Nmap Development mailing list archives

Problems with the sslv2 NSE script / documentation


From: Anders Thulin <anders.thulin () sentor se>
Date: Tue, 25 Oct 2011 10:10:30 +0200

At a recent security test, I received the following result from the sslv2 script:

---
$ nmap -Pn -p443 <host address> --script sslv2
Starting Nmap 5.51 ( http://nmap.org ) at [... omitted]
Nmap scan report for <host address>
Host is up (0.016s latency).
PORT    STATE SERVICE
443/tcp open  https
|_sslv2: server still supports SSLv2

Nmap done: 1 IP address (1 host up) scanned in 2.80 seconds
---

However, when I check the documentation page of the sslv2 script to ensure that I knew exactly
what that means, I see that a number of crypto suites seem to be supposed to be listed after the
'server still supports SSLv2' line.

By perusing the script code (not expert in NSE, I'm afraid), I find that an alternative
but undocumented result is 'server supports SSLv2 protocol, but no SSLv2 cyphers'.

* Documentation bug: that output should have been documented.


Now, I appear to have received a report that isn't covered by either of these two
possibilities, and this suggests something wrong in either the code or the documentation.

After still more code digging, I find that verbosity appears to play a part: the
script output as shown in the documentation depends on verbosity > 1.

* Documentation bug: there is no mention of verbosity levels.

* Suggestion: include both non-verbose and verbose results in the Sample Output section.


(At present I can't repeat the test against the same host, so I can't verify if the
'-sV -sC' options in the Example Usage documentation do enable verbosity, but as far as I read from
the Nmap ref. man., they don't. So I assume they really don't.)

* Possible Documentation bug: Sample output should, unless anything else is stated, be the result of Example Usage.


It also seems desirable to provide an Example Usage that is minimal or tightly focussed on the script.
Using -sC to invoke sslv2.nse is a bit indirect.

* Suggestion: Replace current example usage with 'nmap -v --script sslv2', and the possible addition that
sslv2 is included in the default script set (-sC).

* Idea: The perfect solution would probably be to give a Synopsis: 'nmap [-v] --script sslv2' which
includes all other configurations (such as verbosity) that affect the script being documented, along
with a number of sample outputs covering the important variations.


Relying on absence of information to convey positive information (which the non-verbose invocation does
in the situation that I encountered) is not ideal, as it assumes the documentation covers
all possibilities, or that the user is an expert on the script.

* Suggestion: Add information about how many ciphers were returned in the handshake to make it clear
that the handshake was successful also in the non-verbose case. Perhaps something like:

        |_sslv2: server still supports SSLv2 (7 cipher specs)


Additionally, the cyphers function appears to be capable of returning an empty string, but there's
also a comment that '-- something's got broken along the way if these aren't equal' next
to it.

This possibly rare error case is not handled in the main body of the program.

* Possible code bug: An error situation appears to lead to just the same situation as I encountered, which
  an expert user would interpret as an indication that the handshake was successful, but where in
  fact there was a code failure.


Hope this is useful,
-- 
Anders Thulin      anders.thulin () sentor se      070-757 36 10 / Intl. +46 70 757 36 10
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
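The reporting change proposed in the message above (a cipher count in the non-verbose line, and an error case that cannot be mistaken for a clean result), as an added illustration in NSE-style Lua; this is not code from sslv2.nse, and `format_sslv2_result`, its `specs` argument and the sample cipher-spec names are assumptions for the example.

```lua
-- Added example, not sslv2.nse's own code. `specs` is assumed to be the list
-- of cipher-spec names the SSLv2 handshake returned, or nil when the reply
-- could not be parsed; `verbosity` mirrors nmap.verbosity().
local function format_sslv2_result(specs, verbosity)
  if specs == nil then
    -- parsing failed: report it instead of falling through to a line that
    -- an expert reader would take as "handshake succeeded"
    return "ERROR: SSLv2 server hello could not be parsed"
  end
  if #specs == 0 then
    -- the case the message found undocumented
    return "server supports SSLv2 protocol, but no SSLv2 cyphers"
  end
  -- non-verbose line now carries the count, so absence of a cipher list is
  -- no longer the only hint that the handshake worked
  local line = string.format("server still supports SSLv2 (%d cipher specs)", #specs)
  if verbosity > 1 then
    -- verbose output: list each cipher spec, as the documentation's sample shows
    local out = { line }
    for _, name in ipairs(specs) do
      out[#out + 1] = "  " .. name
    end
    return table.concat(out, "\n")
  end
  return line
end

-- constructed sample input (hypothetical names in SSLv2 cipher-spec style)
local sample = { "SSL2_RC4_128_WITH_MD5", "SSL2_DES_192_EDE3_CBC_WITH_MD5" }
print(format_sslv2_result(sample, 1))  -- count only, as with plain --script sslv2
print(format_sslv2_result(sample, 2))  -- count plus the list, as with -v -v
print(format_sslv2_result({}, 1))      -- protocol accepted, no ciphers
print(format_sslv2_result(nil, 1))     -- parse failure stays distinguishable
```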

