Nmap Development mailing list archives

Re: ssl/irc not detected


From: Corey Quinn <corey () sequestered net>
Date: Tue, 7 Dec 2010 11:01:49 -0800

On Nov 10, 2010, at 8:30 PM, David Fifield wrote:

> On Wed, Nov 10, 2010 at 05:13:55PM -0800, Matt Selsky wrote:
>> IRC servers running behind SSL don't seem to be detected as such.
>> freenode runs non-SSL on port 6667, and SSL on port 7000 and 7070.
>>
>> $ ./nmap --datadir=. -d -sV -p 6667,7000,7070 --version-trace
>> irc.freenode.net
>>
>> Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-11-10 17:06 PST
>> Starting probes against new service: 82.96.64.4:7000 (tcp)
>> NSOCK (2.2170s) TCP connection requested to 82.96.64.4:7000 (IOD #2) EID 16
>> NSOCK (2.3860s) Callback: CONNECT SUCCESS for EID 16 [82.96.64.4:7000]
>> Service scan sending probe NULL to 82.96.64.4:7000 (tcp)
>> NSOCK (2.3860s) Read request from IOD #2 [82.96.64.4:7000] (timeout:
>> 6000ms) EID 42
>> NSOCK (8.3860s) Callback: READ TIMEOUT for EID 42 [82.96.64.4:7000]
>> Service scan sending probe RPCCheck to 82.96.64.4:7000 (tcp)
>> NSOCK (8.3860s) Write request for 44 bytes to IOD #2 EID 59
>> [82.96.64.4:7000]: ...(r..................|....................
>> NSOCK (8.3860s) Read request from IOD #2 [82.96.64.4:7000] (timeout:
>> 5000ms) EID 66
>> NSOCK (8.3870s) Callback: WRITE SUCCESS for EID 59 [82.96.64.4:7000]
>> NSOCK (8.3870s) Callback: WRITE SUCCESS for EID 75 [82.96.64.4:7070]
>> NSOCK (8.5570s) Callback: READ ERROR [Connection reset by peer (54)] for
>> EID 66 [82.96.64.4:7000]
>> NSOCK (8.5570s) TCP connection requested to 82.96.64.4:7000 (IOD #5) EID 96
>> NSOCK (8.7260s) Callback: CONNECT SUCCESS for EID 96 [82.96.64.4:7000]
>> Service scan sending probe DNSVersionBindReq to 82.96.64.4:7000 (tcp)
>> NSOCK (8.7260s) Write request for 32 bytes to IOD #5 EID 123
>> [82.96.64.4:7000]: ...............version.bind.....
>> NSOCK (8.7260s) Read request from IOD #5 [82.96.64.4:7000] (timeout:
>> 5000ms) EID 130
>> NSOCK (8.7260s) Callback: WRITE SUCCESS for EID 123 [82.96.64.4:7000]
>> NSOCK (8.9030s) Callback: READ SUCCESS for EID 130 [82.96.64.4:7000] (42
>> bytes): ERROR :Reconnecting too fast, throttled...
>> Service scan match (Probe DNSVersionBindReq matched with NULL):
>> 82.96.64.4:7000 is irc.  Version: |Unreal ircd|||
>> Completed Service scan at 17:06, 6.69s elapsed (3 services on 1 host)
>>
>> I would expect something like the following:
>>
>> PORT     STATE SERVICE REASON  VERSION
>> 6667/tcp open  irc     syn-ack
>> 7000/tcp open  ssl/irc syn-ack Unreal ircd
>> 7070/tcp open  ssl/irc syn-ack Unreal ircd
>>
>> Am I doing something wrong?
>
> I think it's this match line:
>
> match irc m|^ERROR :Reconnecting too fast, throttled\.\r\n$| p/Unreal ircd/

...which is itself a misfire; we're running freenode on ircd-seven, which is a branch of charybdis.

> My guess is that this particular server is capable of responding with
> the throttling message over plaintext even though it otherwise uses SSL.
> Try reducing the rarity of the SSLSessionReq probe so it gets tried
> sooner.

Yes.  Certain connection checks happen before the hand-off to ssld; this is one of them.

-- Corey / KB1JWQ
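
The match directive quoted in this thread, applied to the 42-byte plaintext reply seen in the trace. This is an added example, not part of the original message and not Nmap's own code: the parser is a simplified stand-in (Python `re` in place of Nmap's PCRE, `cpe:` fields ignored), and the helper names and the reconstructed banner bytes are assumptions.

```python
import re

# Directive quoted in the thread (from nmap-service-probes).
MATCH_LINE = r"match irc m|^ERROR :Reconnecting too fast, throttled\.\r\n$| p/Unreal ircd/"

# Constructed input: the 42-byte read from the trace, assuming the two trailing
# dots printed by --version-trace stand for the non-printable CR LF.
THROTTLE_BANNER = b"ERROR :Reconnecting too fast, throttled.\r\n"

# match|softmatch <service> m<delim><regex><delim>[is] [<version fields>]
DIRECTIVE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)(?:\s+(.*))?$")
# Version fields such as p/product/ v/version/ i/info/ (any delimiter).
VERSION_FIELD = re.compile(r"\b([pvihod])(.)(.*?)\2")


def parse_match(line):
    """Split one match/softmatch directive into service, regex and product."""
    m = DIRECTIVE.match(line)
    if not m:
        raise ValueError("not a match directive: %r" % line)
    kind, service, _delim, pattern, opts, info = m.groups()
    flags = (re.I if "i" in opts else 0) | (re.S if "s" in opts else 0)
    fields = {key: value for key, _d, value in VERSION_FIELD.findall(info or "")}
    return {"kind": kind, "service": service,
            "regex": re.compile(pattern.encode("latin-1"), flags),
            "product": fields.get("p")}


def classify(response, directives):
    """Return (service, product) for the first directive whose regex matches."""
    for d in directives:
        if d["regex"].search(response):
            return d["service"], d["product"]
    return None


if __name__ == "__main__":
    rule = parse_match(MATCH_LINE)
    # The regex keys on the throttle message text alone, so any server sending
    # these bytes is labelled with the directive's product string.
    print(classify(THROTTLE_BANNER, [rule]))
```

The result is built only from the plaintext bytes, so it names `irc` and the directive's product string and carries no indication of an SSL tunnel.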