Nmap Development mailing list archives

Re: Apache killer 3192


From: Duarte Silva <duarte.silva () serializing me>
Date: Tue, 13 Sep 2011 11:09:39 +0100

Hi Adrian,

Could you use the script trace argument with nmap? That way you will be able
to verify the HTTP requests and responses.

nmap -n -v -sT -pT:443 x.x.x.x --script http-vuln-cve2011-3192 --script-args="http-vuln-cve2011-3192.path=/" --script-trace

By the way, if you don't specify the path argument, by default the script
will use "/".

Regards,
Duarte


On Tuesday 13 September 2011 06:12:48 Adrian Coelho wrote:
-nmap -V

Nmap version 5.51 ( http://nmap.org )

-openssl s_client -connect x.x.x.x:443
----snip----
CERTIFICATE Details
----snip----

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 13 Sep 2011 04:59:55 GMT
Server: Apache
Last-Modified: Fri, 09 Sep 2011 17:08:47 GMT
ETag: "a576-14b7-4ac853afb05c0"
Accept-Ranges: bytes
Content-Length: 5303
Connection: close
Content-Type: text/html


-nmap -n -v -sT -pT:443 x.x.x.x --script http-vuln-cve2011-3192 --script-args="http-vuln-cve2011-3192.path=/" -d

Starting Nmap 5.51 ( http://nmap.org ) at 2011-09-13 07:25 BST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating Ping Scan at 07:25
Scanning x.x.x.x [2 ports]
Completed Ping Scan at 07:25, 0.09s elapsed (1 total hosts)
Overall sending rates: 22.49 packets / s.
Initiating Connect Scan at 07:25
Scanning x.x.x.x [1 port]
Discovered open port 443/tcp on x.x.x.x
Completed Connect Scan at 07:25, 0.09s elapsed (1 total ports)
Overall sending rates: 11.41 packets / s.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting http-vuln-cve2011-3192 against x.x.x.x:443.
NSE: Script scanning x.x.x.x.
Initiating NSE at 07:25
NSE: http-vuln-cve2011-3192: Functionality check HEAD request failed for x.x.x.x (with path '/').
NSE: Finished http-vuln-cve2011-3192 against x.x.x.x:443.
Completed NSE at 07:25, 0.18s elapsed
Nmap scan report for x.x.x.x
Host is up, received syn-ack (0.086s latency).
Scanned at 2011-09-13 07:25:39 BST for 0s
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
Final times for host: srtt: 86289 rttvar: 49094  to: 282665

NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/local/share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
---

Regards, Adrian

On Sep 13, 2011, at 1:57 AM, John Bond <john.r.bond () gmail com> wrote:
On 12 September 2011 19:46, Henri Doreau <henri.doreau () greenbone net> 
wrote:
2011/9/12 Adrian Coelho <adrian.coelho () gmail com>:
NSE: http-vuln-cve2011-3192: Functionality check HEAD request failed for x.x.x.x (with path '/').

I can't trigger any problem with the script. Is your server configured
to accept HEAD requests on port 443?

Adrian,

What do you get if you do a HEAD request using openssl?

run
openssl s_client -connect server:443

then type
HEAD / HTTP/1.0
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
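To isolate the failing precheck outside Nmap, the following is an added example (not from this thread, the NSE script, or the Nmap project) that sends the same HTTP/1.0 HEAD request the thread types into openssl s_client, over TLS without certificate verification, and parses the reply. The helper names, the live `head_check` function and the "status 200 means the precheck passes" criterion are assumptions of this example, not the script's documented behaviour; the sample response is the header block Adrian pasted, re-typed as constructed bytes.

```python
import re
import socket
import ssl

def build_head_request(path="/", host=None):
    # The HTTP/1.0 HEAD request the thread types into openssl s_client.
    lines = [f"HEAD {path} HTTP/1.0"] + ([f"Host: {host}"] if host else [])
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_head_response(raw):
    # (status_code, headers) with lower-cased names; ValueError if no status line.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.splitlines()
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def functionality_check_passes(raw):
    # Assumption, not the NSE script's own logic: the precheck wants a parsable
    # status line with code 200 for the requested path.
    try:
        code, _ = parse_head_response(raw)
    except ValueError:
        return False
    return code == 200

def head_check(host, port=443, path="/", timeout=5.0):
    # Live HEAD over TLS with no certificate verification, like s_client.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_head_request(path, host))
            chunks = []
            while data := tls.recv(4096):
                chunks.append(data)
    return b"".join(chunks)

# Constructed sample: the response headers Adrian pasted, re-typed as bytes.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Tue, 13 Sep 2011 04:59:55 GMT\r\n"
                   b"Server: Apache\r\nAccept-Ranges: bytes\r\nContent-Length: 5303\r\n"
                   b"Connection: close\r\nContent-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    import sys
    print(parse_head_response(head_check(sys.argv[1])))
```

Run it against the host from the thread as `python3 headcheck.py x.x.x.x`; if the status line is not 200 for the path the script was given, that is the condition the thread's "Functionality check HEAD request failed" message reports.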



