSOCK (16.8200s) Read request from IOD #1 [10.59.59.26:443] (timeout: 5000ms) EID 34
NSOCK (16.8220s) Callback: WRITE SUCCESS for EID 27 [10.59.59.26:443]
NSOCK (16.8740s) Callback READ SUCCESS for EID 34 (peer unspecified) (7 bytes): .......
NSOCK (16.8740s) Read request from IOD #1 (peer unspecified) (timeout: 4859ms) EID 42
NSOCK (16.8740s) Callback: READ EOF for EID 42 (peer unspecified)
NSOCK (16.9620s) TCP connection requested to 10.59.59.26:443 (IOD #2) EID 48
NSOCK (17.0420s) Callback: CONNECT SUCCESS for EID 48 [10.59.59.26:443]
Service scan sending probe SSLSessionReq to 10.59.59.26:443 (tcp)
NSOCK (17.0420s) Write request for 88 bytes to IOD #2 EID 59 [10.59.59.26:443]
NSOCK (17.0420s) Read request from IOD #2 [10.59.59.26:443] (timeout: 5000ms) EID 66
NSOCK (17.0420s) Callback: WRITE SUCCESS for EID 59 [10.59.59.26:443]
NSOCK (17.0910s) Callback READ SUCCESS for EID 66 (peer unspecified) (1296 bytes)
Service scan match (Probe SSLSessionReq matched with SSLSessionReq): 10.59.59.26:443 is ssl. Version: |Microsoft IIS SSL|||
NSOCK (17.0920s) SSL connection requested to 10.59.59.26:443/tcp (IOD #3) EID 73
NSOCK (17.1760s) EID 73 reconnecting with SSL_OP_NO_SSLv2
NSOCK (17.2420s) EID 73 error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
NSOCK (17.2420s) Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 73 [10.59.59.26:443]
Got nsock CONNECT response with status ERROR - aborting this service
Starting RPC scan against google-search0 (10.59.59.26)
NSE: Script scanning 10.59.59.26.
NSE: Starting runlevel 1 (of 1) scan.
NSE: NSE Script Threads (1) running:
NSE: Starting skypev2-version against 10.59.59.26:443.
NSE: Finished skypev2-version against 10.59.59.26:443.
Nmap scan report for google-search0 (10.59.59.26)
Host is up (0.092s latency).
rDNS record for 10.59.59.26: google-search0
Scanned at 2010-10-16 21:59:19 EDT for 11s
PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
Final times for host: srtt: 92363 rttvar: 73497 to: 386351
Read from .: nmap-payloads nmap-rpc nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.96 seconds

> Run "openssl s_client -debug" and see if there is any interesting
> output, particularly the section that looks like
>
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : EDH-RSA-DES-CBC3-SHA
>     Session-ID: 4CBA5940CB52E9DADC9605458E1AF56B2E583DA7A05FA8663BAE0E6458D0C931
>     Session-ID-ctx:
>     Master-Key: 240C8B83B9AADD915FFF9273918B567B667D958C3EF65051685D90A70C2BBEF0D4984FC46977EACA753F7910FE06CACF
>     Key-Arg   : None
>     Start Time: 1287280960
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> The line
>     NSOCK (0.4540s) EID 9 reconnecting with SSL_OP_NO_SSLv2
> indicates that connecting in SSLv2-compatible mode didn't work, so it
> fell back to SSLv3-only mode. That seems to be failing too.

The server is only supposed to support SSLv3. The openssl debug output when I force sslv3 seems odd.

$ openssl s_client -connect google-search0:443 -debug -ssl3
CONNECTED(00000003)
write to 0x1001190f0 [0x100815e00] (99 bytes => 99 (0x63))
0000 - 16 03 00 00 5e 01 00 00-5a 03 00 4c ba 66 74 7c   ....^...Z..L.ft|
0010 - b7 d2 9f 4e e5 e4 82 cd-a2 e9 89 2b b6 20 14 0f   ...N.......+. ..
0020 - bb a2 79 e4 cf 2e 68 a0-b3 48 72 00 00 2c 00 39   ..y...h..Hr..,.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 02 01 00 00 04 00   ................
0060 - 23                                                #
0063 - <SPACES/NULS>
read from 0x1001190f0 [0x100811400] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02                                    .....
write to 0x1001190f0 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
3218:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s3_pkt.c:284:

What else can I try?

--
Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
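
Added example, not part of the original message and not Nmap or OpenSSL code: decoding the record headers from the -debug dump above shows the ClientHello going out as SSLv3 (03 00) while the 5-byte reply carries record version 03 01, which is the mismatch OpenSSL reports as "wrong version number". The function names are hypothetical; the byte strings are copied from the dump.

```python
import struct

# Record-layer content types, versions and alert codes (SSL 3.0 / TLS 1.0 era).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}

# Bytes copied from the openssl s_client -debug dump in the message above.
CLIENT_HELLO_START = bytes.fromhex("16 03 00 00 5e 01 00 00 5a 03 00")  # first 11 of the 99 bytes written
SERVER_REPLY = bytes.fromhex("15 03 01 00 02")                          # the 5 bytes read back
CLIENT_ALERT = bytes.fromhex("15 03 01 00 02 02 28")                    # the 7 bytes written before the error


def parse_record(data):
    """Decode the 5-byte record header, plus alert or ClientHello fields when present."""
    if len(data) < 5:
        raise ValueError("a record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    rec = {
        "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "length": length,
        "complete": len(body) == length,  # False when only part of the record was captured
    }
    if rec["type"] == "alert" and len(body) >= 2:
        rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]),
                        ALERT_DESCRIPTIONS.get(body[1], body[1]))
    if rec["type"] == "handshake" and len(body) >= 6 and body[0] == 1:
        # ClientHello body: msg_type(1) + length(3) + client_version(2)
        rec["client_hello_version"] = VERSIONS.get((body[4], body[5]), "unknown")
    return rec


def version_mismatch(sent, received):
    """True when the peer's record-layer version differs from the one we sent."""
    return parse_record(sent)["version"] != parse_record(received)["version"]


if __name__ == "__main__":
    for name, blob in [("write", CLIENT_HELLO_START), ("read", SERVER_REPLY), ("write", CLIENT_ALERT)]:
        print(name, parse_record(blob))
    print("record version mismatch:", version_mismatch(CLIENT_HELLO_START, SERVER_REPLY))
```

The record length of 94 plus the 5-byte header accounts for the 99 bytes in the first write; the final 7-byte write decodes as a fatal handshake_failure alert.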