Nmap Development mailing list archives

Re: ssl-cert.nse error


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 17 Oct 2010 07:30:59 +0200


On 17 Oct 2010, at 05.03, Matt Selsky wrote:

On Fri, 15 Oct 2010, David Fifield wrote:

Is it just ssl-cert, or does it also happen with version detection?

--version-trace shows:

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-10-16 21:59 EDT
--------------- Timing report ---------------
 hostgroups: min 1, max 100000
 rtt-timeouts: init 1000, min 100, max 10000
 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
 parallelism: min 0, max 0
 max-retries: 10, host-timeout: 0
 min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 7 scripts for scanning.
setrlimit RLIMIT_NOFILE failed: Invalid argument
Overall sending rates: 19.73 packets / s.
mass_rdns: Using DNS server 209.18.47.61
mass_rdns: Using DNS server 209.18.47.62
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
mass_rdns: 0.22s 0/1 [#: 4, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
DNS resolution of 1 IPs took 0.22s. Mode: Async [#: 4, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Overall sending rates: 29.64 packets / s.
NSOCK (10.7030s) TCP connection requested to 10.59.59.26:443 (IOD #1) EID 8
NSOCK (10.7880s) Callback: CONNECT SUCCESS for EID 8 [10.59.59.26:443]
Service scan sending probe NULL to 10.59.59.26:443 (tcp)
NSOCK (10.7880s) Read request from IOD #1 [10.59.59.26:443] (timeout: 6000ms) EID 18
NSOCK (16.8200s) Callback: READ TIMEOUT for EID 18 [10.59.59.26:443]
Service scan sending probe HTTPOptions to 10.59.59.26:443 (tcp)
NSOCK (16.8200s) Write request for 22 bytes to IOD #1 EID 27 [10.59.59.26:443]: OPTIONS / HTTP/1.0....
NSOCK (16.8200s) Read request from IOD #1 [10.59.59.26:443] (timeout: 5000ms) EID 34
NSOCK (16.8220s) Callback: WRITE SUCCESS for EID 27 [10.59.59.26:443]
NSOCK (16.8740s) Callback READ SUCCESS for EID 34 (peer unspecified) (7 bytes): .......
NSOCK (16.8740s) Read request from IOD #1 (peer unspecified) (timeout: 4859ms) EID 42
NSOCK (16.8740s) Callback: READ EOF for EID 42 (peer unspecified)
NSOCK (16.9620s) TCP connection requested to 10.59.59.26:443 (IOD #2) EID 48
NSOCK (17.0420s) Callback: CONNECT SUCCESS for EID 48 [10.59.59.26:443]
Service scan sending probe SSLSessionReq to 10.59.59.26:443 (tcp)
NSOCK (17.0420s) Write request for 88 bytes to IOD #2 EID 59 [10.59.59.26:443]
NSOCK (17.0420s) Read request from IOD #2 [10.59.59.26:443] (timeout: 5000ms) EID 66
NSOCK (17.0420s) Callback: WRITE SUCCESS for EID 59 [10.59.59.26:443]
NSOCK (17.0910s) Callback READ SUCCESS for EID 66 (peer unspecified) (1296 bytes)
Service scan match (Probe SSLSessionReq matched with SSLSessionReq): 10.59.59.26:443 is ssl.  Version: |Microsoft IIS SSL|||
NSOCK (17.0920s) SSL connection requested to 10.59.59.26:443/tcp (IOD #3) EID 73
NSOCK (17.1760s) EID 73 reconnecting with SSL_OP_NO_SSLv2
NSOCK (17.2420s) EID 73 error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
NSOCK (17.2420s) Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 73 [10.59.59.26:443]
Got nsock CONNECT response with status ERROR - aborting this service
Starting RPC scan against google-search0 (10.59.59.26)
NSE: Script scanning 10.59.59.26.
NSE: Starting runlevel 1 (of 1) scan.
NSE: NSE Script Threads (1) running:
NSE: Starting skypev2-version against 10.59.59.26:443.
NSE: Finished skypev2-version against 10.59.59.26:443.
Nmap scan report for google-search0 (10.59.59.26)
Host is up (0.092s latency).
rDNS record for 10.59.59.26: google-search0
Scanned at 2010-10-16 21:59:19 EDT for 11s
PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
Final times for host: srtt: 92363 rttvar: 73497  to: 386351

Read from .: nmap-payloads nmap-rpc nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.96 seconds

Run "openssl s_client -debug" and see if there is any interesting
output, particularly the section that looks like

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : EDH-RSA-DES-CBC3-SHA
   Session-ID: 4CBA5940CB52E9DADC9605458E1AF56B2E583DA7A05FA8663BAE0E6458D0C931
   Session-ID-ctx:
   Master-Key: 240C8B83B9AADD915FFF9273918B567B667D958C3EF65051685D90A70C2BBEF0D4984FC46977EACA753F7910FE06CACF
   Key-Arg   : None
   Start Time: 1287280960
   Timeout   : 300 (sec)
   Verify return code: 18 (self signed certificate)

The line

NSOCK (0.4540s) EID 9 reconnecting with SSL_OP_NO_SSLv2

indicates that connecting in SSLv2-compatible mode didn't work, so it
fell back to SSLv3-only mode. That seems to be failing too.

The server is only supposed to support SSLv3.  The openssl debug output when I force sslv3 seems odd.

$  openssl s_client -connect google-search0:443 -debug -ssl3
CONNECTED(00000003)
write to 0x1001190f0 [0x100815e00] (99 bytes => 99 (0x63))
0000 - 16 03 00 00 5e 01 00 00-5a 03 00 4c ba 66 74 7c   ....^...Z..L.ft|
0010 - b7 d2 9f 4e e5 e4 82 cd-a2 e9 89 2b b6 20 14 0f   ...N.......+. ..
0020 - bb a2 79 e4 cf 2e 68 a0-b3 48 72 00 00 2c 00 39   ..y...h..Hr..,.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 02 01 00 00 04 00   ................
0060 - 23                                                #
0063 - <SPACES/NULS>
read from 0x1001190f0 [0x100811400] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02                                    .....
write to 0x1001190f0 [0x10081b800] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
3218:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s3_pkt.c:284:

What else can I try?


-- 
Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

This reminds me of a similar problem I had with a WebSphere server a while back.
I don't know if it has anything to do with Matt's problem or if it's something entirely different.
I've set up the test environment again and done some tests.  When running a version scan I get this:

PORT     STATE SERVICE     REASON  VERSION
9443/tcp open  ssl/unknown syn-ack
Final times for host: srtt: 5098 rttvar: 5496  to: 100000

I see this in the debug output:
NSOCK (31.1600s) Callback: SSL-CONNECT TIMEOUT for EID 265 [192.168.56.210:9443]

Here's some output from openssl s_client:

openssl s_client -connect 192.168.56.210:9043 -debug -ssl2
CONNECTED(00000003)
write to 0x10031ca00 [0x100815e01] (48 bytes => 48 (0x30))
0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00   ................
0010 - 80 03 00 80 01 00 80 06-00 40 04 00 80 02 00 80   .........@......
0020 - dd 7b 97 7e d7 32 c1 73-10 32 c8 7e 6c 41 46 f7   .{.~.2.s.2.~lAF.
read from 0x10031ca00 [0x10080dc00] (2 bytes => 0 (0x0))
140735081188476:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:430:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 48 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1287291885
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

openssl s_client -connect 192.168.56.210:9043 -debug -tls1
CONNECTED(00000003)
write to 0x10031c8a0 [0x100817803] (211 bytes => 211 (0xD3))
0000 - 16 03 01 00 ce 01 00 00-ca 03 01 4c ba 84 1d 0c   ...........L....
0010 - 2e 5b d2 76 a9 13 e4 15-b5 2b 47 b0 5f ab f3 0b   .[.v.....+G._...
0020 - e0 29 d8 67 f7 3c 2f cb-5d 6d 39 00 00 5c c0 14   .).g.</.]m9..\..
0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35   ...9.8.........5
0040 - 00 84 c0 12 c0 08 00 16-00 13 c0 0d c0 03 00 0a   ................
0050 - c0 13 c0 09 00 33 00 32-00 9a 00 99 00 45 00 44   .....3.2.....E.D
0060 - c0 0e c0 04 00 2f 00 96-00 41 00 07 c0 11 c0 07   ...../...A......
0070 - c0 0c c0 02 00 05 00 04-00 15 00 12 00 09 00 14   ................
0080 - 00 11 00 08 00 06 00 03-00 ff 02 01 00 00 44 00   ..............D.
0090 - 0b 00 04 03 00 01 02 00-0a 00 34 00 32 00 01 00   ..........4.2...
00a0 - 02 00 03 00 04 00 05 00-06 00 07 00 08 00 09 00   ................
00b0 - 0a 00 0b 00 0c 00 0d 00-0e 00 0f 00 10 00 11 00   ................
00c0 - 12 00 13 00 14 00 15 00-16 00 17 00 18 00 19 00   ................
00d0 - 23                                                #
00d3 - <SPACES/NULS>

SSL3 seems to work fine.

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
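As an added illustration (not code from the thread or from Nmap), a small Python decoder for the openssl s_client -debug hex dumps quoted above: it recovers the raw bytes, decodes the SSLv2 or SSLv3/TLS record header, and flags the record-version mismatch behind the "wrong version number" error in Matt's -ssl3 run. The dump strings are copied from the posts; the function names and the small lookup tables are my own.

```python
import re

# Dump lines copied from the openssl s_client -debug output quoted in this thread
SSL3_CLIENT_HELLO = "0000 - 16 03 00 00 5e 01 00 00-5a 03 00 4c ba 66 74 7c   ....^...Z..L.ft|"
SERVER_REPLY = "0000 - 15 03 01 00 02                                    ....."
CLIENT_ALERT = "0000 - 15 03 01 00 02 02 28                              ......("
SSL2_CLIENT_HELLO = "0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00   ................"

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERTS = {0x0a: "unexpected_message", 0x28: "handshake_failure", 0x46: "protocol_version"}

def parse_debug_dump(text):
    """Recover raw bytes from openssl -debug dump lines, ignoring the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]?){1,16})", line)
        if m:  # '<SPACES/NULS>' trailer lines and non-dump lines do not match
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)

def describe_record(data):
    """Decode the first record header: SSLv2 2-byte framing or SSLv3/TLS 5-byte framing."""
    if data[0] & 0x80:  # SSLv2: 15-bit length, then message type (1 = CLIENT-HELLO) and version
        return {"framing": "SSLv2", "length": ((data[0] & 0x7f) << 8) | data[1],
                "msg_type": data[2], "version": (data[3], data[4])}
    ctype, ver = data[0], (data[1], data[2])
    rec = {"framing": "SSLv3/TLS", "content_type": CONTENT_TYPES.get(ctype, hex(ctype)),
           "version": VERSIONS.get(ver, "%d.%d" % ver), "length": int.from_bytes(data[3:5], "big")}
    if ctype == 0x15 and len(data) >= 7:  # alert body present: level, description
        rec["alert"] = ("fatal" if data[5] == 2 else "warning", ALERTS.get(data[6], hex(data[6])))
    return rec

def version_mismatch(sent_dump, received_dump):
    """True when the peer answered with a different record-layer version than the client
    sent; with -ssl3 forced, OpenSSL rejects such a record as 'wrong version number'."""
    sent = describe_record(parse_debug_dump(sent_dump))
    got = describe_record(parse_debug_dump(received_dump))
    return sent["framing"] == got["framing"] == "SSLv3/TLS" and sent["version"] != got["version"]

if __name__ == "__main__":
    for name, dump in [("client hello", SSL3_CLIENT_HELLO), ("server reply", SERVER_REPLY),
                       ("client alert", CLIENT_ALERT), ("sslv2 hello", SSL2_CLIENT_HELLO)]:
        print(name, describe_record(parse_debug_dump(dump)))
    print("record version mismatch:", version_mismatch(SSL3_CLIENT_HELLO, SERVER_REPLY))
```

The SSLv3 ClientHello goes out with record version 3.0 and the server answers with a 3.1 alert record, which is exactly the mismatch the forced -ssl3 client refuses before it even reads the alert body.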
