Nmap Development mailing list archives
Re: ssl-cert.nse error
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 17 Oct 2010 07:30:59 +0200
On 17 Oct 2010, at 05.03, Matt Selsky wrote:
> On Fri, 15 Oct 2010, David Fifield wrote:
> > Is it just ssl-cert, or does it also happen with version detection?
>
> --version-trace shows:
>
> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-10-16 21:59 EDT
> --------------- Timing report ---------------
>   hostgroups: min 1, max 100000
>   rtt-timeouts: init 1000, min 100, max 10000
>   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
>   parallelism: min 0, max 0
>   max-retries: 10, host-timeout: 0
>   min-rate: 0, max-rate: 0
> ---------------------------------------------
> NSE: Loaded 7 scripts for scanning.
> setrlimit RLIMIT_NOFILE failed: Invalid argument
> Overall sending rates: 19.73 packets / s.
> mass_rdns: Using DNS server 209.18.47.61
> mass_rdns: Using DNS server 209.18.47.62
> mass_rdns: Using DNS server 8.8.8.8
> mass_rdns: Using DNS server 8.8.4.4
> mass_rdns: 0.22s 0/1 [#: 4, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
> DNS resolution of 1 IPs took 0.22s. Mode: Async [#: 4, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
> Overall sending rates: 29.64 packets / s.
> NSOCK (10.7030s) TCP connection requested to 10.59.59.26:443 (IOD #1) EID 8
> NSOCK (10.7880s) Callback: CONNECT SUCCESS for EID 8 [10.59.59.26:443]
> Service scan sending probe NULL to 10.59.59.26:443 (tcp)
> NSOCK (10.7880s) Read request from IOD #1 [10.59.59.26:443] (timeout: 6000ms) EID 18
> NSOCK (16.8200s) Callback: READ TIMEOUT for EID 18 [10.59.59.26:443]
> Service scan sending probe HTTPOptions to 10.59.59.26:443 (tcp)
> NSOCK (16.8200s) Write request for 22 bytes to IOD #1 EID 27 [10.59.59.26:443]: OPTIONS / HTTP/1.0....
> NSOCK (16.8200s) Read request from IOD #1 [10.59.59.26:443] (timeout: 5000ms) EID 34
> NSOCK (16.8220s) Callback: WRITE SUCCESS for EID 27 [10.59.59.26:443]
> NSOCK (16.8740s) Callback READ SUCCESS for EID 34 (peer unspecified) (7 bytes): .......
> NSOCK (16.8740s) Read request from IOD #1 (peer unspecified) (timeout: 4859ms) EID 42
> NSOCK (16.8740s) Callback: READ EOF for EID 42 (peer unspecified)
> NSOCK (16.9620s) TCP connection requested to 10.59.59.26:443 (IOD #2) EID 48
> NSOCK (17.0420s) Callback: CONNECT SUCCESS for EID 48 [10.59.59.26:443]
> Service scan sending probe SSLSessionReq to 10.59.59.26:443 (tcp)
> NSOCK (17.0420s) Write request for 88 bytes to IOD #2 EID 59 [10.59.59.26:443]
> NSOCK (17.0420s) Read request from IOD #2 [10.59.59.26:443] (timeout: 5000ms) EID 66
> NSOCK (17.0420s) Callback: WRITE SUCCESS for EID 59 [10.59.59.26:443]
> NSOCK (17.0910s) Callback READ SUCCESS for EID 66 (peer unspecified) (1296 bytes)
> Service scan match (Probe SSLSessionReq matched with SSLSessionReq): 10.59.59.26:443 is ssl.  Version: |Microsoft IIS SSL|||
> NSOCK (17.0920s) SSL connection requested to 10.59.59.26:443/tcp (IOD #3) EID 73
> NSOCK (17.1760s) EID 73 reconnecting with SSL_OP_NO_SSLv2
> NSOCK (17.2420s) EID 73 error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
> NSOCK (17.2420s) Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 73 [10.59.59.26:443]
> Got nsock CONNECT response with status ERROR - aborting this service
> Starting RPC scan against google-search0 (10.59.59.26)
> NSE: Script scanning 10.59.59.26.
> NSE: Starting runlevel 1 (of 1) scan.
> NSE: NSE Script Threads (1) running:
> NSE: Starting skypev2-version against 10.59.59.26:443.
> NSE: Finished skypev2-version against 10.59.59.26:443.
> Nmap scan report for google-search0 (10.59.59.26)
> Host is up (0.092s latency).
> rDNS record for 10.59.59.26: google-search0
> Scanned at 2010-10-16 21:59:19 EDT for 11s
> PORT    STATE SERVICE    VERSION
> 443/tcp open  ssl/https?
> Final times for host: srtt: 92363 rttvar: 73497 to: 386351
> Read from .: nmap-payloads nmap-rpc nmap-service-probes nmap-services.
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 17.96 seconds
>
> > Run "openssl s_client -debug" and see if there is any interesting output,
> > particularly the section that looks like
> >
> > New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> > Server public key is 1024 bit
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : EDH-RSA-DES-CBC3-SHA
> >     Session-ID: 4CBA5940CB52E9DADC9605458E1AF56B2E583DA7A05FA8663BAE0E6458D0C931
> >     Session-ID-ctx:
> >     Master-Key: 240C8B83B9AADD915FFF9273918B567B667D958C3EF65051685D90A70C2BBEF0D4984FC46977EACA753F7910FE06CACF
> >     Key-Arg   : None
> >     Start Time: 1287280960
> >     Timeout   : 300 (sec)
> >     Verify return code: 18 (self signed certificate)
> >
> > The line
> >
> > NSOCK (0.4540s) EID 9 reconnecting with SSL_OP_NO_SSLv2
> >
> > indicates that connecting in SSLv2-compatible mode didn't work, so it fell back to SSLv3-only mode. That seems to be failing too.
>
> The server is only supposed to support SSLv3. The openssl debug output when I force sslv3 seems odd.
>
> $ openssl s_client -connect google-search0:443 -debug -ssl3
> CONNECTED(00000003)
> write to 0x1001190f0 [0x100815e00] (99 bytes => 99 (0x63))
> 0000 - 16 03 00 00 5e 01 00 00-5a 03 00 4c ba 66 74 7c   ....^...Z..L.ft|
> 0010 - b7 d2 9f 4e e5 e4 82 cd-a2 e9 89 2b b6 20 14 0f   ...N.......+. ..
> 0020 - bb a2 79 e4 cf 2e 68 a0-b3 48 72 00 00 2c 00 39   ..y...h..Hr..,.9
> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
> 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
> 0050 - 00 14 00 11 00 08 00 06-00 03 02 01 00 00 04 00   ................
> 0060 - 23                                                 #
> 0063 - <SPACES/NULS>
> read from 0x1001190f0 [0x100811400] (5 bytes => 5 (0x5))
> 0000 - 15 03 01 00 02                                     .....
> write to 0x1001190f0 [0x10081b800] (7 bytes => 7 (0x7))
> 0000 - 15 03 01 00 02 02 28                               ......(
> 3218:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-32/src/ssl/s3_pkt.c:284:
>
> What else can I try?
>
> --
> Matt
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
This reminds me of a similar problem I had with a WebSphere server a while back. I don't know if it has anything to do with Matt's problem or if it's something entirely different. I've set up the test environment again and done some tests.

When running a version scan I get this:

PORT     STATE SERVICE     REASON  VERSION
9443/tcp open  ssl/unknown syn-ack
Final times for host: srtt: 5098 rttvar: 5496 to: 100000

I see this in the debug output:

NSOCK (31.1600s) Callback: SSL-CONNECT TIMEOUT for EID 265 [192.168.56.210:9443]

Here's some output from openssl s_client:

openssl s_client -connect 192.168.56.210:9043 -debug -ssl2
CONNECTED(00000003)
write to 0x10031ca00 [0x100815e01] (48 bytes => 48 (0x30))
0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00   ................
0010 - 80 03 00 80 01 00 80 06-00 40 04 00 80 02 00 80   .........@......
0020 - dd 7b 97 7e d7 32 c1 73-10 32 c8 7e 6c 41 46 f7   .{.~.2.s.2.~lAF.
read from 0x10031ca00 [0x10080dc00] (2 bytes => 0 (0x0))
140735081188476:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:430:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 48 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1287291885
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

openssl s_client -connect 192.168.56.210:9043 -debug -tls1
CONNECTED(00000003)
write to 0x10031c8a0 [0x100817803] (211 bytes => 211 (0xD3))
0000 - 16 03 01 00 ce 01 00 00-ca 03 01 4c ba 84 1d 0c   ...........L....
0010 - 2e 5b d2 76 a9 13 e4 15-b5 2b 47 b0 5f ab f3 0b   .[.v.....+G._...
0020 - e0 29 d8 67 f7 3c 2f cb-5d 6d 39 00 00 5c c0 14   .).g.</.]m9..\..
0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35   ...9.8.........5
0040 - 00 84 c0 12 c0 08 00 16-00 13 c0 0d c0 03 00 0a   ................
0050 - c0 13 c0 09 00 33 00 32-00 9a 00 99 00 45 00 44   .....3.2.....E.D
0060 - c0 0e c0 04 00 2f 00 96-00 41 00 07 c0 11 c0 07   ...../...A......
0070 - c0 0c c0 02 00 05 00 04-00 15 00 12 00 09 00 14   ................
0080 - 00 11 00 08 00 06 00 03-00 ff 02 01 00 00 44 00   ..............D.
0090 - 0b 00 04 03 00 01 02 00-0a 00 34 00 32 00 01 00   ..........4.2...
00a0 - 02 00 03 00 04 00 05 00-06 00 07 00 08 00 09 00   ................
00b0 - 0a 00 0b 00 0c 00 0d 00-0e 00 0f 00 10 00 11 00   ................
00c0 - 12 00 13 00 14 00 15 00-16 00 17 00 18 00 19 00   ................
00d0 - 23                                                 #
00d3 - <SPACES/NULS>

SSL3 seems to work fine.

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
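Added example, not part of the thread and not Nmap or OpenSSL code: a small Python decoder for the record headers that "openssl s_client -debug" prints, so the hex dumps above can be read off directly instead of by eye. It handles both framings seen in the thread, the SSLv2 2-byte header (Patrik's -ssl2 run) and the SSLv3/TLS 5-byte header (Matt's -ssl3 run), and goes a little beyond the thread by decoding any alert or handshake record, not just the ones shown. The sample strings are copied from the two dumps above; the function names (parse_hexdump, decode_record, diagnose) and the Record type are my own, and the '<SPACES/NULS>' padding rule reflects how OpenSSL's dump routine trims trailing NUL bytes.

```python
import re
from dataclasses import dataclass

# Record-layer content types and version bytes; SSLv2 carries version 0x0002.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSION_NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      42: "bad_certificate", 70: "protocol_version"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}
_DUMP_ROW = re.compile(r"^\s*([0-9a-fA-F]{4}) - (.*)$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild a buffer from s_client -debug rows: '<offset> - <up to 16 hex bytes>   <ascii>'.
    OpenSSL trims trailing NULs and prints '<offset> - <SPACES/NULS>' at the real end,
    so that row is used to pad the buffer back to its announced size."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_ROW.match(line)
        if not m:
            continue  # command line, 'write to ...' header, error line
        offset, rest = int(m.group(1), 16), m.group(2)
        if "<SPACES/NULS>" in rest:
            out.extend(b"\x00" * (offset - len(out)))
            continue
        # The hex columns fill the first 47 characters of a full row; ASCII follows.
        for tok in rest[:47].replace("-", " ").split():
            if re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                out.append(int(tok, 16))
    return bytes(out)


@dataclass
class Record:
    framing: str        # "SSLv2" (2-byte header) or "SSLv3/TLS" (5-byte header)
    content_type: str
    version: str        # version carried in the record header
    length: int         # body length announced by the header
    detail: str         # decoded start of the body, or why it could not be decoded


def decode_record(data: bytes) -> Record:
    """Decode the first record in data, in either the SSLv2 or the SSLv3/TLS framing."""
    if len(data) >= 2 and data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if body and body[0] == 1 and len(body) >= 9:  # SSLv2 CLIENT-HELLO
            version = VERSION_NAMES.get((body[1], body[2]), f"{body[1]}.{body[2]}")
            cipher_len, sid_len, chal_len = (int.from_bytes(body[i:i + 2], "big") for i in (3, 5, 7))
            detail = f"cipher_specs={cipher_len // 3} session_id_len={sid_len} challenge_len={chal_len}"
            return Record("SSLv2", "client_hello", version, length, detail)
        return Record("SSLv2", f"type_{body[0] if body else None}", "SSLv2", length, "")
    if len(data) < 5:
        raise ValueError("too short for an SSLv3/TLS record header")
    ctype, version = data[0], VERSION_NAMES.get((data[1], data[2]), f"{data[1]}.{data[2]}")
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    detail = ""
    if len(body) < length:  # s_client reads the 5-byte header before the body
        detail = f"body truncated: {len(body)} of {length} bytes present"
    elif ctype == 21 and length >= 2:
        detail = f"{ALERT_LEVELS.get(body[0], body[0])} {ALERT_DESCRIPTIONS.get(body[1], body[1])}"
    elif ctype == 22 and length >= 4:
        detail = f"{HANDSHAKE_TYPES.get(body[0], body[0])} len={int.from_bytes(body[1:4], 'big')}"
        if body[0] == 1 and length >= 6:
            detail += f" client_version={VERSION_NAMES.get((body[4], body[5]), '?')}"
    return Record("SSLv3/TLS", CONTENT_TYPES.get(ctype, f"type_{ctype}"), version, length, detail)


def diagnose(client: Record, server: Record) -> str:
    """Name the mismatch a version-pinned client trips over: the reply's record version differs."""
    if client.version != server.version:
        return (f"version mismatch: client sent a {client.version} record, server answered with a "
                f"{server.version} record (what OpenSSL's -ssl3 client reports as 'wrong version number')")
    if server.content_type == "alert":
        return f"server alert: {server.detail}"
    return "record versions agree"


# Sample dumps, constructed from the thread above (Matt's -ssl3 run and Patrik's -ssl2 run).
MATT_SSL3_CLIENT_HELLO = """\
0000 - 16 03 00 00 5e 01 00 00-5a 03 00 4c ba 66 74 7c   ....^...Z..L.ft|
0010 - b7 d2 9f 4e e5 e4 82 cd-a2 e9 89 2b b6 20 14 0f   ...N.......+. ..
0020 - bb a2 79 e4 cf 2e 68 a0-b3 48 72 00 00 2c 00 39   ..y...h..Hr..,.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 02 01 00 00 04 00   ................
0060 - 23                                                 #
0063 - <SPACES/NULS>
"""
MATT_SERVER_REPLY_HEADER = "0000 - 15 03 01 00 02                                     ....."
MATT_CLIENT_ALERT = "0000 - 15 03 01 00 02 02 28                               ......("
PATRIK_SSL2_CLIENT_HELLO = """\
0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00   ................
0010 - 80 03 00 80 01 00 80 06-00 40 04 00 80 02 00 80   .........@......
0020 - dd 7b 97 7e d7 32 c1 73-10 32 c8 7e 6c 41 46 f7   .{.~.2.s.2.~lAF.
"""

if __name__ == "__main__":
    hello = decode_record(parse_hexdump(MATT_SSL3_CLIENT_HELLO))
    reply = decode_record(parse_hexdump(MATT_SERVER_REPLY_HEADER))
    for rec in (hello, reply, decode_record(parse_hexdump(MATT_CLIENT_ALERT)),
                decode_record(parse_hexdump(PATRIK_SSL2_CLIENT_HELLO))):
        print(rec)
    print(diagnose(hello, reply))
```

Run on Matt's dump, the decoder shows a 94-byte SSLv3 handshake record carrying a ClientHello with client_version SSLv3, answered by a record whose header says TLSv1.0: that version byte, not the alert body, is what the -ssl3 client rejects as "wrong version number" before it ever reads the alert, and the 7-byte write that follows is the client's own fatal handshake_failure alert. Patrik's 48-byte write decodes as an SSLv2 CLIENT-HELLO offering 7 cipher specs with a 16-byte challenge, which the WebSphere port answers with a bare close.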
Current thread:
- ssl-cert.nse error Matt Selsky (Oct 12)
- Re: ssl-cert.nse error David Fifield (Oct 15)
- Re: ssl-cert.nse error Matt Selsky (Oct 16)
- Re: ssl-cert.nse error Patrik Karlsson (Oct 16)
- Re: ssl-cert.nse error Matt Selsky (Oct 16)
- Re: ssl-cert.nse error David Fifield (Oct 15)